Category Archives: Breaking News

Security Affairs: JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers

A criminal organization has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner dubbed JenkinsMiner.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.” states a blog post published by CheckPoint.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

Jenkins servers

According to the researchers, threat actors behind the massive mining operation were leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the post.

Most of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huaian government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

Jenkinminer

Further details and IoCs are included in the analysis published by CheckPoint.

In January, security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Pierluigi Paganini

(Security Affairs – JenkinsMiner, Monero cryptocurrency miner)

The post JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers appeared first on Security Affairs.



Security Affairs

JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers

A criminal organization has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner dubbed JenkinsMiner.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.” states a blog post published by CheckPoint.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

Jenkins servers

According to the researchers, threat actors behind the massive mining operation were leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the post.

Most of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huaian government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

Jenkinminer

Further details and IoCs are included in the analysis published by CheckPoint.

In January, security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Pierluigi Paganini

(Security Affairs – JenkinsMiner, Monero cryptocurrency miner)

The post JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers appeared first on Security Affairs.

Germany’s defense minister: Cyber security is going to be the main focus of this decade.

On Saturday, Germany defense minister Ursula von der Leyen told CNBC that cyber attacks are the greatest challenge threatening global stability.

The cybersecurity is a pillar of modern states, the string of recent massive attacks including NotPetya and WannaCry is the demonstration that we are all potential targets.

Cyber attacks could hit governments, private companies and citizens in every time and from every where causing severe problems to the victims and huge financial losses. The cyber risk is directly linked to geopolitical, environmental, technological, and economic risks. A cyber attack could destabilize governments worldwide, it can get a business out of the business.

When journalists asked about the “single greatest threat to global stability,” to the German defense minister, she confirmed the disconcerting scenario.

“I think it’s the cyber threats because whatever adversaries you can think of and even if you talk about Daesh (the terrorist group) they use the cyber domain to fight against us.” Germany’s defense minister Ursula von der Leyen told CNBC.

Germany defense minister urges European states to invest in collective defense

“This decade will be the decade of improvement in cyber security and information ruling,” she added.

 

Governments and companies are already investing to improve the resilience to cyber attacks of their networks. The Germany defense minister also noticed that Governments are also working to improve their offensive cyber capabilities.

The US and UK are reportedly using cyber soldiers to fight the Islamic State.

The video interview is available at the following link:

https://www.cnbc.com/video/2018/02/17/cyber-threats-biggest-threat-to-stabililty-german-defense-minister-says.html

Pierluigi Paganini

(Security Affairs – Germany defense minister:, Information Warfare)

The post Germany’s defense minister: Cyber security is going to be the main focus of this decade. appeared first on Security Affairs.

Security Affairs: Security Affairs newsletter Round 150 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

·      FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins
·      Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild
·      Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack
·      49% of crypto mining scripts are deployed on pornographic related websites
·      CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family
·      Victims of some versions of the Cryakl ransomware can decrypt their files for free
·      Victims of the current version of the Cryakl ransomware can decrypt their files for free
·      A new variant of the dreaded AndroRAT malware appeared in threat landscape
·      Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware
·      Necurs botnet is behind seasonal campaigns of Valentines Day-themed spam
·      New details emerge from Equifax breach, the hack is worse than previously thought
·      Pyeongchang – Olympic Destroyer Unleashed to Embarrass Pyeongchang 2018 Games
·      All You Need to Know About North Korea and its cyber army
·      DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits
·      Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws
·      Windows Analytics now includes Meltdown and Spectre detector
·      Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities
·      Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys
·      SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues
·      UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack
·      Unknown Threat Actor Conducts OPSEC Targeting Middle East
·      119,000 Scanned IDs of FedEx-owned company Bongo Internationals customers exposed online
·      A new text bomb threatens Apple devices, a single character can crash any apple iPhone, iPad Or Mac
·      DELL EMC addressed two critical flaws in VMAX enterprise storage systems
·      OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1
·      Effective Tips for Internet Safety for Kids You Must Read
·      Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election
·      Researchers spotted a new malware in the wild, the Saturn Ransomware
·      Unknown hackers stole $6 million from a Russian bank via SWIFT system last year

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 150 – News of the week appeared first on Security Affairs.



Security Affairs

Security Affairs newsletter Round 150 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

·      FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins
·      Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild
·      Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack
·      49% of crypto mining scripts are deployed on pornographic related websites
·      CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family
·      Victims of some versions of the Cryakl ransomware can decrypt their files for free
·      Victims of the current version of the Cryakl ransomware can decrypt their files for free
·      A new variant of the dreaded AndroRAT malware appeared in threat landscape
·      Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware
·      Necurs botnet is behind seasonal campaigns of Valentines Day-themed spam
·      New details emerge from Equifax breach, the hack is worse than previously thought
·      Pyeongchang – Olympic Destroyer Unleashed to Embarrass Pyeongchang 2018 Games
·      All You Need to Know About North Korea and its cyber army
·      DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits
·      Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws
·      Windows Analytics now includes Meltdown and Spectre detector
·      Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities
·      Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys
·      SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues
·      UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack
·      Unknown Threat Actor Conducts OPSEC Targeting Middle East
·      119,000 Scanned IDs of FedEx-owned company Bongo Internationals customers exposed online
·      A new text bomb threatens Apple devices, a single character can crash any apple iPhone, iPad Or Mac
·      DELL EMC addressed two critical flaws in VMAX enterprise storage systems
·      OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1
·      Effective Tips for Internet Safety for Kids You Must Read
·      Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election
·      Researchers spotted a new malware in the wild, the Saturn Ransomware
·      Unknown hackers stole $6 million from a Russian bank via SWIFT system last year

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 150 – News of the week appeared first on Security Affairs.

COINHOARDER criminal gang made an estimated $50 million with a Bitcoin phishing campaign

Researchers with Cisco Talos have monitored a bitcoin phishing campaign conducted by a criminal gang tracked as Coinhoarder that made an estimated $50 million by exploiting Google AdWords.

Researchers with Cisco Talos have monitored a bitcoin phishing campaign for several months with the help of the Ukraine Cyberpolice.

The gang, tracked as Coinhoarder, has made an estimated $50 million by exploiting Google AdWords to trick netizens into visiting Bitcoin phishing sites. This is the element that characterized this phishing campaign, Coinhoarder attackers used geo-targeting filters for their ads, the researchers noticed that hackers were targeting mostly Bitcoin owners in Africa.

The Ukrainian authorities located and shut down the servers hosting some of the phishing websites used by crooks. The phishing sites were hosted on the servers of a bulletproof hosting provider located in Ukraine, Highload Systems. The operation was temporarily disrupted but the police haven’t arrested any individual.

“Cisco has been tracking a bitcoin theft campaign for over 6 months. The campaign was discovered internally and researched with the aid of an intelligence sharing partnership with Ukraine Cyberpolice. The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims.” reads the analysis published by Talos. “This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims.”

The Coinhoarder group used Google Adwords for black SEO purposes, on February 24, 2017, researchers at Cisco observed a massive phishing campaign hosted in Ukraine targeting the popular Bitcoin wallet site blockchain.info with over 200,000 client queries. Crooks used Google Adwords to poison user search results in order to steal users’ wallets.

Unfortunately, this attack scheme is becoming quite common in the criminal ecosystem, hackers implement it to target many different crypto wallets and exchanges via malicious ads.

The COINHOARDER gang leveraged the typosquatting technique, the hackers used domains imitating the Blockchain.info Bitcoin wallet service in conjunction SSL signed phishing sites in order to appear as legitimate. Based on the number of queries, the researchers confirmed that this is one of the biggest campaigns targeting Blockchain.info to date.

“The COINHOARDER group has made heavy use of typosquatting and brand spoofing in conjunction SSL signed phishing sites in order to appear convincing. We have also observed the threat actors using internationalized domain names.” continues the analysis. “These domains are used in what are called homograph attacks, where an international letter or symbol looks very similar to one in English. Here are some examples from this campaign. 

The Punycode (internationalized) version is on the left, the translated (homographic) version on the right:

xn–blockchan-d5a[.]com → blockchaìn[.]com

xn–blokchan-i2a[.]info → blokchaín[.]info”

Talos researchers revealed that one campaign that was conducted between September and December 2017, the group made around $10 million.

“While working with Ukraine law enforcement, we were able to identify the attackers’ Bitcoin wallet addresses and thus, we could track their activity for the period of time between September 2017 to December 2017. In this period alone, we quantified around $10M was stolen.In one specific run, they made $2M within 3.5 week period. ” states Cisco Talos.

Further technical details on the campaign, including Indicators of Compromise are included in the analysis published by Cisco Talos.

Pierluigi Paganini

(Security Affairs – Coinhoarder, Bitcoin phishing campaign)

The post COINHOARDER criminal gang made an estimated $50 million with a Bitcoin phishing campaign appeared first on Security Affairs.

Security Affairs: Effective Tips for Internet Safety for Kids You Must Read

Online safety for your kids is very important.  However, that doesn’t necessarily mean that it needs to be hard work.

The key thing is to learn how to get parental controls set up properly so that you won’t have to worry as much about online safety when your kids start to use the internet for both school projects and entertainment.

There are many ways that the version of the internet that your kids see can be fine-tuned.  One option is to use a free content filter that is offered by all of the major providers.

There are also sophisticated software that is available for sale that you can invest in if you feel the need for a more advanced solution.

In order to determine which is best for you, we will be covering some of the major parental control options that are available to you.

In this article, we will be discussing various parent control options that are available to you.  However, keep in mind, that although there are some very useful parental control tools that are available – it is still important for you to watch what your children are doing when they are online as much as you can.  There is no substitute when it comes to parental supervision of children.

Content filters

All of the major UK broadband providers, including EE, Virgin Media, TalkTalk, Sky, and BT offer content filters as a standard feature.

They block off sites that contain material that is inappropriate for children, like self-harming, pornography, and other nasty material. Access to sites that are known to contain malware and viruses are also restricted. The best internet packages will have this as standard nowadays.

Which broadband providers offer the best security? 

You will need to decide whether or not you want to use the filters when you are getting your broadband first set up.  The settings can be changed at any time by simply logging into your account.  So you can always change your mind on whether you want to use the filters or not.

Software

Some broadband providers offer parental control software as part of their broadband packages. This type of software is widely available. Content filters are network-level filters and are applied to anyone who uses the connection.

By contrast, parental control software affects only the device that it is installed on.  So for example, if you install parent control software on your desktop computer, it will not affect what your children are doing when they are using their tablets and phones.

In addition to filtering inappropriate content out, like gambling-related, violent and pornographic sites, some of this software also lets you monitor the online activity of your children and even restrict what times of days certain websites can be used.

This can definitely come in handy.  You will finally have a way of keeping them off of sites like Facebook and YouTube when they are supposed to be doing their homework.

In general, any device that is able to access the internet has its own onboard parental control sets that can be tinkered with before allowing your children to use it.

That is particularly helpful if the broadband company provides you with the software that is the kind that applies to just one device at a time.

For example, Apple’s iPad and iPhone, have a broad range of restrictions, and you cause the settings menu to easily access them.  You can lock them in place and protect them using a password.

Those devices, in addition to many others, also allow you to disable paid transactions inside of games and apps.  That way your kids can run up any bills without you knowing about it!

There is no such thing as a flawless system. That is why it is a very good idea to make use of all of the different tools that are available to you.

When you place restrictions on the way devices can be used and also install software, it makes it double unlikely that your children will be exposed to any unsuitable or harmful material while they are online.

This will help to put your mind at ease, which is so important these days with all of the dangers lurking online.

Web browsers

At times your web browser, which is the program that is used for browsing the internet, allows you to block out certain kinds of websites.

Those settings may be used in conjunction with whatever software you have installed on your computer already which provides you with an added layer of protection.

For example, when the Google Chrome browser is used – which is a free download that is available to use – it includes a feature that allows you to set up different account profiles for managers and supervised users, which gives you full control of how your children can use the internet when they are online.

Once again it is best to use these features of the browser in combination with other parental controls, especially since the settings apply only to the Chrome browser.  More tech-savvy, older children can quickly discover a workaround, such as downloading another web browser other than Google Chrome.

Websites

On certain internet platforms and websites, like iTunes, YouTube, and Google, there is a family-friendly filter that can be switched on that should block out any content that isn’t suited for children to see.

Once again, keep in mind that there is no such thing as a flawless system so that is why it makes sense to use these features in combination with other kinds of parental controls.

This is only really effective to use with very young children since older kids can figure out how the filter can be turned off if they get curious enough and want to look at things that they know they aren’t allowed to.

General advice on how to get safe online

Get Safe Online, an internet safety initiative has provided the advice below. We hope you find it helpful to manage your children’s experiences online.

Set some boundaries even before your child gets their first internet connected device – whether it is a console, laptop, tablet, or mobile device.  After they have their device, it might be harder to change the settings or how they use it.

Network-level parental controls are offered by all major providers. When you switch to a different broadband package, you will have an option for turning content filtering on, so that adult material is blocked.

Keep in mind that doesn’t mean all bad stuff will be blocked – there is no such thing as a fully effective filter.  You will need to stay vigilant and supervise your children.

Have a discussion with your children about what is appropriate and safe to share and post online.

All videos, photos, and comments are part of a person’s ‘digital footprint’ and may be seen by anybody and be available forever on the internet.

Speak with your children about the type of content they view online, along with the precautions they need to take when they are communicating with others online – for example, to never share personal information with strangers.

Keep in mind that services such as YouTube and Facebook have a reason for having minimum age limits of 13 years old.  Don’t cave in to pressure – speak with your child’s school and other parents to be sure everyone is on the same page.

Explain to your children that being online doesn’t provide them with protection or anonymity. Make sure that you clearly tell them that they shouldn’t do anything over the internet that they wouldn’t feel completely comfortable doing in real life.

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Ali QamarAuthor Bio:
Ali Qamar is a privacy and cyber security enthusiast, his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs to name a few. He runs SpyAdvice.com currently. Follow Ali on Twitter @AliQammar57

 

 

 

Pierluigi Paganini

(Security Affairs – safety for kids, Internet)

The post Effective Tips for Internet Safety for Kids You Must Read appeared first on Security Affairs.



Security Affairs

Effective Tips for Internet Safety for Kids You Must Read

Online safety for your kids is very important.  However, that doesn’t necessarily mean that it needs to be hard work.

The key thing is to learn how to get parental controls set up properly so that you won’t have to worry as much about online safety when your kids start to use the internet for both school projects and entertainment.

There are many ways that the version of the internet that your kids see can be fine-tuned.  One option is to use a free content filter that is offered by all of the major providers.

There are also sophisticated software that is available for sale that you can invest in if you feel the need for a more advanced solution.

In order to determine which is best for you, we will be covering some of the major parental control options that are available to you.

In this article, we will be discussing various parent control options that are available to you.  However, keep in mind, that although there are some very useful parental control tools that are available – it is still important for you to watch what your children are doing when they are online as much as you can.  There is no substitute when it comes to parental supervision of children.

Content filters

All of the major UK broadband providers, including EE, Virgin Media, TalkTalk, Sky, and BT offer content filters as a standard feature.

They block off sites that contain material that is inappropriate for children, like self-harming, pornography, and other nasty material. Access to sites that are known to contain malware and viruses are also restricted. The best internet packages will have this as standard nowadays.

Which broadband providers offer the best security? 

You will need to decide whether or not you want to use the filters when you are getting your broadband first set up.  The settings can be changed at any time by simply logging into your account.  So you can always change your mind on whether you want to use the filters or not.

Software

Some broadband providers offer parental control software as part of their broadband packages. This type of software is widely available. Content filters are network-level filters and are applied to anyone who uses the connection.

By contrast, parental control software affects only the device that it is installed on.  So for example, if you install parent control software on your desktop computer, it will not affect what your children are doing when they are using their tablets and phones.

In addition to filtering inappropriate content out, like gambling-related, violent and pornographic sites, some of this software also lets you monitor the online activity of your children and even restrict what times of days certain websites can be used.

This can definitely come in handy.  You will finally have a way of keeping them off of sites like Facebook and YouTube when they are supposed to be doing their homework.

In general, any device that is able to access the internet has its own onboard parental control sets that can be tinkered with before allowing your children to use it.

That is particularly helpful if the broadband company provides you with the software that is the kind that applies to just one device at a time.

For example, Apple’s iPad and iPhone, have a broad range of restrictions, and you cause the settings menu to easily access them.  You can lock them in place and protect them using a password.

Those devices, in addition to many others, also allow you to disable paid transactions inside of games and apps.  That way your kids can run up any bills without you knowing about it!

There is no such thing as a flawless system. That is why it is a very good idea to make use of all of the different tools that are available to you.

When you place restrictions on the way devices can be used and also install software, it makes it double unlikely that your children will be exposed to any unsuitable or harmful material while they are online.

This will help to put your mind at ease, which is so important these days with all of the dangers lurking online.

Web browsers

At times your web browser, which is the program that is used for browsing the internet, allows you to block out certain kinds of websites.

Those settings may be used in conjunction with whatever software you have installed on your computer already which provides you with an added layer of protection.

For example, when the Google Chrome browser is used – which is a free download that is available to use – it includes a feature that allows you to set up different account profiles for managers and supervised users, which gives you full control of how your children can use the internet when they are online.

Once again it is best to use these features of the browser in combination with other parental controls, especially since the settings apply only to the Chrome browser.  More tech-savvy, older children can quickly discover a workaround, such as downloading another web browser other than Google Chrome.

Websites

On certain internet platforms and websites, like iTunes, YouTube, and Google, there is a family-friendly filter that can be switched on that should block out any content that isn’t suited for children to see.

Once again, keep in mind that there is no such thing as a flawless system so that is why it makes sense to use these features in combination with other kinds of parental controls.

This is only really effective to use with very young children since older kids can figure out how the filter can be turned off if they get curious enough and want to look at things that they know they aren’t allowed to.

General advice on how to get safe online

Get Safe Online, an internet safety initiative has provided the advice below. We hope you find it helpful to manage your children’s experiences online.

Set some boundaries even before your child gets their first internet connected device – whether it is a console, laptop, tablet, or mobile device.  After they have their device, it might be harder to change the settings or how they use it.

Network-level parental controls are offered by all major providers. When you switch to a different broadband package, you will have an option for turning content filtering on, so that adult material is blocked.

Keep in mind that doesn’t mean all bad stuff will be blocked – there is no such thing as a fully effective filter.  You will need to stay vigilant and supervise your children.

Have a discussion with your children about what is appropriate and safe to share and post online.

All videos, photos, and comments are part of a person’s ‘digital footprint’ and may be seen by anybody and be available forever on the internet.

Speak with your children about the type of content they view online, along with the precautions they need to take when they are communicating with others online – for example, to never share personal information with strangers.

Keep in mind that services such as YouTube and Facebook have a reason for having minimum age limits of 13 years old.  Don’t cave in to pressure – speak with your child’s school and other parents to be sure everyone is on the same page.

Explain to your children that being online doesn’t provide them with protection or anonymity. Make sure that you clearly tell them that they shouldn’t do anything over the internet that they wouldn’t feel completely comfortable doing in real life.

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Ali QamarAuthor Bio:
Ali Qamar is a privacy and cyber security enthusiast, his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs to name a few. He runs SpyAdvice.com currently. Follow Ali on Twitter @AliQammar57

 

 

 

Pierluigi Paganini

(Security Affairs – safety for kids, Internet)

The post Effective Tips for Internet Safety for Kids You Must Read appeared first on Security Affairs.

Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election

The special prosecutor Robert Mueller has accused thirteen Russian nationals of tampering with the 2016 presidential election and charged them with conspiring against the United States.

Thirteen Russian nationals and three Russian entities have been indicted for a massive operation aimed to influence the 2016 Presidential election.

The special prosecutor Robert Mueller has accused the defendants of tampering with the 2016 US presidential election and charged them with conspiring against the United States.

According to the results of the investigation conducted by the prosecutor, the Internet Research Agency, a Russian organization, and the 13 Russians began targeting the United States back in 2014.

Russian nationals used stolen American identities and local computer infrastructure to influence the 2016 Presidential election, the group deliberately denigrate the candidate Clinton to support Trump.

“Certain Defendants traveled to the United States under false pretenses for the purpose of
collecting intelligence to inform Defendants’ operations. Defendants also procured and used
computer infrastructure, based partly in the United States, to hide the Russian origin of their
activities and to avoid detection by U.S. regulators and law enforcement.” reads the Mueller’s indictment.

“Defendant ORGANIZATION had a strategic goal to sow discord in the U.S. political
system, including the 2016 U.S. presidential election. Defendants posted derogatory information
about a number of candidates, and by early to mid-2016, Defendants’ operations included
supporting the presidential campaign of then-candidate Donald J. Trump (“Trump Campaign”) and
disparaging Hillary Clinton.”

The indictment states the Russian organization since April 2014 created a specific section focused on the US population that acted to influence the sentiment of citizens on the candidates through social media platforms, including Facebook, Instagram, Twitter, and YouTube. By 2014,

The group used VPN services to connect from Russia to the US and manage their network of social media accounts.

The organization would use email addresses such as staceyredneck@gmail.com during its activities.

The Russian propaganda machine created and controlled numerous social media accounts, one of them is the Twitter account “Tennessee GOP,” which used the
handle @TEN_GOP.

“The @TEN_GOP account falsely claimed to be controlled by a U.S. state
political party. Over time, the @TEN_GOP account attracted more than 100,000 online followers.” continues the Indictment.

The group used stolen identities of US citizens to buy political advertisements on social media, they also recruited Americans to spread derogatory information.

We are facing with a powerful and efficient propaganda machine. defendants and their conspirators
constantly monitored their campaign over social media. They measured the
size of the online U.S. audiences reached by their actions and the types of engagement with the
posts.

The activity of the organization was very active in 2016, when defendants posing as American citizens and communicating with Americans began to gather intelligence to better target their campaign.

“In order to carry out their activities to interfere in US political and electoral processes without detection of their Russian affiliation, the Defendants conspired to obstruct the lawful functions of the United States government through fraud and deceit, including by making expenditures in connection with the 2016 US presidential election without proper regulatory disclosure; failing to register as foreign agents carrying out political activities within the United States; and obtaining visas through false and fraudulent statements,” the indictment reads.

Social media giants Facebook and Twitter are both accused of running ads and promoted content for the groups operated by the Organization.

Twitter has admitted the involvement of thousands of bot accounts in Russian propaganda, the company has deleted 200,000 tweets posted by army of trolls used by the Kremlin.

Pierluigi Paganini

(Security Affairs – Mueller’s indictment, 2016 Presidential election)

The post Prosecutor Robert Mueller indicted 13 Russians for a massive operation aimed to influence Presidential election appeared first on Security Affairs.

Security Affairs: Researchers spotted a new malware in the wild, the Saturn Ransomware

Researchers at the MalwareHunterTeam spotted a new strain of ransomware called Saturn Ransomware, the name derives from the .saturn extension it appends to the name of the encrypted files.

Currently, the malware requests victims of $300 USD payment that doubles after 7 days.

Once infected a system, the Saturn Ransomware checks if it is running in a virtual environment and eventually it halts the execution to avoid being analyzed by researchers.

Then it performs a series of actions to make impossible for the victims restoring the encrypted files, it deletes shadow volume copies, disables Windows startup repair, and to clear the Windows backup catalog.

Below the command executed by the malicious code:


At this point, the Saturn ransomware is ready to encrypt files having certain file types.

The ransomware such as many other threats uses a Tor payment site that is reported in the ransom note dropped on the machine while the Saturn ransomware is encrypting the files.

“While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder that it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims files and a link to the TOR payment site at su34pwhpcafeiztt.onion.” wrote Larwrence Abrams from Bleeping Computer.

Saturn Ransomware

File encrypted by the Saturn Ransomware (Source Bleeping computer)

The Saturn ransomware also drops a #DECRYPT_MY_FILES#.vbs triggers an audio message to the victims, and it sets your Windows desktop background to  #DECRYPT_MY_FILES.BMP.

The authentication to TOR site is made by uploading the key file, then users will display the Saturn Decryptor page for the victim that includes detailed instructions.

Researchers are still analyzing the Saturn ransomware, even if it is being actively distributed, it is still unclear what distribution vector threat actors are using to spread it.

Further information, including the Indicators of compromise (IoCs), are available in the blog post published by Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Saturn, cybercrime)

The post Researchers spotted a new malware in the wild, the Saturn Ransomware appeared first on Security Affairs.



Security Affairs

Researchers spotted a new malware in the wild, the Saturn Ransomware

Researchers at the MalwareHunterTeam spotted a new strain of ransomware called Saturn Ransomware, the name derives from the .saturn extension it appends to the name of the encrypted files.

Currently, the malware requests victims of $300 USD payment that doubles after 7 days.

Once infected a system, the Saturn Ransomware checks if it is running in a virtual environment and eventually it halts the execution to avoid being analyzed by researchers.

Then it performs a series of actions to make impossible for the victims restoring the encrypted files, it deletes shadow volume copies, disables Windows startup repair, and to clear the Windows backup catalog.

Below the command executed by the malicious code:


At this point, the Saturn ransomware is ready to encrypt files having certain file types.

The ransomware such as many other threats uses a Tor payment site that is reported in the ransom note dropped on the machine while the Saturn ransomware is encrypting the files.

“While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder that it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims files and a link to the TOR payment site at su34pwhpcafeiztt.onion.” wrote Larwrence Abrams from Bleeping Computer.

Saturn Ransomware

File encrypted by the Saturn Ransomware (Source Bleeping computer)

The Saturn ransomware also drops a #DECRYPT_MY_FILES#.vbs triggers an audio message to the victims, and it sets your Windows desktop background to  #DECRYPT_MY_FILES.BMP.

The authentication to TOR site is made by uploading the key file, then users will display the Saturn Decryptor page for the victim that includes detailed instructions.

Researchers are still analyzing the Saturn ransomware, even if it is being actively distributed, it is still unclear what distribution vector threat actors are using to spread it.

Further information, including the Indicators of compromise (IoCs), are available in the blog post published by Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Saturn, cybercrime)

The post Researchers spotted a new malware in the wild, the Saturn Ransomware appeared first on Security Affairs.

Unknown hackers stole $6 million from a Russian bank via SWIFT system last year

A new attack against the SWIFT system made the headlines again, unknown hackers have stolen 339.5 million roubles (roughly $6 million) from a Russian bank last year.

The news of the attack against the international payments messaging system was reported on Friday by the Russian central bank, this is the last incident of a long string of cyber heists.

“The volume of unsanctioned operations as a result of this attack amounted to 339.5 million roubles,” states the Russian central bank.

“The central bank said it had been sent information about “one successful attack on the work place of a SWIFT system operator.” reported the Reuters agency.

The spokesman did not provide details about the attack, he quoted Artem Sychev, deputy head of the central bank’s security department, as saying the hackers implemented “a common scheme”.

“When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment,” said Natasha de Teran, a spokeswoman for SWIFT.

SWIFT Taiwan bank hach

SWIFT highlighted that its “own systems” have never been compromised by attackers in past attacks.

“Brussels-based SWIFT said late last year digital heists were becoming increasingly prominent as hackers use more sophisticated tools and techniques to launch new attacks.” continues the Reuters.

This isn’t the only cyber attacks against a Russian bank that attempted to steal money through the SWIFT system, in December, hackers tried to steal 55 million roubles from Russian state bank Globex.

The string of attacks began with the cyber attack against Bangladesh Bank in February 2016 that resulted in the theft of $81 million.

Even if the SWIFT hasn’t revealed the exact number of victims of the SWIFT hackers, details on some attacks were revealed, such as the attack on Taiwan’s Far Eastern International Bank.

Pierluigi Paganini

(Security Affairs – Russia, Russian central bank)

The post Unknown hackers stole $6 million from a Russian bank via SWIFT system last year appeared first on Security Affairs.

Security Affairs: Unknown hackers stole $6 million from a Russian bank via SWIFT system last year

A new attack against the SWIFT system made the headlines again, unknown hackers have stolen 339.5 million roubles (roughly $6 million) from a Russian bank last year.

The news of the attack against the international payments messaging system was reported on Friday by the Russian central bank, this is the last incident of a long string of cyber heists.

“The volume of unsanctioned operations as a result of this attack amounted to 339.5 million roubles,” states the Russian central bank.

“The central bank said it had been sent information about “one successful attack on the work place of a SWIFT system operator.” reported the Reuters agency.

The spokesman did not provide details about the attack, he quoted Artem Sychev, deputy head of the central bank’s security department, as saying the hackers implemented “a common scheme”.

“When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment,” said Natasha de Teran, a spokeswoman for SWIFT.

SWIFT Taiwan bank hach

SWIFT highlighted that its “own systems” have never been compromised by attackers in past attacks.

“Brussels-based SWIFT said late last year digital heists were becoming increasingly prominent as hackers use more sophisticated tools and techniques to launch new attacks.” continues the Reuters.

This isn’t the only cyber attacks against a Russian bank that attempted to steal money through the SWIFT system, in December, hackers tried to steal 55 million roubles from Russian state bank Globex.

The string of attacks began with the cyber attack against Bangladesh Bank in February 2016 that resulted in the theft of $81 million.

Even if the SWIFT hasn’t revealed the exact number of victims of the SWIFT hackers, details on some attacks were revealed, such as the attack on Taiwan’s Far Eastern International Bank.

Pierluigi Paganini

(Security Affairs – Russia, Russian central bank)

The post Unknown hackers stole $6 million from a Russian bank via SWIFT system last year appeared first on Security Affairs.



Security Affairs

119,000 Scanned IDs of FedEx-owned company Bongo International’s customers exposed online

Researchers discovered an Amazon S3 bucket contains personal information and scans of IDs of some 119,000 US and international citizens.

It has happened again, researchers discovered another unsecured Amazon S3 bucket holding a huge trove of data that was exposed online. The Amazon S3 bucket contains personal information and scans of IDs of some 119,000 US and international citizens, the discovered was made once again by Kromtech security experts earlier this month.

The data belongs to the FedEx-owned company Bongo International that provides support the online sales of North American retailers and brands to consumers in abroad. Bongo was acquired in 2014 by FedEx and was operating with the name FedEx Cross-Border International until it went out of the business in April 2017.

The AWS bucket contained more than 112,000 files, unencrypted information and ID scans of customers from many countries, including the US, Mexico, Canada, various EU countries, Saudi Arabia, Kuwait, Japan, Malaysia, China, Australia.

