Category Archives: Hacking

NK CARROTBALL dropper used in attacks on U.S. Govn Agency

A US Government agency was hit with a phishing attack attempting to deliver a new malware dropper dubbed CARROTBALL.

Security experts at Palo Alto Networks have uncovered a new malware dropper called CARROTBALL that was used in targeted attacks against a U.S. government agency and non-US foreign nationals.

Experts attribute the attack to the Konni Group, a North Korea-linked nation-state actor.

The attackers used a weaponized Microsoft Word document as the lure; the phishing messages were sent from a Russian email address.

“Between July and October 2019, Unit 42 observed several malware families typically associated with the Konni Group (see Attribution section below for more details) used to primarily target a US government agency, using the ongoing and heightened geopolitical relations issues surrounding North Korea to lure targets into opening malicious email attachments.” reads the analysis published by Palo Alto Networks’ Unit 42. “The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL.”

This campaign, which the researchers call Fractured Statue, used six unique document lures sent from four unique Russian email addresses.

The subject of the emails featured articles written in Russian pertaining to ongoing geopolitical relations issues surrounding North Korea. Five documents involved in the campaign contained CARROTBAT downloaders, and one contained a CARROTBALL downloader. Both downloaders were used to deliver the second-stage SYSCON malware.

Experts pointed out that the campaign resembles the Fractured Block campaign first uncovered by Unit 42 in November 2018; for this reason, they tracked this activity as Fractured Statue.

Experts identified three distinct phases of the Fractured Statue campaign; the CARROTBALL downloader was used only in the last one, which involved email messages with the subject “The investment climate of North Korea,” sent from the address “pryakhin20l0@mail[.]ru.”

“Also interesting to note is that the sender added multiple recipients to their email; one was an individual at a US government agency, and the other two individuals were non-US foreign nationals professionally affiliated with ongoing activities in North Korea.” continues the report.

CARROTBALL malware

Experts noticed that all of the malicious documents used in the campaign shared the same macro, which determined the target’s Windows architecture, executed a command hidden in a textbox embedded in the document, and then cleared the contents of the textboxes and saved the document.

In the last wave of the campaign, the attackers used a different macro that did not execute commands hidden in the document; instead, it relied on an embedded Windows binary.

“The October 2019 attack, however, differed significantly from the previous ones. Instead of reading from the contents of the document itself, the macros leveraged an embedded Windows executable in the form of hex bytes delimited via the ‘|’ character that ultimately acted as a dropper.” continues the analysis. “When the macro was executed, the hex bytes were split, converted to binary, and dropped onto disk as an executable.”

When the macro executed, the hex bytes were split and converted to binary, and the resulting downloader, dubbed CARROTBALL, was dropped to disk.
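The '|'-delimited hex encoding described above is something an analyst can look for directly in extracted macro source. The following is an added example, not code from Unit 42 or Security Affairs: it scans macro text for long runs of '|'-separated hex bytes, decodes them the way the macro would, and reports whether the result carries a PE ("MZ") header. The sample macro text and its byte run are constructed for the example (a fake header plus filler, not a real binary).

```python
"""Find '|'-delimited hex-encoded executables embedded in VBA macro source."""
import hashlib
import re

# Constructed sample: a stub of macro source carrying a made-up payload.
# The byte run is a fake 'MZ' header followed by filler, not a real binary.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim raw As String
    raw = "4d|5a|90|00|03|00|00|00|04|00|00|00|ff|ff|00|00|b8|00|00|00"
    Dim parts() As String
    parts = Split(raw, "|")
    ' ... the real macro writes the converted bytes to disk here ...
End Sub
'''

# At least 16 two-digit hex tokens in a row, each separated by '|'.
HEX_RUN = re.compile(r'(?:[0-9A-Fa-f]{2}\|){15,}[0-9A-Fa-f]{2}')


def decode_pipe_hex(run: str) -> bytes:
    """Split on '|' and convert each token to one byte, as the macro does."""
    return bytes(int(tok, 16) for tok in run.split('|'))


def find_embedded_binaries(macro_text: str, min_len: int = 16):
    """Return one finding per decoded run: offset, size, PE header check, SHA-256."""
    findings = []
    for match in HEX_RUN.finditer(macro_text):
        blob = decode_pipe_hex(match.group(0))
        if len(blob) < min_len:
            continue
        findings.append({
            'offset': match.start(),
            'size': len(blob),
            'is_pe': blob[:2] == b'MZ',
            'sha256': hashlib.sha256(blob).hexdigest(),
        })
    return findings


if __name__ == '__main__':
    for finding in find_embedded_binaries(SAMPLE_MACRO):
        print(finding)
```

Run it against the VBA text produced by a macro extractor (for example olevba) to triage a suspicious document without executing it.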

The name “Konni” originally identified a Remote Access Trojan used in targeted campaigns carried out by North Korea-linked APT groups. Experts pointed out that, as additional campaigns showed strongly overlapping TTPs yet did not feature the Konni RAT, some researchers started using the “Konni” moniker to refer to the actors behind the aggregated set of activity.

“Overall, the Fractured Statue campaign provides clear evidence that the TTPS discovered in Fractured Block are still relevant, and that the group behind the attacks still appears to be active.” concludes the report. “Additionally, development and use of the new downloader, CARROTBALL, alongside the more commonly observed malware delivery mechanism, CARROTBAT, may indicate that the previous methods employed by the group to successfully infect their targets are becoming less effective.”

Additional technical details are included in the report published by Unit 42.

Pierluigi Paganini

(SecurityAffairs – CARROTBALL, Fractured Statue)


Technical Report of the Bezos Phone Hack

Motherboard obtained and published the technical report on the hack of Jeff Bezos's phone, which is being attributed to Saudi Arabia, specifically to Crown Prince Mohammed bin Salman.

...investigators set up a secure lab to examine the phone and its artifacts and spent two days poring over the device but were unable to find any malware on it. Instead, they only found a suspicious video file sent to Bezos on May 1, 2018 that "appears to be an Arabic language promotional film about telecommunications."

That file shows an image of the Saudi Arabian flag and Swedish flags and arrived with an encrypted downloader. Because the downloader was encrypted this delayed or further prevented "study of the code delivered along with the video."

Investigators determined the video or downloader were suspicious only because Bezos' phone subsequently began transmitting large amounts of data. "[W]ithin hours of the encrypted downloader being received, a massive and unauthorized exfiltration of data from Bezos' phone began, continuing and escalating for months thereafter," the report states.

"The amount of data being transmitted out of Bezos' phone changed dramatically after receiving the WhatsApp video file and never returned to baseline. Following execution of the encrypted downloader sent from MBS' account, egress on the device immediately jumped by approximately 29,000 percent," it notes. "Forensic artifacts show that in the six (6) months prior to receiving the WhatsApp video, Bezos' phone had an average of 430KB of egress per day, fairly typical of an iPhone. Within hours of the WhatsApp video, egress jumped to 126MB. The phone maintained an unusually high average of 101MB of egress data per day for months thereafter, including many massive and highly atypical spikes of egress data."

The Motherboard article also quotes forensic experts on the report:

A mobile forensic expert told Motherboard that the investigation as depicted in the report is significantly incomplete and would only have provided the investigators with about 50 percent of what they needed, especially if this is a nation-state attack. She says the iTunes backup and other extractions they did would get them only messages, photo files, contacts and other files that the user is interested in saving from their applications, but not the core files.

"They would need to use a tool like Graykey or Cellebrite Premium or do a jailbreak to get a look at the full file system. That's where that state-sponsored malware is going to be found. Good state-sponsored malware should never show up in a backup," said Sarah Edwards, an author and teacher of mobile forensics for the SANS Institute.

"The full file system is getting into the device and getting every single file on there -- the whole operating system, the application data, the databases that will not be backed up. So really the in-depth analysis should be done on that full file system, for this level of investigation anyway. I would have insisted on that right from the start."

The investigators do note on the last page of their report that they need to jailbreak Bezos's phone to examine the root file system. Edwards said this would indeed get them everything they would need to search for persistent spyware like the kind created and sold by the NSO Group. But the report doesn't indicate if that did get done.
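The report's central finding is a volumetric one: daily egress far above a device's own baseline. The following is an added example, not code from the FTI report or the Motherboard article: it builds a per-device baseline from a quiet period, flags later days that exceed it by a large factor, and expresses the jump as a percentage the way the report does. The daily byte counts are constructed around the figures quoted above (about 430 KB/day before, 126 MB on the first day, roughly 101 MB/day afterwards).

```python
"""Flag daily egress anomalies against a per-device baseline."""
from statistics import mean

KB = 1_000
MB = 1_000_000


def percent_increase(baseline: float, observed: float) -> float:
    """Percent change from baseline to observed (430 KB -> 126 MB is ~29,200%)."""
    return (observed - baseline) / baseline * 100.0


def flag_egress_anomalies(daily_bytes, baseline_days=30, factor=10.0):
    """Return (baseline, [(day_index, bytes, pct_increase), ...]).

    The baseline is the mean of the first `baseline_days` values (the quiet
    period); any later day above `factor` times the baseline is flagged.
    """
    if len(daily_bytes) <= baseline_days:
        raise ValueError('need more days than the baseline window')
    baseline = mean(daily_bytes[:baseline_days])
    flagged = []
    for idx in range(baseline_days, len(daily_bytes)):
        value = daily_bytes[idx]
        if value > factor * baseline:
            flagged.append((idx, value, percent_increase(baseline, value)))
    return baseline, flagged


# Constructed series: 30 quiet days at 430 KB, then the spike, a sustained
# plateau, one quiet day and another spike, mimicking the reported pattern.
QUIET_DAYS = [430 * KB] * 30
AFTER_VIDEO = [126 * MB] + [101 * MB] * 5 + [400 * KB] + [250 * MB]
CONSTRUCTED_SERIES = QUIET_DAYS + AFTER_VIDEO


if __name__ == '__main__':
    base, hits = flag_egress_anomalies(CONSTRUCTED_SERIES)
    print(f'baseline {base / KB:.0f} KB/day')
    for day, value, pct in hits:
        print(f'day {day}: {value / MB:.0f} MB ({pct:,.0f}% over baseline)')
```

The same check works on any per-day byte counter (router NetFlow, MDM telemetry, carrier usage records) once it is grouped by device and day.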

THSuite data leak exposes cannabis users information

Experts found online an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries.

Data leaks continue to be a frequent issue for companies; the news of the day is the discovery of an unsecured database owned by THSuite and used by point-of-sale systems in medical and recreational marijuana dispensaries across the United States.

The archive was stored in an unsecured S3 bucket; it was discovered by researchers from VPNMentor and impacted 30,000 people.

The use of marijuana for medical purposes is legal in some US states and THSuite offers business process management software services to cannabis dispensary owners and operators.

The dispensaries collect large quantities of sensitive information in order to comply with state laws. THSuite solutions simplify this process and implement an effective traceability system by collecting many customers’ private data.

“Over 85,000 files were leaked in this data breach, including over 30,000 records with sensitive PII. The leak also included scanned government and company IDs stored in an Amazon S3 bucket through the Amazon Simple Storage Service.” reads the analysis published by VPNmentor.

“In the sample of entries we checked, we found information related to three marijuana dispensaries in different locations around the US: Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company. Examples of these entries can be found below.”


Experts pointed out that the data leak might have affected many more dispensaries; likely all THSuite clients and their customers were impacted.

Exposed records include full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts.

The database also included details about Amedicanna’s inventory and sales; experts found a list of transactions containing the following data:

  • Patient name and medical ID number
  • Employee name
  • Cannabis variety purchased
  • Quantity of cannabis purchased
  • Total transaction cost
  • Date received, along with an internal receipt ID

The leaked data also included scanned government and employee IDs.

The exposure of medical marijuana patients, and possibly of recreational marijuana users as well, could have serious consequences for the privacy of the impacted individuals.

Patients may face negative consequences, both personally and professionally.

“Under HIPAA regulations, it’s a federal crime in the US for any health services provider to expose protected health information (PHI) that could be used to identify an individual. HIPAA violations can result in fines of up to $50,000 for every exposed record, or even in jail time.” concludes VPNmentor.

Below is the timeline for the THSuite data leak:

  • Date discovered: December 24, 2019
  • Date owners contacted: December 26, 2019
  • Date Amazon AWS contacted: January 7, 2020
  • Date database closed: January 14, 2020

Pierluigi Paganini

(SecurityAffairs – THsuite, data leak)


Iran-Linked PupyRAT backdoor used in recent attacks on European energy sector

Hackers used a remote access Trojan (RAT) associated with Iran-linked APT groups in recent attacks on a key organization in the European energy sector.

Security experts from Recorded Future reported that a backdoor previously used in attacks carried out by an Iran-linked threat actor was used to target a key organization in the European energy sector.

The malware is the PupyRAT backdoor, a “multi-platform (Windows, Linux, OSX, Android), multi-function RAT and post-exploitation tool mainly written in Python” that can give attackers full access to the victim’s system.

The PupyRAT backdoor is an open-source piece of malware available on GitHub; it was used in past campaigns associated with Iran-linked APT groups such as APT33 (also known as Elfin, Magic Hound and HOLMIUM), COBALT GYPSY, and APT34 (aka OilRig).

The above groups were involved in past attacks on organizations in the energy sector worldwide.

Now experts from Recorded Future have identified malicious traffic between a PupyRAT install and its command and control (C&C) server. The communication involved a mail server for a European energy sector organization and took place between late November 2019 and at least January 5, 2020.

“Using Recorded Future remote access trojan (RAT) controller detections and network traffic analysis techniques, Insikt Group identified a PupyRAT command and control (C2) server communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020.” reads the analysis published by Recorded Future. “While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion.”

The researchers were not able to attribute the attack to Iran-linked APT groups; however, their analysis highlights that the targeted organization had a role in the coordination of European energy resources.

The activity predated the recent escalation of kinetic activity between the U.S. and Iran.

Experts suggest monitoring for sequential login attempts from the same IP against different accounts, using a password manager to set strong, unique passwords, and of course adopting multi-factor authentication. Recorded Future researchers also recommend that organizations analyze and cross-reference log data to detect high-frequency lockouts, unsanctioned remote access attempts, and temporal attack overlaps across multiple user accounts, and that they fingerprint unique web browser user agent information.
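Two of the recommendations above (one source IP cycling through many accounts, and bursts of lockouts) translate directly into log analytics. The following is an added example, not code from Recorded Future: it parses constructed mail-server authentication log lines in a made-up key=value format and applies both checks with a sliding time window. The log format, account names and RFC 5737 test addresses are all constructed for the example.

```python
"""Spot account-cycling and lockout bursts in mail-server auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: made-up format, RFC 5737 test addresses.
SAMPLE_LOG = """\
2019-11-28T03:12:05Z src=203.0.113.7 user=alice result=FAIL
2019-11-28T03:12:09Z src=203.0.113.7 user=bob result=FAIL
2019-11-28T03:12:14Z src=203.0.113.7 user=carol result=FAIL
2019-11-28T03:12:19Z src=203.0.113.7 user=dave result=FAIL
2019-11-28T03:12:25Z src=203.0.113.7 user=erin result=LOCKOUT
2019-11-28T03:12:31Z src=203.0.113.7 user=frank result=LOCKOUT
2019-11-28T03:30:00Z src=198.51.100.4 user=alice result=OK
2019-11-28T03:31:10Z src=198.51.100.9 user=bob result=FAIL
2019-11-28T03:31:40Z src=198.51.100.9 user=bob result=OK
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    fields = dict(item.split('=', 1) for item in pairs)
    return {
        'ts': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'),
        'src': fields['src'],
        'user': fields['user'],
        'result': fields['result'],
    }


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_account_cyclers(events, window=timedelta(minutes=5), min_accounts=4):
    """Source IPs that tried >= min_accounts distinct accounts within `window`.

    Returns {src_ip: max distinct accounts seen in any window}; a legitimate
    user retrying one account never reaches the threshold.
    """
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: e['ts']):
        by_src[event['src']].append(event)
    hits = {}
    for src, evs in by_src.items():
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]['ts'] - evs[start]['ts'] > window:
                start += 1
            best = max(best, len({e['user'] for e in evs[start:end + 1]}))
        if best >= min_accounts:
            hits[src] = best
    return hits


def max_lockouts_in_window(events, window=timedelta(minutes=10)) -> int:
    """Largest number of LOCKOUT results falling inside any single window."""
    times = sorted(e['ts'] for e in events if e['result'] == 'LOCKOUT')
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    print('account-cycling sources:', find_account_cyclers(evs))
    print('max lockouts in 10 min:', max_lockouts_in_window(evs))
```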

“Although this commodity RAT, PupyRAT, is known to have been used by Iranian threat actor groups APT33 and COBALT GYPSY, we cannot confirm whether the PupyRAT controller we identified is used by either Iranian group.” concludes the report. “Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)


250 Million Microsoft customer support records and PII exposed online

An expert discovered that over 250 million Microsoft customer support records might have been exposed along with some personally identifiable information.

The popular researcher Bob Diachenko found an unprotected database containing over 250 million customer support records along with some personally identifiable information. The unprotected archive contained support requests submitted to the tech giant from 2005 to December 2019.

Diachenko reported his discovery to the company, which, after investigating the issue, admitted the data leak.

“Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics.” reads the post published by Microsoft. “While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”

Microsoft confirmed that “Customer Service and Support” (CSS) records were exposed online due to a misconfigured server containing logs of conversations between the support team and its customers.

Microsoft secured the database on December 31, 2019; it also added that it is not aware of any malicious use of the data.

Microsoft explained that the database was redacted using automated tools to remove the personally identifiable information of its customers, but in some sporadic cases this information was not removed because the data was not in a standard format.

Diachenko confirmed the presence of many records containing the following attributes:

  • Customer email addresses
  • IP addresses
  • Locations
  • Descriptions of CSS claims and cases
  • Microsoft support agent emails
  • Case numbers, resolutions, and remarks
  • Internal notes marked as “confidential”

The availability of detailed logs in the hands of crooks could expose Microsoft customers to the risk of tech support scams.

“Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.” explained Diachenko.

“Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”

Technical support logs frequently expose VIP clients and their internal architectures; such data could be used by cyber criminals to compromise the customers’ systems.

The company started notifying impacted customers; below is the timeline of the data leak:

  • December 28, 2019 – The databases were indexed by search engine BinaryEdge
  • December 29, 2019 – Diachenko discovered the databases and immediately notified Microsoft.
  • December 30-31, 2019 – The tech giant secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
  • Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)


Malware attack took down 600 computers at Volusia County Public Library

Systems supporting libraries in Volusia County were hit by a cyber attack; the incident took down 600 computers at Volusia County Public Library (VCPL) branches.

600 staff and public access computers were taken down at Volusia County Public Library (VCPL) branches in Daytona Beach, Florida, following a cyberattack. The attack started around 7 AM on January 9, 2020.

“The county’s technology staff were immediately notified and coordinated recovery efforts with library staff,” reads the official statement.

“Approximately 50 computers are back online, enabling library staff to perform patron business, such as checking books in and out, and making reservations.”

The library did not disclose the family of malware that infected its system, but experts believe that the computers were infected with ransomware.

The good news is that the cyber attack did not affect the ordinary operations of the Volusia County Public Library, and the website of the library was not impacted either. Public Wi-Fi in the library was also not affected by the attack; according to the statement, “the public is able to safely use Wi-Fi within the libraries on personal devices.”

As a result of the incident, the computers at the library were not able to surf the web.

“The county is conducting an investigation and more information will be available at a later date,” VCPL staff also said.

“Some Californian libraries are also affected by a ransomware attack that encrypted computers at 26 community libraries in Contra Costa County on January 3.” reported BleepingComputer.

Pierluigi Paganini

(SecurityAffairs – Volusia County Library, hacking)


Jeff Bezos phone was hacked by Saudi crown prince

The phone of the Amazon billionaire Jeff Bezos was hacked in 2018 after receiving a WhatsApp message from the personal account of the crown prince of Saudi Arabia.

In April 2019, Gavin de Becker, the investigator hired by Amazon chief Jeff Bezos to look into the release of his intimate images, revealed that Saudi Arabian authorities had hacked Bezos’s phone to access his personal data.

Gavin de Becker explained that the hack was linked to the coverage of the murder of Saudi journalist Jamal Khashoggi by The Washington Post, the newspaper owned by Bezos.

Gavin de Becker investigated the publication in January of leaked text messages between Bezos and Lauren Sanchez, a former television anchor whom the National Enquirer tabloid newspaper said Bezos was dating.

Jeff Bezos hired Gavin de Becker & Associates to find out how his intimate text messages and photos were obtained by the Enquirer.
Jeff Bezos accused the Enquirer’s publisher, American Media Inc., of “blackmail” for threatening to publish the private photos if he did not stop the investigation. Bezos refused and decided to publicly disclose copies of the emails from AMI.

In an article for The Daily Beast website, De Becker wrote that the parent company of the National Enquirer, American Media Inc., had demanded that De Becker deny finding any evidence of “electronic eavesdropping or hacking in their newsgathering process.”

“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private […],” de Becker wrote on The Daily Beast website.

Now The Guardian provides additional details on the spying, asserting that the intimate pictures were obtained through a sophisticated hacking operation directed by the crown prince of Saudi Arabia, Mohammad bin Salman.

According to anonymous sources of The Guardian, Bezos’ phone was hacked using a WhatsApp message from the personal account of bin Salman himself.

“The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.” reads the article published by The Guardian.

“The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis. “

According to the sources, Bezos received a bait video file on May 1, 2018, that infected his mobile device. The malicious code was used to spy on Bezos, siphoning large amounts of data from his phone. The paper pointed out that at the time the relationship between Bezos and the prince was good and the two were exchanging friendly messages.

The revelation could have severe repercussions; first of all, it will complicate the position of Mohammad bin Salman and his alleged involvement in the murder of Jamal Khashoggi at the Saudi embassy in Istanbul, Turkey, in October 2018.

Saudi Arabia has previously denied its involvement in the murder of Khashoggi that was attributed to a “rogue operation”. In December, a Saudi court convicted eight people of involvement in the murder after a secret trial that was criticised as a sham by human rights experts.

The revelation will also have a significant impact on the business relationships of the Saudi crown prince, “MBS,” with western investors in Saudi Arabia.

Another aspect to evaluate is the impact on the personal relationship between Trump and his son-in-law Jared Kushner with the crown prince.

The US President has always ignored the warnings of US intelligence and has publicly expressed his dislike of Jeff Bezos.

The Guardian asked the Saudi embassy in Washington about the claims; the embassy later rejected the accusations in a message on Twitter, labeling them “absurd”.

The UN has announced the imminent release of an investigation.

Pierluigi Paganini

(SecurityAffairs – Bezos, hacking)


OP Glowing Symphony – How US military claims to have disrupted ISIS’s propaganda

US military claims to have disrupted the online propaganda activity of the Islamic State (ISIS) in a hacking operation dating back at least to 2016.

In 2016, the US Cyber Command carried out successful operations against the online propaganda of the Islamic State (ISIS); this is what emerged from declassified top-secret national security documents released on Tuesday.

The documents have been released under a Freedom of Information Act request.

According to the documents, the US Cyber Command “successfully contested ISIS in the information domain,” and its operations had a significant impact on the terrorist organization’s online radicalization and recruitment.

The first offensive hacking operation, dating back to 2016 and dubbed “Operation Glowing Symphony,” was detailed in the documents released by the National Security Archive at George Washington University.

“Today the National Security Archive is releasing 6 USCYBERCOM documents obtained through FOIA which shed new light on the campaign to counter ISIS in cyberspace.” reads a post published by the National Security Archive at George Washington University. “These documents, ranging from a discussion of assessment frameworks to the 120-day assessment of Operation GLOWING SYMPHONY, reveal the unprecedented complexity of the operation, resulting challenges in coordination and deconfliction, and assessments of effectiveness.”


The offensive Operation Glowing Symphony was carried out in November 2016 by Joint Task Force Ares (JTF-Ares); it mainly aimed at disrupting ISIS propaganda efforts by hacking or hijacking online social media accounts and taking down websites used by the terrorist organization to spread propaganda.

The documents reveal the result of a 120-day assessment US Cyber Command conducted after the completion of Operation Glowing Symphony.

The assessment pointed out problems faced by the US cyber units, including the challenges of storing a huge amount of data contained in the hacked ISIS servers and accounts and the difficulty in coordination with other coalition members and US government agencies.

Operation Glowing Symphony was approved in 2016 by President Barack Obama. It was initially approved for a 30-day period in late 2016, but was later extended.

Operation GLOWING SYMPHONY is considered an important milestone in counter-terrorism efforts and demonstrates the effectiveness of US offensive cyber capabilities against the online propaganda of the Islamic State (ISIS).

“Operation GLOWING SYMPHONY was originally approved for a 30-day window, but a July 2017 General Administrative Message reported the operation’s extension to an unknown date. Whether the operation is currently ongoing or not, it is public knowledge that JTF-ARES continues to operate.” continues the post. “It is also increasingly apparent that the counter-ISIS mission, JTF-ARES, and Operation GLOWING SYMPHONY are viewed within the US military’s cyber-warfighting community as not just a chapter in counter-terrorism and ‘low-intensity conflict’, but as demonstrations of the nation’s offensive cyber capability and a model for conducting an “American way” of cyber warfare.”

Pierluigi Paganini

(SecurityAffairs – OP Glowing Symphony, ISIS)


Brazil Charges Glenn Greenwald with Cybercrimes

Glenn Greenwald has been charged with cybercrimes in Brazil, stemming from publishing information and documents that were embarrassing to the government. The charges are that he actively helped the people who actually did the hacking:

Citing intercepted messages between Mr. Greenwald and the hackers, prosecutors say the journalist played a "clear role in facilitating the commission of a crime."

For instance, prosecutors contend that Mr. Greenwald encouraged the hackers to delete archives that had already been shared with The Intercept Brasil, in order to cover their tracks.

Prosecutors also say that Mr. Greenwald was communicating with the hackers while they were actively monitoring private chats on Telegram, a messaging app. The complaint charged six other individuals, including four who were detained last year in connection with the cellphone hacking.

This isn't new, or unique to Brazil. Last year, Julian Assange was charged by the US with doing essentially the same thing with Chelsea Manning:

The indictment alleges that in March 2010, Assange engaged in a conspiracy with Chelsea Manning, a former intelligence analyst in the U.S. Army, to assist Manning in cracking a password stored on U.S. Department of Defense computers connected to the Secret Internet Protocol Network (SIPRNet), a U.S. government network used for classified documents and communications. Manning, who had access to the computers in connection with her duties as an intelligence analyst, was using the computers to download classified records to transmit to WikiLeaks. Cracking the password would have allowed Manning to log on to the computers under a username that did not belong to her. Such a deceptive measure would have made it more difficult for investigators to determine the source of the illegal disclosures.

During the conspiracy, Manning and Assange engaged in real-time discussions regarding Manning's transmission of classified records to Assange. The discussions also reflect Assange actively encouraging Manning to provide more information. During an exchange, Manning told Assange that "after this upload, that's all I really have got left." To which Assange replied, "curious eyes never run dry in my experience."

Good commentary on the Assange case here.

It's too early for any commentary on the Greenwald case. Lots of news articles are essentially saying the same thing. I'll post more news when there is some.

Yomi Hunter Catches the CurveBall

Yomi implements detection for CurveBall exploits and also supports CVE-2020-0601 exploit detection even for signed PowerShell modules.

The recent CurveBall vulnerability shook the infosec community worldwide: a major vulnerability reported directly by the US National Security Agency.

Such an unusual vulnerability reporter alerted the whole industry, and CVE-2020-0601 quickly conquered most of the headlines.

The reason for this unusual outreach is still not clear, but Microsoft, along with many experts in the industry, confirmed that it is actually an important vulnerability with real chances of being abused in the wild.

The Malware Threat behind CurveBall

There was some misunderstanding during the first hours after the disclosure of the CVE-2020-0601 vulnerability. Many system administrators and companies rushed to update internet-exposed machines, such as web servers or gateways, worried about possible remote code execution, with the EternalBlue/WannaCry crisis still fresh in their minds.

Luckily, CurveBall is not the same type of issue. But if that is so, how exactly may it impact IT infrastructure, and why did the NSA raise such an alarm?

What the NSA states is real: CVE-2020-0601 exposes companies to high risks. But it does so in a stealthier way and, unlike EternalBlue, not in a way that could be exploited by criminals and vandals for an Internet-wide cryptoworm infection.

In fact, CurveBall enables attackers to trick Windows 10, Windows Server 2016 and Windows Server 2019 into accepting them as other trusted parties, such as Microsoft itself: the forged identity is successfully cryptographically verified by the vulnerable hosts.

Pragmatically, this means organizations relying on CVE-2020-0601 vulnerable cryptography implementations to protect their communication are at risk of man in the middle attacks, and impersonification in general. Even cryptographically signed files and emails are exposed to spoofing and tampering, violating the core parts of the threat models most of the company use to secure their businesses.

Is it all? No. 

CurveBall also puts endpoints and security perimeters at risk, because of its appeal for one of the most relevant threats to modern businesses: malware.

In fact, in the modern threat panorama signed files equal signed malware. Thus, several threat actors, both state-sponsored and cyber criminal, may abuse the CurveBall vulnerability to fake Microsoft-signed executables, impersonating legitimate files and potentially tricking perimeter and endpoint security technologies that rely on the faulty Windows cryptographic validation.

Yomi Hunter Catches CVE-2020-0601

So, after evaluating the risks of CurveBall exploitation in the wild, especially considering the release of public tools to abuse the vulnerability to sign arbitrary files, we rolled out a new update of Yomi Hunter able to catch CurveBall exploit attempts.

Now, both Private and Public instances of the Yomi Sandbox are actively looking for CVE-2020-0601 exploits trying to evade traditional security controls. The new detection logic is available in the malware reports generated by the Yomi Hunter community, in the new VirusTotal integrated reports, and in every private instance in use by Yoroi’s Cyber Security Defence Center customers.

Figure. CVE-2020-0601 exploit on Yomi Hunter

But Yomi Hunter is not limited to hunting for Portable Executable files exploiting CurveBall. The cryptographic detection mechanism rolled out in the new update also supports CVE-2020-0601 exploit detection for signed PowerShell modules.
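The core check behind any CurveBall detector, as an added example that is not Yomi Hunter's code: CVE-2020-0601 stems from Windows CryptoAPI trusting an ECC certificate that carries explicit curve parameters (a SEQUENCE in the AlgorithmIdentifier instead of a named-curve OID) whenever its public key matched a cached trusted root, without checking the generator. The DER walker below flags such certificates, whether pulled from an Authenticode-signed PE or a signed PowerShell module; all sample DER (key material, certificate scaffold) is constructed placeholder data.

```python
"""Flag X.509 certificates whose EC key uses explicit curve parameters,
the structural marker of a CVE-2020-0601 (CurveBall) forgery attempt.
Added example; every sample structure below is constructed, not a real key."""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
EC_ALG_OID = bytes.fromhex("2A8648CE3D0201")          # 1.2.840.10045.2.1
P256_OID = bytes.fromhex("2A8648CE3D030107")          # 1.2.840.10045.3.1.7 (prime256v1)
ECDSA_SHA256_OID = bytes.fromhex("2A8648CE3D040302")  # 1.2.840.10045.4.3.2


def _read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, data[start:start + length], start + length


def _children(content):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _encode(tag, value):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def classify_spki(spki):
    """'named-curve', 'explicit-params', 'other-ec-params' or 'not-ec'."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_parts = _children(_children(body)[0][1])      # AlgorithmIdentifier
    if _decode_oid(alg_parts[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    params_tag = alg_parts[1][0] if len(alg_parts) > 1 else None
    if params_tag == 0x06:        # ECParameters CHOICE: namedCurve OID
        return "named-curve"
    if params_tag == 0x30:        # specifiedCurve SEQUENCE: the CurveBall case
        return "explicit-params"
    return "other-ec-params"      # implicitCurve NULL or parameters absent


def spki_from_certificate(cert_der):
    """Locate subjectPublicKeyInfo inside a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    fields = _children(_children(cert_body)[0][1])      # tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return _encode(0x30, fields[5][1])


def certificate_uses_explicit_curve(cert_der):
    """True when the certificate's EC key carries explicit curve parameters."""
    return classify_spki(spki_from_certificate(cert_der)) == "explicit-params"


# --- constructed samples (placeholder point, not real key material) --------
FAKE_POINT = b"\x00\x04" + bytes(64)   # 0 unused bits + "uncompressed" point


def named_curve_spki():
    alg = _encode(0x30, _encode(0x06, EC_ALG_OID) + _encode(0x06, P256_OID))
    return _encode(0x30, alg + _encode(0x03, FAKE_POINT))


def explicit_params_spki():
    # SpecifiedECDomain shape: version, fieldID, curve, base, order (placeholders)
    params = _encode(0x30, _encode(0x02, b"\x01") + _encode(0x30, b"")
                     + _encode(0x30, b"") + _encode(0x04, b"\x04")
                     + _encode(0x02, b"\x01"))
    alg = _encode(0x30, _encode(0x06, EC_ALG_OID) + params)
    return _encode(0x30, alg + _encode(0x03, FAKE_POINT))


def wrap_in_certificate(spki, with_version=True):
    """Structurally minimal, unsigned Certificate around spki (test scaffold)."""
    sig_alg = _encode(0x30, _encode(0x06, ECDSA_SHA256_OID))
    utc = _encode(0x17, b"200101000000Z")
    tbs = _encode(0xA0, _encode(0x02, b"\x02")) if with_version else b""
    tbs += (_encode(0x02, b"\x01") + sig_alg + _encode(0x30, b"")
            + _encode(0x30, utc + utc) + _encode(0x30, b"") + spki)
    return _encode(0x30, _encode(0x30, tbs) + sig_alg + _encode(0x03, b"\x00"))
```

Run it against the signer chain of a real signed file by feeding each DER certificate to certificate_uses_explicit_curve(); a hit on a certificate that claims to chain to a Microsoft root is the signal the sandbox looks for.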

If you want to try Yomi: The Malware Hunter please register here!

Pierluigi Paganini

(SecurityAffairs – Curveball, hacking)

The post Yomi Hunter Catches the CurveBall appeared first on Security Affairs.

US-based children’s clothing maker Hanna Andersson discloses a data breach

The US-based children’s clothing maker Hanna Andersson has disclosed a data breach that affected its customers.

The US-based children’s clothing maker and online retailer Hanna Andersson disclosed a data breach: attackers planted an e-skimmer on its e-commerce platform.

Like other Magecart attacks, crooks compromised the online store and injected a JavaScript code into checkout pages to steal payment data while users were making purchases.

Hacker groups under the Magecart umbrella continue to steal payment card data with so-called software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010.

According to a joint report published by RiskIQ and FlashPoint in 2019, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.

Millions of Magecart instances have been detected over time, and security experts have discovered tens of software skimming scripts.

In a report recently published by RiskIQ, experts estimate that the group has impacted millions of users. At the time, RiskIQ reported a total of 2,086,529 instances of Magecart detections, most of them were supply-chain attacks.

Hanna Andersson started informing its customers via email. The company had been informed by law enforcement on December 5 that data related to credit cards used by its customers on its websites was available for sale on the dark web.

The company immediately launched an investigation that revealed that a third-party ecommerce platform, Salesforce Commerce Cloud, was infected with an e-skimmer. Forensics experts hired by the company discovered that the malicious code was likely planted on September 16, 2019. The malware was completely removed on November 11, 2019.

While Hanna Andersson’s investigation into the security incident revealed that not all of the customers who paid using their payment cards through the Salesforce Commerce Cloud (previously known as Demandware) were affected, it was not able to pinpoint which ones were.

“The incident potentially involved information submitted during the final purchase process on our website, www.hannaandersson.com, including name, shipping address, billing address, payment card number, CVV code, and expiration date,” reads a notice issued by the company.

“We have taken steps to re-secure the online purchasing platform on our website and to further harden it against compromise. In addition, we have retained forensic experts to investigate the incident and are cooperating with law enforcement and the payment card brands in their investigation of and response to the incident.”

The company sanitized its e-commerce platform and declared to have implemented additional measures to protect the website.

The retailer is offering MyIDCare identity theft protection services through ID Experts; it includes 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services.

Pierluigi Paganini

(SecurityAffairs – Hanna Andersson, hacking)

The post US-based children’s clothing maker Hanna Andersson discloses a data breach appeared first on Security Affairs.

Expert found a hardcoded SSH Key in Fortinet SIEM appliances

An expert found a hardcoded SSH public key in Fortinet’s Security Information and Event Management product, FortiSIEM, that can allow access to the FortiSIEM Supervisor.

Andrew Klaus, a security specialist from Cybera, discovered a hardcoded SSH public key in Fortinet’s Security Information and Event Management product, FortiSIEM, that can be used by attackers to access the FortiSIEM Supervisor.

The expert discovered that the Fortinet devices share the same SSH key for the user ‘tunneluser‘, and it is stored in plain text.

“FortiSIEM has a hardcoded SSH public key for user “tunneluser” which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor.” reads the security advisory. “The unencrypted key is also stored inside the FortiSIEM image. While the user’s shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds.”

Fortinet published a security advisory for the issue that is tracked as CVE-2019-17659.

The vulnerability could be exploited by attackers to trigger a denial of service condition.

“A use of hard-coded cryptographic key vulnerability in FortiSIEM may allow a remote unauthenticated attacker to obtain SSH access to the supervisor as the restricted user “tunneluser” by leveraging knowledge of the private key from another installation or a firmware image.” reads the advisory.

The user ‘tunneluser‘ only runs in a restricted shell that lets only that user create tunnel connections from the supervisor to the originating IP.

The feature was implemented to enable connecting to collectors from the supervisor when there is a firewall between the collector and the supervisor.

Fortinet invites customers that are not using the reverse tunnel feature to disable SSH on port 19999, which only allows tunneluser to authenticate. Fortinet also advises customers to disable “tunneluser” SSH access on port 22.

Below the timeline of the vulnerability:

  • Dec 2, 2019: Email sent to Fortinet PSIRT with vulnerability details.
  • Dec 3, 2019: Automated reply from PSIRT that email was received.
  • Dec 23, 2019: Sent a reminder email to PSIRT about requesting a human confirmation.
  • Jan 3, 2019: Public Release.

The flaw affects FortiSIEM version 5.2.6 and below; the tech firm addressed it with the release of FortiSIEM version 5.2.7.

Pierluigi Paganini

(SecurityAffairs – FortiSIEM, hacking)

The post Expert found a hardcoded SSH Key in Fortinet SIEM appliances appeared first on Security Affairs.

Mitsubishi Electric discloses data breach, media blame China-linked APT

Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate information.

Mitsubishi Electric disclosed a security breach that might have exposed personal and confidential corporate data. According to the company, attackers did not obtain sensitive information about defense contracts.

The breach was detected almost eight months ago, on June 28, 2019, with the delay being attributed to the increased complexity of the investigation caused by the attackers deleting activity logs.

“On June 28, last year, a suspicious behavior was detected and investigated on a terminal in our company, and as a result of unauthorized access by a third party, data was transmitted to the outside,” reads a data breach notification published by the company.

The intrusion took place on June 28, 2019, and the company launched an investigation in September 2019. Mitsubishi Electric disclosed the security incident only after two local newspapers, the Asahi Shimbun and Nikkei, reported the security breach.

Mitsubishi Electric had also already notified members of the Japanese government and Ministry of Defense.

This morning, at a press conference, Yoshii Kan, a secretary-general of Japan, said that the company had reported the intrusion. Although Mitsubishi Electric is dealing with government agencies such as the Ministry of Defense, Mr. Kan said, “I was notified that it was confirmed that there was no leak of sensitive information such as defense equipment and electric power.”

“Mitsubishi Electric, a major general electronics maker, has been hit by a large-scale cyber attack, and it has been found that information about public and private business partners such as highly confidential defense-related and important social infrastructure such as electric power and railroad may leak out.” reported the Asahi Shimbun. “An internal survey found that computers and servers at headquarters and major sites were subject to numerous unauthorized accesses.”

The two media outlets attribute the cyber attack to a China-linked cyber espionage group tracked as Tick (aka Bronze Butler).

The hacker group has been targeting Japanese heavy industry, manufacturing and international relations at least since 2012.

According to the experts, the group is linked to the People’s Republic of China and is focused on exfiltrating confidential data.

“According to people involved, Chinese hackers Tick may have been involved. According to Mitsubishi Electric, “logs (to check for leaks) have been deleted and it is not possible to confirm whether or not they actually leaked.” reported the Nikkei.

“According to the company, at least tens of PCs and servers in Japan and overseas have been found to have been compromised. The amount of unauthorized access is approximately 200 megabytes, mainly for documents.”

The security breach was discovered after Mitsubishi Electric staff found a suspicious file on one of the company’s servers; further investigation allowed the company to determine that an employee account had been compromised.

According to the media, hackers gained access to the networks of around 14 company departments, including sales and the head administrative office. Threat actors stole around 200 MB of files including:

  • Personal information and recruitment applicant information (1,987) 
  • New graduate recruitment applicants who joined the company from October 2017 to April 2020, and experienced recruitment applicants from 2011 to 2016 and our employee information (4,566) 
  • 2012 Survey results regarding the personnel treatment system implemented for employees in the headquarters in Japan, and information on retired employees of our affiliated companies (1,569) 

“Exchanges with government agencies such as the Ministry of Defense, the Nuclear Regulatory Commission, the Agency for Natural Resources and Energy, the Cabinet Office, and the Ministry of the Environment,” as well as “transaction-related conference materials such as joint development with private companies such as electric power, railways, and telecommunications, and product orders” might also have been leaked, reported Kyodo News.

The company is still investigating the security breach, but it seems that attackers have attempted to delete any evidence of the attack.

Mitsubishi Electric is going to report the incident to the affected customers.

“We are informing the affected customers of the possible breach of trade secrets,” states the company.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Mitsubishi Electric discloses data breach, media blame China-linked APT appeared first on Security Affairs.

NATO will send a counter-hybrid team to Montenegro to face Russia’s threat

The Chairman of the NATO Military Committee announced that the alliance has sent a counter-hybrid team to Montenegro to face Russian hybrid attacks.

Last week in Brussels, the Chairman of the NATO Military Committee (MC), Marshal Sir Stuart Peach, announced the effort of the Alliance in facing Russian hybrid attacks.

The term “Hybrid warfare” refers to a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare with other influencing methods, such as fake news, diplomacy, lawfare and foreign electoral intervention.

Peach said that the NATO alliance had set up the first NATO counter-hybrid team in Montenegro.

“The first NATO counter-hybrid team has been deployed to our ally state, Montenegro, with the aim of helping to strengthen Montenegro’s capacities and deterring hybrid challenges”, Peach said.

Several countries, especially Russia, continue their aggressive operations against foreign states, and cyber warfare is becoming the main concern for almost any government.

The official explained that since 2014 the defence spending to face hybrid threats has continued to increase; it has been estimated that by 2024 that amount will reach $400 billion.

“NATO data shows a 4,6% increase in 2019. That is the fifth consecutive year of growth. By the end of this year, allies will have invested over $130 billion”, added Marshal Peach.

United States Army General Mark Milley, the highest military officer and military adviser to the President, Minister of Defence and U.S. National Security Council, accused the Russian Government of attempting to destabilize the members of the alliance and divide it.

“It is evident that Russia has been trying to divide NATO and make it weaker”, General Milley said.

“It would be their benefit. It would be detrimental to Europe and the US if NATO just collapsed and disintegrated.”

Representatives of Montenegro’s Defence Ministry confirmed that NATO counter-hybrid team visited Montenegro in November. Experts fear that Russia could attempt to influence the forthcoming parliamentary elections that will take place in October 2020.

“This visit was the first such engagement in one of the allies, and it was an important experience for Montenegro. Montenegro wants to enhance its capacities and the focus of NATO’s team was on strengthening legislative framework in this domain and its implementation”, said Ivica Ivanović, director general for defence policy.

On June 5, 2017 Montenegro officially joined the NATO alliance despite the strong opposition from the Russian Government, which threatened to retaliate.

Cybersecurity experts believe that a new wave of attacks from the cyberspace will hit the state. In February 2017, for the second time in a few months, Montenegro suffered massive and prolonged cyberattacks against government and media websites.

Researchers at security firm FireEye who analyzed the attacks observed malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack hit the country’s institutions during October 2016 elections, amid speculation that the Russian Government was involved.

Hackers targeted Montenegro with spear-phishing attacks, the malicious messages used weaponized documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro.

At the time, the cyberspies delivered the GAMEFISH backdoor (aka Sednit, Seduploader, JHUHUGIT, and Sofacy), a malware that was used only by the APT28 group in past attacks.

Pierluigi Paganini

(SecurityAffairs – Montenegro, elections)

The post NATO will send a counter-hybrid team to Montenegro to face Russia’s threat appeared first on Security Affairs.

Citrix releases permanent fixes for CVE-2019-19781 flaw in ADC 11.1 and 12.0

Citrix addressed the actively exploited CVE-2019-19781 flaw in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

Citrix has released security patches to address actively exploited CVE-2019-19781 vulnerability in Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

While security researchers were warning of ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers affected by the CVE-2019-19781 vulnerability, many experts were announcing the availability online of proof-of-concept exploit code ([1], [2]).

Researchers at MDSsec published technical details of the vulnerability along with a video that shows the exploit they developed, but they decided not to release it, to prevent miscreants from using it in the wild.

In December Citrix disclosed the critical CVE-2019-19781 vulnerability and explained that it could be exploited by attackers to access company networks.

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia. 

The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies.

Now Citrix is announcing the permanent fixes for the above remote code execution vulnerability.

“Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here,” reads a post published by Citrix’s CISO Fermin J. Serna.

“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.”

Citrix urges the upgrade for all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15. It is also necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes. 

The company also announced that it has postponed the release of permanent fixes for other ADC versions and for SD-WAN WANOP; below are the expected release dates:

  • ADC version 12.1, now January 24
  • ADC version 13 and ADC version 10.5, now January 24
  • SD-WAN WANOP fixes, now January 24

Citrix ADC and Citrix Gateway

  Version   Refresh Build   Release Date
  11.1      11.1.63.15      January 19, 2020
  12.0      12.0.63.13      January 19, 2020
  12.1      12.1.55.x       January 24, 2020
  10.5      10.5.70.x       January 24, 2020
  13.0      13.0.47.x       January 24, 2020

Citrix SD-WAN WANOP

  Release   Citrix ADC Release   Release Date
  10.2.6    11.1.51.615          January 24, 2020
  11.0.3    11.1.51.615          January 24, 2020

Once the mitigations are applied, it is possible to use a tool released by Citrix to ensure they have been applied successfully.

“While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible.” continues the post.

Security experts are observing a spike in the number of attacks against Citrix servers after that researchers announced the availability online of proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway servers.

Researchers from FireEye recently noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers, installing their own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat from exploiting the CVE-2019-19781 Citrix flaw.

Pierluigi Paganini

(SecurityAffairs – Citrix servers, hacking)

The post Citrix releases permanent fixes for CVE-2019-19781 flaw in ADC 11.1 and 12.0 appeared first on Security Affairs.

WP Database Reset WordPress plugin flaws allow website takeover

The WP Database Reset WordPress plugin is affected by an “easily exploitable” vulnerability that can allow attackers to take over vulnerable sites. 

Security experts from Wordfence discovered two security vulnerabilities in the WP Database Reset WordPress plugin that can be used to take over vulnerable websites.

The WordPress Database Reset plugin allows users to reset the database (all tables or the ones you choose) back to its default settings without having to go through a fresh WordPress installation; it has over 80,000 installs.

“On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites.” reads the analysis published by Wordfence. “One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.”

The first critical vulnerability, tracked as CVE-2020-7048, has been assigned a CVSS score of 9.1. The experts discovered that none of the database reset functions were secured potentially allowing any user to reset any database table without authentication. 

The second vulnerability, tracked as CVE-2020-7047, has received a CVSS score of 8.1 and allowed any authenticated user to drop all other users by resetting the wp_users table and escalate to administrative privileges.

“Dropping all users during a database reset may be problematic, but we can always recreate users, right? Unfortunately, this was more complex. Whenever the wp_users table was reset, it dropped all users from the user table, including any administrators, except for the currently logged-in user.” continues the analysis. “The user sending the request would automatically be escalated to administrator, even if they were only a subscriber. That user would also become the only administrator, thus allowing an attacker to fully take over the WordPress site.”

Below the disclosure timeline:

January 7th, 2020 – Vulnerability initially discovered and analyzed.
January 8th, 2020 – Full details disclosed to plugin developer and custom firewall rule released to Wordfence premium users.
January 13th, 2020 – Developer responds and notifies us that a patch will be released the next day.
January 14th, 2020 – Patch released.
January 16th, 2020 – Public disclosure.

Users of the above plugin have to update their installs to the latest version of WP Database Reset, 3.15.  

Earlier this week, experts at security firm WebArx disclosed vulnerabilities in the WP Time Capsule and InfiniteWP plugins, both patched earlier this month by the developer Revmakx.

The flaws in the WP Time Capsule and InfiniteWP WordPress plugins could be exploited to take over the more than 320,000 websites running them on the popular CMS.

Pierluigi Paganini

(SecurityAffairs – WP Database Reset, hacking)

The post WP Database Reset WordPress plugin flaws allow website takeover appeared first on Security Affairs.

JhoneRAT uses Google Drive, Twitter, ImgBB, and Google Forms to target countries in Middle East

Researchers from Cisco Talos discovered a new Trojan named JhoneRAT that was used in targeted attacks against entities in the Middle East.

A new Trojan named JhoneRAT appeared in the threat landscape, it is selectively attacking targets in the Middle East by checking keyboard layouts.

The malware targets a very specific set of Arabic-speaking countries, including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.

“Today, Cisco Talos is unveiling the details of a new RAT we have identified we’re calling “JhoneRAT.” This new RAT is dropped to the victims via malicious Microsoft Office documents.” reads the analysis published by Cisco Talos. “The dropper, along with the Python RAT, attempts to gather information on the victim’s machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms.”


The experts discovered that the RAT is distributed via weaponized Office documents, it leverages multiple cloud services (i.e. Google Drive, Twitter, ImgBB and Google Forms) to avoid detection. 

The JhoneRAT is written in Python, it attempts to download additional payloads and upload the information gathered during the reconnaissance phase.

Talos researchers identified three weaponized Microsoft Office documents that download and load an additional document containing a macro. The first document, named “Urgent.docx”, dates back to November 2019.

The second document, named “fb.docx”, is dated January and claims to contain data on a Facebook information leak. The third document, found in mid-January, pretends to be from a legitimate United Arab Emirates organization.

The additional Office documents loaded and executed by the JhoneRAT are hosted through Google Drive in the attempt to avoid URL blacklisting. 

JhoneRAT is dropped through Google Drive, which hosts images with a base64-encoded binary appended at the end. Once loaded onto a target machine, the images deploy the Trojan, which harvests information from the victim’s machine (i.e. OS, disk serial numbers, the antivirus, and more).

The malware uses Twitter as C2: while exfiltrating information, it checks a public Twitter feed for comments every 10 seconds.
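The image-carrier trick described above, as an added detection example that is not Talos's code: a well-formed PNG ends at its IEND chunk and a JPEG at its EOI marker, so any bytes after that point are foreign, and base64 text there is exactly the pattern the article describes. The sample image and payload are constructed placeholders.

```python
"""Find a payload appended after the end of an image (base64 glued to an
image, the JhoneRAT delivery trick).  Added example; the sample PNG and the
payload bytes are constructed, not real malware."""
import base64
import binascii
import struct
import zlib
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def image_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the last byte a PNG or JPEG decoder will consume,
    or None if the format is not recognised or the image is truncated."""
    if data.startswith(PNG_MAGIC):
        pos = len(PNG_MAGIC)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length           # 4 length + 4 type + data + 4 crc
            if ctype == b"IEND":
                return pos if pos <= len(data) else None
        return None
    if data.startswith(JPEG_SOI):
        # Base64 text never contains 0xFF, so when an encoded payload was
        # appended the last EOI marker in the file is the real one.
        end = data.rfind(JPEG_EOI)
        return end + 2 if end != -1 else None
    return None


def extract_appended_payload(data: bytes) -> Optional[dict]:
    """Describe data trailing the image, decoding it when it is base64
    (line breaks ignored); None when the file ends where it should."""
    end = image_end_offset(data)
    if end is None or end >= len(data):
        return None
    trailer = b"".join(data[end:].split())   # drop newlines / padding blanks
    if not trailer:
        return None
    try:
        payload, is_b64 = base64.b64decode(trailer, validate=True), True
    except (binascii.Error, ValueError):
        payload, is_b64 = data[end:], False   # appended but not base64
    return {"offset": end, "trailing_bytes": len(data) - end,
            "base64": is_b64, "payload": payload}


# --- constructed sample inputs --------------------------------------------
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG, built here as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")        # filter byte + one pixel
    return (PNG_MAGIC + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def append_base64_payload(image: bytes, payload: bytes) -> bytes:
    """Sample builder: glue a base64 copy of payload after the image."""
    return image + b"\n" + base64.b64encode(payload)
```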

“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets.” continues the analysis. “These commands can be issued to a specific victim based on the UID generated on each target (by using the disk serial and contextual information such as the hostname, the antivirus and the OS) or to all of them.”

Experts pointed out that stolen data is exfiltrated through cloud providers: for example, screenshots are uploaded to ImgBB, while commands are executed with their output sent to Google Forms. The malware downloads binaries disguised as pictures from Google Drive and executes them.

“The attacker put a couple of tricks in place to avoid execution on virtual machines (sandbox). The first trick is the check of the serial number of the disk. The actor used the same technique in the macro and in the JhoneRAT. By default, most of the virtual machines do not have a serial number on the disk.” continues the analysis.

“The attacker used a second trick to avoid analysis of the Python code. The actor used the same trick that FireEye used in the Flare-On 6: Challenge 7: they removed the header of the Python bytecode.”

According to the experts, the campaign is still ongoing, even if the Twitter account is suspended, attackers can easily create new accounts and use them in the same way.

“This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort in opsec by only using cloud providers.” concludes the report. “The malicious documents, the droppers and the RAT itself are developed around cloud providers. Additionally the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities to the analyst.”

The analysis published by Talos contains additional technical details, including Indicators of Compromise.

Pierluigi Paganini

(SecurityAffairs – JhoneRAT, malware)

The post JhoneRAT uses Google Drive, Twitter, ImgBB, and Google Forms to target countries in Middle East appeared first on Security Affairs.

Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online

The availability online of a new collection of Telnet credentials for more than 500,000 servers, routers, and IoT devices made the headlines.

A hacker has published online a massive list of Telnet credentials for more than 515,000 servers and smart devices, including home routers. This is the biggest leak of Telnet passwords ever reported.

According to ZDNet that first published the news, the list was leaked on a popular hacking forum by the operator of a DDoS booter service.

The list includes the IP address, username and password for the Telnet service for each device.

The list appears to be the result of an Internet scan for devices using default credentials or easy-to-guess passwords.

“As ZDNet understands, the list was published online by the maintainer of a DDoS-for-hire (DDoS booter) service.” reported ZDNet.

“When asked why he published such a massive list of “bots,” the leaker said he upgraded his DDoS service from working on top of IoT botnets to a new model that relies on renting high-output servers from cloud service providers.”

The lists leaked online are dated October-November 2019, let’s hope that Internet Service Providers will contact ZDNet to receive them and check if the devices belong to their network and secure them.

In August 2017, security researcher Ankit Anubhav found a list of more than 1,700 valid Telnet credentials for IoT devices online.

The list of thousands of fully working Telnet credentials had been available on Pastebin since June 11, 2017.

Many IoT devices included in the list have default and well-known credentials (i.e., admin:admin, root:root, or no authentication required).

Top five credentials included in the list were:

  • root:[blank]—782
  • admin:admin—634
  • root:root—320
  • admin:default—21
  • default:[blank]—18

The popular researcher Victor Gevers, the founder of the GDI Foundation, analyzed the list and confirmed it was composed of more than 8,200 unique IP addresses, about 2,174 of which were accessible via Telnet with the leaked credentials.

Pierluigi Paganini

(SecurityAffairs – Telnet credentials, hacking)

The post Bot list with Telnet credentials for more than 500,000 servers and IoT devices leaked online appeared first on Security Affairs.

Hackers patch Citrix servers to deploy their own backdoor

Attacks on Citrix servers are intensifying, one of the threat actors behind them is patching them and installing its own backdoor to lock out other attackers.

Security experts are monitoring a spike in the number of attacks against Citrix servers after that researchers announced the availability online of proof-of-concept exploits for the CVE-2019-19781 flaw in Citrix NetScaler ADC and Citrix NetScaler Gateway servers.

Researchers from FireEye noticed that one of the threat actors involved in the attacks is patching the vulnerable Citrix servers, installing their own backdoor, tracked as NOTROBIN, to clean up other malware infections and to lock out any other threat from exploiting the CVE-2019-19781 Citrix flaw.

“One particular threat actor that’s been deploying a previously-unseen payload for which we’ve created the code family NOTROBIN.” reads a report published by FireEye.

“Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.”

The popular expert Kevin Beaumont first reported the scans for vulnerable systems earlier in January, but only last week the exploits were made public.

The issue affects all supported product versions and all supported platforms:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia. 


The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies. 

The NOTROBIN backdoor was designed to prevent subsequent exploitation of the flaw on Citrix servers and also to establish backdoor access, a circumstance that suggests that attackers are preparing future attacks. 

Experts pointed out that the threat actor exploits CVE-2019-19781 to execute shell commands: the attackers send the malicious payload to the vulnerable newbm.pl CGI script through an HTTP POST request from a Tor exit node.

Below is a web server access log entry recording the exploitation attempt:

    127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"

The experts have yet to recover the POST body contents and analyze them.
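The access log entry above is the pattern a defender can hunt for. The following Python detector is an added example (not FireEye's or Citrix's code): it parses lines in that Common Log Format, resolves the `..` segments and percent-encoding in the request path, and flags requests that start under the public `/vpn/` prefix but resolve into `/vpns/` or reach `newbm.pl`. The sample log is constructed here; its first line mirrors the quoted entry, the rest are made up.

```python
"""Flag CVE-2019-19781 exploitation attempts in NetScaler/ADC HTTP access logs.

Added example for this post, not FireEye's or Citrix's code. The log format and
the sample lines below are constructed to match the entry quoted in the post.
"""
import re
from posixpath import normpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Common Log Format, as in the entry quoted in the post:
# client ident user [timestamp] "METHOD path HTTP/x.y" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}|-) '
    r'(?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Unauthenticated requests must stay under /vpn/; the traversal escapes into
# /vpns/, where the Perl CGI scripts (newbm.pl in the post) live.
PUBLIC_PREFIX = "/vpn/"
PRIVATE_PREFIX = "/vpns/"
KNOWN_SCRIPT = "newbm.pl"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_path(raw_path: str) -> str:
    """Percent-decode and collapse '..' so encoded variants compare equal.

    Decoding is applied twice so a double-encoded %252e still resolves; that is
    a conservative choice for a detector, not a claim about server behaviour.
    """
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return normpath(decoded)


def classify(entry: Dict[str, str]) -> List[str]:
    """Return detection reasons for one parsed entry (empty list = nothing seen)."""
    raw = entry["path"]
    resolved = normalize_path(raw)
    reasons: List[str] = []
    # The bypass: the literal path starts in the public tree but resolves into /vpns/.
    if raw.lower().startswith(PUBLIC_PREFIX) and resolved.startswith(PRIVATE_PREFIX):
        reasons.append("path-traversal-/vpn/-to-/vpns/")
    # Any request that reaches the script named in the post, traversal or not.
    if resolved.endswith("/" + KNOWN_SCRIPT):
        reasons.append(f"reached-{KNOWN_SCRIPT}")
    # A POST to the CGI directory carries the attacker-supplied body the post describes.
    if entry["method"] == "POST" and resolved.startswith(PRIVATE_PREFIX + "portal/scripts/"):
        reasons.append("post-to-vpns-scripts")
    # Note: the quoted entry returned 304, so the status code is not a useful filter.
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over raw log lines and keep only the entries with reasons."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({"client": entry["client"], "ts": entry["ts"],
                         "method": entry["method"], "path": entry["path"],
                         "reasons": reasons})
    return hits


# Constructed sample log: line 1 mirrors the entry quoted in the post; the others
# are made up here (benign traffic plus percent-encoded traversal variants).
SAMPLE_LOG = """\
127.0.0.2 - - [12/Jan/2020:21:55:19 -0500] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 304 - "-" "curl/7.67.0"
10.0.0.5 - - [12/Jan/2020:21:55:20 -0500] "GET /vpn/index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Jan/2020:21:56:01 -0500] "GET /vpn/..%2fvpns/portal/scripts/newbm.pl HTTP/1.1" 200 - "-" "python-requests/2.22.0"
10.0.0.7 - - [12/Jan/2020:21:57:44 -0500] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 - "-" "curl/7.67.0"
10.0.0.8 - - [12/Jan/2020:21:58:10 -0500] "GET /vpn/images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["method"], hit["path"], ",".join(hit["reasons"]))
```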

The attackers then execute a one-line bash script to remove crypto-miners, create a hidden staging folder (/tmp/.init), download NOTROBIN to it, and install /var/nstmp/.nscache/httpd for persistence via the cron daemon.

NOTROBIN is written in Go. It scans every second for specific files and deletes them; if the filename or file content includes a hardcoded key, the files are left in place.

“The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked. However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time,” continues the analysis. 

The experts from FireEye noticed threat actors deploying NOTROBIN with unique keys; they observed nearly 100 keys from different binaries.

The keys look like MD5 hashes. The use of unique keys makes it difficult for third parties, including competing attackers, to scan for NetScaler devices already infected with NOTROBIN.

“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027,” concludes FireEye. “NOTROBIN mitigates CVE-2019-19781 on compromised devices but retains a backdoor for an actor with a secret key. While we haven’t seen the actor return, we’re skeptical that they will remain a Robin Hood character protecting the internet from the shadows.”

Further technical details are reported in the analysis published by FireEye, including Indicators of Compromise (IoCs).


Microsoft provides mitigation for actively exploited CVE-2020-0674 IE Zero-Day

Microsoft published a security advisory to warn of an Internet Explorer (IE) zero-day vulnerability (CVE-2020-0674) that is currently being exploited in the wild.

Microsoft has published a security advisory (ADV200001) that includes mitigations for a zero-day remote code execution (RCE