“Among other stuff, it contained more than 119 thousands of scanned documents of US and international citizens, such as passports, driving licenses, security IDs etc. IDs were accompanied by scanned “Applications for Delivery of Mail Through Agent” forms (PS Form 1583) – which also contained names, home addresses, phone numbers and zip codes.” reads the blog post published by the company.

ZDNet analyzed the documents and found scans of drivers’ licenses, national ID cards, work ID cards, voting cards, utility bills, vehicle registration forms, medical insurance cards, firearms licences, US military identification cards, and credit cards that customers used to verify their identity with the FedEx division.

“Among the exposed files, ZDNet confirmed drivers’ licenses, national ID cards, and work ID cards, voting cards, and utility bills. We also found resumes, vehicle registration forms, medical insurance cards, firearms licences, a few US military identification cards, and even a handful of credit cards that customers used to verify their identity with the FedEx division.” wrote Zack Whittaker on ZDNet.

“One identity card, when we checked, revealed the details of a senior official at the Netherlands’ Ministry of Defense.”

It seems that the Amazon S3 bucket includes data related to anybody who used Bongo International services between 2009 and 2012 and the bad news is that it has been available for public access for many years. As said, FexEx bought the company in 2014, it is likely it was not aware of the data leak at the time of the acquisition.

Amazon S3 bucket

Kromtech tried to contact FedEx without success, the company removed the S3 bucket only after its existence was publicly disclosed.

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure,” said FedEx spokesperson Jim McCluskey. “The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”

In October 2017, the Kromtech Security Center released a free scan tool that could allow admins to identify and secure Amazon S3 Buckets belonging to their organizations.

Let me suggest reading the guide published by the company to explain how to secure Amazon S3 buckets.

Pierluigi Paganini

(Security Affairs – FedEx, Amazon S3 bucket)

The post 119,000 Scanned IDs of FedEx-owned company Bongo International’s customers exposed online appeared first on Security Affairs.

Security Affairs: OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1

OpenSSL adds TLS 1.3 (Transport Layer Security) supports in the alpha version of OpenSSL 1.1.1 that was announced this week.

OpenSSL adds TLS 1.3 supports in the alpha version of OpenSSL 1.1.1 that was announced this week. TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.

“OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 1 has now been made available.” states the OpenSSL’s announcement

“This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The alpha release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html)”

The first Internet-Draft dates back to April 2014, in January it was presented the 23 and will expire on July 9, 2018.

One of the most debated problems when dealing with TLS is the role of so-called middleboxes, many companies need to inspect the traffic for security purposes and TLS 1.3 makes it very hard.

“The reductive answer to why TLS 1.3 hasn’t been deployed yet is middleboxes: network appliances designed to monitor and sometimes intercept HTTPS traffic inside corporate environments and mobile networks. Some of these middleboxes implemented TLS 1.2 incorrectly and now that’s blocking browsers from releasing TLS 1.3. However, simply blaming network appliance vendors would be disingenuous.” reads a blog post published by Cloudflare in December that explained the difficulties of mass deploying for the TLS 1.3.

According to the tests conducted by the IETF working group in December 2017, there was around a 3.25 percent failure rate of TLS 1.3 client connections.

OpenSSL TLS 1.3

TLS 1.3 will deprecate old cryptographic algorithms entirely, this is the best way to prevent the exploiting of vulnerabilities that affect the protocol and that can be mitigated only when users implement a correct configuration.

In the last few years, researchers discovered several critical issues in the protocol that have been exploited in attacks.

OpenSSL maintainers have completely redesigned the OpenSSL random number generator in the new version.

The new OpenSSL release also includes the implementation for SHA3 and multi-prime RSA, and the support for the SipHash set of pseudorandom functions.

Pierluigi Paganini

(Security Affairs – OpenSSL,  TLS 1.3)

The post OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1 appeared first on Security Affairs.



Security Affairs

OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1

OpenSSL adds TLS 1.3 (Transport Layer Security) supports in the alpha version of OpenSSL 1.1.1 that was announced this week.

OpenSSL adds TLS 1.3 supports in the alpha version of OpenSSL 1.1.1 that was announced this week. TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.

“OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 1 has now been made available.” states the OpenSSL’s announcement

“This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The alpha release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html)”

The first Internet-Draft dates back to April 2014, in January it was presented the 23 and will expire on July 9, 2018.

One of the most debated problems when dealing with TLS is the role of so-called middleboxes, many companies need to inspect the traffic for security purposes and TLS 1.3 makes it very hard.

“The reductive answer to why TLS 1.3 hasn’t been deployed yet is middleboxes: network appliances designed to monitor and sometimes intercept HTTPS traffic inside corporate environments and mobile networks. Some of these middleboxes implemented TLS 1.2 incorrectly and now that’s blocking browsers from releasing TLS 1.3. However, simply blaming network appliance vendors would be disingenuous.” reads a blog post published by Cloudflare in December that explained the difficulties of mass deploying for the TLS 1.3.

According to the tests conducted by the IETF working group in December 2017, there was around a 3.25 percent failure rate of TLS 1.3 client connections.

OpenSSL TLS 1.3

TLS 1.3 will deprecate old cryptographic algorithms entirely, this is the best way to prevent the exploiting of vulnerabilities that affect the protocol and that can be mitigated only when users implement a correct configuration.

In the last few years, researchers discovered several critical issues in the protocol that have been exploited in attacks.

OpenSSL maintainers have completely redesigned the OpenSSL random number generator in the new version.

The new OpenSSL release also includes the implementation for SHA3 and multi-prime RSA, and the support for the SipHash set of pseudorandom functions.

Pierluigi Paganini

(Security Affairs – OpenSSL,  TLS 1.3)

The post OpenSSL alpha adds TLS 1.3 support in the alpha version of OpenSSL 1.1.1 appeared first on Security Affairs.

A new text bomb threatens Apple devices, a single character can crash any apple iPhone, iPad Or Mac

Researchers discovered a new dangerous text bomb that crashes Apple devices, only a single character of the Indian Telugu language could create the chaos.

A new ‘text bomb’ threatens Apple devices, just a single character of the Indian alphabet (precisely the
Telugu language, a Dravidian language spoken in India by about 70 million people) can crash your device and block access to the Messaging app in iOS, including WhatsApp, Facebook Messenger, Outlook for iOS, Gmail, Safari and Messages for the macOS versions.

The issue seems not affect the beta versions of iOS 11.3 and Telegram and Skype applications.

First spotted by Italian Blog Mobile World, the text bomb affects a wide range of Apple devices, including iPads, Macs and even Watch OS devices running the latest versions of OS.

apple text bomb

The news of the bug was first reported on the Italian Blog Mobile World, the issue can be it can be easily exploited by anyone just by sending a message containing the Telugu character to the recipient.

Once the recipient receives the message or typed the Telugu symbol into the text editor, its Apple device will crash.

To fix the issue on the device that is crashing after received the text bomb is possible to send a message to the app that is crashing.

According to the bug report published on OpenRadar:

“When iOS, MacOS, watchOS try to render Indian symbol ‘‘ all of it has crashed Steps to Reproduce: Try to insert ‘‘ this symbol in any system text renderer like TextField, Label, TextView it always has crashed.”

“The issue was reported to Apple a few days ago, the tech giant will likely fix the issue in the iOS update before the release of iOS 11.3 that is planned for the next spring.”

Pierluigi Paganini

(Security Affairs – text bomb, Telugu language)

The post A new text bomb threatens Apple devices, a single character can crash any apple iPhone, iPad Or Mac appeared first on Security Affairs.

DELL EMC addressed two critical flaws in VMAX enterprise storage systems

Dell EMC addressed two critical vulnerabilities that affect the management interfaces for its VMAX enterprise storage systems.

The Dell EMC’s VMAX Virtual Appliance (vApp) Manager is an essential component of a wide range of the enterprise storage systems.

The first flaw tracked as CVE-2018-1215 is an arbitrary file upload vulnerability that could be exploited by a remote authenticated attacker to potentially upload arbitrary maliciously crafted files in any location on the web server. The flaw received a Common Vulnerability Scoring System (CVSS) base score of 8.8.

“Arbitrary file upload vulnerability A remote authenticated malicious user may potentially upload arbitrary maliciously crafted files in any location on the web server. By chaining this vulnerability with CVE-2018-1216, the attacker may use the default account to exploit this vulnerability.” reads the security advisory.

VMAX enterprise storage systems

The second flaw tracked as CVE-2018-1216 is an undocumented default account in the vApp Manager with a hard-coded password. The flaw received a Common Vulnerability Scoring System (CVSS) base score of 9.8.

“Hard-coded password vulnerability The vApp Manager contains an undocumented default account (ÒsmcÓ) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface.” continues the advisory. 

The CVE-2018-1215 could be chained with a second flaw tracked as CVE-2018-1216 to use a hard-coded password to a default account to exploit this vulnerability.

“The vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement) contains multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system.” states the security advisory issued by Dell EMC.

Affected products:

  • Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18
  • Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21
  • Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514
  • Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier)
  • Dell EMC has removed the default ÒsmcÓ account from new installs, but the company noticed that the account will not be removed after the upgrade of the vApp Manager application.

Pierluigi Paganini

(Security Affairs – VMAX enterprise storage systems, hacking)

The post DELL EMC addressed two critical flaws in VMAX enterprise storage systems appeared first on Security Affairs.

Security Affairs: UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack

The United Kingdon’s Foreign and Commonwealth Office formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The UK Government formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The United Kingdon’s Foreign and Commonwealth Office “attributed the NotPetya cyber-attack to the Russian Government.”

According to the UK, NotPetya was used to disrupt Ukrainian “financial, energy and government sector” targets, but it went out of control causing severe damages to companies worldwide.

notpetya

The shipping giant Maersk chair Jim Hagemann Snabe revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya the attack.

In August 2017 the company announced that it would incur hundreds of millions in U.S. dollar losses due to the ransomware massive attack.

The UK considers the attack an intolerable act and will not accept future similar offensives.

“Foreign Office Minister Lord Ahmad has today attributed the NotPetya cyber-attack to the Russian Government. The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity.” reads the official statement issued by the UK Government.

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt. Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

Below the declaration of the Foreign Office Minister for Cyber Security Lord (Tariq) Ahmad of Wimbledon:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.

The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather then secretly trying to undermine it.

The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

According to Ukraine’s Secret Service (SBY), Russia orchestrated the NotPetya ransomware attack, going public with their accusations just days after the incident.

NotPetya wasn’t the last massive ransomware attack in order of time, in October Bad Rabbit

NotPetya was followed by the Bad Rabbit ransomware that in late October infected systems in many countries wordlwide, most of in East Europe, such as Ukraine and Russia.

Pierluigi Paganini

(Security Affairs – NotPetya, ransomware)

The post UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack appeared first on Security Affairs.



Security Affairs

UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack

The United Kingdon’s Foreign and Commonwealth Office formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The UK Government formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack.

The United Kingdon’s Foreign and Commonwealth Office “attributed the NotPetya cyber-attack to the Russian Government.”

According to the UK, NotPetya was used to disrupt Ukrainian “financial, energy and government sector” targets, but it went out of control causing severe damages to companies worldwide.

notpetya

The shipping giant Maersk chair Jim Hagemann Snabe revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya the attack.

In August 2017 the company announced that it would incur hundreds of millions in U.S. dollar losses due to the ransomware massive attack.

The UK considers the attack an intolerable act and will not accept future similar offensives.

“Foreign Office Minister Lord Ahmad has today attributed the NotPetya cyber-attack to the Russian Government. The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity.” reads the official statement issued by the UK Government.

“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt. Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

Below the declaration of the Foreign Office Minister for Cyber Security Lord (Tariq) Ahmad of Wimbledon:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.

The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather then secretly trying to undermine it.

The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

According to Ukraine’s Secret Service (SBY), Russia orchestrated the NotPetya ransomware attack, going public with their accusations just days after the incident.

NotPetya wasn’t the last massive ransomware attack in order of time, in October Bad Rabbit

NotPetya was followed by the Bad Rabbit ransomware that in late October infected systems in many countries wordlwide, most of in East Europe, such as Ukraine and Russia.

Pierluigi Paganini

(Security Affairs – NotPetya, ransomware)

The post UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack appeared first on Security Affairs.

Security Affairs: SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues

SAP Security Notes – February 2018: SAP Security Notes February 2018 addressed several vulnerabilities including High-Risk flaws.

SAP has released February 2018 Patches that addressed some high-risk vulnerabilities in its software, a total of 26 Security Notes (5 high-, 19 medium- and 2 low-risk). Once again, the missing authorization check is the most common vulnerability type this month.

The Security Notes SAP addresses three cross-site scripting (XSS) vulnerabilities, two directory traversal flaws, two information disclosure bugs, two missing authorization checks, one unrestricted file upload, and other issues.

Affected products are the Internet Graphics Server (IGS), NetWeaver System Landscape Directory, HANA Extended Application Services, ABAP File Interface, SAP CRM, ERP Financials Information System, Netweaver Portal, Netweaver Java Web Application, CRM WebClient UI, BI Launchpad, and SAP HANA.

“On 13th of February 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

SAP Security Notes Feb 2018

SAP also addressed previous Security Notes that includes an incorrect authorization check in ERP Logistics, a cross-site request forgery (CSRF) vulnerability in SAP Sybase, and a flaw that ties the way the SAP Note Assistant handles digitally signed notes.

Three critical vulnerabilities were reported by Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov, researchers at ERPScan security firm.

The details of the issues fixed thanks to the support of the researchers are:

  • A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3 CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use Missing authorization check vulnerability for access to a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6 CVE-2018-2380). Update is available in SAP Security Note 2547431. An attacker can use Directory traversal to access to arbitrary files and directories located in a SAP-server file system including application source code, configuration and system files. It allows to obtain critical technical and business-related information stored in a vulnerable SAP-system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3 CVE-2018-2369). Update is available in SAP Security Note 2572940. An attacker can use Information disclosure vulnerability for revealing additional information (system data, debugging information, etc) which will help to learn about a system and to plan other attacks.

The most severe vulnerability addressed by the security updates is a missing authentication check in SAP NetWeaver System Landscape Directory tracked as CVE-2018-2368, which received a CVSS base score of 8.3.

The flaw could be exploited by an attacker to access a service without any authorization, a circumstance that could lead to several attacks, including the privilege escalation and information disclosure,

“A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3 CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use Missing authorization check vulnerability for access to a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks.” continues ERPScan.

The updates also addressed:

  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6 CVE-2018-2380) that could be exploited by an attacker to use Directory traversal to access to arbitrary files and directories located in a SAP-server file system including application source code, configuration and system files.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3 CVE-2018-2369). that could be exploited by an attacker for revealing additional information (system data, debugging information, etc).

Other vulnerabilities addressed this month included a directory traversal (CVE-2018-2367) in SAP ABAP File Interface (CVSS base score: 6.6) and a directory traversal (CVE-2018-2380) in SAP Internet Sales (CVSS base score: 6.6).

Further info related to the flaws addressed by SAP are available on the company blog.

Pierluigi Paganini

(Security Affairs – SAP Security Notes February 2018, cybersecurity)

The post SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues appeared first on Security Affairs.



Security Affairs

SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues

SAP Security Notes – February 2018: SAP Security Notes February 2018 addressed several vulnerabilities including High-Risk flaws.

SAP has released February 2018 Patches that addressed some high-risk vulnerabilities in its software, a total of 26 Security Notes (5 high-, 19 medium- and 2 low-risk). Once again, the missing authorization check is the most common vulnerability type this month.

The Security Notes SAP addresses three cross-site scripting (XSS) vulnerabilities, two directory traversal flaws, two information disclosure bugs, two missing authorization checks, one unrestricted file upload, and other issues.

Affected products are the Internet Graphics Server (IGS), NetWeaver System Landscape Directory, HANA Extended Application Services, ABAP File Interface, SAP CRM, ERP Financials Information System, Netweaver Portal, Netweaver Java Web Application, CRM WebClient UI, BI Launchpad, and SAP HANA.

“On 13th of February 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

SAP Security Notes Feb 2018

SAP also addressed previous Security Notes that includes an incorrect authorization check in ERP Logistics, a cross-site request forgery (CSRF) vulnerability in SAP Sybase, and a flaw that ties the way the SAP Note Assistant handles digitally signed notes.

Three critical vulnerabilities were reported by Mathieu Geli, Vahagn Vardanyan, and Vladimir Egorov, researchers at ERPScan security firm.

The details of the issues fixed thanks to the support of the researchers are:

  • A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3 CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use Missing authorization check vulnerability for access to a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks.
  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6 CVE-2018-2380). Update is available in SAP Security Note 2547431. An attacker can use Directory traversal to access to arbitrary files and directories located in a SAP-server file system including application source code, configuration and system files. It allows to obtain critical technical and business-related information stored in a vulnerable SAP-system.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3 CVE-2018-2369). Update is available in SAP Security Note 2572940. An attacker can use Information disclosure vulnerability for revealing additional information (system data, debugging information, etc) which will help to learn about a system and to plan other attacks.

The most severe vulnerability addressed by the security updates is a missing authentication check in SAP NetWeaver System Landscape Directory tracked as CVE-2018-2368, which received a CVSS base score of 8.3.

The flaw could be exploited by an attacker to access a service without any authorization, a circumstance that could lead to several attacks, including the privilege escalation and information disclosure,

“A Missing Authentication check vulnerability in SAP NetWeaver System Landscape Directory (CVSS Base Score: 8.3 CVE-2018-2368). Update is available in SAP Security Note 2565622. An attacker can use Missing authorization check vulnerability for access to a service without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks.” continues ERPScan.

The updates also addressed:

  • A Directory Traversal vulnerability in SAP Internet Sales (CVSS Base Score: 6.6 CVE-2018-2380) that could be exploited by an attacker to use Directory traversal to access to arbitrary files and directories located in a SAP-server file system including application source code, configuration and system files.
  • An Information Disclosure vulnerability in SAP HANA (CVSS Base Score: 5.3 CVE-2018-2369). that could be exploited by an attacker for revealing additional information (system data, debugging information, etc).

Other vulnerabilities addressed this month included a directory traversal (CVE-2018-2367) in SAP ABAP File Interface (CVSS base score: 6.6) and a directory traversal (CVE-2018-2380) in SAP Internet Sales (CVSS base score: 6.6).

Further info related to the flaws addressed by SAP are available on the company blog.

Pierluigi Paganini

(Security Affairs – SAP Security Notes February 2018, cybersecurity)

The post SAP Security Notes – February 2018 addresses tens of flaws including High Risk issues appeared first on Security Affairs.

Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities

Android Security Bulletin for February 2018 – Google has fixed tens of vulnerabilities for Android OS, including several critical remote code execution (RCE) flaws.

The Android Security Bulletin for February 2018 addresses 26 vulnerabilities in the mobile operating system, most of which are elevation of privilege flaws.

The 2018-02-01 security patch level fixed 7 vulnerabilities, 6 in Media Framework and one issue affecting the System component.

The tech giant has fixed two critical RCE vulnerabilities in Media Framework. The first issue is the CVE-2017-13228 that affects Android 6.0 and newer, the second one, tracked as CVE-2017-13230, impacts Android 5.1.1 and later.

Android Security Bulletin

Google also fixed other vulnerabilities in Media Framework, including an information disclosure vulnerability, an elevation of privilege bug, and several denial-of-service flaws.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.” states the advisory.

The most severe of these vulnerabilities is tracked as CVE-2017-13236, it is a System issue that could be exploited by an attacker to achieve remote code execution in the context of a privileged process. The attacker can trigger the flaw via email, web browsing, and MMS when processing media files.

The 2018-02-05 security patch level includes fixes for 19 vulnerabilities in HTC, Kernel, NVIDIA, Qualcomm, and Qualcomm closed-source components.

The most severe flaws included in the 2018-02-05 security patch level are two remote code execution vulnerabilities in Qualcomm components tracked as CVE-2017-15817 and CVE-2017-17760.

Google also released the Pixel / Nexus Security Bulletin that addresses 29 vulnerabilities in Google devices.

“The Pixel / Nexus Security Bulletin contains details of security vulnerabilities and functional improvements affecting supported Google Pixel and Nexus devices (Google devices). For Google devices, security patch levels of 2018-02-05 or later address all issues in this bulletin and all issues in the February 2018 Android Security Bulletin.” states Google.

“All supported Google devices will receive an update to the 2018-02-05 patch level. We encourage all customers to accept these updates to their devices.”

Pierluigi Paganini

(Security Affairs – Google, Android)

The post Android Security Bulletin – Google fixed several Critical Code Execution vulnerabilities appeared first on Security Affairs.

Security Affairs: Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys

Bitmessage developers have issued an emergency update for the PyBitmessage client that patches a critical remote code execution vulnerability that has been exploited in attacks.

Bitmessage development team has rolled out an emergency patch to address a zero-day vulnerability in the PyBitmessage client for Bitmessage, which a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users.

The flaw is critical remote code execution vulnerability that according to the experts was being exploited in the wild to steal Bitcoin wallet keys.

bitmessage app

According to the security advisory published by the development team developers, hackers exploited the flaw in attacks against users running PyBitmessage 0.6.2.

“A remote code execution vulnerability has been spotted in use against some users running PyBitmessage v0.6.2. The cause was identified and a fix has been added and released as 0.6.3.2. If you run PyBitmessage via code, we highly recommend that you upgrade to 0.6.3.2. Alternatively you may downgrade to 0.6.1 which is unaffected.” reads the advisory.

The message encoding vulnerability has been patched with the release of version 0.6.3.2. The developers highlighted that PyBitmessage 0.6.1 is not affected by the vulnerability, this means that users can also downgrade their version to mitigate the attacks.

According to the security advisor, hackers targeted also the Bitmessage core developer Peter Šurda, his keys were most likely compromised for this reason he has created a new support address.

“Bitmessage developer Peter Šurda’s addresses are to be considered compromised.” continues the advisory.

Users are recommended to change their passwords and create new bitmessage keys.

Šurda speculates the attacker exploited the zero-day to create a remote shell and steal bitcoins from Electrum wallets.

“The exploit is triggered by a malicious message if you’re the recipient (including joined chans),”Šurda wrote on Reddit thread. “The attacker ran an automated script but also opened, or tried to open, a remote reverse shell. The automated script looked in ~/.electrum/wallets, but when using the reverse shell he had access to other files as well.”

Bitmessage developers are still investigating the attacks.

Pierluigi Paganini

(Security Affairs – bitmessage app, zero-day)

The post Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys appeared first on Security Affairs.



Security Affairs

Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys

Bitmessage developers have issued an emergency update for the PyBitmessage client that patches a critical remote code execution vulnerability that has been exploited in attacks.

Bitmessage development team has rolled out an emergency patch to address a zero-day vulnerability in the PyBitmessage client for Bitmessage, which a Peer-to-Peer (P2P) communications protocol used to send encrypted messages to users.

The flaw is critical remote code execution vulnerability that according to the experts was being exploited in the wild to steal Bitcoin wallet keys.

bitmessage app

According to the security advisory published by the development team developers, hackers exploited the flaw in attacks against users running PyBitmessage 0.6.2.

“A remote code execution vulnerability has been spotted in use against some users running PyBitmessage v0.6.2. The cause was identified and a fix has been added and released as 0.6.3.2. If you run PyBitmessage via code, we highly recommend that you upgrade to 0.6.3.2. Alternatively you may downgrade to 0.6.1 which is unaffected.” reads the advisory.

The message encoding vulnerability has been patched with the release of version 0.6.3.2. The developers highlighted that PyBitmessage 0.6.1 is not affected by the vulnerability, this means that users can also downgrade their version to mitigate the attacks.

According to the security advisor, hackers targeted also the Bitmessage core developer Peter Šurda, his keys were most likely compromised for this reason he has created a new support address.

“Bitmessage developer Peter Šurda’s addresses are to be considered compromised.” continues the advisory.

Users are recommended to change their passwords and create new bitmessage keys.

Šurda speculates the attacker exploited the zero-day to create a remote shell and steal bitcoins from Electrum wallets.

“The exploit is triggered by a malicious message if you’re the recipient (including joined chans),”Šurda wrote on Reddit thread. “The attacker ran an automated script but also opened, or tried to open, a remote reverse shell. The automated script looked in ~/.electrum/wallets, but when using the reverse shell he had access to other files as well.”

Bitmessage developers are still investigating the attacks.

Pierluigi Paganini

(Security Affairs – bitmessage app, zero-day)

The post Hackers have exploited a zero-day in Bitmessage client to steal Electrum wallet keys appeared first on Security Affairs.

Windows Analytics now includes Meltdown and Spectre detector

Good news for administrators of Windows systems, Microsoft has added a Meltdown-and-Spectre detector to its telemetry analysis tool Windows Analytics.

Microsoft has added a Meltdown-and-Spectre detector to its telemetry analysis tool Windows Analytics. The Meltdown-and-Spectre detector was available since Tuesday when Microsoft announced the new capabilities implemented in the free Windows Analytics service

The new capabilities allow admin to monitor:

  • Anti-virus Status: Some anti-virus (AV) software may not be compatible with the required Windows Operating System updates. This status insight indicates if the devices’ anti-virus software is compatible with the latest Windows security update.
  • Windows Operating System Security Update Status: This Windows Analytics insight will indicate which Windows security update is running on any device and if any of these updates have been disabled. In some cases, IT Administrators may choose to install the security update, but disable the fix. Our complete list of Windows editions and security updates can be found in our Windows customer guidance article.
  • Firmware Status – This insight provides details about the firmware installed on the device. Specifically, this insight reports if the installed firmware indicates that it includes the specific protections required. Initially, this status will be limited to the list of approved and available firmware security updates from Intel4. We will be adding other CPU (chipset) partners’ data as it becomes available to Microsoft.

The check for the status of the Operating System could allow admins to verify if Meltdown and Spectre patched are correctly working.

The antivirus check allows admins to verify if the running AV is compatible with required Windows Operating System updates.

The check for firmware status currently works only for Intel chips.

Windows Analytics Meltdown Spectre

Meltdown-and-Spectre detector is available for Windows 7 through Windows 10 and requires that systems are running the February 2018 patch levels (Win7 SP1, KB2952664; Win8.1, KB2976978; and for Win10, KB4033631).

Pierluigi Paganini

(Security Affairs – Meltdown-and-Spectre detector, Windows Analytics)

The post Windows Analytics now includes Meltdown and Spectre detector appeared first on Security Affairs.

Security Affairs: Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws

Microsoft Patch Tuesday for February 2018 addressed a total of 50 vulnerabilities in affecting Windows operating system, Microsoft Office, web browsers and other products of the tech giant.

Fourteen issues are listed as critical, 34 are rated as important, and only two of them are rated as moderate in severity.

The list of critical vulnerability includes an information disclosure issue in the Edge browser, a remote code execution vulnerability in the Windows’ StructuredQuery component, a memory corruption in Outlook,  and several memory corruptions flaws that reside into the scripting engines used by both Edge and Internet Explorer.

One of the most severe vulnerabilities addressed by the Microsoft Patch Tuesday for February 2018 is a memory corruption flaw tracked as CVE-2018-0852 that affects Microsoft Outlook. The flaw could be exploited to achieve remote code execution on the targeted machines.

“A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

In order to trigger the flaw, an attacker can trick the victim into opening a specifically crafted message attachment or viewing it in the Outlook Preview Pane … yes simply viewing an email in the Preview Pane could allow code execution.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability.” continues the advisory.

Microsoft Patch Tuesday for February 2018

Another vulnerability affecting Outlook and addressed with the Microsoft Patch Tuesday for February 2018 is a privileged escalation issue tracked as CVE-2018-0850. The vulnerability is rated as important and can be exploited by an attacker by sending a specially crafted email to an Outlook user. The exploitation doesn’t require user’s action, the flaw is triggered when the message is merely received.

“An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB).” states the advisory published by Microsoft.

“To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.”

Another critical flaw fixed by Microsoft is an information disclosure vulnerability (CVE-2018-0763), that affects Microsoft Edge. The vulnerability ties to the way Microsoft Edge improperly handles objects in the memory.

An attacker can trigger the flaw to obtain sensitive information to compromise the target machine, but in this case, it needs the user’s interaction.

“An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.” state the advisory published by Microsoft.

“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

Let’s close with another issue fixed by Microsoft is the CVE-2018-0771 that affects Microsoft Edge, it was publicly known before by Microsoft.

“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.” states Microsoft.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Users have to apply security patches as soon as possible.

Pierluigi Paganini

(Security Affairs – Microsoft Patch Tuesday for February 2018, hacking)

The post Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws appeared first on Security Affairs.



Security Affairs

Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws

Microsoft Patch Tuesday for February 2018 addressed a total of 50 vulnerabilities in affecting Windows operating system, Microsoft Office, web browsers and other products of the tech giant.

Fourteen issues are listed as critical, 34 are rated as important, and only two of them are rated as moderate in severity.

The list of critical vulnerability includes an information disclosure issue in the Edge browser, a remote code execution vulnerability in the Windows’ StructuredQuery component, a memory corruption in Outlook,  and several memory corruptions flaws that reside into the scripting engines used by both Edge and Internet Explorer.

One of the most severe vulnerabilities addressed by the Microsoft Patch Tuesday for February 2018 is a memory corruption flaw tracked as CVE-2018-0852 that affects Microsoft Outlook. The flaw could be exploited to achieve remote code execution on the targeted machines.

“A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

In order to trigger the flaw, an attacker can trick the victim into opening a specifically crafted message attachment or viewing it in the Outlook Preview Pane … yes simply viewing an email in the Preview Pane could allow code execution.

“Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file designed to exploit the vulnerability.” continues the advisory.

Microsoft Patch Tuesday for February 2018

Another vulnerability affecting Outlook and addressed with the Microsoft Patch Tuesday for February 2018 is a privileged escalation issue tracked as CVE-2018-0850. The vulnerability is rated as important and can be exploited by an attacker by sending a specially crafted email to an Outlook user. The exploitation doesn’t require user’s action, the flaw is triggered when the message is merely received.

“An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB).” states the advisory published by Microsoft.

“To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.”

Another critical flaw fixed by Microsoft is an information disclosure vulnerability (CVE-2018-0763), that affects Microsoft Edge. The vulnerability ties to the way Microsoft Edge improperly handles objects in the memory.

An attacker can trigger the flaw to obtain sensitive information to compromise the target machine, but in this case, it needs the user’s interaction.

“An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user’s system.” state the advisory published by Microsoft.

“To exploit the vulnerability, in a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

Let’s close with another issue fixed by Microsoft is the CVE-2018-0771 that affects Microsoft Edge, it was publicly known before by Microsoft.

“A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.” states Microsoft.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”

Users have to apply security patches as soon as possible.

Pierluigi Paganini

(Security Affairs – Microsoft Patch Tuesday for February 2018, hacking)

The post Microsoft Patch Tuesday for February 2018 addresses 14 critical flaws appeared first on Security Affairs.

DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits

Security researchers spotted a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.

IoT devices continue to be a privileged target of cyber criminals, cyber attackers against so-called smart objects has seen a rapid evolution. Security researchers at NewSky Security (NewSky Security) have detected a new IoT botnet dubbed DoubleDoor that is able to bypass firewall as well as modem security using two backdoor exploits.

The analysis of the honeypot logs allowed the researchers to detect the new threat, it leverages two known backdoor exploits to manage two levels of authentications.

The first malicious code is the Juniper Networks SmartScreen OS exploit, it triggers the flaw CVE-2015–7755 to bypass the firewall authentication.

CVE-2015–7755 hardcoded backdoor affects the Juniper Networks’ ScreenOS software that powers their Netscreen firewalls.

“Essentially the telnet and SSH daemons of Netscreen firewalls can be accessed by using the hardcoded password <<< %s(un=’%s’) = %u with any username, regardless of it being valid or not.We saw its implementation in the initial attack cycle of DoubleDoor as it attacked our honeypots with username “netscreen” and the backdoor password.” wrote Ankit Anubhav, Principal Researcher, NewSky Security.

Once succeeded, the malicious code uses the CVE-2016–10401 Zyxel modem backdoor exploit to take full control over the IoT device.

The code is a privilege escalation exploit, “which is why the DoubleDoor attackers also performed a password based attack to get a basic privilege account like admin:CenturyL1nk before going for the superuser.”

“This time it was CVE-2016–10401 , a backdoor for ZyXEL PK5001Z devices. This backdoor is straight forward too, with a hardcoded su password as zyad5001.” continues the expert.

DoubleDoor

The experts highlighted that differently from other IoT botnets like Satori or Masuta, the DoubleDoor botnet doesn’t use a unique string in the reconnaissance phase.

“after the threat actors have performed the attack, they want a confirmation whether they were successful of getting control of the IoT device. For this, they try to invoke the shell with invalid commands. If the attacker has succeeded, it will show “{string}: applet not found” where {string} is the invalid command.” observed the research.

“DoubleDoor botnet takes care of this, by using a randomized string in every attack”

The DoubleDoor botnet seems to be in an early stage, most of the attacks are originated from South Korean IPs.

The botnet includes the code to target a limited number of devices, it will succeed only if the victim has a specific unpatched version of Juniper ScreenOS firewall which protects unpatched Zyxel modems.

“Double layer of IoT protection is more common in corporate environments, which don’t rely on built-in IoT authentication and like to protect it with another layer of firewall. Although such corporate devices can be lesser in number, getting control of corporate environment routers can be more valuable for an attacker as it can lead to targeted IoT attacks.” concluded the experts.

Pierluigi Paganini

(Security Affairs – DoubleDoor , IoT botnet)

The post DoubleDoor, a new IoT Botnet bypasses firewall using two backdoor exploits appeared first on Security Affairs.

All You Need to Know About North Korea and its cyber army

What Type Of Technology Does North Korea Have? How Did The Country Begin Using Hackers? How Do Hacking Efforts Comply with the Political Situation?

North Korea is not known for technological sophistication.  The country does not have any global technological franchises, such as Apple or Samsung, and its citizens continue to have limited access to any basic internet or smartphone apps.

However, the regime of Kim Jong Un has become increasingly adept at entering computer systems across the globe for the strategic benefit and financial gain.

According to statistics, North Korea‘s ‘cyber-soldiers’ have been linked to the stolen US-South Korean military plans, alleged theft of $60 million from a Taiwanese bank, and the collapse of the Seoul-based cryptocurrency exchange.

Even as the US begins to concentrate on the North Korean development of nuclear weapons, Kim Jong Un is attacking from the rear with aggressive NK hackers.

1.   What Type Of Technology Does North Korea Have?

The North Korean nation has experienced limited access to the free flow of online information. The majority of citizens can view only a few websites within the country, but with close government and media agency monitoring.

A select few of these agencies have international access, but the activities are carefully monitored to avoid any unwanted interactions.

For several years, North Korea had a single link to the global internet via the state-owned China United New Communications corporation; however, it recently secured a second link via Russian telecommunications company in October 2017.

According to Fergus Hanson, the head of the International Cyber Policy Center at the Australian Strategic Policy Institute, North Korea currently employees an estimated 1,700 state-sponsored hackers to deal with online interactions.

2.   How Did The Country Begin Using Hackers?

Kim Jong Il, the father of current leader Kim Jong Un, was an early proponent of technology to be used as a form of modern weaponry.

The military worked on several methods for disrupting GPS systems and setting off electromagnetic pulses to obstruct computer capabilities in other countries.

It is thought that North Korea set up Unit 121 – an early cyber-warrior squad approximately twenty years ago as part of the NK’s military.

The unit started to draw attention to its existence in 2004 during allegations of alleged ‘tapping’ into South Korea’s military wireless communication and for testing malicious computer coding.

In 2011, South Korea arrested five hackers allegedly working as North Korean hackers for stealing several millions of dollars via an online game.

3.   When Did the Hackers Show Signs Of Improvement?

North Korea’s ‘cyber-warriors’ began to draw international attention during 2014 when headlines stated an alleged intrusion into the Sony Corporation’s film business.

Sony was preparing to release a movie starring Seth Rogen and James Franco called ‘The Interview’ – a comedy about meeting the leader of North Korea.

All efforts of the intrusion seemed to be the protection of Kim’s image and punishment of the studio.

Leaked documentation of the hack-damaged careers in Hollywood resulted in Sony having to compensate over $8 million in damages.

Once North Korea got publicly identified as the perpetrator, the NK government denied involvement and publicly declared the US as slandering them.

Despite several accusations being made of hacking attacks, North Korea continues to deny their involvement.

4.   What is Happening at the Moment?

Currently, North Korea has improved the cyber attacks among rising tensions with the US and rest of the globe.  In 2016, a hacking group associated with North Korea getting accused of the theft of $81 million from a central bank account in Bangladesh.

In May 2017, cyber-security researchers linked the WannaCry ransom-ware attack to a North Korean hacking group known as Lazarus.

This hack resulted in the intrusion of over 300,000 computers and threatened the loss of data unless a ‘ransom’ was paid – typically, $300 in bitcoin within three days.

According to Europol, this is one of the most unprecedented hacks to date.

Despite the association with Lazarus, North Korean hackers have increased efforts to secure cryptocurrency, which could be used to avoid trade restrictions in recent sanctions approved by the UN.

South Korea is currently investigating the possible North Korean involvement of the cryptocurrency exchange eight months after the country hacked the target.

5.   Are the Hacks for Financial Gain Primarily?

Not exactly.

It was seen in October that a South Korean legal maker stated that Kim’s cyber-warriors stole military plans produced by South Korea in a case of armed conflict.

The plans included a classified section known as ‘decapitation strike, which was aimed at removing the North Korean leader.  The lawmaker attacked the South Korean armed forces for allowing the breach in military enforcement causing a mistake in the service.

Rhee Cheol-hee agrees that he had worked with defense officials and they are not supposed to save such vital data on PC files.

A US military aide stated that, despite the alleged hack, the UK continues to place confidence in South Korea and their ability to deal with the challenges of North Korea. Some suspect that North Korea may ramp up money counterfeiting to also help fund the regime.

6.   What are South Korea and the US Doing in Response?

Believe it or not, the US has not been standing by as North Korea regains its connection to the internet.  North Korea has restored an online relationship via Russia after China’s faltering strategy.

The link was reportedly distributed under a denial of service attack with a flood of data traffic being produced to overwhelm and obstruct computer systems in the US.

Meanwhile, US president Donald Trump has criticized the North Korean leader for this development of nuclear weapons stating that the US may use military force against the regime.

North Korea has, however, warned that nuclear war by occurring at any moment with South Korea and the UK being joined naval drills.

7.   How Do Hacking Efforts Comply with the Political Situation?

All hacking efforts appear to be continuing amidst the current political tensions.

North Korea’s hackers continue to push for valuable intelligence and harder currently, while traditional military forces engage with the chance of war.

While Lazarus may have been associated with the theft of $60 million from Taiwan’s Far Eastern International Bank, the malware used bore features of Lazarus and was an international highlight.

 

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Ali QamarAuthor Bio:
Ali Qamar is a tech and security enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. Currently, he is the chief editor at Cyberogism.com, an ultimate source for tech, security and innovation. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57

Pierluigi Paganini

(Security Affairs –  hacking,  WordPress)

Pierluigi Paganini

(Security Affairs – North Korea, Information Warfare)

The post All You Need to Know About North Korea and its cyber army appeared first on Security Affairs.

Security Affairs: A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.



Security Affairs

A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.

Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware

Security researcher Alexey Firsh at Kaspersky Lab last discovered a Telegram zero-day in the desktop Windows version that was exploited in attacks in the wild.

Security researcher Alexey Firsh at Kaspersky Lab last discovered a zero-day vulnerability in the desktop Windows version of the popular Telegram instant messaging app.

The bad news is that the Telegram zero-day flaw was being exploited by threat actors in the wild to deliver cryptocurrency miners for Monero and ZCash.

According to the expert, hackers have actively exploited the vulnerability since at least March 2017. Attackers tricked victims into downloading cryptocurrency miners or to establish a backdoor.

“In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.” reads the analysis of the expert.

The flaw is related to the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for any language that uses a right to left writing mode, like Arabic or Hebrew.

The attackers used a hidden RLO Unicode character in the file name that reversed the order of the characters, in this way the file name could be renamed. In a real attack scenario, then the attackers sent the file to the target recipient.

The crooks craft a malicious code to be sent in a message, let assume it is a JS file that is renamed as follows:

evil.js -> photo_high_re*U+202E*gnp.js  (— *U+202E* is the RLO character)

The RLO character included in the file name is used by an attacker to display the string gnp.js in reverse masquerading the fact that the file is a js and tricking the victims into believing that it is a harmless .png image.

Telegram zero-day

When the user clicks on the file, Windows displays a security notification if it hasn’t been disabled in the system’s settings.

telegram zero-day

If the user ignores the notification and clicks on ‘Run’, the malicious code executed.

The expert reported the Telegram zero-day to the company that promptly patched the flaw.

“Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products.” states the analysis published by Kaspersky.

“During their analysis, Kaspersky Lab experts identified several scenarios of zero-day exploitation in the wild by threat actors.”

The analysis of the servers used by the attackers revealed the presence of archives containing a Telegram’s local cache, this means that threat actors exploited the flaw to steal data from the victims.

In another attack scenario, crooks triggered the flaw to install a malware that leverages the Telegram API as a command and control mechanism.

“Secondly, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in the hackers gaining remote access to the victim’s computer. After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools.” continues the analysis.

According to the researcher, the flaw was known only in the Russia crime community, it was not triggered by other crooks.

To mitigate the attack, download and open files only from trusted senders.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

 

Pierluigi Paganini

(Security Affairs – Telegram Zero-Day, hacking)

The post Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware appeared first on Security Affairs.

Security Affairs: Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in seasonal campaigns of Valentine’s Day-themed spam emails.

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in the activity of the infamous botnet.

Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April 2017. The Necurs botnet was used in the past months to push many other malware, including LockyJaffGlobeImposterDridex , Scarab and the Trickbot.

Scammers are mow using the Necurs botnet to send out an amazing number of messages offering companionship waiting for Valentine’s day.

Crooks are using the spam messages to trick victims into sharing personal photos that are used later by cybercriminals to blackmail the victims.

According to the IBM X-Force team, the campaign started in mid-January, it leverages the overall Necurs botnet that is composed of 6 million bots.

“The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.” reads the analysis published by X-Force researchers.

The expert spotted two current campaigns that sent out a total 230 million spam messages in 14 days-period.

necurs spammers valentines day

 

The first campaign reached a peak between Jan. 16 and Jan. 18 and the second one began on Jan. 27 and lasted through Feb. 3. Researchers observed an average 30 million spam messages were sent each day.

“Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.” continues the analysis.”

The experts determined that the spam messages are being sent from about 950,000 unique IP addresses, Most of IP are hosted in Vietnam and India while the top sender IP address is hosted via a Pakistani-based ISP.

“Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.” added the researchers.

After the takedowns of the Andromeda and Avalanche botnets, Necurs remains the largest spam distributor in the cybercrime ecosystem. Crooks will continue to leverage the Necurs botnet for their spam campaigns, for this reason, the most effective countermeasure is to increase employee awareness on such kind of threats.

 

Pierluigi Paganini

(Security Affairs – Necurs botnet, Valentine’s Day)

The post Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam appeared first on Security Affairs.



Security Affairs

Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in seasonal campaigns of Valentine’s Day-themed spam emails.

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in the activity of the infamous botnet.

Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April 2017. The Necurs botnet was used in the past months to push many other malware, including LockyJaffGlobeImposterDridex , Scarab and the Trickbot.

Scammers are mow using the Necurs botnet to send out an amazing number of messages offering companionship waiting for Valentine’s day.

Crooks are using the spam messages to trick victims into sharing personal photos that are used later by cybercriminals to blackmail the victims.

According to the IBM X-Force team, the campaign started in mid-January, it leverages the overall Necurs botnet that is composed of 6 million bots.

“The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.” reads the analysis published by X-Force researchers.

The expert spotted two current campaigns that sent out a total 230 million spam messages in 14 days-period.

necurs spammers valentines day

 

The first campaign reached a peak between Jan. 16 and Jan. 18 and the second one began on Jan. 27 and lasted through Feb. 3. Researchers observed an average 30 million spam messages were sent each day.

“Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.” continues the analysis.”

The experts determined that the spam messages are being sent from about 950,000 unique IP addresses, Most of IP are hosted in Vietnam and India while the top sender IP address is hosted via a Pakistani-based ISP.

“Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.” added the researchers.

After the takedowns of the Andromeda and Avalanche botnets, Necurs remains the largest spam distributor in the cybercrime ecosystem. Crooks will continue to leverage the Necurs botnet for their spam campaigns, for this reason, the most effective countermeasure is to increase employee awareness on such kind of threats.

 

Pierluigi Paganini

(Security Affairs – Necurs botnet, Valentine’s Day)

The post Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam appeared first on Security Affairs.

New details emerge from Equifax breach, the hack is worse than previously thought

New documents provided by Equifax to senators revealed that the security breach suffered by the firm involved additional data for some customers.

In 2017 Equifax confirmed it has suffered a massive data breach, cyber criminals stole sensitive personal records of 145 million belonging to US citizens and hundreds of thousands Canada and in the UK.

Attackers exploited the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.

The vulnerability was fixed back in March, but the company did not update its systems, the thesis was also reported by an Apache spokeswoman to the Reuters agency.

Compromised records include names, social security numbers, birth dates, home addresses, credit-score dispute forms, and for some users also the credit card numbers and driver license numbers.

Now experts argue the Equifax hack is worse than previously thought, according to documents provided by Equifax to the US Senate Banking Committee the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.

This means that crooks have all necessary data to arrange any king of fraud by steal victims’ identities.

Equifax data breach

“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” criticized Senator Elizabeth Warren (D-MA) who disclosed the documents.

Equifax pointed out that additional info exposed after the security breach are only related to a limit number of users.

Another curious thing to observe about the Equifax case, it that C-Level management was allowed to retire with multi-million dollar severance pays.

On Monday, the company announced Jamil Farshchi as its Chief Information Security Officer (CISO), he replaces Chief Security Officer Susan Mauldin, who retired from the company after the data breach was disclosed in late 2017.

Pierluigi Paganini

(Security Affairs – Data Breach, hacking)

The post New details emerge from Equifax breach, the hack is worse than previously thought appeared first on Security Affairs.

Security Affairs: Pyeongchang – Olympic Destroyer Unleashed to Embarrass Pyeongchang 2018 Games

Shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

It is well known that big events attract the attention of hackers. The biggest event right now is the 2018 Winter Olympics in Pyeongchang, South Korea and it looks like the hackers have arrived. Shortly before the opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down. All systems were restored by 8AM on the following Saturday, and although individuals were unable to print event tickets during the outage, the organizing committee described the event as affecting only “noncritical systems.” Given the high profile of the games, the rumor mill immediately began spreading whispers that the outage was the result of a cyberattack.

After restoring services and investigating the cause, Sunday evening Pyeongchang 2018 spokesperson Sung Baik-you issued an official statement confirming that the outage resulted from a cyber attack.

“There was a cyber-attack and the server was updated yesterday during the day and we have the cause of the problem”, Sung Baik-you said.

Leading up to the Olympic Games there was a lot of speculation whether North Korea would attempt to disrupt the games. Along with China and Russia, North Korean cyberwarfare teams are often suspected in large-scale attack such as these. In this case, the International Olympics Committee (IOC) is refusing to participate in any speculation as to the source of the attacks.

“We wouldn’t start giving you the details of an investigation before it has come to an end, particularly because it involves security which at these games is incredibly important. I am sure you appreciate we need to maintain the security of our systems,” said Mark Adams, head of communications for the IOC.

While the IOC and Pyeongchang spokespeople are being cautious about releasing details to focus on ensuring security and safety of the games, Cisco Talos has been forthcoming with technical details of the attack. While they haven’t pointed fingers at specific attackers, but in a Talos blog post on February 12, they have stated, “[samples identified] are not from adversaries looking for information from the games but instead they are aimed to disrupt the games.”

Pyeongchang

According to their research, there are many similarities between the Pyeongchang attack, which they are dubbing “Olympic Destroyer”, and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on destruction and disruption of equipment not exfiltration of data or other, more subtle attacks. Using legitimate tools such as PsExec and WMI the attackers are specifically targeting the pyeongchang2018.com domain attempting to steal browser and system credentials to move laterally in the network and then wiping the victim computer to make it unusable.

While the source of the attacks is uncertain, the Cisco Talos blog post is clear in identifying motivation, “Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.

 

Pierluigi Paganini

(Security Affairs – Pyeongchang , hacking)

The post Pyeongchang – Olympic Destroyer Unleashed to Embarrass Pyeongchang 2018 Games appeared first on Security Affairs.



Security Affairs

Pyeongchang – Olympic Destroyer Unleashed to Embarrass Pyeongchang 2018 Games

Shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

It is well known that big events attract the attention of hackers. The biggest event right now is the 2018 Winter Olympics in Pyeongchang, South Korea and it looks like the hackers have arrived. Shortly before the opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down. All systems were restored by 8AM on the following Saturday, and although individuals were unable to print event tickets during the outage, the organizing committee described the event as affecting only “noncritical systems.” Given the high profile of the games, the rumor mill immediately began spreading whispers that the outage was the result of a cyberattack.

After restoring services and investigating the cause, Sunday evening Pyeongchang 2018 spokesperson Sung Baik-you issued an official statement confirming that the outage resulted from a cyber attack.

“There was a cyber-attack and the server was updated yesterday during the day and we have the cause of the problem”, Sung Baik-you said.

Leading up to the Olympic Games there was a lot of speculation whether North Korea would attempt to disrupt the games. Along with China and Russia, North Korean cyberwarfare teams are often suspected in large-scale attack such as these. In this case, the International Olympics Committee (IOC) is refusing to participate in any speculation as to the source of the attacks.

“We wouldn’t start giving you the details of an investigation before it has come to an end, particularly because it involves security which at these games is incredibly important. I am sure you appreciate we need to maintain the security of our systems,” said Mark Adams, head of communications for the IOC.

While the IOC and Pyeongchang spokespeople are being cautious about releasing details to focus on ensuring security and safety of the games, Cisco Talos has been forthcoming with technical details of the attack. While they haven’t pointed fingers at specific attackers, but in a Talos blog post on February 12, they have stated, “[samples identified] are not from adversaries looking for information from the games but instead they are aimed to disrupt the games.”

Pyeongchang

According to their research, there are many similarities between the Pyeongchang attack, which they are dubbing “Olympic Destroyer”, and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on destruction and disruption of equipment not exfiltration of data or other, more subtle attacks. Using legitimate tools such as PsExec and WMI the attackers are specifically targeting the pyeongchang2018.com domain attempting to steal browser and system credentials to move laterally in the network and then wiping the victim computer to make it unusable.

While the source of the attacks is uncertain, the Cisco Talos blog post is clear in identifying motivation, “Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.

 

Pierluigi Paganini

(Security Affairs – Pyeongchang , hacking)

The post Pyeongchang – Olympic Destroyer Unleashed to Embarrass Pyeongchang 2018 Games appeared first on Security Affairs.

Victims of the current version of the Cryakl ransomware can decrypt their files for free

Free decryption keys for the Cryakl ransomware were added to the free Rakhni Decryptor that could be downloaded on the NoMoreRansom website.

The Belgian Federal Police has located the command and control server used by a criminal organization behind the Cryakl ransomware. The server was located in an unspecified neighboring country, law enforcement seized it and shared the decryption keys found on the machine with the No More Ransom project.

“The Belgian Federal Police is releasing free decryption keys for the Cryakl ransomware today, after working in close cooperation with Kaspersky Lab. The keys were obtained during an ongoing investigation; by sharing the keys with No More Ransom the Belgian Federal Police becomes a new associated partner of the project – the second law enforcement agency after the Dutch National Police.” reads the statement published by the Europol.

“Led by the federal prosecutor’s office, the Belgian authorities seized this and other servers while forensic analysis worked to retrieve the decryption keys. Kaspersky Lab provided technical expertise to the Belgian federal prosecutor and has now added these keys to the No More Ransom portal on behalf of the Belgian federal police. This will allow victims to regain access to their encrypted files without having to pay to the criminals.”

The “exponential” rise in Ransomware threat represents a serious problem for users online and it is a profitable business for cyber criminals. The operation NO More Ransom is the response of the Europol of the growing threat.

Cryakl ransomware

Victims of Cryakl ransomware can recover encrypted files using the Rakhni Decryptor available for free from Kaspersky Lab or NoMoreRansom at the following URL.

The tool works with most versions of the Cryakl ransomware, but researchers at MalwareHunterTeam confirmed that it doesn’t work with versions newer than CL 1.4.0.

It has been estimated that the tool has helped more than 35,000 victims of ransomware to decrypt their files for free, an overall loss for crooks of over €10m.

“There are now 52 free decryption tools on www.nomoreransom.org, which can be used to decrypt 84 ransomware families. CryptXXX, CrySIS and Dharma are the most detected infections.” continues the statement.

The Belgian authorities are still investigating the case.

 

Pierluigi Paganini

(Security Affairs – Cryakl ransomware, cybercrime)

The post Victims of the current version of the Cryakl ransomware can decrypt their files for free appeared first on Security Affairs.

Cybersecurity week Round-Up (2018, Week 6)

Cybersecurity week Round-Up (2018, Week 6) -Let’s try to summarize the most important event occurred last week in 3 minutes.

Cyber criminals continue to target cryptocurrency industry with malware and phishing attacks.

Security researchers at Netlab have spotted a new Android mining botnet, dubbed ADB.miner, that targets devices with ADB interface open.

An international operation conducted by law enforcement allowed to dismantle the crime ring behind the Luminosity RAT. US authorities also announced to took down the global cyber theft ring known as Infraud Organization.

Good news for the Popular British hacktivist Lauri Love that will not be extradited to US, UK Court Ruled. The list of victims of the hacker includes the FBI, the Federal Reserve Bank NASA and the US Missile Defence Agency..

While Cisco and FireEye confirmed that North Korean Hacking Group exploited the recently discovered Adobe Flash 0-Day flaw,  Adobe rolled out an emergency patch that fixed it.

A security researcher ported the three NSA exploits released by Shadow Brokers crew to Metasploit, including EternalRomance.

For the second time, CISCO issues a security patch to fix a critical vulnerability in CISCO Adaptive Security Appliance. The company confirmed that threat actors are already attempting to exploit itare already attempting to exploit itin the wild .

While Intel releases new Spectre security updates, currently only for Skylake chips, VMware issues temporary mitigations for Meltdown and Spectre flaws.

The source code of the Apple iOS iBoot Bootloader leaked online, while Apple downplays the data leak security experts warn hacker can use it for a future jailbreak.

Swisscom data breach Hits 800,000 Customers, roughly 10% of Swiss population.

Crooks and experts devised new methods to exfiltrate data from compromised systems. Researchers at Forcepoint discovered a new piece of malware dubbed UDPOS that exfiltrates credit card data DNS queries.

The week ended with the discovery of an unpatchable flaw in Nintendo Switch bootROM by fail0verflow hacker group that exploited it to runs Linux OS on the console.

This week a researcher at Trustwave disclosed many vulnerabilities in NETGEAR routers, and Lenovo patches critical flaws that affect Broadcoms chipsets in dozens of Lenovo ThinkPad.

https://youtu.be/wVrJF7H4n1k

 

Pierluigi Paganini

(Security Affairs – cybersecurity, cyberweek)

The post Cybersecurity week Round-Up (2018, Week 6) appeared first on Security Affairs.

CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family

Researchers from CSE ZLAB malware Analysis Laboratory analyzed a set of samples of the Pallas malware family used by the Dark Caracal APT in its hacking operations.

The malware researchers from ZLab analyzed a collection of samples related to a new APT tracked as Dark Caracal, which was discovered by Electronic Frontier Foundation in collaboration with Lookout Mobile Security.

Dark Caracal has been active at least since 2012, but only recently it was identified as a powerful threat actor in the cyber arena.

The first analysis of the APT linked it to Lebanese General Directorate of General Security.

Dark Caracal is behind a number of stealth hacking campaigns that in the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

One of their most powerful campaigns started in the first months of last year, using a series of trojanized Android applications to steal sensitive data from the victim’s mobile device. The trojan injected in these applications is known in the threat landscape with the name Pallas.

Threat actors use the “repackaging” technique to generate its samples, they start from a legitimate application and inject the malicious code before rebuilding the apk.

The target applications belongs to specific categories, such as social chat app (Whatsapp, Telegram, Primo), secure chat app (Signal, Threema), or software related to secure navigation (Orbot, Psiphon).

The attackers used social engineering techniques to trick victims into installing the malware. Attackers use SMS, a Facebook message or a Facebook post, which invites the victim to download a new version of the popular app through from a specific URL

http://secureandroid[.]info,

All the trojanized app are hosted at the same URL.

Dark Caracal

Figure 1 – Dark Caracal Repository – Malicious site

This malware is able to collect a large amount of data and to send it to a C&C through an encrypted URL that is decrypted at runtime. The capabilities of the trojan are:

  • Read SMS
  • Send SMS
  • Record calls
  • Read calls log
  • Retrieve account and contacts information
  • Gather all stored media and send them to C2C
  • Download and install other malicious software
  • Display a phishing window in order to try to steal credentials
  • Retrieve the list of all devices connected to the same network

Further details are included in the complete report published by CSE.

You can download the full ZLAB Malware Analysis Report at the following URL:

20180212_CSE_DARK_CARACAL_Pallas_Report.pdf

Pierluigi Paganini

(Security Affairs – Dark Caracal, Pallas malware)

The post CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family appeared first on Security Affairs.

49% of crypto mining scripts are deployed on pornographic related websites

The number of crypto mining scripts discovered by security experts continues to increase, especially those ones illegally deployed by hacking servers online.

The experts from Qihoo 360’s Netlab analyzed crypto mining scripts online by analyzing DNS traffic with its DNSMon system. The experts were able to determine which sites load the scripts from domains associated with in-browser mining services.

According to the researchers, 49% of crypto mining scripts are deployed on pornographic related websites.

The study revealed that cryptocurrency mining scripts are also deployed on fraud sites (8%), advertising domains (7%), and cryptocurrency mining (7%).

0.2% of websites have web mining code embedded in the homepage : 241 (0.24%) in Alexa Top 100,000 websites, 629 (0.21%) in Alexa Top 300,000 websites” reads the analysis published by NetLab. 

“Pornographic related websites are the main body , accounting for 49% of these websites. Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories”

The most used crypto mining script is Coinhive (68%+10%), followed by JSEcoin (9%).

crypto currency mining scripts

The fact that cryptocurrency mining scripts are most deployed on porn websites is not a surprise because they have a large number of visitors that used to spend a lot of time watching their content.

Mining activities online are rapidly increasing, the following graph shows the mining site DNS traffic trends:

crypto currency mining scropts 2.png

Below the categories of new actors most involved in mining activities:

  • Advertisers : The mining activity of some websites is introduced by the advertisers’ external chains
  • Shell link : Some websites will use a “shell link” to obscure the mining site link in the source code
  • Short domain name service provider : goobo . COM .br Brazil is a short domain name service provider, the website home page, including a short domain name through the service generated when access to the link will be loaded coinhive mining
  • Supply chain contamination : the WWW . Midijs . NET is a JS-based MIDI file player, website source code used in mining to coinhive
  • Self-built pool : Some people in github open source code , can be used to build from the pool
  • Web users informed mining : authedmine . COM is emerging of a mining site, the site claims that only a clear case of known and authorized users, began mining
 

Pierluigi Paganini

(Security Affairs – crypto currency mining scripts, Monero)

The post 49% of crypto mining scripts are deployed on pornographic related websites appeared first on Security Affairs.

Security Affairs: Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack

Thousands of websites worldwide hijacked by a cryptocurrency mining code due to the hack of the popular Browsealoud plugin.

A massive attack hit thousands of websites around the world, crooks deployed Coinhive scripts forcing them to secretly mine cryptocurrencies on visitors’ browsers.

The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.

Once discovered the hack some sites web down, the ICO also took its website down.

The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.

In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.

The attackers injected an obfuscated version of the mining code in the plugin that once converted from hexadecimal back to ASCII allowed to load the mining code in the webpage.

cryptocurrency mining script obfuscated_mining_code

The alarm was thrown by the security expert Scott Helme who was contacted by a friend who sent him antivirus software warnings received after visiting a UK ICO website.

“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.said Helme.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

The expert suggests using the Subresource Integrity (SRI) technique to block unwanted code injected in affected websites.

Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”

Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”

The malicious code was removed by 1600 UTC today, the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.

 

 

Pierluigi Paganini

(Security Affairs – Browsealoud plugin, cryptocurrency mining script)

The post Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack appeared first on Security Affairs.



Security Affairs

Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack

Thousands of websites worldwide hijacked by a cryptocurrency mining code due to the hack of the popular Browsealoud plugin.

A massive attack hit thousands of websites around the world, crooks deployed Coinhive scripts forcing them to secretly mine cryptocurrencies on visitors’ browsers.

The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.

Once discovered the hack some sites web down, the ICO also took its website down.

The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.

In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.

The attackers injected an obfuscated version of the mining code in the plugin that once converted from hexadecimal back to ASCII allowed to load the mining code in the webpage.

cryptocurrency mining script obfuscated_mining_code

The alarm was thrown by the security expert Scott Helme who was contacted by a friend who sent him antivirus software warnings received after visiting a UK ICO website.

“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.said Helme.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

The expert suggests using the Subresource Integrity (SRI) technique to block unwanted code injected in affected websites.

Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”

Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”

The malicious code was removed by 1600 UTC today, the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.

 

 

Pierluigi Paganini

(Security Affairs – Browsealoud plugin, cryptocurrency mining script)

The post Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack appeared first on Security Affairs.

Security Affairs: Security Affairs newsletter Round 149 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

·      GandCrab, a new ransomware-as-a-service emerges from Russian crime underground
·      More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails
·      Security Affairs newsletter Round 148 – News of the week
·      UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine
·      Almost all WordPress websites could be taken down due to unpatched CVE-2018-6389 DoS flaw
·      Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild
·      Cybersecurity week Round-Up (2018, Week 5)
·      Hacking Amazon Key – Hacker shows how to access a locked door after the delivery
·      Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users
·      Abusing X.509 Digital Certificates to establish a covert data exchange channel
·      ADB.Miner, the Android mining botnet that targets devices with ADB interface open
·      Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation
·      Popular British hacktivist Lauri Love will not be extradited to US, UK Court Ruled
·      9 Tips to Prevent WordPress Hacks in this Dangerous Digital World
·      Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea
·      Automated Hacking Tool Autosploit Cause Concerns Over Mass Exploitation
·      Hackers can remotely access adult sex toys compromising at least 50.000 users
·      Researchers ported the NSA  EternalSynergy, EternalRomance, and EternalChampion to Metasploit
·      For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA
·      Intel releases new Spectre security updates, currently only for Skylake chips
·      Joomla 3.8.4 release addresses three XSS and SQL Injection vulnerabilities
·      Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.
·      US authorities dismantled the global cyber theft ring known as Infraud Organization
·      A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations
·      fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS
·      Researcher found multiple vulnerabilities in NETGEAR Routers, update them now!
·      Swisscom data breach Hits 800,000 Customers, 10% of Swiss population
·      The source code of the Apple iOS iBoot Bootloader leaked online
·      UDPOS PoS malware exfiltrates credit card data DNS queries
·      Lenovo patches critical flaws that affect Broadcoms chipsets in dozens of Lenovo ThinkPad
·      Online Auction Safety Tips for Buyers and Sellers
·      VMware releases temporary mitigations for Meltdown and Spectre flaws

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 149 – News of the week appeared first on Security Affairs.



Security Affairs

Security Affairs newsletter Round 149 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

·      GandCrab, a new ransomware-as-a-service emerges from Russian crime underground
·      More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails
·      Security Affairs newsletter Round 148 – News of the week
·      UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine
·      Almost all WordPress websites could be taken down due to unpatched CVE-2018-6389 DoS flaw
·      Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild
·      Cybersecurity week Round-Up (2018, Week 5)
·      Hacking Amazon Key – Hacker shows how to access a locked door after the delivery
·      Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users
·      Abusing X.509 Digital Certificates to establish a covert data exchange channel
·      ADB.Miner, the Android mining botnet that targets devices with ADB interface open
·      Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation
·      Popular British hacktivist Lauri Love will not be extradited to US, UK Court Ruled
·      9 Tips to Prevent WordPress Hacks in this Dangerous Digital World
·      Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea
·      Automated Hacking Tool Autosploit Cause Concerns Over Mass Exploitation
·      Hackers can remotely access adult sex toys compromising at least 50.000 users
·      Researchers ported the NSA  EternalSynergy, EternalRomance, and EternalChampion to Metasploit
·      For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA
·      Intel releases new Spectre security updates, currently only for Skylake chips
·      Joomla 3.8.4 release addresses three XSS and SQL Injection vulnerabilities
·      Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.
·      US authorities dismantled the global cyber theft ring known as Infraud Organization
·      A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations
·      fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS
·      Researcher found multiple vulnerabilities in NETGEAR Routers, update them now!
·      Swisscom data breach Hits 800,000 Customers, 10% of Swiss population
·      The source code of the Apple iOS iBoot Bootloader leaked online
·      UDPOS PoS malware exfiltrates credit card data DNS queries
·      Lenovo patches critical flaws that affect Broadcoms chipsets in dozens of Lenovo ThinkPad
·      Online Auction Safety Tips for Buyers and Sellers
·      VMware releases temporary mitigations for Meltdown and Spectre flaws

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 149 – News of the week appeared first on Security Affairs.

Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild

Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild and a Proof-of-concept exploit code is available online.

This week, Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.

This is the second the tech giant issued a security patch to fix the critical vulnerability in CISCO ASA, the first one released in January. The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.

The affected models are:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

Now the company confirmed that attackers are trying to exploit the vulnerability CVE-2018-0101 in attacks in the wild.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory,” reads the security advisory published by CISCO. the update states. “Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.”

The vulnerability was discovered by Cedric Halbronn and received a CVSS base score of 10.0, the highest one.

This week Halbronn presented its findings at the REcon conference in Brussels, in its speech titled ‘Robin Hood vs CISCO ASA Anyconnect.’ he highlighted that the vulnerability could be present up to seven years old because the AnyConnect Host Scan is available since 2011.

The new attack scenario covered with the new update sees an attacker exploiting the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.

CISCO ASA attack

A “Cisco ASA CVE-2018-0101 Crash PoC” was already published by some users on Pastebin.

 

Pierluigi Paganini

(Security Affairs – CISCO ASA, CVE-2018-0101)

The post Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild appeared first on Security Affairs.

Security Affairs: FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins

Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility because they are suspected for trying to using a supercomputer at the plant to mine Bitcoin.

The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at  Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.

Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

The Radiflow revealed that the cryptocurrency malware was designed to run in a stealth mode on a target system and even disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection could have e dramatic impact on ICS and SCADA systems because it could increase resources consumption affecting the response times of the systems used to control processes in the environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”

The nuclear research plant is located in Sarov, in 2011, the Russian Federation Nuclear Center deployed on a new petaflop-supercomputer.

The scientists are accused to have abused the computing power of one of Russia’s most powerful supercomputers located in the Federal Nuclear Center to mine Bitcoins.

Russian Federation Nuclear Center facility

The supercomputer normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. the Federal Security Service (FSB) has arrested the researchers.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”

 

Pierluigi Paganini

(Security Affairs – Russian Federation Nuclear Center facility, Mining)

The post FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins appeared first on Security Affairs.



Security Affairs

FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins

Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility because they are suspected for trying to using a supercomputer at the plant to mine Bitcoin.

The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at  Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.

Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

The Radiflow revealed that the cryptocurrency malware was designed to run in a stealth mode on a target system and even disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection could have e dramatic impact on ICS and SCADA systems because it could increase resources consumption affecting the response times of the systems used to control processes in the environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”

The nuclear research plant is located in Sarov, in 2011, the Russian Federation Nuclear Center deployed on a new petaflop-supercomputer.

The scientists are accused to have abused the computing power of one of Russia’s most powerful supercomputers located in the Federal Nuclear Center to mine Bitcoins.

Russian Federation Nuclear Center facility

The supercomputer normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. the Federal Security Service (FSB) has arrested the researchers.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”

 

Pierluigi Paganini

(Security Affairs – Russian Federation Nuclear Center facility, Mining)

The post FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins appeared first on Security Affairs.

Security Affairs: Online Auction Safety Tips for Buyers and Sellers

Buying or selling goods through online auctions is more popular than ever. Which are the best practices to follow for buyers and sellers for an online auction?

Buying or selling goods through online auctions is more popular than ever. Today, there are a number of different auctions sites available where sellers can post new and used items for sale.

Buyers often flock to these marketplaces, largely because auction prices tend to be quite low. Additionally, buying through online auctions is a great way to find unique items or collectibles that you simply can’t buy through traditional retail stores.

The vast majority of transactions that take place through these sites go off without a hitch. Occasionally, however, problems do occur.

There are instances where unscrupulous buyers or sellers try to take advantage of other people on the auction site.

By following a few simple online auction safety tips, you can ensure that you don’t fall victim to a scam.

A good place to start is by familiarizing yourself with some of the common risks including the following:

  • Sellers sometimes try to scam buyers by failing to send out items after they have already been paid for. Buyers, on the other hand, sometimes take advantage of sellers by failing to pay for the item after the seller has already sent it to them or claiming that they never received the item in order to get a refund.
  • Hackers or online thieves can take control of your account if they get access to your password. Not only can they use your account to make purchases but they can also steal your identity.
  • Buyers or sellers can sometimes use the personal information that is exchanged during a sale to steal your identity. For instance, if you use a personal check to pay for an item, and unscrupulous seller may try to steal your identity based on the information printed on your check.
  • Sellers sometimes may try to sell you a knockoff or copy rather than the actual item you are interested in purchasing.
  • Phishing scams may try to get you to share your information by posing as the auction site or as your payment processor. In most cases, these scams are designed to try to gain access to your banking information or to your password so that the perpetrators can steal your identity.

online auction

Now that you have a better idea of all of the things that can go wrong when buying through an online auction, you can take steps to prepare yourself. A good place to start is by familiarizing yourself with how each auction site is set up. Before posting an item for sale or placing a bid, spend some time performing the following tasks:

  • Try to get a sense of how the auction site works by watching several items. Pay particular attention to what happens at the end of the auction to see if there is a lot of last-minute bidding. You can then put auction software to work for you on bidding and selling.
  • Familiarize yourself with the website’s Terms of Use. Make sure you have a clear understanding of the various fees that are charged to both sellers and buyers.
  • Additionally, find out what steps they take to help protect users in the event that something goes awry with a transaction. Make sure that you fully understand the site’s rules before buying or selling items through their platform.
  • Find out what forms of payment the website recommends. In most cases, the best option is to use a service like PayPal rather than relying on other payment methods. Personal checks, wire transfers, money orders, cash, and credit or debit cards can be risky for both buyers and sellers. Services such as PayPal provide protection against problems that are commonly experienced online.
  • Protect your identity when creating your profile. Avoid including personally identifiable information in your profile. Try to keep your screen name and user account as anonymous as possible.
  • Choose your password carefully. The last thing that you want is for someone to be able to guess your password or to break it easily using software tools. Make sure your password is a minimum of 10 characters long. Include upper and lowercase letters along with symbols and numbers. Avoid including personal information such as your birthdate, age, or name in your password. Additionally, choose a different password for every site that you are on.

That way, even if hackers figure out your password on one site, they won’t be able to access your profiles on other sites.

Online auction – Before making a purchase or listing an item for sale, be sure to do careful research.

  • Start by taking a closer look at the reputation of the seller or buyer. Typically, the best option is to buy from sellers who have been selling through the platform for a long period of time and who have good feedback from buyers. Make sure all the transactions are completed through the auction site. Don’t fall for the scam where a seller tries to offer you a lower price if you buy the item from them directly rather than buying through the auction site.
  • Learn as much as you can about the item you are selling or buying. Find out how much the item is currently worth. Make sure that it is authentic and figure out what type of condition it is in. Buyers may want to consider saving a screenshot of the description so that they have proof that they can turn to if the item doesn’t live up to the seller’s promises.

About Author:

Ali Qamar is a privacy and cyber security enthusiast, his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs to name a few. He runs SpyAdvice.com currently.

 

 

Pierluigi Paganini

(Security Affairs – Online auction, identity theft)

The post Online Auction Safety Tips for Buyers and Sellers appeared first on Security Affairs.



Security Affairs

Online Auction Safety Tips for Buyers and Sellers

Buying or selling goods through online auctions is more popular than ever. Which are the best practices to follow for buyers and sellers for an online auction?

Buying or selling goods through online auctions is more popular than ever. Today, there are a number of different auctions sites available where sellers can post new and used items for sale.

Buyers often flock to these marketplaces, largely because auction prices tend to be quite low. Additionally, buying through online auctions is a great way to find unique items or collectibles that you simply can’t buy through traditional retail stores.

The vast majority of transactions that take place through these sites go off without a hitch. Occasionally, however, problems do occur.

There are instances where unscrupulous buyers or sellers try to take advantage of other people on the auction site.

By following a few simple online auction safety tips, you can ensure that you don’t fall victim to a scam.

A good place to start is by familiarizing yourself with some of the common risks including the following:

  • Sellers sometimes try to scam buyers by failing to send out items after they have already been paid for. Buyers, on the other hand, sometimes take advantage of sellers by failing to pay for the item after the seller has already sent it to them or claiming that they never received the item in order to get a refund.
  • Hackers or online thieves can take control of your account if they get access to your password. Not only can they use your account to make purchases but they can also steal your identity.
  • Buyers or sellers can sometimes use the personal information that is exchanged during a sale to steal your identity. For instance, if you use a personal check to pay for an item, and unscrupulous seller may try to steal your identity based on the information printed on your check.
  • Sellers sometimes may try to sell you a knockoff or copy rather than the actual item you are interested in purchasing.
  • Phishing scams may try to get you to share your information by posing as the auction site or as your payment processor. In most cases, these scams are designed to try to gain access to your banking information or to your password so that the perpetrators can steal your identity.

online auction

Now that you have a better idea of all of the things that can go wrong when buying through an online auction, you can take steps to prepare yourself. A good place to start is by familiarizing yourself with how each auction site is set up. Before posting an item for sale or placing a bid, spend some time performing the following tasks:

  • Try to get a sense of how the auction site works by watching several items. Pay particular attention to what happens at the end of the auction to see if there is a lot of last-minute bidding. You can then put auction software to work for you on bidding and selling.
  • Familiarize yourself with the website’s Terms of Use. Make sure you have a clear understanding of the various fees that are charged to both sellers and buyers.
  • Additionally, find out what steps they take to help protect users in the event that something goes awry with a transaction. Make sure that you fully understand the site’s rules before buying or selling items through their platform.
  • Find out what forms of payment the website recommends. In most cases, the best option is to use a service like PayPal rather than relying on other payment methods. Personal checks, wire transfers, money orders, cash, and credit or debit cards can be risky for both buyers and sellers. Services such as PayPal provide protection against problems that are commonly experienced online.
  • Protect your identity when creating your profile. Avoid including personally identifiable information in your profile. Try to keep your screen name and user account as anonymous as possible.
  • Choose your password carefully. The last thing that you want is for someone to be able to guess your password or to break it easily using software tools. Make sure your password is a minimum of 10 characters long. Include upper and lowercase letters along with symbols and numbers. Avoid including personal information such as your birthdate, age, or name in your password. Additionally, choose a different password for every site that you are on.

That way, even if hackers figure out your password on one site, they won’t be able to access your profiles on other sites.

Online auction – Before making a purchase or listing an item for sale, be sure to do careful research.

  • Start by taking a closer look at the reputation of the seller or buyer. Typically, the best option is to buy from sellers who have been selling through the platform for a long period of time and who have good feedback from buyers. Make sure all the transactions are completed through the auction site. Don’t fall for the scam where a seller tries to offer you a lower price if you buy the item from them directly rather than buying through the auction site.
  • Learn as much as you can about the item you are selling or buying. Find out how much the item is currently worth. Make sure that it is authentic and figure out what type of condition it is in. Buyers may want to consider saving a screenshot of the description so that they have proof that they can turn to if the item doesn’t live up to the seller’s promises.

About Author:

Ali Qamar is a privacy and cyber security enthusiast, his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs to name a few. He runs SpyAdvice.com currently.

 

 

Pierluigi Paganini

(Security Affairs – Online auction, identity theft)

The post Online Auction Safety Tips for Buyers and Sellers appeared first on Security Affairs.

Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad

According to a security advisory issued by Lenovo, two critical vulnerabilities in Broadcom chipsets affects at least 25 models of Lenovo ThinkPad.

The affected models are ThinkPad 10,  ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260 and ThinkPad Yoga 260.

One of the flaws was discovered in June by Google that publicly disclosed it in September. Google also published a proof-of-concept exploit for a Wi-Fi firmware vulnerability affecting Broadcom chipsets in iOS 10 and earlier.

The flaw tracked as CVE-2017-11120, is a memory corruption vulnerability that could be exploited by attackers to execute code and establish a backdoor on a targeted device. T

The flaw initially reported affecting specific Broadcom chipsets used in Apple iPhones, Apple TV, and Android devices was patched in the same month.

The vulnerability, tracked as CVE-2017-11120, is a memory corruption vulnerability, Apple addressed it in the security update for the release of iOS 11.

Now Lenovo warns of the presence of the flaw in two dozen ThinkPad models that use Broadcom’s BCM4356 Wireless LAN Driver for Windows 10.

The Broadcom Wi-Fi chipsets used by Lenovo ThinkPad devices are affected by the CVE-2017-11120 flaw and also by the CVE-2017-11121 vulnerability, both issue are rated as “critical” and received a CVSS 10 score.

“Broadcom has issued an advisory for certain Broadcom WiFi controllers used by many computer and device makers, which contain buffer overflow vulnerabilities on the adapter (not the system CPU).“reads the security advisory.” Broadcom initially did not plan to remediate these issues, but when the WPA2 KRACK issue also emerged, Broadcom combined both fixes in to a single set of driver updates. Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed.” 

The flaws can be exploited by remote attackers to execute arbitrary code on the adapter (not the system’s CPU) of the target system.

The CVE-2017-11121 vulnerability was also discovered by Google experts, it is a buffer overflow vulnerability caused by improper validation of Wi-Fi signals.

“Properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects,” reads the description for the flaw.

Lenovo users urge to update the Wi-Fi driver for their ThinkPad models.

 

Pierluigi Paganini

(Security Affairs – Lenovo Thinkpad, Broadcom Wi-Fi chipsets)

The post Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad appeared first on Security Affairs.

VMware releases temporary mitigations for Meltdown and Spectre flaws

VMware has provided detailed instruction on how to mitigate the Meltdown and Spectre vulnerabilities in several of its products.

VMware is releasing patches and workarounds for its Virtual Appliance products affected by the Meltdown and Spectre vulnerabilities.

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The mitigations measures could be applied to vCloud Usage Meter, Identity Manager (vIDM), vCenter Server, vSphere Data Protection, vSphere Integrated Containers and vRealize Automation (vRA).

“VMware Virtual Appliance updates address side-channel analysis due to speculative execution” states the advisory published by the company.

VMware

The company acknowledged problems for its virtual appliances and opted to release workarounds to protect its customers. The proposed solutions are only temporary waiting for a permanent fix that will be released as soon as they are available.

The complete list of workarounds is available here, in some cases, admins can mitigate the issue by launching a few commands as a privileged user, in other cases the procedure to deploy mitigations is more complex.

 

Pierluigi Paganini

(Security Affairs – Spectre patches, VMware )

The post VMware releases temporary mitigations for Meltdown and Spectre flaws appeared first on Security Affairs.

fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS

The group of hackers known as ‘fail0verflow’ has discovered a vulnerability in the gaming console Nintendo Switch that could be exploited to install a Linux distro.

The hackers announced their discovery in a post on Twitter, the published an image of a console running the Debian Linux distro after the hack.

The fail0verflow group revealed that the exploit triggers a flaw in the boot ROM process of the Nvidia Tegra X1 chip that powers the console, if confirmed the issue cannot be solved with a software o firmware update.

When asked if they have built the hack on nvtboot the group No closed-source boot chain components were involved.

Discovery of a flaw in the Boot ROM opens the door to the hack of the console for other purposes, for example to the piracy.

nintendo switch

In a next future, hackers could find a way to install homebrew apps and pirated games on the Nintendo Switch.

On the other side, Nintendo could work with Nvidia on new secure Tegra X1 chips, as a temporary solution it could ban users with hacked consoles to ban these users from online play.

 

Pierluigi Paganini

(Security Affairs – Nintendo Switch, hacking)

The post fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS appeared first on Security Affairs.

Security Affairs: fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS

The group of hackers known as ‘fail0verflow’ has discovered a vulnerability in the gaming console Nintendo Switch that could be exploited to install a Linux distro.

The hackers announced their discovery in a post on Twitter, the published an image of a console running the Debian Linux distro after the hack.

The fail0verflow group revealed that the exploit triggers a flaw in the boot ROM process of the Nvidia Tegra X1 chip that powers the console, if confirmed the issue cannot be solved with a software o firmware update.

When asked if they have built the hack on nvtboot the group No closed-source boot chain components were involved.

Discovery of a flaw in the Boot ROM opens the door to the hack of the console for other purposes, for example to the piracy.

nintendo switch

In a next future, hackers could find a way to install homebrew apps and pirated games on the Nintendo Switch.

On the other side, Nintendo could work with Nvidia on new secure Tegra X1 chips, as a temporary solution it could ban users with hacked consoles to ban these users from online play.

 

Pierluigi Paganini

(Security Affairs – Nintendo Switch, hacking)

The post fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS appeared first on Security Affairs.



Security Affairs

A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations

Security expert Paulos Yibelo has discovered a vulnerability in Hotspot Shield VPN from AnchorFree that can expose locations of the users.

Paulos Yibelo, a security researcher, has discovered a vulnerability that can expose users and locations around the globe compromising their anonymity and privacy. The company has about 500 million users globally.

VPN services providers are used nowadays to protect the identity of individual users and against the eavesdropping of their browsing habits. In countries like North Korea and China they are popular among political activists or dissidents where internet access is restricted because of censorship or heavily monitored once these services hide the IP addresses of the real users, that can be used to locate the person real address.

The Great Firewall of China is an example. Locating a Hotspot Shield user in a rogue country could pose a risk to their life and their families.

The VPN Hotspot Shield developed by AnchorFree to secure the connection of users and protect their privacy contained flaws that allow sensitive information disclosure such as the country, the name of WIFI network connection and the user’s real IP address, according to the researcher.

“By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located, you can narrow down a list of places where your victim is located”. states Paulos Yibelo.

The vulnerability CVE-2018-6460 was published without a response from the company on Monday, but on Wednesday a patch was released to address the issue. The vulnerability is present on the local web server (127.0.0.1 on port 895) that Hotspot Shield installs on the user’s machine.

“http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information. There are other multiple endpoints that return sensitive data including configuration details.” continues the researcher. 

“While that endpoint is presented without any authorization, status.js is actually a JSON endpoint so there are no sensitive functions to override, but when we send the parameter func with $_APPLOG.Rfunc, it returns that function as a JSONP name. We can obviously override this in our malicious page and steal its contents by supplying a tm parameter timestamp, that way we can provide a logtime“.

Once running, the server hosts multiple JSONP endpoints, with no authentication requests and also with responses that leak sensitive information pertaining the VPN service, such as the configuration details. The researcher released a proof of concept (PoC) for the flaw, however, the reporter Zack Whittaker, from ZDNET, independently verified that flaw revealed only the Wi-Fi network name and the country, not the real IP address.

The company replied to the researcher allegation:

“We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country. We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information”. 

VPN HOTSPOT PoC

Sources:

https://threatpost.com/hotspot-shield-vulnerability-could-reveal-juicy-info-about-users-researcher-claims/129817/

https://www.helpnetsecurity.com/2018/02/07/hotspot-shield-vpn-flaw/

https://irishinfosecnews.wordpress.com/2018/02/07/hotspot-shield-vulnerability-could-reveal-juicy-info-about-users-researcher-claims/

http://www.zdnet.com/article/privacy-flaw-in-hotspot-shield-can-identify-users-locations/

http://www.ubergizmo.com/2018/02/security-flaw-hotspot-shield-vpn-expose-users/

https://betanews.com/2018/02/07/hotspot-shield-vpn-flaw/

https://thehackernews.com/2018/02/hotspot-shield-vpn-service.html

http://www.securitynewspaper.com/2018/02/07/flaw-hotspot-shield-can-expose-vpn-users-locations/

http://seclists.org/fulldisclosure/2018/Feb/11

https://blogs.securiteam.com/index.php/archives/3604

http://www.paulosyibelo.com/2018/02/hotspot-shield-cve-2018-6460-sensitive.html

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – Hotspot Shield VPN, privacy)

The post A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations appeared first on Security Affairs.

UDPOS PoS malware exfiltrates credit card data DNS queries

A new PoS malware dubbed UDPoS appeared in the threat landscape and implements a novel and hard to detect technique to steal credit card data from infected systems.

The UDPoS malware was spotted by researchers from ForcePoint Labs, it relies upon User Datagram Protocol (UDP) DNS traffic for data exfiltration instead of HTTP that is the protocol used by most POS malware.

The UDPoS malware is the first PoS malicious code that implements this technique disguises itself as an update from LogMeIn, which is a legitimate remote desktop control application.

“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” reads a blogpost published by LogMeIn noted.

“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”

The UDPoS malware only targets older POS systems that use LogMeIn.

“However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests. Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.” reads the analysis published by ForcePoint.

The command and control (C&C) server are hosted by a Swiss-based VPS provider, another unusual choice for such kind of malware.

The server hosts a 7-Zip self-extracting archive, update.exe, containing LogmeinServicePack_5.115.22.001.exe and log that is the actual malware.

UDPoS

The malicious code implements a number of evasion techniques, it searches for antivirus software disables them, it also checks if it is running in a virtualized environment.

“For the anti-AV and anti-VM solution, there are four DLL and three Named Pipe identifiers stored in both service and monitor components:

However, only the monitor component makes use of these and, moreover, the code responsible for opening module handles is flawed: it will only try to open cmdvrt32.dll – a library related to Comodo security products – and nothing else.” continues the analysis.

“It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers.”

It must be highlighted that currently there is no evidence of the UDPoS malware currently being used in attacks in the wild, but the activity of the C&C servers suggests crooks were preparing the attacks.

In the past other malware adopted the DNS traffic to exfiltrate data, one of them is the DNSMessenger RAT spotted by Talos experts in 2017. The researchers from Cisco Talos team spotted the malware that leverages PowerShell scripts to fetch commands from DNS TXT records.

Further info about the UDPoS malware, including IoCs, are available in the blog post.

 

Pierluigi Paganini

(Security Affairs – UDPoS , PoS malware)

The post UDPOS PoS malware exfiltrates credit card data DNS queries appeared first on Security Affairs.

The source code of the Apple iOS iBoot Bootloader leaked online

The source code for Apple iOS iBoot secure bootloader has been leaked to GitHub, now we will try to understand why this component is so important for the iOS architecture.

The iBoot is the component loaded in the early stages of the boot sequence and it is tasked with loading the kernel, it is stored in a boot ROM chip.

“This is the first step in the chain of trust where each step ensures that the next is signed by Apple.” states Apple describing the iBoot.

The leaked code is related to iOS 9, but experts believe it could still present in the latest iOS 11.

Apple promptly reacted to the data leak asking to remove the content for a violation of the Digital Millennium Copyright Act (DMCA).

“This repository is currently disabled due to a DMCA takedown notice. We have disabled public access to the repository. The notice has been publicly posted.” reads the notice on the GitHub repository.

“Reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary and it includes Apple’s copyright notice. It is not open-source.”

iBoot dala leak

The data leak is considered very dangerous because hackers and security experts can analyze the code searching for security vulnerabilities that could be triggered to compromise the iBoot.

Even is the code cannot be modified, the exploit of a flaw could allow loading other components compromising the overall security of the architecture.

The boot sequence is:

Bootrom → Low Level Bootloader → iBoot → Device tree → Kernel.

The Jailbreak consists of compromising one of the above phases, typically the kernel one.

Newer iPhones have an ARM-based coprocessor that enhances iOS security, so-called Secure Enclave Processor, it makes impossible the access to the code to conduct reverse engineering of the code.

But now the iBoot code has been leaked online and experts can analyze it.

The jailbreak could allow removing security restrictions making it possible to install third-party software and packages, also code that is not authorized by Apple and therefore not signed by the IT giant.

Compromising the iBoot could theoretically allow loading any malicious code in the boot phase or a tainted kernel.

Apple tried to downplay the issue saying that it implements a layered model of security

“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protection,” reads a statement issued by Apple.

Pierluigi Paganini

(Security Affairs – iBoot, Apple)

The post The source code of the Apple iOS iBoot Bootloader leaked online appeared first on Security Affairs.

Swisscom data breach Hits 800,000 Customers, 10% of Swiss population

Swisscom data breach – Telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.

Swiss telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.

According to Swisscom, unauthorized parties gained access to data in Autumn, the attackers accessed the customers’ records using a sales partner’s credentials.

The security breach was discovered by Swisscom during a routine check, most of the exposed data are related to the mobile services subscribers.

“In autumn of 2017, unknown parties misappropriated the access rights of a sales partner, gaining unauthorised access to customers’ name, address, telephone number and date of birth. Under data protection law this data is classed as “non-sensitive”.” reads the press release issued by the company. 

“Prompted by this incident, Swisscom has now also tightened security for this customer information. The data accessed included the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers; contact details which, for the most part, are in the public domain or available from list brokers.”

Swisscom data breach

Exposed data includes names, physical addresses, phone numbers, and dates of birth, the telecom giant collects this type of data when customers subscribe an agreement.

It is not clear how the hackers obtained the credentials, the good news is that sales partners are allowed to access only information for customers’ identification and to manage contracts.

Swisscom highlighted that data accessed by the intruders are not considered sensitive under data protection laws, anyway, accessed info is a precious commodity in the criminal underground because crooks can use them to conduct phishing campaigns against the company’s customers.

Swisscom has reported the data breach to the Swiss Federal Data Protection and Information Commissioner (FDPIC).

“Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident,” continues the press release.“Rigorous long-established security mechanisms are already in place in this case.”

After the Swisscom data breach, the company revoked the credentials used to access its systems and implemented tighter controls for partners.

Swisscom implemented a number of changes to improve its security, including:

  • Access by partner companies will now be subject to tighter controls and any unusual activity will automatically trigger an alarm and block access.
  • In the future, it will no longer be possible to run high-volume queries for all customer information in the systems.
  • In addition, two-factor authentication will be introduced in 2018 for all data access required by sales partners.

Customers are advised to report any suspicious calls or email.

 

Pierluigi Paganini

(Security Affairs – Swisscom data breach, hacking)

The post Swisscom data breach Hits 800,000 Customers, 10% of Swiss population appeared first on Security Affairs.

US authorities dismantled the global cyber theft ring known as Infraud Organization

The US authorities have dismantled a global cybercrime organization tracked Infraud Organization involved in stealing and selling credit card and personal identity data.

The US authorities have taken down a global cybercrime organization, the Justice Department announced indictments for 36 people charged with being part of a crime ring specialized in stealing and selling credit card and personal identity data.

According to the DoJ, the activities of the ring tracked as ‘Infraud Organization’, caused $530 million in losses. The group is active since 2010, when it created in Ukraine by Svyatoslav Bondarenko.

Bondarenko remains at large, but Russian co-founder Sergey Medvedev has been arrested by the authorities.

Most of the crooks were arrested in the US (30), the remaining members come from Australia, Britain, France, Italy, Kosovo, and Serbia.

The indicted leaders of the organization included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.

The motto of the Infraud Organization was “In Fraud We Trust,” it has a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained the Deputy Assistant Attorney General David Rybicki.

“As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale,” said Acting Assistant Attorney General John Cronan.

The platform offered a privileged aggregator for criminals (10,901 approved “members” in early 2017) that could buy and sell payment card and personal data.

“Members ‘join the Infraud Organization via an online forum. To be granted
membership, an Infraud Administrator must approve the request. Once granted
membership, members can post and pay for advertisements within the Infraud forum. Members may move up and down the Infraud hierarchy.” said the indictment.

“The Infraud Organization continuously screens the wares and services of the vendors within the forum to ensure quality products. Vendors who are considered subpar are swiftly identified and punished by the Infraud Organization’s Administrators.”

Infraud Organization

The Infraud Organization used a number of websites to commercialize the data, it implemented a classic and efficient e-commerce for the stolen card and personal data, implementing also a rating and feedback system and an escrow” service for payments in digital currencies like Bitcoin.

 

 

Pierluigi Paganini

(Security Affairs – Infraud Organization, cybercrime)

The post US authorities dismantled the global cyber theft ring known as Infraud Organization appeared first on Security Affairs.

Joomla 3.8.4 release addresses three XSS and SQL Injection vulnerabilities

Joomla development team has released the Joomla 3.8.4 that addresses many issues, including an SQL injection bug and three cross-site scripting (XSS) flaws.

Joomla development team has released the Joomla 3.8.4 that addresses a large number of issues, including an SQL injection bug and three cross-site scripting (XSS) vulnerabilities. The latest release also includes several improvements.

The XSS and SQL injection vulnerabilities have been classified as “low priority”

“Joomla 3.8.4 is now available. This is a security release for the 3.x series of Joomla addressing four security vulnerabilities and including over 100 bug fixes and improvements.” reads the announcement.

The most severe issue is the SQL injection vulnerability tracked as CVE-2018-6376 due to its high impact.

The issue was reported by the researcher Karim Ouerghemmi from RIPS Technologies (ripstech.com), it affects Joomla! CMS versions 3.7.0 through 3.8.3.

“The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.” states the security advisory published by Joomla.

“Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions.” reads the analysis published by RIPS.

The experts explained that the flaw could be exploited to gain admin privileges and take over the Joomla installs.

“An attacker exploiting this vulnerability can read arbitrary data from the database. This data can be used to further extend the permissions of the attacker. By gaining full administrative privileges she can take over the Joomla! installation by executing arbitrary PHP code.” continues the post.

The researchers discovered the vulnerability by using their static code analyzer, an attacker can first inject arbitrary content into the targeted install’s database and then create a specially crafted query to gain admin privileges.

Joomla 3.8.4

The XSS flaws affect the Uri class (versions 1.5.0 through 3.8.3), the com_fields component (versions 3.7.0 through 3.8.3), and the Module chrome (versions 3.0.0 through 3.8.3).

According to the development team, the Uri class (formerly JUri) fails to properly filter the input opening to XSS attacks.

 

Pierluigi Paganini

(Security Affairs – Joomla 3.8.4, SQL injection)

The post Joomla 3.8.4 release addresses three XSS and SQL Injection vulnerabilities appeared first on Security Affairs.

Intel releases new Spectre security updates, currently only for Skylake chips

Intel is releasing new firmware updates that should address Spectre vulnerabilities CVE-2017-5715 for Skylake processors.

Intel is releasing new firmware updates limited to Skylake processors to address Spectre vulnerabilities, patches for other platforms are expected very soon.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The company provided beta releases for the updates to apply to other processors to customers and partners to conduct extensive tests before the final release.

We all know the disconcerting story about the security patches released by Intel, on January 3, white hackers from Google Project Zero have disclosed some vulnerabilities in Intel chips called Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), Intel promptly released security patches but in many cases they caused problems to systems.

Many companies rolled out patches to revert the Intel updates, including Red Hat and Microsoft.

Now Intel seems to have a more clear idea about the cause of the problems observed after the deploy of the initial updates and release new microcode updates.

“For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown). ” states the microcode revision guidance issued by Intel.

Problems such as frequent reboots were related to the fix for the CVE-2017-5715 Spectre flaw (Spectre Variant 2) and affected almost any platform, including systems running on Broadwell Haswell CPUs, as well as Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

While many users have chosen to don’t install the patches to avoid problems, security firms are reporting the first PoC malware that exploits the Meltdown and Spectre vulnerabilities.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.

 

Pierluigi Paganini

(Security Affairs – Intel, CVE-2017-5715)

The post Intel releases new Spectre security updates, currently only for Skylake chips appeared first on Security Affairs.

Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.

Researchers from Princeton University have developed an app called PinME to locate and track smartphone without using GPS.

The research team led by Prateek Mittal, assistant professor in Princeton’s Department of Electrical Engineering and PinMe paper co-author developed the PinMe application that mines information stored on smartphones that don’t require permissions for access.

The data is processed alongside with public available maps and weather reports resulting on information if a person is traveling by foot, car, train or airplane and their travel route. The applications for intelligence and law enforcement agencies to solve crimes like kidnapping, missing people and terrorism are very significant.

As the researchers notice, the application utilizes a series of algorithms to locate and track someone using information like the phone IP address and time zone combined with data from its sensors. The phone sensors collect compass details from the gyroscope, air pressure reading from barometer and accelerometer data while remaining undetected from the user. The resulting data processed can be used to extract contextual information about users’ habits, regular activities, and even relationships.

This technology as many others have two sides: Help solving crimes at large, and implications on privacy and security of the users.  The researchers hope to be fomenting the development of security measures to switch off sensor data by revealing this sensor security flaw. Nowadays such sensor data is collected by fitness and game applications to track people movement.

Another key point where the application can be a game changer is an alternative navigation tool, as highlighted by the researchers. Gps signals used in autonomous cars and ships can be the target of hackers putting the safety of the passengers in danger. The researchers conducted their experiment using Galaxy S4 i9500, iPhone 6 and iPhone 6S. To determine the last Wi-Fi connection, the PinMe application read the latest IP address used and the network status.

pinme

To determine how a user is traveling, the application utilizes a machine learning algorithm that recognizes the different patterns of walking, driving and flying by gathering data from the phones sensor like speed, direction of travel, delay between movement and altitude.

Once determined the pattern of activity of a user, the application then executes one of four additional algorithms to determine the type transportation. By comparing the phone data against public information the route of the user is determined. Maps from Google and the U.S. Geological Survey were used to determine the altitude details of every point on Earth. Details regarding temperature, humidity, and air pressure reports were also used to determine the use of trains or planes.

The researchers wanted also to raise the question about privacy and data collected without the user consent as Prateek Mittal states: “PinMe demonstrates how information from seemingly innocuous sensors can be exploited using machine-learning techniques to infer sensitive details about our lives”.

Sources:

https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371

https://nakedsecurity.sophos.com/2017/12/19/gps-is-off-so-you-cant-be-tracked-right-wrong/

https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services

https://www.theregister.co.uk/2018/02/07/boffins_crack_location_tracking_even_if_youve_turned_off_the_gps/

https://www.helpnetsecurity.com/2018/02/07/location-tracking-no-gps/

https://www.bleepingcomputer.com/news/security/apps-can-track-users-even-when-gps-is-turned-off/

https://arxiv.org/pdf/1802.01468.pdf

http://ieeexplore.ieee.org/document/8038870/?reload=true

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – PinME, hacking)

The post Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off. appeared first on Security Affairs.

Security Affairs: Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.

Researchers from Princeton University have developed an app called PinME to locate and track smartphone without using GPS.

The research team led by Prateek Mittal, assistant professor in Princeton’s Department of Electrical Engineering and PinMe paper co-author developed the PinMe application that mines information stored on smartphones that don’t require permissions for access.

The data is processed alongside with public available maps and weather reports resulting on information if a person is traveling by foot, car, train or airplane and their travel route. The applications for intelligence and law enforcement agencies to solve crimes like kidnapping, missing people and terrorism are very significant.

As the researchers notice, the application utilizes a series of algorithms to locate and track someone using information like the phone IP address and time zone combined with data from its sensors. The phone sensors collect compass details from the gyroscope, air pressure reading from barometer and accelerometer data while remaining undetected from the user. The resulting data processed can be used to extract contextual information about users’ habits, regular activities, and even relationships.

This technology as many others have two sides: Help solving crimes at large, and implications on privacy and security of the users.  The researchers hope to be fomenting the development of security measures to switch off sensor data by revealing this sensor security flaw. Nowadays such sensor data is collected by fitness and game applications to track people movement.

Another key point where the application can be a game changer is an alternative navigation tool, as highlighted by the researchers. Gps signals used in autonomous cars and ships can be the target of hackers putting the safety of the passengers in danger. The researchers conducted their experiment using Galaxy S4 i9500, iPhone 6 and iPhone 6S. To determine the last Wi-Fi connection, the PinMe application read the latest IP address used and the network status.

pinme

To determine how a user is traveling, the application utilizes a machine learning algorithm that recognizes the different patterns of walking, driving and flying by gathering data from the phones sensor like speed, direction of travel, delay between movement and altitude.

Once determined the pattern of activity of a user, the application then executes one of four additional algorithms to determine the type transportation. By comparing the phone data against public information the route of the user is determined. Maps from Google and the U.S. Geological Survey were used to determine the altitude details of every point on Earth. Details regarding temperature, humidity, and air pressure reports were also used to determine the use of trains or planes.

The researchers wanted also to raise the question about privacy and data collected without the user consent as Prateek Mittal states: “PinMe demonstrates how information from seemingly innocuous sensors can be exploited using machine-learning techniques to infer sensitive details about our lives”.

Sources:

https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371

https://nakedsecurity.sophos.com/2017/12/19/gps-is-off-so-you-cant-be-tracked-right-wrong/

https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services

https://www.theregister.co.uk/2018/02/07/boffins_crack_location_tracking_even_if_youve_turned_off_the_gps/

https://www.helpnetsecurity.com/2018/02/07/location-tracking-no-gps/

https://www.bleepingcomputer.com/news/security/apps-can-track-users-even-when-gps-is-turned-off/

https://arxiv.org/pdf/1802.01468.pdf

http://ieeexplore.ieee.org/document/8038870/?reload=true

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – PinME, hacking)

The post Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off. appeared first on Security Affairs.



Security Affairs

For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA

Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.

At the end of January, the company released security updates the same flaw in Cisco ASA software. The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.

The vulnerability resides in the Secure Sockets Layer (SSL) VPN feature implemented by CISCO ASA software, it was discovered by the researcher Cedric Halbronn from NCC Group.

The flaw received a Common Vulnerability Scoring System base score of 10.0.

According to CISCO, it is related to the attempt to double free a memory region when the “webvpn” feature is enabled on a device. An attacker can exploit the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.

Further investigation of the flaw revealed additional attack vectors, for this reason, the company released a new update. The researchers also found a denial of service issue affecting Cisco ASA platforms.

“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” reads a blog post published by Cisco.

The experts noticed that the flaw ties with the XML parser in the CISCO ASA software, an attacker can trigger the vulnerability by sending a specifically crafted XML file to a vulnerable interface.

CISCO ASA attack

The list of affected CISCO ASA products include:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

According to Cisco experts, there is no news about the exploitation of the vulnerability in the wild, anyway, it is important to apply the security updates immediately.

 

Pierluigi Paganini

(Security Affairs – CISCO ASA, hacking)

The post For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA appeared first on Security Affairs.

Automated Hacking Tool Autosploit Cause Concerns Over Mass Exploitation

The Autosploit hacking tool was developed aiming to automate the compromising of remote hosts both by collecting automatically targets as well as by using Shodan.io API.

Users can define its platform search queries like Apache, IIS and so forth to gather targets to be attacked. After gathering the targets, the tool uses Metasploit modules of its exploit component to compromise the hosts.

The Metasploit modules to be used will depend on the comparison of the name of the module and the query search. The developer also added a type of attack where all modules can be used at once. As the author noticed, Metasploit modules were added with the intent of enabling Remote Code Execution as well as gaining Reverse TCP Shell or Meterpreter Sessions.

Autosploit

There are different opinions about the release of the tool by experts. As noticed by Bob Noel, Director of Strategic Relationships and Marketing at Plixer:

“AutoSploit doesn’t introduce anything new in terms of malicious code or attack vectors. What it does present is an opportunity for those who are less technically adept to use this tool to cause substantial damage. Once initiated by a person, the script automates and couples the process of finding vulnerable devices and attacking them. The compromised devices can be used to hack Internet entities, mine cryptocurrencies, or be recruited into a botnet for DDoS attacks. The release of tools like these exponentially expands the threat landscape by allowing a wider group of hackers to launch global attacks at will”.

On the other hand, Chris Roberts, chief security architect at Acalvio states:

” The kids are not more dangerous. They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem”.

The recent revelation that adult sex toys can be accessed remotely by hackers using Shodan is a scenario where the tool can represent a great and grave danger.

The risks and dangers looming around always existed. The release of the tool is not a new attack vector itself according to Gavin Millard, Technical Director at Tenable:

“Most organizations should have a process in place for measuring their cyber risk and identifying issues that could be easily leveraged by automated tools. For those that don’t, this would be an ideal time to understand where those exposures are and address them before a curious kid pops a web server and causes havoc with a couple of commands”.

A recommendation is given by Jason Garbis, VP at Cyxtera: ” In order to protect themselves, organizations need to get a clear, accurate, and up-to-date picture of every service they expose to the Internet. Security teams must combine internal tools with external systems like Shodan to ensure they’re aware of all their points of exposure”.

Sources:

https://www.scmagazine.com/autosploit-marries-shodan-metasploit-puts-iot-devices-at-risk/article/740912/
https://motherboard.vice.com/en_us/article/xw4emj/autosploit-automated-hacking-tool
https://arstechnica.com/information-technology/2018/02/threat-or-menace-autosploit-tool-sparks-fears-of-empowered-script-kiddies/
https://www.wired.com/story/autosploit-tool-makes-unskilled-hacking-easier-than-ever/
https://n0where.net/automated-mass-exploiter-autosploit
http://www.informationsecuritybuzz.com/expert-comments/autosploit/
https://securityledger.com/2018/02/episode-82-skinny-autosploit-iot-hacking-tool-get-ready-gdpr
https://www.kitploit.com/2018/02/autosploit-automated-mass-exploiter.html
https://www.darkreading.com/threat-intelligence/autosploit-mass-exploitation-just-got-a-lot-easier-/a/d-id/1330982
http://www.securityweek.com/autosploit-automated-hacking-tool-set-wreak-havoc-or-tempest-teapot

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

 

Pierluigi Paganini

(Security Affairs – Metasploit, hacking)

The post Automated Hacking Tool Autosploit Cause Concerns Over Mass Exploitation appeared first on Security Affairs.

Hackers can remotely access adult sex toys compromising at least 50.000 users

Researchers discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.

As a result for Master Thesis by Werner Schober in cooperation with SEC Consult and the University of Applied Sciences St. Pölten, it was discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.

In an astonishing revelation, multiple vulnerabilities were discovered in “Vibratissimo” secy toys and in its cloud platform that compromised not only the privacy and data protection but also physical safety of owners.

sexy toys

The database pertaining all customers data was accessible via internet in such a way that explicit images, chat logs, sexual orientation, email addresses and passwords in clear text were compromised.

A total lack of security measures had caused the enumeration of all explicit images of users compromising their identities due to the utilization of predictable numbers and absence of authorization verification. Hackers could even give pleasure to users without their consent using the internet or standing nearby the address within the range of Bluetooth. These are only a few dangers users are exposed once connected to the world of the Internet of Things (IoT).

The Internet of Things (IoT) is a technology that comprises a myriad of devices connected to the internet and has evolved in such way that is present in many products used in a daily basis, from cars to home utilities. Once taking this into account we see the arising of a new sub-category within the Internet of Things (IoT) named Internet of Dildos (IoD). The Internet of Dildos (IoD) comprehends every device connected to networks that give mankind pleasure. According to the article, the term from 1975 given to this area of research is the following: “Teledildonics (also known as “cyberdildonics”) is technology for remote sex (or, at least, remote mutual masturbation), where tactile sensations are communicated over a data link between the participants”.

The products from Amor Gummiwaren GmbH that are vulnerable are the following: Vibratissimo Panty Buster, MagicMotion Flamingo, and Realov Lydia. The analysis of researchers focused on Vibratissimo Panty Buster. The panty buster is a sex toy that can be controlled remotely with mobile applications (Android, iOS), but the mobile application, the backend server, hardware, and firmware are developed by third-party company. The application presents many interactive features that enable extensive communication and sharing capabilities, in such a manner that creates a social network where users can expand their experience. Some features are: Search for other users, the creation of friends lists, video chat, message board and sharing of image galleries that can be stored across its social network.

The vulnerabilities found were: Customer Database Credential Disclosure, Exposed administrative interfaces on the internet, Cleartext Storage of Passwords, Unauthenticated Bluetooth LE Connections, Insufficient Authentication Mechanism, Insecure Direct Object Reference, Missing Authentication in Remote Control and Reflected Cross-Site Scripting. As we start taking a glimpse at the vulnerabilities discovered we can consider the following: All credentials of Vibratissimo database environment were leaked on the internet, alongside with the PHPMyAdmin interface that can have allowed hackers to access the database and dump all content.

The PHPMyAdmin interface was accessible throughout the URL http://www.vibratissimo.com/phpmyadmin/ with the stored passwords without encryption in clear text format. The content pertained to the database might have the following data: Usernames, Session Tokens, Cleartext passwords, chat histories and explicit image galleries created by the users themselves. The DS_STORE file and config.ini.php was found on the web server of Vibratissimo in such way that hackers could exploit attack vector like directory listing and discover the operating system which in this case is a MAC OSX.

Also, as disclosed by the researchers, there are great dangers to users in the remote control of the vibrator. The first is related to the connection between the Bluetooth LE of the vibrator and the smartphone application that could lead to eavesdropping, replay and MitM attacks. Although the equipment offers several pairing methods the most dangerous is “no pairing” as noted in the report. This method can allow hackers to search for information on the device as well as write data. If a hacker is in range, he could take control of the device. Also, a man in the middle attack is possible due to the lack of authentication, where a hacker can create a link for itself and then decrement or increment the ID to get direct access to the link used by the person. Due to the lack of authentication, a reflected cross-site scripting is also possible, but as noticed by the researchers it is not as dangerous as the other security issues.

Last but not least the researchers recommend a complete update in the software and mobile application used by the devices. It is highly recommended for all users to change their login information as well as their passwords for greater protection. Not all security flaws were addressed and corrected, therefore there are some dangers loaming around that can be exploited by tools like Shodan and autosploit. It is a social security concern these vulnerabilities since they pose a grave danger to user’s reputation, that can lead to suicide.

Sources:

http://www.securitynewspaper.com/2018/02/03/internet-dildos-long-way-vibrant-future-iot-iod/

https://www.sec-consult.com/en/blog/2018/02/internet-of-dildos-a-long-way-to-a-vibrant-future-from-iot-to-iod/index.html

https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-whole-vibratissimo-smart-sex-toy-product-range/index.html

https://www.theregister.co.uk/2018/02/02/adult_fun_toy_security_fail/

http://www.zdnet.com/article/this-smart-vibrator-can-be-easily-hacked-and-remotely-controlled-by-anyone

https://mashable.com/2018/02/01/internet-of-dildos-hackers-teledildonics

https://www.cnet.com/news/beware-the-vibratissimo-smart-vibrator-is-vulnerable-to-hacks/

http://www.wired.co.uk/article/sex-toy-bluetooth-hacks-security-fix

https://www.forbes.com/sites/thomasbrewster/2018/02/01/vibratissimo-panty-buster-sex-toy-multiple-vulnerabilities/#37ec1d25a944

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – sex toys, hacking)

The post Hackers can remotely access adult sex toys compromising at least 50.000 users appeared first on Security Affairs.

Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea

Adobe rolled out an emergency patch that fixed two critical remote execution vulnerabilities, including the CVE-2018-4878 flaw exploited by North Korea.

Adobe has rolled out an emergency patch to address two Flash player vulnerabilities after North Korea’s APT group was spotted exploiting one of them in targeted attacks.

Last week, South Korea’s Internet & Security Agency (KISA) warned of a Flash zero-day vulnerability (CVE-2018-4878) that has reportedly been exploited in attacks by North Korea’s hackers.

According to the alert published by the KISA, the vulnerability affects the latest Flash Player version 28.0.0.137 and earlier.

The zero-day vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.

“A zero-day vulnerability has been found in Adobe Flash Player. An attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file,” reads the advisory published by the Korean CERT.

According to the researcher Simon Choi the Flash Player zero-day has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.

Hackers exploited the vulnerability to deliver a malware, in the image shared by Choi on Twitter shows that the exploit has been delivered via malicious Microsoft Excel files.

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

Adobe addressed the bug with an emergency patch that also fixed another remote code execution vulnerability, tracked as CVE-2018-4877, that was discovered by researchers at Qihoo 360 Vulcan Team.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could lead to remote code execution in Adobe Flash Player 28.0.0.137 and earlier versions.  Successful exploitation could potentially allow an attacker to take control of the affected system.”  reads the security advisory published by Adobe.  

“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users.  These attacks leverage Office documents with embedded malicious Flash content distributed via email.”

The two vulnerabilities are rated critical for all supported operating systems, the unique exception is the Linux build of Adobe Flash Player Desktop Runtime.

There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for vulnerabilities like these ones to be exploited.

 

Pierluigi Paganini

(Security Affairs – Adobe Flash Player, 8)

The post Adobe rolled out an emergency patch that fixed CVE-2018-4878 flaw exploited by North Korea appeared first on Security Affairs.

Security Affairs: Researchers ported the NSA  EternalSynergy, EternalRomance, and EternalChampion to Metasploit

Security researcher Sean Dillon ported three NSA-linked exploits, EternalSynergy, EternalRomance, and EternalChampion, to the Metasploit platform.

The security researcher at RiskSense Sean Dillon (@zerosum0x0) ported the Rapid7 Metasploit three hacking tools supposedly stolen from the NSA-linked Equation Group.

The researcher modified the exploits to use them also against latest windows versions and merged them into the Metasploit Framework, they should work on all unpatched versions of Windows based on x86 and x64 architectures.

The three exploits are EternalSynergy, EternalRomance, and EternalChampion that were leaked by the hacker crew Shadow Brokers in April 2017.

Metasploit exploits NSA EternalRomance

The tools were later used in several attacks in the wild, for example, the EternalRomance exploit was used in the massive Bad Rabbit ransomware attack.

The versions ported to Metasploit could be used to target all Windows versions since Windows 2000.

The EternalChampion and EternalSynergy exploits trigger a race condition with Transaction requests tracked as CVE-2017-0146, while the EternalRomance and EternalSynergy exploits trigger the CVE-2017-0143, a type confusion between WriteAndX and Transaction requests.

The expert explained that the tool can be used to run any command as System or to stage Meterpreter.

“You can run any command as SYSTEM, or stage Meterpreter. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.” Dillon explained.

“This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).”

The Metasploit module does not implement shellcode execution, instead, it overwrites the SMB connection session structures instead to obtain Admin/SYSTEM session.

“The exploit chain is an almost 1:1 skid port of @worawit awesome zzz_exploit adaptation, which brings a few improvements over the original Eternal exploits. Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session.” wrote the expert.

“The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit’s psexec DCERPC implementation bolted onto it. For the last reason, Rex is used and not RubySMB,”

Further info and the “MS17-010 EternalSynergy / EternalRomance / EternalChampion aux+exploit modules” are available on GitHub.

Pierluigi Paganini

(Security Affairs – NSA exploits, Metasploit)

The post Researchers ported the NSA  EternalSynergy, EternalRomance, and EternalChampion to Metasploit appeared first on Security Affairs.



Security Affairs

Researchers ported the NSA  EternalSynergy, EternalRomance, and EternalChampion to Metasploit

Security researcher Sean Dillon ported three NSA-linked exploits, EternalSynergy, EternalRomance, and EternalChampion, to the Metasploit platform.

The security researcher at RiskSense Sean Dillon (@zerosum0x0) ported the Rapid7 Metasploit three hacking tools supposedly stolen from the NSA-linked Equation Group.

The researcher modified the exploits to use them also against latest windows versions and merged them into the Metasploit Framework, they should work on all unpatched versions of Windows based on x86 and x64 architectures.

The three exploits are EternalSynergy, EternalRomance, and EternalChampion that were leaked by the hacker crew Shadow Brokers in April 2017.

Metasploit exploits NSA EternalRomance

The tools were later used in several attacks in the wild, for example, the EternalRomance exploit was used in the massive Bad Rabbit ransomware attack.

The versions ported to Metasploit could be used to target all Windows versions since Windows 2000.

The EternalChampion and EternalSynergy exploits trigger a race condition with Transaction requests tracked as CVE-2017-0146, while the EternalRomance and EternalSynergy exploits trigger the CVE-2017-0143, a type confusion between WriteAndX and Transaction requests.

The expert explained that the tool can be used to run any command as System or to stage Meterpreter.

“You can run any command as SYSTEM, or stage Meterpreter. Note: unlike EternalBlue, kernel shellcode is not used to stage Meterpreter, so you might have to evade your payloads.” Dillon explained.

“This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).”

The Metasploit module does not implement shellcode execution, instead, it overwrites the SMB connection session structures instead to obtain Admin/SYSTEM session.

“The exploit chain is an almost 1:1 skid port of @worawit awesome zzz_exploit adaptation, which brings a few improvements over the original Eternal exploits. Instead of going for shellcode execution, it overwrites the SMB connection session structures to gain Admin/SYSTEM session.” wrote the expert.

“The MSF module is leaner (stripped down packet count/padding), checks extra named pipes, sprinkles randomness where possible, and has Metasploit’s psexec DCERPC implementation bolted onto it. For the last reason, Rex is used and not RubySMB,”

Further info and the “MS17-010 EternalSynergy / EternalRomance / EternalChampion aux+exploit modules” are available on GitHub.

Pierluigi Paganini

(Security Affairs – NSA exploits, Metasploit)

The post Researchers ported the NSA  EternalSynergy, EternalRomance, and EternalChampion to Metasploit appeared first on Security Affairs.

Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation

The Europol’s European Cybercrime Centre along with the UK NSA disclosed the details of an international law enforcement operation that dismantled a crime ring linked to Luminosity RAT.

The Europol’s European Cybercrime Centre (EC3) along with the UK National Crime Agency (NCA) disclosed the details of an international law enforcement operation that targeted the criminal ecosystem around the Luminosity RAT (aka LuminosityLink).

According to the EC3, the joint operation was conducted in September 2017, it involved more than a dozen law enforcement agencies from Europe, the US, and Australia.

The Luminosity RAT was first spotted in 2015 but it became very popular in 2016.

The malware was offered for sale in the criminal underground for as little as $40, it allows attackers to take complete control over the infected system.

Luminosity RAT

In September 2016, the UK law enforcement arrested a man that was linked to the threat. The arrest triggered a new investigation that resulted in several arrests, search warrants, and cease and desist notifications across Europe, America, and Australia.

Law enforcement agencies target both sellers and users of Luminosity Trojan. According to the NCA, a small crime ring in the UK distributed Luminosity RAT to more than 8,600 buyers across 78 countries.

“The Luminosity Link RAT (a Remote Access Trojan) enabled hackers to connect to a victim’s machine undetected. They could then disable anti-virus and anti-malware software, carry out commands such as monitoring and recording keystrokes, steal data and passwords, and watch victims via their webcams.” states the press release published by NCA.

“The RAT cost as little as £30 and users needed little technical knowledge to deploy it.

A small network of UK individuals supported the distribution and use of the RAT across 78 countries and sold it to more than 8,600 buyers via a website dedicated to hacking and the use of criminal malware.”

The Luminosity RAT was one of the malicious code used in Business Email Compromise attacks and was also used Nigerian gangs in attacks aimed at industrial firms.

Law enforcement believes that thousands of individuals were infected with the RAT.

“Victims are believed to be in the thousands, with investigators having already identified evidence of stolen personal details, passwords, private photographs, video footage and data. Forensic analysis on the large number of computers and internet accounts seized continues.” reads the announcement published by the Europol.

“Through such strong, coordinated actions across national boundaries, criminals across the world are finding out that committing crimes remotely offers no protection from arrests. Nobody wants their personal details or photographs of loved ones to be stolen by criminals. We continue to urge everybody to ensure their operating systems and security software are up to date”. said Steven Wilson, Head of Europol’s European Cybercrime Centre.

 

Pierluigi Paganini

(Security Affairs – Luminosity RAT, cybercrime)

The post Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation appeared first on Security Affairs.

Abusing X.509 Digital Certificates to establish a covert data exchange channel

Researcher at Fidelis Cybersecurity devised a new technique that abuses X.509 Digital Certificates to establish a covert data exchange channel

Last year, during the Bsides conference in July 2017, the security researcher at Fidelis Cybersecurity Jason Reaves demonstrated how to covertly exchange data using X.509 digital certificates, now the same expert published the proof-of-concept code.

The X.509  is a standard that defines the format of public key certificates currently used in many Internet protocols, including TLS/SS. TLS, for example, uses X.509 for certificate exchange, during the handshake process that establishes an encrypted communication.

The covert channel devised by Reaves uses fields in X.509 extensions to carry data, it could be exploited by an attacker to exfiltrate data from a target organization without being detected.

“The research demonstrates that a sufficiently motivated attacker can utilize technologies outside of their intended purposes to not only accomplish their goals but also end up bypassing common security measures in the process.” reads the paper published by the expert.

“In brief, TLS X.509 certificates have many fields where strings can be stored. You can see them in this image[16]. The fields include version, serial number, Issuer Name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself. “

The proof-of-concept code published by Reaves uses the field ‘class=wrap_text>SubjectKeyIdentifier

Digital certificate extensions were added in version 3 of the X.509 protocol and allow the CAs to add descriptions to a certificate, unfortunately, they can be abused to embed malicious data.

Attackers can send small amounts of data to an external server without being noticed.

Anyway, these extensions can be very large, for this reason, many libraries attempt to limit the ultimate handshake packet size. The expert noticed that the extension in the certificate itself can be created to a length that appears to only be limited by memory.

Data hidden in the X.509 metadata are impossible to detect, the PoC code published transfers the Mimikatz post-exploit attack tool in the TLS negotiation:

x.509 certificates embedded mimikatz

As possible mitigations, Reaves suggests to block self-signed certificates such the ones used in the PoC and check for executables in certificates.

Pierluigi Paganini

(Security Affairs – X.509 Digital Certificates, hacking)

The post Abusing X.509 Digital Certificates to establish a covert data exchange channel appeared first on Security Affairs.

Popular British hacktivist Lauri Love will not be extradited to US, UK Court Ruled

The popular British hacker Lauri Love (33) will not be extradited to stand trial in the US, the High Court of England and Wales ruled.

Lauri Love was accused of hacking into United States government websites, will not be extradited to stand trial in the U.S., the High Court of England and Wales ruled today.

The list of victims of the hacker includes the FBI, the Federal Reserve Bank, US Missile Defence Agency, National Aeronautics and Space Administration (NASA),  and the US Missile Defence Agency.

The decision of the Lauri Love’s extradition was taken at Westminster Magistrates’ Court in London in 2016, by District Judge Nina Tempia. If extradited, Love risks a sentence to up to 99 years in prison and a potential fine of up to $9 million.

Actually, the man would face a prison sentence in the UK following his five years of legal battle.

US Prosecutors believe that Lauri Love is a member of a hacker crew, they sustain that he was also involved in the OpLastResort campaign launched by Anonymous against the US Government.

Lauri Love hacktivist

Lord Chief Justice Lord Burnett of Maldon and Justice Ouseley halted the extradition after heard Lauri Love suffered severe mental illness, including Asperger syndrome, and depression, they fear the man should commit suicide if extradited.

“There have not been any incidents of self-harm in the past but I accept Mr Love has experienced suicidal thoughts intermittently, both in the past and now. Mr Love denied any suggestion that he had exaggerated his symptoms and his suicide risk which I accept given the medical evidence.” the High Court ruled on Monday.
“I also accept Professor Baron-Cohen and Professor Kopelman’s evidence that he would attempt suicide before extradition to the United States. Both are of the opinion he would be at high risk of suicide. I accept Professor BaronCohen’s oral evidence that Mr Love’s intention is not a reflection of a voluntary plan or act but due to his mental health being dependant on him being at home with his parents and not being detained for an indefinite period.”

The court recognized that extradition would be “oppressive” due to the man’s health conditions. Love supporters that were present in the court applauded the judgment.

The Crown Prosecution Service (CPS), which acts on behalf of the US authorities, would examine the judgment before deciding whether to appeal the high court decision to the supreme court.

“I’m thankful for all the support we’ve had, without which I’m not sure I would have made it this far.” commented Love expressing gratitude to the judges.

The judgment was accepted with joy in the hacking community and by human rights advocates.

Pierluigi Paganini

(Security Affairs – Lauri Love, hacking)

The post Popular British hacktivist Lauri Love will not be extradited to US, UK Court Ruled appeared first on Security Affairs.

ADB.Miner, the Android mining botnet that targets devices with ADB interface open

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet that targets devices with ADB interface open.

Security researchers at Qihoo 360’s Netlab have spotted a new Android mining botnet over the weekend. The malicious code ADB.Miner targets Android devices by scanning for open ADB debugging interface (port 5555) and infects them with a Monero cryptocurrency miner.

The port 5555 is the working port ADB debug interface on Android device that should be shut down normally. The devices infected by ADB.miner are devices where users or vendors have voluntary enabled the debugging port 5555.

Spread of time : the earliest time of infection can be traced back to near January 31. This current wave of helminthic infections has been detected by our system from around 15:00 on the afternoon of 2018-02-03 and is still on the rise.” reads the analysis published by Netlab.

“Infected port : 5555, is the working port adb debug interface on Android device, the port should be shut down normally, but unknown part of the cause led to the wrong port opened.”

Starting from February 3, the expert noticed a rapid growth of the volume of scan traffic on port 5555 associated with the ADB.Miner:

ADB.Miner

Once the ADB.Miner has infected a device, the compromised system start scanning the Internet for other devices to infect.

According to the experts, ADB.miner borrowed the scanning code implemented by the Mirai botnet, this is the first time that the Mirai code is used by an Android threat.

The researchers did not reveal the way the malware infects the Android devices, it is likely it exploits a flaw in the ADB interface.

The number of infected devices is rapidly growing, according to different caliber statistics, there are 2.75 ~ 5.5k, and this figure is rapidly growing.

The two sources reported by Netlab are:

  • Statistics from scanmon : 2.75k, mainly from China (40%) and South Korea (31%).
  • Statistics from our botnet tracking system: 5.5k

At the time of writing the number of ADB.miner scans reached 75,900 unique IP addresses.

ADB.Miner traffic 2.png

Most IP addresses scanning the port 5555 are located in China (~40%) and South Korea (~30%).

The operators of the botnet are using the following Monero wallet address:

  • 44XT4KvmobTQfeWa6PCQF5RDosr2MLWm43AsaE3o5iNRXXTfDbYk2VPHTVedTQHZyfXNzMn8YYF2466d3FSDT7gJS8gdHAr

That still has not received the first payment for the mine.

Pierluigi Paganini 

(Security Affairs – Monero, ADB.Miner)

The post ADB.Miner, the Android mining botnet that targets devices with ADB interface open appeared first on Security Affairs.

Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild

According to security researchers at Cisco and FireEye a North Korea Hacking Group is behind the attacks that exploited the recently discovered Adobe Flash 0-Day vulnerability.

There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.

KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.

“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.

The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.

Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,

“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”

In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.

There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.

As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
 

Pierluigi Paganini

(Security Affairs – North Korea, cybercrime)

The post Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild appeared first on Security Affairs.

Security Affairs: Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild

According to security researchers at Cisco and FireEye a North Korea Hacking Group is behind the attacks that exploited the recently discovered Adobe Flash 0-Day vulnerability.

There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.

KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.

“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.

The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.

Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,

“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”

In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.

There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.

As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
 

Pierluigi Paganini

(Security Affairs – North Korea, cybercrime)

The post Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild appeared first on Security Affairs.



Security Affairs

Almost all WordPress websites could be taken down due to unpatched CVE-2018-6389 DoS flaw

The Israeli security researcher Barak Tawily a vulnerability tracked as CVE-2018-6389 that could be exploited to trigger DoS condition of WordPress websites.

The expert explained that the CVE-2018-6389 flaw is an application-level DoS issued that affects the WordPress CMS and that could be exploited by an attacker even without a massive amount of malicious traffic.

“In this article I am going to explain how Denial of Service can easily be caused to almost any WordPress website online, and how you can patch your WordPress website in order to avoid this vulnerability being exploited.” reads the analysis of the expert.

Tawily revealed that the flaw exists in almost all versions of WordPress released in last nine years, including the latest one (Version 4.9.2).

The flaw affects the “load-scripts.php” WordPress script, it receives a parameter called load[] with value is ‘jquery-ui-core’. In the response, the CMS provides the JS module ‘jQuery UI Core’ that was requested.

CVE-2018-6389 WordPress flaw

As you know, WordPress is open-source project, for this reason, it was easy for the expert to perform code review and analyzed the feature in detail.

The load-scripts.php file was designed for WordPress admins and allows to load multiple JavaScript files into a single request, but the researcher noticed that that is is possible to call the function before login allowing anyone to invoke it.

The response provided by the WordPress CMS depends upon the installed plugins and modules.  It is possible to load them by simply passing the module and plugin names, separated by a comma, to the load-scripts.php file through the “load” parameter.

https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous

The ‘load-scripts.php’ finds the JavaScript files included in the URL and appends their content into a single file and then send back it to the user’s web browser.

The researcher highlighted that the wp_scripts list is hard-coded and is defined in the script-loader.php file, so he decided to send a request that in response will get all the JS module of the WordPress instance.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user.”

“I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.”

Tawily developed a proof-of-concept (PoC) python script called doser.py that he used to makes large numbers of concurrent requests to the same URL to saturate the resources of the servers.

An attacker with a good bandwidth or a limited number of bots can trigger the CVE-2018-6389 vulnerability to target popular WordPress websites.

Below a video PoC of the attack.

Tawily reported this DoS vulnerability to the WordPress team through HackerOne platform, but the company refused to acknowledge the flaw.

“After going back and forth about it a few times and my trying to explain and provide a PoC, they refused to acknowledge it and claimed that:
“This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.“” Tawily wrote.

The expert has implemented the mitigation against this vulnerability in a forked version of WordPress, he has also released a bash script that addresses the issue.

Pierluigi Paganini

(Security Affairs – CVE-2018-6389, Monero)

The post Almost all WordPress websites could be taken down due to unpatched CVE-2018-6389 DoS flaw appeared first on Security Affairs.

Hacking Amazon Key – Hacker shows how to access a locked door after the delivery

Other problems for the Amazon Key technology, a hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.

Earlier in November, Amazon announced for its Prime members the Amazon Key, a program that would allow a delivery person to enter your home under video surveillance, securely drop off the package, and leave with the door locking behind them. The system could also be used to grant access to the people you trust, like your family, friends, or house cleaner.

A few days after the announcement, researchers with Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could let a rogue courier access the customers’ home.

 

Amazon Key app.png

Unfortunately, the technology seems to be totally secure, a hacker has in fact demonstrated another attack on the Amazan Key.

The hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.

Technical details of the attack are not available, the hacker used a “dropbox” device that appears as tiny PC with Wi-Fi connectivity that is able to control the Amazon Key.

The Dropbox can be used to unlock the Amazon Key or to trigger a DoS condition in which the Amazon’s device is not able to lock the door after a courier accessed the customers’ home.

Pierluigi Paganini 

(Security Affairs – Amazon Key, De-authentication attack)

The post Hacking Amazon Key – Hacker shows how to access a locked door after the delivery appeared first on Security Affairs.

Cybersecurity week Round-Up (2018, Week 5)

Cybersecurity week Round-Up (2018, Week 5) -Let’s try to summarize the most important event occurred last week in 3 minutes.

The week began with massive cyber attacks against three Dutch banks and the National Tax Agency. Experts speculate the involvement of Russia because the attacks started after the revelation of the hack of the APT 28 group operated by the Dutch intelligence.

The wave of attacks against the cryptocurrency sector continues.
Security experts spotted two huge botnets and a malware specifically designed to mine cryptocurrency abusing victims’ resources.

The first mining botnet dubbed Smominru was discovered by researchers from Proofpoint. The malware uses the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.

The Smominru botnet has already infected more than half million systems.

It has been estimated that the botnet already mined 8,900 Monero ($2,346,271 at the current rate).

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers. The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017.

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

APT groups are even more dangerous. Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor. The backdoor was used in attacks against Middle Eastern government organizations and financial and educational institutions.

South Korea warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks.

In the second part of the week, security experts from Bitdefender detailed the malware Operation PZChao that was attributed to the Chinese Iron Tiger APT.

One of the most clamorous cases of the weak is the data leak that involved military personnel data caused by the improper use of the Fitness Strava Application.
The data leak exposed information related to military bases worldwide, some of them were not publicly disclosed before.

The Meltdown and Spectre saga is going on.

Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks to problems reported by its customers after the installation of the security patches.

While experts claim Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws, malware researchers have spotted proof-of-concept malicious code that exploits Spectre and Meltdown flaws.

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.

Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US.

Pierluigi Paganini

(Security Affairs – cybersecurity, cyberweek)

The post Cybersecurity week Round-Up (2018, Week 5) appeared first on Security Affairs.

Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users

The image of a memo leaked online suggests US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero,

US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero, this is the truth revealed by a photo alleged leaked by US Army.
The image revealed a joint project to track anonymous cryptocurrencies conducted by US Army’s Cyber Protection Team (CPT) from the Cyber Protection Brigade and NSA.
The photo of the memo is dated August 21, 2017, and was posted in the biz section of 4chan. The content reads:

“MEMORANDUM FOR RECORD

SUBJECT: Additional resource request for ACC project

  1. 2nd Battalion’s joint NSA/CPT [Cyber Protection Team] anonymous cryptocurrency project needs additional support in the form of new hires and additional funding to meet GWOT [Global War On Terror] and drug interdiction objectives outlined in July’s Command update brief.
    • Requesting authorization to add additional civilian consultants to the ACC project and to initiate their SCI investigations
    • Requesting additional funds for class 7 and 9, amounts indicated in attached cost analysis worksheet.
  2. The success we have had with Tor, I2P, and VPN cannot be replicated with those currencies that do not rely on nodes [?]. There is a growing trend in the employment of Stealth address and ring signatures that will require additional R&D. Please reference the weekly SITREP [SITuation REPort] ON SIPR for more details regarding the TTPs involved.
  3. BLUF [Bottom Line, Up Front]: In order to put the CPT back on track, we need to identify and employ additional personnel who are familiar with the CryptoNote code available for use in anonymous currencies.
  4. Include this request for discussion at the next training meeting.
  5. Point of contact for this memorandum is CW4 Henry, James P. at DSN (312)-780-2222.

JAMES,HENRY
.P1363921716

JAMES P. HENRY
CW4, USASPB”

NSA US army unmask Monero Tor I2P VPN

The memo explicitly refers to the difficulties in unmasking cryptocurrencies that are based on the CryptoNote that is an application layer protocol implemented in the scheme of several decentralized privacy oriented digital currencies.

The document requests the allocation of additional resources to track anonymous cryptocurrencies like Monero (XMR), Anonymous Electronic Online CoiN (AEON), DarkNet Coin (DNC), Fantomcoin (FCN), and Bytecoin (BCN).

The US authorities believe that Monero would become the main cryptocurrency in the criminal underground.

Researchers at DeepDotWeb verified the authenticity of Defense Switched Network (DSN) phone number listed for James P. Henry

“There is a Defense Switched Network (DSN) phone number listed for James P. Henry. When this DSN phone number was converted into a phone number that can be reached from the regular commercial phone network and called, the number was in fact the US Army’s Cyber Protection Brigade located in Fort Gordon, Georgia, just as the document purported to originate from.” states the blog post published by DeepDotWeb.

“While it is possible someone could have done a search for the Cyber Protection Brigade telephone number and used the conversion chart to recreate the DSN version of the phone number, it should be noted that the DSN phone number was not published on the internet prior to the release of this leak.”

DeepDotWeb requested comments from a Monero developer and others sources who were formerly in the Army, they all confirmed that the document appears to be authentic and its content plausible.

DeepDotWeb cited an anonymous source who is still serving in the US Army, that after analyzed the document said it was accurate.

Security experts believe that the US intelligence and military are using internal resources to conduct surveillance on blockchains.

It is still unclear who leaked the memo, someone speculates it was intentionally published with a deterrence purpose.

Tor, I2P, and VPNs are not completely compromised by the intelligence agency, persistent attackers have already proposed and implemented techniques to unmask users but that are not effective for dragnet surveillance.

Documents leaked by Edward Snowden revealed that the NSA is able to unmask VPN solutions based on vulnerable VPN protocols such as the PPTP, however, VPNs which rely on OpenVPN may not be compromised.

Don’t forget that anonymizing networks are essential to fight censorship and to ensure freedom of speech.

Looking at the photo it is possible to note above the laptop’s monitor, in the bottom right of the photo, a Common Access Card (CAC) that is a smart ID card used by the Department of Defense.

I believe it was intentionally put there with a diversionary intent.

 

Pierluigi Paganini

(Security Affairs – NSA, Monero)

The post Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users appeared first on Security Affairs.

Security Affairs: Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users

The image of a memo leaked online suggests US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero,

US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero, this is the truth revealed by a photo alleged leaked by US Army.
The image revealed a joint project to track anonymous cryptocurrencies conducted by US Army’s Cyber Protection Team (CPT) from the Cyber Protection Brigade and NSA.
The photo of the memo is dated August 21, 2017, and was posted in the biz section of 4chan. The content reads:

“MEMORANDUM FOR RECORD

SUBJECT: Additional resource request for ACC project

  1. 2nd Battalion’s joint NSA/CPT [Cyber Protection Team] anonymous cryptocurrency project needs additional support in the form of new hires and additional funding to meet GWOT [Global War On Terror] and drug interdiction objectives outlined in July’s Command update brief.
    • Requesting authorization to add additional civilian consultants to the ACC project and to initiate their SCI investigations
    • Requesting additional funds for class 7 and 9, amounts indicated in attached cost analysis worksheet.
  2. The success we have had with Tor, I2P, and VPN cannot be replicated with those currencies that do not rely on nodes [?]. There is a growing trend in the employment of Stealth address and ring signatures that will require additional R&D. Please reference the weekly SITREP [SITuation REPort] ON SIPR for more details regarding the TTPs involved.
  3. BLUF [Bottom Line, Up Front]: In order to put the CPT back on track, we need to identify and employ additional personnel who are familiar with the CryptoNote code available for use in anonymous currencies.
  4. Include this request for discussion at the next training meeting.
  5. Point of contact for this memorandum is CW4 Henry, James P. at DSN (312)-780-2222.

JAMES,HENRY
.P1363921716

JAMES P. HENRY
CW4, USASPB”

NSA US army unmask Monero Tor I2P VPN

The memo explicitly refers to the difficulties in unmasking cryptocurrencies that are based on the CryptoNote that is an application layer protocol implemented in the scheme of several decentralized privacy oriented digital currencies.

The document requests the allocation of additional resources to track anonymous cryptocurrencies like Monero (XMR), Anonymous Electronic Online CoiN (AEON), DarkNet Coin (DNC), Fantomcoin (FCN), and Bytecoin (BCN).

The US authorities believe that Monero would become the main cryptocurrency in the criminal underground.

Researchers at DeepDotWeb verified the authenticity of Defense Switched Network (DSN) phone number listed for James P. Henry

“There is a Defense Switched Network (DSN) phone number listed for James P. Henry. When this DSN phone number was converted into a phone number that can be reached from the regular commercial phone network and called, the number was in fact the US Army’s Cyber Protection Brigade located in Fort Gordon, Georgia, just as the document purported to originate from.” states the blog post published by DeepDotWeb.

“While it is possible someone could have done a search for the Cyber Protection Brigade telephone number and used the conversion chart to recreate the DSN version of the phone number, it should be noted that the DSN phone number was not published on the internet prior to the release of this leak.”

DeepDotWeb requested comments from a Monero developer and others sources who were formerly in the Army, they all confirmed that the document appears to be authentic and its content plausible.

DeepDotWeb cited an anonymous source who is still serving in the US Army, that after analyzed the document said it was accurate.

Security experts believe that the US intelligence and military are using internal resources to conduct surveillance on blockchains.

It is still unclear who leaked the memo, someone speculates it was intentionally published with a deterrence purpose.

Tor, I2P, and VPNs are not completely compromised by the intelligence agency, persistent attackers have already proposed and implemented techniques to unmask users but that are not effective for dragnet surveillance.

Documents leaked by Edward Snowden revealed that the NSA is able to unmask VPN solutions based on vulnerable VPN protocols such as the PPTP, however, VPNs which rely on OpenVPN may not be compromised.

Don’t forget that anonymizing networks are essential to fight censorship and to ensure freedom of speech.

Looking at the photo it is possible to note above the laptop’s monitor, in the bottom right of the photo, a Common Access Card (CAC) that is a smart ID card used by the Department of Defense.

I believe it was intentionally put there with a diversionary intent.

 

Pierluigi Paganini

(Security Affairs – NSA, Monero)

The post Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users appeared first on Security Affairs.



Security Affairs

Security Affairs: GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

  • Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
  • Large’ partners are able to increase their percentage of proceeds to 70 per cent
  • As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
  • Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
  • Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.

The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.

 

Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

The post GandCrab, a new ransomware-as-a-service emerges from Russian crime underground appeared first on Security Affairs.



Security Affairs

GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

  • Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
  • Large’ partners are able to increase their percentage of proceeds to 70 per cent
  • As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
  • Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
  • Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.

The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.

 

Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

The post GandCrab, a new ransomware-as-a-service emerges from Russian crime underground appeared first on Security Affairs.

Security Affairs newsletter Round 148 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

·      Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected
·      Download URLs for two packages of the phpBB forum software were compromised
·      Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor
·      Japan-based digital exchange Coincheck to refund to customers after cyberheist
·      #ThinkBeyond – Security solutions from market leaders may all fail in your particular environment
·      A new report from MALWAREBYTES reveals a rise of 90% on ransomware detection in business
·      Cybersecurity week Round-Up (2018, Week 4)
·      Dridex banking Trojan and the FriedEx ransomware were developed by the same group
·      Military personnel improperly used Fitness Strava Tracker exposed their bases
·      On Saturday Malwarebytes delivered a buggy update that caused excessive memory usage and crashes.
·      Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks
·      Cisco ASA software is affected by a flaw with 10 out of 10 severity rating. Patch it asap
·      Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US
·      Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws
·      Three Dutch banks and Tax Agency under DDoS Attacks … is it a Russian job?
·      Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded
·      Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?
·      Mozilla fixes a critical remote code execution vulnerability in Firefox
·      Once again, Oracle MICROS PoS have been breached
·      US Attorney General set up the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking
·      Malware exploiting Spectre and Meltdown flaws are currently based on available PoC
·      Mining Smominru botnet used NSA exploit to infect more than 526,000 systems
·      Siemens fixed three flaws in plant management product Siemens TeleControl Basic system
·      South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks
·      WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit
·      Chinese Iron Tiger APT is back, a close look at the Operation PZChao
·      DDG, the second largest mining botnet targets Redis and OrientDB servers
·      Hundreds of ICS products affected by a critical flaw in CODESYS WebVisu
·      Researchers discovered several zero-day flaws in ManageEngine products
·      Watch out, cyber criminals are using fake FBI emails to infect your computer
·      Japans Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack
·      JenX botnet leverages Grand Theft Auto videogame community to infect devices
·      Western Digital My Cloud flaws allows local attacker to gain root access to the devices
·      Why are we all silent on the surveillance?

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 148 – News of the week appeared first on Security Affairs.

Security Affairs: UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine

Aiming to tackle threats from rogue nations and hackers The UK Government urges to boost security measures of services in critical sectors.

On November 2016 United Kingdom published the National Cyber Security Strategy to address cyber threats from rogue nations like Iran, Russia, China, terrorists, states sponsored hackers and cyber menaces like ransomware against the national infrastructure.

On August 2017 UK government published a public consultation to improve United Kingdom essential services in electricity, transport, water, energy, health and digital infrastructure in accordance with the Directive of Security of Network and Information Systems (known as NIS Directive) in cooperation with the Member States within the European Union (EU).

The NIS Directive consultation covered six main topics that are the following: identification of essential services, national Framework to manage implementation, security requirements for operators of essential services, incident reporting requirements for operators of essential services, requirements on Digital Service Providers and proposed penalty regime.

The Directive comes into play to cover aspects of network security that are not present in GDPR. Regarding GDPR the Directive aligns itself with the deadline for the implementation.

It is important to notice that there are two major and distinct bodies inspecting the compliance of the NIS Directive, the Competent Authorities, and NCSC. NCSC stands for National Cyber Security Centre a part of GCHQ, while Competent Authority stands for Regulator Body defined in NIS Directive scope for different critical sectors. This division aims to allow NCSC to carry out its function in providing expert advice and incident response capability to cyber attacks.

The NIS Directive is established in a layered fashion with a mandatory security outcome to be achieved with each principle like the NIST Security Framework. This assures that the NIS Directive can be implemented throughout the whole industry regardless their sectors. The layered approach takes into account the implementation of the principles without discarding the actual infrastructure.

UK Government

The NIS Directive is composed of 14 principles that can be divided into four major objectives: Management of security risks (Governance, Risk Management, Asset Management, Supply chain), Protection of cyber attacks (Service protection policies and processes, Identity and access control, Data Security, System security, Resilient Networks & Systems, Staff Awareness & Training), Detection of cyber security events (Security Monitoring, Anomaly Detection) and reduction of the impact of cyber security events (Response and Recovery Planning, Improvements).

The directive sets the scope for the identification of operators of essential services and significant disruptive effects that that may pose a threat to national security, the potential threat to public safety and the possibility of significant adverse social or economic impact. The NIS Directive lay the ground for a national framework where Government ensures that the Competent Authorities have the necessary legislative provision to accomplish their duties and the necessary resources to conduct their activities.

The penalty will only be applied once the operator of essential service fails to comply with the directive tacking into account these following criteria listed in article 14, Security requirements and incident notification: the number of users affected by the disruption of the essential service, duration of the incident and the geographical spread with regard to the area affected by the incident. The fine will be judged and decided upon the accordance with the proper measures that were not taken and nor implemented, with a maximum value of €17 million. There are some uncertainties if essential services providers can accomplish the implementation requirements of NIS Directive until May 2018.

Sources:

http://www.bbc.com/news/technology-42861676
http://www.securityweek.com/uk-warns-critical-industries-boost-cyber-defense-or-face-hefty-fines
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
https://www.infosecurity-magazine.com/news/uk-government-warns-of-17m/
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
http://www.businessinsurance.com/article/20180129/STORY/912318798/UK-to-fine-firms-up-to-%2424-million-for-lax-cybersecurity
https://www.gov.uk/government/news/government-acts-to-protect-essential-services-from-cyber-attack
https://www.scmagazineuk.com/uk-companies-warned-to-boost-cyber-security-or-face-fines/article/740029/
https://www.computing.co.uk/ctg/news/3025464/critical-infrastructure-firms-could-be-fined-up-to-gbp17m-for-lacklustre-cyber-security
http://www.computerweekly.com/news/252433946/Hefty-fines-confirmed-for-CNI-providers-with-poor-cyber-security
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf
https://www.ncsc.gov.uk/guidance/nis-directive-top-level-objectives
https://www.ncsc.gov.uk/guidance/nis-guidance-collection
https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC

 

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – UK Government security measures, NIS Directive)

The post UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine appeared first on Security Affairs.



Security Affairs

UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine

Aiming to tackle threats from rogue nations and hackers The UK Government urges to boost security measures of services in critical sectors.

On November 2016 United Kingdom published the National Cyber Security Strategy to address cyber threats from rogue nations like Iran, Russia, China, terrorists, states sponsored hackers and cyber menaces like ransomware against the national infrastructure.

On August 2017 UK government published a public consultation to improve United Kingdom essential services in electricity, transport, water, energy, health and digital infrastructure in accordance with the Directive of Security of Network and Information Systems (known as NIS Directive) in cooperation with the Member States within the European Union (EU).

The NIS Directive consultation covered six main topics that are the following: identification of essential services, national Framework to manage implementation, security requirements for operators of essential services, incident reporting requirements for operators of essential services, requirements on Digital Service Providers and proposed penalty regime.

The Directive comes into play to cover aspects of network security that are not present in GDPR. Regarding GDPR the Directive aligns itself with the deadline for the implementation.

It is important to notice that there are two major and distinct bodies inspecting the compliance of the NIS Directive, the Competent Authorities, and NCSC. NCSC stands for National Cyber Security Centre a part of GCHQ, while Competent Authority stands for Regulator Body defined in NIS Directive scope for different critical sectors. This division aims to allow NCSC to carry out its function in providing expert advice and incident response capability to cyber attacks.

The NIS Directive is established in a layered fashion with a mandatory security outcome to be achieved with each principle like the NIST Security Framework. This assures that the NIS Directive can be implemented throughout the whole industry regardless their sectors. The layered approach takes into account the implementation of the principles without discarding the actual infrastructure.

UK Government

The NIS Directive is composed of 14 principles that can be divided into four major objectives: Management of security risks (Governance, Risk Management, Asset Management, Supply chain), Protection of cyber attacks (Service protection policies and processes, Identity and access control, Data Security, System security, Resilient Networks & Systems, Staff Awareness & Training), Detection of cyber security events (Security Monitoring, Anomaly Detection) and reduction of the impact of cyber security events (Response and Recovery Planning, Improvements).

The directive sets the scope for the identification of operators of essential services and significant disruptive effects that that may pose a threat to national security, the potential threat to public safety and the possibility of significant adverse social or economic impact. The NIS Directive lay the ground for a national framework where Government ensures that the Competent Authorities have the necessary legislative provision to accomplish their duties and the necessary resources to conduct their activities.

The penalty will only be applied once the operator of essential service fails to comply with the directive tacking into account these following criteria listed in article 14, Security requirements and incident notification: the number of users affected by the disruption of the essential service, duration of the incident and the geographical spread with regard to the area affected by the incident. The fine will be judged and decided upon the accordance with the proper measures that were not taken and nor implemented, with a maximum value of €17 million. There are some uncertainties if essential services providers can accomplish the implementation requirements of NIS Directive until May 2018.

Sources:

http://www.bbc.com/news/technology-42861676
http://www.securityweek.com/uk-warns-critical-industries-boost-cyber-defense-or-face-hefty-fines
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
https://www.infosecurity-magazine.com/news/uk-government-warns-of-17m/
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
http://www.businessinsurance.com/article/20180129/STORY/912318798/UK-to-fine-firms-up-to-%2424-million-for-lax-cybersecurity
https://www.gov.uk/government/news/government-acts-to-protect-essential-services-from-cyber-attack
https://www.scmagazineuk.com/uk-companies-warned-to-boost-cyber-security-or-face-fines/article/740029/
https://www.computing.co.uk/ctg/news/3025464/critical-infrastructure-firms-could-be-fined-up-to-gbp17m-for-lacklustre-cyber-security
http://www.computerweekly.com/news/252433946/Hefty-fines-confirmed-for-CNI-providers-with-poor-cyber-security
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf
https://www.ncsc.gov.uk/guidance/nis-directive-top-level-objectives
https://www.ncsc.gov.uk/guidance/nis-guidance-collection
https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC

 

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – UK Government security measures, NIS Directive)

The post UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine appeared first on Security Affairs.

More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails

Participants to the Bee Token ICO were robbed for 100s of ETH, scammers sent out a phishing email stating that the ICO was now open, followed by an Ethereum address they controlled.

Another day, another incident involving cryptocurrencies, hundreds of users fell victims to email scams in the last days.

The victims were tricked by scammers into sending more than $1 million worth of Ethereum to them as part of Bee Token ICO (Initial Coin Offering). Bee Token is a blockchain-based home sharing service, it launched the ICO on January 31 and ended on February 2, when the Bee team obtained the $5 million necessary to start their project.

During the period of the ICO, the crooks sent phishing emails posing as the Bee Token ICO.

The scammers, impersonating the Bee team, sent out emails with a character of urgency to the potential investors inviting them to buy Bee Tokens by transferring Ethereum coins to their wallets.

The scammers attempted to convince users to participate to the ICO by sending Ethereum spreading the news that the company started a partnership with Microsoft and would be giving participants a 100% bonus for all contributions in the next 6 hours.

Cybercriminals also guaranteed that the value of Bee Token would double within 2 months, or participants would receive their RTH back.

“Today, investors who were eagerly waiting for their opportunity to join the Bee Token ICO were robbed for 100s of ETH. Scammers managed to get their hands on the Bee Token mailing list and sent out a phishing email stating that the ICO was now open, followed by an Ethereum address to send their contributions to.” states the blog post published TheRippleCryptocurrency.

After the Bee team became aware of fraudulent activity it issued three security alerts to warn of the ongoing scam:

The Bee Token team has been made aware of phishing sites that have copied the Bee Token website in an attempt to deceive users into sending them their money. Please DO NOT trust any website other than https://www.beetoken.com/ . REPEAT: DO NOT trust any website other than https://www.beetoken.com/reads one of the Bee Token Security Notice.

The Bee Token team also created a Google scam reporting form to allow users to report scams.

The RippleCryptocurrency.com had access to two different versions of the email that reported the following Ethereum addresses used by crooks:

a third one was reported on Reddit by users:

The overall amount of money contained in the three wallets at the end of the ICO was over $1 million.

Unfortunately such kind of incident is not uncommon, for this reason, Facebook banned ads for ICOs and cryptocurrencies on its social network.

Pierluigi Paganini

(Security Affairs – Bee Tokens, scam)

The post More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails appeared first on Security Affairs.

Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack

 

Cryptocurrencies are in the middle of a Tempest, on Thursday India announced it would adopt measures to prevent the use of virtual currencies in the country, the value of Bitcoin dropped below $9,000 for the first time since November. Finance Minister Arun Jaitley, in his annual budget, explained its government would “take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system”.

coincheck hack coindesk

A week after the security breach suffered by the virtual currency exchange Coincheck, Japanese authorities raided the company.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

After the MtGox case, the Japanese government passed a law on cryptocurrencies that assigns to the FSA the tack of regulating the exchanges operating in the country.

Coincheck had submitted an application to the FSA for a licence, the company was waiting for the permission.

This week, Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia. The company announced it will refund about $400 million to customers after the hack. 

Japanese media criticized the company blaming the management to have underestimated the importance of security of its investor, they said Coincheck “expanded business by putting safety second”.

On Friday, agents of the Financial Services Agency raided the Coincheck’s headquarters in Tokyo’s Shibuya district with the intent to verify that the company adopted proper security measures to protect its assets.

“We have launched an on-site inspection to ensure preservation of clients’ assets,” said Finance Minister Taro Aso.

Japan’s Financial Services Agency gave Coincheck until February 13 to investigate the hack, implements additional security measures and “properly” deal with the affected clients.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

The post Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack appeared first on Security Affairs.

JenX botnet leverages Grand Theft Auto videogame community to infect devices

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that exploits vulnerabilities triggered by the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect devices.

The activity of the Satori botnet has been observed in 2017 by researchers from Check Point security, it uses A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532.

JenX exploits the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution). that affect Huawei and Realtek routers.

“A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:

“Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”

JenX also implemented some techniques used by the recently discovered PureMasuta botnet.

The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also DDoS-for-hire service.

JenX is a DDoS botnet, the DDoS  option offered by San Calvicie is called “Corriente Divina.”

The users of the website can rent a GTA San Andreas multiplayer modded server for $16 and a Teamspeak server goes for $9. Adding $20 it is possible to power massive DDoS attacks that can peak 290 and 300 Gbps.

“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” wrote Radware’s Cyber Security expert Pascal Geenens. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

jenx botnet

Differently from Satori and PureMasuta botnets, JenX has a centralized infrastructure, it uses a central server to perform the scanning of new hosts.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” continues the analysis.

The presence of a central server that coordinates the activity makes it easy for law enforcement and security firms to take down the botnet. Of course, threat actors can deploy the control server to the Dark Web making hard take over from law enforcement.

Even if the JenX is able to power massive DDoS attacks, for now, is doesn’t represent a  serious threat because it aims to disrupt services from competing for GTA SA multiplayer servers.

“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens concluded.

“But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it.”

Pierluigi Paganini

(Security Affairs – JenX botnet, IoT)

The post JenX botnet leverages Grand Theft Auto videogame community to infect devices appeared first on Security Affairs.

Western Digital My Cloud flaws allows local attacker to gain root access to the devices

Trustwave disclosed two vulnerabilities in Western Digital My Cloud network storage devices could be exploited by a local attacker to gain root access to the NAS devices.

Researchers at Trustwave disclosed two new vulnerabilities in Western Digital My Cloud network storage devices could be exploited by a local attacker to delete files stored on devices or to execute shell commands as root.

The two Western Digital My Cloud flaws are an arbitrary command execution vulnerability and an arbitrary file deletion issue. The arbitrary command execution vulnerability affects the common gateway interface script “nas_sharing.cgi” that allows a local user to execute shell commands as root. Hardcoded credentials allows any users to authenticate to the device using the username “mydlinkBRionyg.

“The first finding was discovering hardcoded administrator credentials in the nas_sharing.cgibinary. These credentials allow anyone to authenticate to the device with the username “mydlinkBRionyg”.” states the analysis published by Trustwave. “Considering how many devices are affected this is very serious one. Interestingly enough another researcher independently released details on the same issue less than a month ago.”

The arbitrary file deletion vulnerability is also tied to the common gateway interface script “nas_sharing.cgi”.

“Another problem I discovered in nas_sharing.cgi is that it allows any user execute shell commands as root. To exploit this issue the “artist” parameter can be used.” continues the analysis.

Western Digital My Cloud

Chaining the two flaws it is possible to execute commands as root, a local attacker could log in using the hardcoded credentials and executing a command that is passed inside the “artist” parameter using base64 encoding.

The Western Digital models affected are My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Trustwave reported the issues to Western Digital in 2017, according to the researchers the flaws are addressed with the firmware (version 2.30.172 ) update, released on Nov. 16, 2017.

“As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device.recommends Western Digital.

Pierluigi Paganini

(Security Affairs – Western Digital My Cloud, hacking)

The post Western Digital My Cloud flaws allows local attacker to gain root access to the devices appeared first on Security Affairs.

Chinese Iron Tiger APT is back, a close look at the Operation PZChao

Chinese Iron Tiger APT is back, the new campaign, dubbed by Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.

Malware researchers from Bitdefender have discovered and monitored for several months the activity of a custom-built backdoor capable of password-stealing, bitcoin-mining, and of course to gain full control of the victim’s machine.

The campaign, dubbed by Bitdefender, Operation PZChao is targeting government, technology, education, and telecommunications organizations in Asia and the US.

“This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.” states the report published by BitDefender.
“An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.”

It is interesting to notice that the malware features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery).

The experts who analyzed the command and control infrastructure and malicious codes used by the hackers (i.e. Gh0st RAT) speculate the return of the Iron Tiger APT group.

The Iron Tiger APT (aka Panda Emissary or TG-3390) is active at least since 2010 and targeted organization in APAC, but since 2013 it is attacking high-technology targets in the US.

The experts found many similarities between the Gh0stRat samples used in the Operation PZChao and the ones used in past campaigns associated with the Iron Tiger APT.

Attackers behind the Operation PZChao targeted victims with spear-phishing messages using a malicious VBS file attachment that once executed will download the malicious payloads to Windows systems from a distribution server. The researchers determined the IP address of the server, it is “125.7.152.55” in South Korea and hosts the “down.pzchao.com”.

Experts highlighted that new components are downloaded and executed on the target system in every stage of the attack.

Operation PZChao

 

The experts discovered that the first payload dropped onto compromised systems is a bitcoin miner.

The miner is disguised as a ‘java.exe’ file and used every three weeks at 3 am to avoid being noticed while mining cryptocurrency likely to fund the campaign.

But don’t forget that the main goal of the Operation PZChao is cyber espionage, the malicious code leverages two versions of the Mimikatz tool to gather credentials from the infected host.

The most important component in the arsenal of the attacker remains the powerful  Gh0sT RAT malware that allows controlling every aspect of the infected system.

“this remote access Torjan’s espionage capabilities and extensive intelligence harvesting from victims turns it into an extremely powerful tool that is very difficult to identify,”  concluded Bitdefender. “The C&C rotation during the Trojan’s lifecycle also helps evade detection at the network level, while the impersonation of legitimate, known applications takes care of the rest.”

 

Pierluigi Paganini

(Security Affairs –  Iron Tiger APT, Operation PZChao)

The post Chinese Iron Tiger APT is back, a close look at the Operation PZChao appeared first on Security Affairs.

Hundreds of ICS products affected by a critical flaw in CODESYS WebVisu

Researcher discovered a critical vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product currently used in 116 PLCs and HMIs from many vendors,

Security researcher Zhu WenZhe from Istury IOT discovered a critical stack-based buffer overflow vulnerability in the web server component of 3S-Smart Software Solutions’ CODESYS WebVisu product that allows users to view human-machine interfaces (HMIs) for programmable logic controllers (PLCs) in a web browser.

The vulnerability is tracked as CVE-2018-5440 and it has been assigned a CVSS score of 9.8, and the worst news is that it is quite easy to exploit.

The WebVisu product is currently used in 116 PLCs and HMIs from many vendors, including Schneider Electric, Hitachi, Advantech, Berghof Automation, Hans Turck, and NEXCOM.

An attacker can remotely trigger the flaw to cause a denial-of-service (DoS) condition and under some conditions execute arbitrary code on the web server.

“A crafted request may cause a buffer overflow and could therefore execute arbitrary code on the web server or lead to a denial-of-service condition due to a crash in the web server. ” reads the security advisory issued by CODESYS.

According to CODESYS, there is no evidence that the flaw has been exploited in the wild.

The flaw affects all Microsoft Windows (also WinCE) based CODESYS V2.3 web servers running stand-alone or as part of the CODESYS runtime system prior version V1.1.9.19.

The company has released the CODESYS web server V.1.1.9.19 for CODESYS V2.3 to
address the flaw. This is also part of the CODESYS setup V2.3.9.56.

The vendor also recommends organizations to restrict access to controllers, use firewalls to control the accesses and VPNs.

In December 2017, security researchers at SEC Consult discovered a flaw in version 2.4.7.0 of the CODESYS runtime which is included on PFC200s with firmware version 02.07.07. The CODESYS runtime is commonly included on PLCs to allow for easy programming by users. 17 models of WAGO PFC200 Series PLC were found vulnerable to remote exploit.

A PLC flaw can be a serious threat to production and critical infrastructure

Back to the present, querying the Shodan search engine for port 2455 used by CODESYS protocol we can find more than 5,600 systems are exposed online, most of them in the United States, Germany, Turkey, and China.

CODESYS hack

 

Pierluigi Paganini

(Security Affairs – WannaMine , cryptocurrency miner)

The post Hundreds of ICS products affected by a critical flaw in CODESYS WebVisu appeared first on Security Affairs.

DDG, the second largest mining botnet targets Redis and OrientDB servers

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers.

A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.

According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and is continuously updated throughout 2017.

“Starting 2017-10-25, we noticed there was a large scale ongoing scan targeting the OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine Monero CryptoCurrency. We name it DDG.Mining.Botnet after its core function module name DDG.” reads the analysis published by Netlab.

The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017, DDG is among the largest mining botnets.

Yesterday I wrote about the greatest mining botnet called Smominru that has infected over 526,000 Windows machines, its operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

The malware exploits the remote code execution vulnerability CVE-2017-11467 to compromise OrientDB databases and targets Redis servers via a brute-force attack.

Crooks are focusing their efforts on attacks against servers that usually have significant computing capabilities.

The attack chain described by the researchers from Qihoo 360’s Netlab is composed of the following steps:

  • Initial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops the attack payload
  • Stage 1: Attackers modify local Crontab scheduled tasks, download and execute i.sh (hxxp: //218.248.40.228:8443/i.sh) on the primary server and keep it synchronized every 5 minutes
  • Stage 2: DDG traverses the built-in file hub_iplist.txt, check the connectivity of every single entry and try to download the corresponding Miner program wnTKYg from the one can be successfully connected (wnTKYg.noaes if the native CPU does not support AES-NI)
  • Mining Stage: The Miner program begins to use the computing resources of the compromised host to begin mining for the attacker’s wallet.

The following image shows the DDG Mining Botnet attack process:

DDG botnet

The researchers conducted sinkholing of the botnet traffic and observed 4,391 IP addresses of compromised servers from all countries. Most of the infections is in China (73%), followed by the United States (11%), the botnet is mainly composed of compromised Redis databases (88%).

Cybercriminals are using three wallet addresses, the botnet mined 3,395 Monero ($925,000), but researchers also discovered another wallet containing 2,428 Monero ($660,000).

“The total income is Monroe 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is an issue for the second wallet, where “Total Paid” is not consistent with the summary of all tractions’ amount. We cannot confirm which number is more accurate, so we show both numbers here.” continues the analysis.

Further information including the IoCs are included in the technical report published by Qihoo 360’s Netlab.

 

Pierluigi Paganini

(Security Affairs – DDG botnet, mining)

The post DDG, the second largest mining botnet targets Redis and OrientDB servers appeared first on Security Affairs.

Researchers discovered several zero-day flaws in ManageEngine products

Security experts at Digital Defense have discovered several vulnerabilities in the products of the Zoho-owned ManageEngine.

The list of vulnerabilities discovered includes a flaw that could be exploited by an attacker to take complete control over the vulnerable application.

The flaws affect ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.

ManageEngine has more than 40,000 customers worldwide and provides complete solutions for IT management.

manageengine products

One of the vulnerabilities affects the ManageEngine ServiceDesk Plus help desk software, the experts discovered an unauthenticated file upload flaw that could be exploited by an attacker to upload a JavaScript web shell and use it to execute arbitrary commands with SYSTEM privileges.

Researchers also discovered several blind SQL injection vulnerabilities that could be triggered by an unauthenticated attacker to take complete control of an application.

These ManageEngine products are also affected by an enumeration flaw that can be exploited to access user personal data, including usernames, phone numbers, and email addresses.

“[Digital Defense] announced that its Vulnerability Research Team (VRT) uncovered multiple, previously undisclosed vulnerabilities within several ManageEngine products, allowing unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.” reads the press release issued by the company.

“Application layer vulnerabilities continue to be a key area of focus for software vendors,” said Mike Cotton, vice president of engineering at Digital Defense. “We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”

ManageEngine promptly released security updates to address the vulnerabilities discovered by researchers at Digital Defense report.

Pierluigi Paganini

(Security Affairs – ManageEngine, hacking)

The post Researchers discovered several zero-day flaws in ManageEngine products appeared first on Security Affairs.

Watch out, cyber criminals are using fake FBI emails to infect your computer

The FBI Internet Crime Complaint Center (IC3) is warning of a new malware campaign aimed at infecting victims with weaponized attachments.

The Feds’ Internet Crime Complaint Center (IC3) is warning of a new spam campaign aimed at infecting victims with a ransomware. According to an alert issued on Wednesday by the IC3, numerous citizens filled complaints after received emails purporting to be from IC3. The message pretends to be the compensation from a cyber attack and asks the victims to fill the attached document, but the file is laced with malware.

The story is interesting, the email reports that a Nigerian cyber criminal had been arrested and feds have found the recipient’s email address of the alleged scammer’s PC. The email asks victims to return the document with recipient info and wait for the refund to arrive. Once the victim has opened the document, the infection process will start.

FBI

The FBI has identified at least three other versions of the IC3 impersonation scam:

  • “The first involved a fake IC3 social media page, which advertised itself as the FBI Cyber Crime Department (IC3) and requested recipients provide personal information in order to report an internet crime.” states the alert issued by the FBI. “
  • “The second involved an email which stated the recipient was treated unfairly by various banks and courier companies. The email claimed the recipient’s name was found in a financial company’s database and that they will be compensated for this unfair treatment.”
  • “The third example involved an email from the Internet Crime Investigation Center/Cyber Division and provided an address in Minneapolis, Minnesota. The email also included a case reference number in the subject line. The email informed the recipient that their IP address was referred to the IC3 as a possible victim of a federal cyber-crime. The email then requests the recipient to contact the sender via telephone.”

FBI is currently investigating the cases, victims of an online scam can file a complaint with the IC3 at www.ic3.gov.

 

Pierluigi Paganini

(Security Affairs – FBI, malware)

The post Watch out, cyber criminals are using fake FBI emails to infect your computer appeared first on Security Affairs.

South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks

South Korea’s Internet & Security Agency (KISA) is warning of a Flash zero-day vulnerability that has reportedly been exploited in attacks by North Korea’s hackers.

According to the alert published by the KISA, the vulnerability affects the latest Flash Player version 28.0.0.137 and earlier.

The zero-day vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.

“A zero-day vulnerability has been found in Adobe Flash Player. An attacker may be able to convince a user to open a Microsoft Office document, web page, or spam mail containing a Flash file,” reads the advisory published by the Korean CERT.

According to the researcher Simon Choi the Flash Player zero-day has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.

Hackers exploited the vulnerability to deliver a malware, in the image shared by Choi on Twitter shows that the exploit has been delivered via malicious Microsoft Excel files.

According to Adobe, the flaw is a critical use-after-free that allows remote code execution that received the code CVE-2018-4878.

The zero-day has been exploited in limited, surgical attacks against Windows users, Adobe plans to release a security update for the next week.

“A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.” reads the security advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.”

Flash zero-day

Waiting for the security updates, users should implement mitigations.

“Beginning with Flash Player 27, administrators have the ability to change Flash Player’s behavior when running on Internet Explorer on Windows 7 and below by prompting the user before playing SWF content,” Adobe suggests. “Administrators may also consider implementing Protected View for Office. Protected View opens a file marked as potentially unsafe in Read-only mode.”

 

Pierluigi Paganini

(Security Affairs – Flash Zero-Day, North Korea)

The post South Korea Warns of Flash Zero-Day flaw exploited by North Korea in surgical attacks appeared first on Security Affairs.

WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike. 

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.

WannaMine

The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.

 

Pierluigi Paganini

(Security Affairs – WannaMine , cryptocurrency miner)

The post WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit appeared first on Security Affairs.

Security Affairs: WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike. 

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.

WannaMine

The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.

 

Pierluigi Paganini

(Security Affairs – WannaMine , cryptocurrency miner)

The post WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit appeared first on Security Affairs.



Security Affairs

Mining Smominru botnet used NSA exploit to infect more than 526,000 systems

Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that is using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities.

The number of cyber attacks against the cryptocurrency sector continues, vxers are focusing their efforts on the development of cryptocurrency/miner malware.

Recently security experts observed cryptocurrency miners leveraging the NSA EternalBlue SMB exploit (CVE-2017-0144) as spreading mechanism.

On August 2017, a new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread.

Now researchers Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ (aka Ismo) that is using the EternalBlue exploit (CVE-2017-0144) to infect Windows computers and recruit them in Monero cryptocurrency mining activities.

” Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments  in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators.” states the analysis published by Proofpoint

With the help of Abuse.CH and the ShadowServer Foundation, Proofpoint conducted a sinkholing operation that allowed to profile the botnet.

The command and control infrastructure of the Smominru botnet is hosted on DDoS protection service SharkTech, Proofpoint promptly notified the abuse to the service provider without receiving any response.

According to the researchers, the Smominru botnet has been active at least since May 2017 and has already infected more than 526,000 Windows computers.

Most of the infected systems are servers distributed worldwide, most of them in Russia, India, and Taiwan. It is a profitable business, the operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said. “The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2).”

smominru botnet

The researchers at Proofpoint discovered that crooks are using at least 25 hosts to scan the Internet for EternalBlue vulnerable Windows computers and also leveraging the NSA EsteemAudit (CVE-2017-0176) for compromising the target machines.

The machines all appear to sit behind the network autonomous system AS63199, further technical details and the IoCs are included in the analysis published by Proofpoint.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations.” concluded the Proofpoint.

“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size.”

 

Pierluigi Paganini

(Security Affairs – Smominru botnet, Monero)

The post Mining Smominru botnet used NSA exploit to infect more than 526,000 systems appeared first on Security Affairs.

Malware exploiting Spectre and Meltdown flaws are currently based on available PoC

Malware Exploiting Spectre, Meltdown Flaws Emerges

Researchers at the antivirus testing firm AV-TEST have discovered more than 130 samples of malware that were specifically developed to exploit the Spectre and Meltdown CPU vulnerabilities.

The good news is that these samples appear to be the result of testing activities, but experts fear that we could soon start observing attacks in the wild.

Most of the codes obtained by AV-TEST are just recompiled versions of the Proof of Concept code available online. Experts at AV-TEST also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.

“We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”Andreas Marx, CEO of AV-TEST, told SecurityWeek.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.

The number of malware samples related to Meltdown and Spectre reached pi119 by January 23.

On January 31, AV-TEST confirmed to be in possession of 139 samples from various sources.

 

According to the AV-TEST CEO, several groups of experts are working on a malware that could trigger Intel flaws, most of them are re-engineering the available PoC.

“We aren’t the only ones concerned. Others in the cybersecurity community have clearly taken notice, because between January 7 and January 22 the research team at AV-Test discovered 119 new samples associated with these vulnerabilities,” reads a blog post published by Fortinet. “FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof of concept code.  The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.”

 

Pierluigi Paganini

(Security Affairs – Spectre and Meltdown, malware)

The post Malware exploiting Spectre and Meltdown flaws are currently based on available PoC appeared first on Security Affairs.

Mozilla fixes a critical remote code execution vulnerability in Firefox

Mozilla has released security updates for Firefox 58 that addresses a critical remote code vulnerability that allows a remote attacker to run arbitrary code on vulnerable systems.

Mozilla has released an update for the Firefox 58 browser  (aka Firefox Quantum) that addresses a critical flaw that could be exploited by a remote attacker to execute arbitrary code on computers running the vulnerable version of the browser.
The vulnerability, tracked as CVE-2018-5124, affects Firefox versions 56 through 58, meanwhile, it doesn’t impact Firefox for Android and Firefox 52 ESR.

The development teams behind major Linux distributions have also started rolling out updated packages that fix the flaw.

It was discovered by the Mozilla developer Johann Hofmann.

According to a security advisory published by Cisco, the Firefox 58.0.1 version fixed an ‘arbitrary code execution’ flaw that originates due to ‘insufficient sanitization’ of HTML fragments in chrome-privileged documents (browser UI).

“A vulnerability in Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.” states the security advisory.

“The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.

Firefox 58 was released on January 23, it addresses more than 30 vulnerabilities in the popular browser, some of them rated as high severity, including a use-after-free, buffer overflow, and integer overflow flaws.

According to Mozilla, its bug bounty program has already paid out nearly $1 million to white hat hackers who reported vulnerabilities.

Don’t waste time, apply the software updates as soon as possible.

 
 

Pierluigi Paganini

(Security Affairs – Spectre patches, Linus Torvalds)

The post Mozilla fixes a critical remote code execution vulnerability in Firefox appeared first on Security Affairs.

Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?

Exclusive – The Iceman gang taking responsibility for infecting Crystal Finance Millennium, the journalist Marc Miller interviewd one of the members of the crew.

Iceman gang member confirms that they are behind the introduction and spreading of malware that infected the systems at Crystal Finance Millennium.

In Septemeber security experts at TrendMicro reported that the Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware.

The incident caused the firm to take down its website to stop spreading the threat.

Crystal Finance Millennium ICEMAN

Crystal Finance Millennium attack (Source Trend Micro)

Marc Miller had a chance to speak to one of the gang members on XMMP and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company.

He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and “full automation of the doctor’s office” – contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM’s web server.

The loader (load.exe file) will, later on, download a Purge ransomware that was modified for that operation by the Iceman group. According to the gang, each target was treated individually to maximize profit. Sometimes they would run a ransomware program and sometimes they would run a banking Trojan. “When you sophisticate your attack, you can drain the sharks” – he said.

An inclusive interview is in the making to unveil the course of this attack. It will be released in the upcoming weeks.

About the Author: Marc Miller
Marc Miller is a web journalist, focused on cybercrime.

He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

 

Pierluigi Paganini

(Security Affairs – ICEMAN, Crystal Finance Millennium)

The post Is ICEMAN behind the malware-based attack on Crystal Finance Millennium? appeared first on Security Affairs.

Security Affairs: Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?

Exclusive – The Iceman gang taking responsibility for infecting Crystal Finance Millennium, the journalist Marc Miller interviewd one of the members of the crew.

Iceman gang member confirms that they are behind the introduction and spreading of malware that infected the systems at Crystal Finance Millennium.

In Septemeber security experts at TrendMicro reported that the Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware.

The incident caused the firm to take down its website to stop spreading the threat.

Crystal Finance Millennium ICEMAN

Crystal Finance Millennium attack (Source Trend Micro)

Marc Miller had a chance to speak to one of the gang members on XMMP and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company.

He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and “full automation of the doctor’s office” – contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM’s web server.

The loader (load.exe file) will, later on, download a Purge ransomware that was modified for that operation by the Iceman group. According to the gang, each target was treated individually to maximize profit. Sometimes they would run a ransomware program and sometimes they would run a banking Trojan. “When you sophisticate your attack, you can drain the sharks” – he said.

An inclusive interview is in the making to unveil the course of this attack. It will be released in the upcoming weeks.

About the Author: Marc Miller
Marc Miller is a web journalist, focused on cybercrime.

He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

 

Pierluigi Paganini

(Security Affairs – ICEMAN, Crystal Finance Millennium)

The post Is ICEMAN behind the malware-based attack on Crystal Finance Millennium? appeared first on Security Affairs.



Security Affairs

US Attorney General set up the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking

The US Attorney General announced the creation of the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking.

Tor network is still a privileged ecosystem for cyber criminals and pedos, law enforcement and intelligence agencies worldwide reserve a significative effort in fighting any illegal practice that leverages anonymizing networks.

The US Attorney General has set up a task force, dubbed Joint Criminal Opioid Darknet Enforcement (J-CODE), composed of federal agents and cyber experts to dismantle black marketplaces that offer for sale any kind of drug.

The Joint Criminal Opioid Darknet Enforcement team will be distributed in many cities across the US, the feds are tasked to infiltrate the black markets, identify the operators, and shut down them.

The darknet, and in particular black marketplaces, have a relevant aggregation role for the distribution of illegal opioids. Even if many sellers are overseas,  the Joint Criminal Opioid Darknet Enforcement team will be focused on domestic operators.

During the official announcement of the task force, Attorney General Jeff explained the abuses of anonymizing networks, but he also highlighted that they can be used for good purposes, such as to avoid censorship. Sessions added that the hard work of law enforcement agencies allowed the infiltration of illegal rings.

“Criminals think that they are safe on the darknet, but they are in for a rude awakening,” Sessions said.

“We have already infiltrated their networks, and we are determined to bring them to justice. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimately that will help us reduce addiction and overdoses across the nation.” 

Drugs represent a serious threat to the state, it has been estimated that opioids kill more than 90 Americans every day through overdoses, and this is the tip of the iceberg of a phenomenon that has many other dramatic consequences.

The creation of the Joint Criminal Opioid Darknet Enforcement is an important investment in fighting online opioid trafficking in term or resources and cyber capabilities.

“J-CODE will more than double the FBI’s investment in fighting online opioid trafficking.  The FBI is dedicating dozens more Special Agents, Intelligence Analysts, and professional staff to J-CODE so that they can focus on this one issue of online opioid trafficking.” concluded the press release published by the DoJ.

 

Pierluigi Paganini

(Security Affairs – Joint Criminal Opioid Darknet Enforcement, dark web)

The post US Attorney General set up the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking appeared first on Security Affairs.

Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded

What do you get when you add Bitcoin, with a TOR network proxy and cybercriminals? Even more cybercrime!

Bitcoin is the preferred cryptocurrency for ransomware payments. Like most cryptocurrencies it is largely anonymous, allowing the ransoming cybercriminals to collect their money while staying safely in the shadows. Even though Bitcoin is the most popular cryptocurrency, the majority of victims do not have a ready cache of Bitcoin to pay ransom with so the cybercriminals came up with a process to facilitate these ransom payments.

Payment websites are hosted on the Tor network where victims login, purchase Bitcoin and deposit them into the wallet of the bad actors. Sounds convenient, unless there is another bad actor in the middle. To understand how that happens, we first need to explain the Tor network.

Tor is an acronym based on a software project called The Onion Router. It “[redirects] Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage…“, Tor (anonymity network), Wikipedia. In other words, you must use a Tor client to connect to the Tor network and in doing so, you participate as a relay in the network helping to provide anonymity for all other users.

There are many situations where this type of Internet anonymity would be useful: researching a company without alerting them to who is looking, researching a controversial topic without being identified, avoiding oppressive government restrictions or spying, and facilitating Bitcoin payments while hiding the location of the web server. The challenge for the ransomers is that victims are even less likely to be set up with a Tor client than they are to have Bitcoin! To solve this problem, there are individuals who run “Tor proxies.” These proxies are accessible with a regular browser on the Internet so no special software is required. For example, the hidden server on the Tor network might be addressed by hxxps://sketchwebsite.onion which requires a Tor browser to connect. However by entering hxxps://sketchwebsite.onion.to into a regular browser, a connection is made with a “regular server” on the Internet which redirects (proxies) the request to sketchwebsite.onion on your behalf. You can surf the Tor network, and make your Bitcoin payments with no special software required. By design, a proxy takes a connection from one party and passes it to another. This involves looking at the incoming request to understand where it needs to be forwarded. This also creates an opportunity for the proxy to make changes in between.

Proofpoint is the security vendor that identified cybercriminals taking advantage of Tor proxies to steal from victims and the ransoming cybercriminals. They discovered that when victims attempted to connect to the ransomers’ website through a Tor proxy, the criminals operating the proxy made changes to the stream. Instead of the Bitcoin being deposited to the intended ransomer’s digital wallets, the funds were redirected to the proxy operator’s wallet. While you won’t be sympathetic to the ransoming cybercriminals’ loss of revenue, the real problem is that without payment they won’t release the decryption key to the victim. The ransomware victim thought they were paying Bitcoin to the ransomer for the decryption key, but with the man-in-the-middle attack at the Tor proxy they paid for nothing.

Through some very detailed analysis documented here, Proofpoint estimates that approximately 2 BTC have been redirected (around $20,000 at the time they published their article.) It was a notice on the LockeR ransomware payment portal that alerted Proofpoint researchers that something was amiss in the cybercrime underworld:

bitcoin ransomware

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms,” Proofpoint researchers said. “This kind of scheme also reflects the broader trend of threat actors of all stripes targeting cryptocurrency theft. Continued volatility in cryptocurrency markets and increasing interest in the Tor network will likely drive further potential abuses of Tor proxies, creating additional risks for new users.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
 

Pierluigi Paganini

(Security Affairs – Bitcoin, cybercrime)

The post Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded appeared first on Security Affairs.

Once again, Oracle MICROS PoS have been breached

Security experts from ERPScan discovered a new flaw in Oracle MICROS PoS terminals that could be exploited by an attacker to read sensitive data from devices.

Security experts from ERPScan discovered a new directory traversal vulnerability in Oracle MICROS Point-of-Sale terminals, tracked as CVE-2018-2636, which could be exploited by an attacker to read sensitive data from devices without authentication from a vulnerable workstation.

“CVE-2018-2636 states for a directory traversal vulnerability in Oracle MICROS EGateway Application Service. In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.” reads the analysis published by ERPScan.

“So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise.”

Oracle’s MICROS has more than 330,000 cash registers worldwide, it is widely adopted in food and beverage outlets (200,000+) and hotels (30,000).

The researchers explained that it could be easy for a local attacker to access a MICRO POS URL, for example, he can find a digital scales or other devices that use RJ45 in the outlet and connect it to Raspberry PI, then scan the internal network. Another option is to locate such kind of devices exposed on the Internet, at the time of writing, there are 139 MICROS POS systems exposed online, most of them located in US and Canada.

Oracle MICROS POS

This is not the first time when MICROS security is touched. In 2016, there was an incident where hackers attacked MICROS through the Customer Support Portal.

The vulnerability received the 8.1 CVSS v3 score.

“If you want to secure your system from cyberattacks, you have to persistently implement all security patches provided by your vendor. In our case, refer to Oracle CPU January 2018.” concluded the post.

This isn’t the first time that we approach the security of Oracle MICROS PoS systems, on August 2016, the systems of the Oracle MICROS payment terminals division were infected with a malware.

 

Pierluigi Paganini

(Security Affairs – hacking, Oracle MICROS PoS)

The post Once again, Oracle MICROS PoS have been breached appeared first on Security Affairs.

Three Dutch banks and Tax Agency under DDoS Attacks … is it a Russian job?

Three Dutch Banks (ABN AMRO, ING Bank, Rabobank) and Tax Agency were targeted by a coordinated DDoS Attacks a few days the revelation of the Russian APT Hack.

Early this week a massive DDoS attack targeted three Dutch banks, ABN AMROING BankRabobank, and the Dutch Taxation Authority (Belastingdienst).

The attack against the system of ABN AMRO started over the weekend, while both ING Bank and Rabobank suffered coordinated DDoS attacks on Monday.
while the other two banks were hit on Monday.

The DDoS attacks caused severe accessibility problems to the bank infrastructure, they prevented customers from accessing the web services.

The attack against the Dutch Tax Authority prevented taxpayers filing tax-related documents.

DDoS attack three dutch banks ABN_AMRO_Hoofdkantoor_04

Who is behind the attack?

According to security experts from ESET, the origins of the attacks are servers in Russia.

“The DDoS attacks that hit  and  over the weekend and on Monday, came from servers in Russia, according to security company ESET. The company adds that this does not automatically mean that the perpetrators are also in Russia, the Telegraaf reports.states NL Times.

“The perpetrators used a so-called botnet – an army of hijacked computers and smart devices – to commit the DDoS attacks. Using the program Zbot, they remotely ordered these devices to visit a certain site en masse, thereby overloading the site’s server and crashing the site. The command and control servers are mainly in Russia, ESET determined.”

It is difficult to attribute the attack to a specific threat actor. anyway, the cybersecurity expert Richey Gevers noted that the attacks came a few days after the story of the Cozy Bear hack operated by the Dutch Intelligence Agency AIVD. According to Gevers, the DDoS attack peaked 40 Gbps in volume of traffic.

The expert also added that the attackers powered the attacks using a botnet composed of home routers.

 

The Ministry of Justice and Security called the attacks on the Dutch institutions very advanced, according to BNR. “But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Researchers from ESET claimed the attackers used the Zbot malware, a very old threat based on the infamous ZeuS banking trojan.

According to BNR, even is the malware is not complex, the Ministry of Justice and Security has classified the attacks on the Dutch institutions as very complex

“But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

 

Pierluigi Paganini

(Security Affairs – DDoS attacks, Dutch banks)

The post Three Dutch banks and Tax Agency under DDoS Attacks … is it a Russian job? appeared first on Security Affairs.

Cisco ASA software is affected by a flaw with 10 out of 10 severity rating. Patch it asap

Cisco released security updates to address a critical security vulnerability, tracked as CVE-2018-0101, in Cisco ASA software

Cisco addressed a critical security flaw, tracked as CVE-2018-0101, in Adaptive Security Appliance (ASA) software.

The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.

The vulnerability was discovered by the researcher Cedric Halbronn from NCC Group, he will disclose technical details on February 2 at the Recon Brussels 2018 conference.

The flaw resides in the Secure Sockets Layer (SSL) VPN feature implemented by CISCO ASA software.

According to CISCO, it is related to the attempt to double free a memory region when the “webvpn” feature is enabled on a device. An attacker can exploit the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.

“A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” reads the security advisory published by CISCO.

“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.”

Below the list of affected CISCO ASA products:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software (FTD)

The vulnerability was introduced in Firepower Threat Defense 6.2.2 that implemented the remote access VPN feature since September 2017.

Cisco has addressed the vulnerability by issuing security updates for each of the affected CISCO ASA software that are still supported by the company.

The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability, but Cisco confirmed that it is not aware of any attacks in the wild that are exploiting this vulnerability.

 

 

Pierluigi Paganini

(Security Affairs – Cisco ASA software, hacking)

The post Cisco ASA software is affected by a flaw with 10 out of 10 severity rating. Patch it asap appeared first on Security Affairs.

Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US

Cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

According to a senior US Secret Service official, the organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they will infect it with a malware or specialized electronics that is designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.

Barnaby Jack Jackpotting video

The popular investigator Brian Krebs obtained an alert issued by ATM maker manufacturers Diebold Nixdorf this month, the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks were already reported in Europe, in May 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe.

Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs have discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.

The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Ploutus-D

The alert issued by Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

endoscope jackpotting

Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Also, tightening the security configuration of the firmware is recommended.

The alert issued by Secret service recommends to limit physical access to the ATM machines and implement protection mechanisms for cash modules (i.e. Use firmware with latest security functionality. use the most secure configuration of encrypted communications incl. physical authentication).

Pierluigi Paganini

(Security Affairs – Jackpotting, banking)

The post Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US appeared first on Security Affairs.

Security Affairs: Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US

Cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

According to a senior US Secret Service official, the organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they will infect it with a malware or specialized electronics that is designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.

Barnaby Jack Jackpotting video

The popular investigator Brian Krebs obtained an alert issued by ATM maker manufacturers Diebold Nixdorf this month, the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks were already reported in Europe, in May 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe.

Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs have discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.

The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Ploutus-D

The alert issued by Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

endoscope jackpotting

Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Also, tightening the security configuration of the firmware is recommended.

The alert issued by Secret service recommends to limit physical access to the ATM machines and implement protection mechanisms for cash modules (i.e. Use firmware with latest security functionality. use the most secure configuration of encrypted communications incl. physical authentication).

Pierluigi Paganini

(Security Affairs – Jackpotting, banking)

The post Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US appeared first on Security Affairs.



Security Affairs

Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws

According to the Wall Stree Journal, Intel reportedly alerted Chinese companies before US Gov about Meltdown and Spectre vulnerabilities.

There is no peace for Intel, according to a report published by The Wall Street Journal the company warned Chinese tech giants about the Meltdown and Spectre vulnerabilities before notifying them to the US government.

Citing unnamed people familiar with the matter and some of the companies involved, The WSJ revealed that the list of Chinese companies includes Lenovo and Alibaba.

It is not clear when Intel notified the flaw to Lenovo, but a leaked memo from Intel to computer makers suggests the company reported the issues to an unnamed group of on November 29 via a non-disclosure agreement. The same day, the Intel CEO Brian Krzanich sold off his shares.

Last week, French tech publication LeMagIT’s Christophe Bardy disclosed the first page of the “Technical Advisory” issued by the Intel Product Security Incident Response Team.

Of course, security experts speculate the companies might have passed this information to the Chinese Government, but Alibaba spokesman refused any accusation.

I personally believe that the Chinese Government was informed by the companies about the Meltdown and Spectre vulnerabilities and it is disconcerting that the US intelligence agencies neither US CERTs were not aware of the flaws.

Meltdown Spectre patches

We also know that the Meltdown flaw is easy to exploit, this means that it is likely that threat actors might have triggered it to extract passwords and other sensitive data from a target machine. The situation is worrisome in cloud-computing environments were many customers share the same servers, in this scenario an attacker can launch a Meltdown attack to steal info belonging to other clients with applications hosted on the same server.

El Reg reached Intel for a comment, below the reply of the chip vendor:

“The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure. Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others.” states the El Reg.

Let me close with this eloquent Tweet published by security journalist Zach Whittaker:

Pierluigi Paganini

(Security Affairs – China, Intel)

The post Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws appeared first on Security Affairs.

#ThinkBeyond – Security solutions from market leaders may all fail in your particular environment

Buying solutions proposed by analyst firms without carefully analyzing your organization expose it to cyber threats. It’s time to #ThinkBeyond this broken paradigm.

The cybersecurity market is expected to double by 2022, analysts estimated the growth could reach three hundred thousand dollars, at a Compound Annual Growth Rate (CAGR) of 11.0%. In the same period, the number of cyber attacks are expected to increase, hackers will adopt new sophisticated techniques while the surface of attacks of companies and organizations is enlarging due to the adoption of paradigms such as the Internet of Things, Cloud computing, and mobile computing.

Another important element that will characterize the next months it the adoption of new regulations and directives, such as the GDPR and the NIS directive, that will influence the evolution of the market.

Businesses will face the “perfect storm,” the ideal condition for security firms that continue to develop new solutions designed to cover a specific portion of the market instead of responding to the real needs for cyber security of their customers.

The increasing number of successful cyber attacks and the daily security breaches reported by experts demonstrate that most of the companies are still far from an adequate security posture.

In origin it was mainly a problem of awareness on cyber threats, but now the critical issue is represented by the ability of businesses and decision makers in buying security solutions that match their needs.

The purchase of a new security solution or a service is often driven by the recommendations of analysts that produce any kind of report to influence the final decision of the management and the IT staff.

The emulation is part of the human nature, for C-Level personnel is easy to select their business partners by choosing them from the companies listed in authoritative studies and publications such as the Gartner Magic Quadrant.

Evidently, this approach is not sufficient to ensure the resilience to cyber attacks of a modern business.

In many cases the same security companies suggested by these reports were involved in embarrassing incidents, this is the case of the accountancy firm Deloitte that was awarded as the best Security Consulting Services providers by Gartner, but that was victims itself of a sophisticated hack that compromised its global email server in 2016.

These studies could influence a blind and an unaware choice of security solutions, they could give businesses a false sense of security.

It is absurd to compose a security infrastructure only by implementing the recommendations of the analyst firms while the events in the threat landscape demonstrate that such an approach is ruinous.

A model of cyber security driven by profits could not be effective against cyber threats. Threat actors rapidly and continuously change their Tactics, Techniques, and Procedures (TTPs ), and security industry is not able to follow them.

Security investments should be measured by the amount of cyber risk mitigated per dollar spent, only in this way it is possible to evaluate real enhancement of the resilience of an architecture while adding new components to the mosaic.

Before deciding to read a report from major analyst companies that suggest products from IT giants, it is essential for any organization to assess and prioritize all cyber risks and business processes.

The risk assessment must involve as many stakeholders, this is the best way to protect our infrastructure from several threat actors.

Once all the risks are identified and prioritized, the company will have to mitigate them by using systems inside their infrastructure and eventually integrating them with proper solutions.  Instruments like Gartner’s Magic Quadrant could help companies to select vendors with a filtrated vision of the market, however, we cannot forget that security solutions from market leaders may all fail in a particular environment.

The adoption of security solutions that are recognized by the analysis as leading products of the cyber security industry will not protect our organizations for multiple reasons.

The reality is disconcerting, in most of the security breaches the attackers were able to bypass the stack of security solutions deployed by the victims to defend their infrastructure.

We cannot continue to build our defence implementing a model of cyber security that is imposed by a restricted number of firms. From the attacker’s perspective, #ThinkBeyondit is easy to predict the type of defence measures in place and adopt the necessary changes in their attack chain.

Don’t forget that threat actors continuously monitor our infrastructure and companies need to avoid in providing points of reference that could be the starting points for their offensive.

The choice of the components for the infrastructure of a company must be driven by an objective analysis of the context in which they operate and carefully considering the evolution of cyber threats.

Security solutions must be user-friendly, overly-complex systems make it hard to use. Another problem related to the choice of security products and services is related to the capability of the organization in processing their output of the defence systems. In a real scenario, cyber security analysts often miss the vast majority of alerts and warnings because of the huge volume of information generated by security solutions.

Most of the leading security firms urge a layered approach in cyber security, but what happens if these layers are not able to “correctly” exchange information each other, or in a worst scenario there are affected by vulnerabilities that can be triggered to compromise the security of the overall architecture.

Building a layered defense system doesn’t mean to simply put together the security products and service suggested by prominent studies, but the analysis must go beyond.

The integration is the most complicated part in setting up a security infrastructure, every time the IT staff intends to add another piece to their cyber barricade it needs to carefully understand the way various components interact and which are the behavior of the resulting system.

Buying solutions proposed by analyst firms will not protect the organizations, spending more doesn’t necessarily mean you will be secure, this must be clear to anyone that works to increase the resilience of its systems to cyber attacks. It’s time to #ThinkBeyond this broken paradigm.

Pierluigi Paganini

(Security Affairs – #ThinkBeyond, security)

The post #ThinkBeyond – Security solutions from market leaders may all fail in your particular environment appeared first on Security Affairs.

Dridex banking Trojan and the FriedEx ransomware were developed by the same group

Security researchers from ESET have tied another family of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.

The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the years and crooks have continuously improved it.

In April 2017, millions of people were targeted by a phishing campaign exploiting a Microsoft Word 0day and aimed to spread the Dridex Banking Trojan, a few days ago security researchers at Forcepoint spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.

Now, security researchers from ESET have tied another strain of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.

FriedEx was first spotted in July, and in August it was responsible for infections at NHS hospitals in Scotland.

The FriedEx ransomware was involved in attacks against high profile targets, researchers believe it was delivered via Remote Desktop Protocol (RDP) brute force attacks.

The ransomware encrypts each file using a randomly generated RC4 key that is then encrypted with a hardcoded 1024-bit RSA public key.

“Initially dubbed BitPaymer, based on text in its ransom demand web site, this ransomware was discovered in early July 2017 by Michael Gillespie. In August, it returned to the spotlight and made headlines by infecting NHS hospitals in Scotland.” states the analysis published by ESET.

FriedEx focuses on higher profile targets and companies rather than regular end users and is usually delivered via an RDP brute force attack. The ransomware encrypts each file with a randomly generated RC4 key, which is then encrypted using the hardcoded 1024-bit RSA public key and saved in the corresponding .readme_txt file.”

The analysis of FriedEx code revealed that many similarities with Dridex code.

For example, the Dridex and FriedEx binaries share the same portion of a function used for generating UserID, the experts also noticed that the order of the functions in the binaries is the same in both malware families, a circumstance that suggests the two malware share the same codebase.

FriedEx

“It resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis.” states ESET.

Both Dridex and FriedEx use the same packer, but experts explained that the same packer is also used by other malware families like QBot, Emotet or Ursnif also use it.

Another similarity discovered by the researchers is related to the PDB (Program Database) paths included in both malware. PDB paths point to a file that contains debug symbols used by vxers to identify crashes, the paths revealed the binaries of both threats are compiled in Visual Studio 2015.

The experts also analyzed the timestamps of the binaries and discovered in many cases they had the same date of compilation, but it is not a coincidence.

“Not only do the compilations with the same date have time differences of several minutes at most (which implies Dridex guys probably compile both projects concurrently), but the randomly generated constants are also identical in these samples. These constants change with each compilation as a form of polymorphism, to make the analysis harder and to help avoid detection.” continues the analysis.

The experts concluded that FriedEx was developed by the Dridex development team, they believe that the criminal gang not only will continue to improve the banking Trojan but it will also follow malware “trends” developing their own strain of ransomware.

Pierluigi Paganini

(Security Affairs – FriedEx ransomware, Dridex)

The post Dridex banking Trojan and the FriedEx ransomware were developed by the same group appeared first on Security Affairs.

Military personnel improperly used Fitness Strava Tracker exposed their bases

Military worldwide have publicly shared online their exercise routes recorded through the fitness tracker Strava revealing the fitness sessions conducted inside or near military bases

We discussed many times privacy risks related to IoT devices, here we are to discuss an alarming case, fitness tracker Strava revealed details of Military Bases.

American and allied military worldwide have publicly shared their exercise routes online revealing the fitness sessions conducted inside or near military bases, including Afghanistan, Iraq, and Syria.

This leak of information has happened because military personnel turned on their fitness Strava tracker while making exercises at the bases.

A map showing exercise routes recorded by users of a tracking app reveals sensitive information about military personnel in locations around the world, including Afghanistan, Iraq, and Syria.

Such kind of information could be used by enemies and terrorists to plan an attack.

Obviously while in some regions of the globe it is impossible to distinguish the activity of the military personnel, in other locations the routes immediately stand out.

For example, examining the map of Iraq you can notice that the entire region is dark, except for a series of well-known military bases used by the American military and its allies.

The list of the bases easy to locate thank to the map associated to the fitness tracker Strava includes Taji north of Baghdad, Qayyarah south of Mosul, Speicher near Tikrit and Al-Asad in Anbar Province and a number of minor sites highlighted in northern and western Iraq.

Searching for bases in Afghanistan, it is easy to locate the Bagram Air Field in the north of Kabul along with other smaller sites south of the country.

Strava Tracking app military bases

The movements of soldiers within Bagram air base – the largest US military facility in Afghanistan – Source BBC

Similarly, in Syria it is  Qamishli in the northwest, a stronghold of US-allied Kurdish forces, is clearly visible.

Tobias Schneider, one of the security experts that discovered the map, shared details about the bases on Twitter, including the French Madama base in Niger.

The researchers Nathan Ruser spotted also activities of Russians in Khmeimim.

The good news is this issue could be easily fixed, Strava confirmed that “athletes with the Metro/heatmap opt-out privacy setting have all data excluded.”

The app allows users to set up “privacy zones,” that are areas where the Strava tracker doesn’t collect GPS info. These areas can be designed around the user’s home or work,  but evidently, the military personnel ignored it.

Pierluigi Paganini

(Security Affairs – Spectre patches, Linus Torvalds)

The post Military personnel improperly used Fitness Strava Tracker exposed their bases appeared first on Security Affairs.

Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks

Over the weekend, Microsoft rolled out out-of-band updates to disable mitigations for one of the Spectre attack variants because they can cause systems to become unstable.

The situation is becoming embarrassing! Just after the release of the Meltdown and Spectre security updates Intel excluded any problems for their deployments citing testing activities of conducted by other tech giants.

At the same time, some companies were claiming severe issued, including performance degradation and in some cases crashes.

Last week, Intel changed its position on the security patches, it first published the results of the test conducted on the Meltdown and Spectre patches and confirmed that the impact on performance could be serious, then it recommended to stop deploying the current versions of Spectre/Meltdown patches.

Over the weekend, Microsoft rolled out out-of-band updates to disable mitigations for one of the Spectre attack variants because they can cause systems to become unstable.

Our own experience is that system instability can in some circumstances cause data loss or corruption.” states the security advisory published by Microsoft.

While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described.” 

Microsoft was among the first companies that provided security updates for Meltdown and Spectre vulnerabilities, anyway, the patches caused severe issues to AMD architectures.

The decision follows the similar actions adopted by other tech giants like Red HatHP, Dell, Lenovo, VMware.

Microsoft and the companies above observed problems after the installation of the Spectre vulnerability (Variant 2, aka CVE-2017-5715, that is a branch target injection vulnerability) for this reason opted to revert previous patches.

While the Meltdown and Variant 1 of the Spectre attacks can be mitigated efficiently with software updates, the Spectre Variant 2 requires microcode updates to be fully addressed.

Intel published a technical note about the mitigation of the Spectre flaw, it addressed the issue with an opt-in flag dubbed IBRS_ALL bit (IBRS states for Indirect Branch Restricted Speculation).

The famous Linus Torvalds expressed in an email to the Linux Kernel mailing list his disappointment, he defined the Linux Spectre Patches “UTTER GARBAGE”

 

Spectre patches

Microsoft confirmed that the patches issued by Intel cause system instability and can in some cases lead to data loss or corruption, for this reason, the company distributed over the weekend the Update KB4078130 for Windows 7, Windows 8.1 and Windows 10 that disables the mitigation for CVE-2017-5715.

The company has also provided detailed instructions for manually enable and disable Spectre Variant 2 mitigations through registry settings.

Microsoft said it is not aware of any attack in the wild that exploited the Spectre variant 2 (CVE 2017-5715 ).

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” continues the advisory.

 

Pierluigi Paganini

(Security Affairs – CVE-2017-5715, Spectre)

The post Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks appeared first on Security Affairs.

On Saturday Malwarebytes delivered a buggy update that caused excessive memory usage and crashes.

On Saturday Malwarebytes issued a buggy update to its home and enterprise products that caused serious problems for the users, including excessive memory usage, connectivity issues, and in some cases system crashes.

A buggy update rolled out over the weekend by Malwarebytes to its home and enterprise products caused serious problem for the users, including excessive memory usage, connectivity issues, and in some cases system crashes.

Malwarebytes issued the buggy update on Saturday morning (PST) and according to the security firm the software was only available only for 16 minutes before it removed it.

“On the morning of Saturday, January 27th, 2018 protection update v1.0.3798 was released for all versions of Malwarebytes for Windows. As endpoints updated to this release, customers noticed their machines were reporting many Internet block notifications, and a sudden large increase in RAM usage” reads the Root Cause Analysis published by Malwarebytes.

“There are detection syntax controls in place to prevent such events as the one experienced in this incident. Recently we have been improving our products so that we can show the reason for a block, i.e. the detection “category” for the web protection blocks. In order to support this new feature, we added enhanced detection syntaxes to include the block category in the definitions. The unfortunate oversight was that one of the syntax controls was not implemented in the new detection syntax, which cause the malformed detection to be pushed into production.”

malwarebytes buggy update

Some users reported problems to their connections that were blocked by the security software after the installation of the buggy update. Another displeasing problems reported by the users is the abnormal memory usage, the process associated with the application had used up more than 10 Gb of the (RAM), in some cases were also observed system crashes.

http://securityaffairs.co/wordpress/wp-content/uploads/2018/01/malwarebytes buggy update

Malwarebytes confirmed that the broken detection was present in the update version v1.0.3798 thru v1.0.3802. (v2018.01.27.03 – v2018.01.27.11
for MBES customers).

The buggy update was issued to all software versions for Windows, below the list of affected versions:

  • Malwarebytes for Windows Premium
  • Malwarebytes for Windows Premium Trial
  • Malwarebytes Endpoint Security (MBES)
  • Malwarebytes Endpoint Protection (Cloud Console)

The problem was addressed with the v1.0.3803 (v2018.01.27.12 for MBES customers).

Affected users can follow the recovery solutions published by the company to remove the buggy update and install the correct one.

The company remarked that it pushes tens of thousands updates routinely testing each one before it is distributed.

“We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again,” Malwarebytes stated following the incident.

Pierluigi Paganini

(Security Affairs – security solution, antivirus)

The post On Saturday Malwarebytes delivered a buggy update that caused excessive memory usage and crashes. appeared first on Security Affairs.

A new report from MALWAREBYTES reveals a rise of 90% on ransomware detection in business

A new report from MALWAREBYTES titled “Malwarebytes Annual State of Malware Report” reveals a rise of 90% on ransomware detection in business.

The report brings to light new trends on hackers activities and threats especially the rise of ransomware as a tool of choice.

Researchers from MALWAREBYTES had gathered an enormous amount of data from the telemetry of their products, intel teams, and data science from January to November 2016 and to January to November 2017 to consolidate the evolution of the threat landscape of malware.

It is taken into account the tactics of infection, attack methods, development and distribution techniques used by hackers to target and compromise business and customers alike. There was a surge of 90% in ransomware detection for business customers in such way that it had become the fifth most detected threat. Regarding its modus operandi, the researchers found out a change in the distribution of malicious payloads, which includes banker Trojans and cryptocurrency miners.

Ransomware was on the rise, but it was not the only method employed by hackers. The report reveals that hackers had used banking trojans, spyware and hijackers to steal data, login credentials, contact lists, credit card data and spy on the user as an alternative way to compromise system security. The report discovered that hijackers detection grew 40% and spyware detection grew 30%. The report lists the Top 10 business threat detections with the five most significant threats being: Hijacker, Adware, Riskware Tool, Backdoor, and Ransomware respectively.

ransomware

While the report covers a variety of threats, it emphasizes how malware outbreak had evolved. A game changer to the ransomware outbreak like WannaCry was the government exploit tool EternalBlue that was leaked and has been employed to compromise update processes and increased geo-targeting attacks. According to the report these tactics had been adopted to bypass traditional methods of detection.

The report highlights the delivery techniques utilized by ransomware due to the EternalBlue exploit tool leaked from NSA. The usage of this exploit tool was a ground break landmark to the development of WannaCry and NotPetya ransomware. The EternalBlue (CVE-2017-0144) is a vulnerability in Server Message Block (SMB) handling present in many Windows operating systems. WannaCry was able to widespread globally due to operating systems that were not properly updated.

The report dedicates a special attention to NotPetya ransomware, as it was influenced by ransomware Petya and WannaCry. This ransomware has used two Server Message Block (SMB) vulnerabilities: EternalBlue (CVE2017-0144) and EternalRomance (CVE-2017-0145) and was also able to encrypt the MFT (Master File Table) and the MBR (Master Boot Record) on affected systems. Other malware analyzed in the report, that used the leaked exploit tools from the  NSA was: Adylkuzz, CoinMiner, and Retefe.

The researchers also unveil a new attack vector employed by hackers: Geo Targeting attacks. In this type of attack, groups of hackers or rogue nations employ a variety of techniques to disrupt, destabilize, or compromise data in specific countries. The Magniber malicious code targeted South Korea specifically and the BadRabbit had targeted Ukraine.  Although NotPetya emerged in Ukraine its action was not limited within its borders.

Finally, the report brings forth to light trends based on data collected. Cyptocurrency miners already become a new threat with the recent news of a steal of bitcoins from Japan. Other trends to watch out this year in the report is the attacks on the supply chain, the increase of malware in MAC systems and leaks in government and in companies that will lead to new zero-day vulnerabilities.

Sources:

https://www.darkreading.com/endpoint/ransomware-detections-up-90–for-businesses-in-2017/d/d-id/1330909

http://www.information-age.com/ransomware-detections-increased-90-123470549/

https://www.washingtontimes.com/news/2018/jan/25/ransomware-detections-90-percent-2017-leaked-nsa-e/

http://www.computerweekly.com/news/252433761/Ransomware-was-most-popular-cyber-crime-tool-in-2017

https://www.infosecurity-magazine.com/news/malware-tactics-shifted/

https://press.malwarebytes.com/2018/01/25/malwarebytes-annual-state-malware-report-reveals-ransomware-detections-increased-90-percent/

https://www.malwarebytes.com/pdf/white-papers/CTNT_2017stateofmalware/

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – malware, cybercrime)

The post A new report from MALWAREBYTES reveals a rise of 90% on ransomware detection in business appeared first on Security Affairs.

Cybersecurity week Round-Up (2018, Week 4)

Cybersecurity week Round-Up (2018, Week 4) -Let’s try to summarize the most important event occurred last week in 3 minutes.

The threats that most of all characterized this week are IoT botnets and malvertising.

Security experts at NewSky’s believe the operators of the recently discovered Satori botnet are launching a new massive hacking campaign against routers to infect and recruit them in the botnet dubbed Masuta. The Masuta botnet targets routers using default credentials, one of the versions analyzed dubbed “PureMasuta” relies on the old network administration EDB 38722 D-Link exploit.

A new botnet called Hide ‘N Seek (HNS botnet) appeared in the threat landscape, the malware is rapidly spreading infecting unsecured IoT devices, mainly IP cameras. The number of infected systems grew up from 12 at the time of the discovery up to over 20,000 bots.

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.

The problems with Meltdown and Spectre security patches continue, Intel recommended to stop deploying the current versions of Spectre/Meltdown patches, while the Linux father Linus Torvalds defined the Spectre updates “utter garbage.”

Bell Canada suffers a data breach for the second time in less than a year.

Crooks continue to focus their interest on cryptocurrencies, researchers at PaloAlto Networks uncovered Monero Crypto-Currency Mining Operation impacted 30 Million users worldwide.

Maersk chair revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya Attack.

The week ended with a clamorous incident, the Japan-based digital exchange Coincheck was hacked, hackers stole worth half a billion US dollars of NEM currency. The incident had a significant effect on the value of the most popular crypto currencies.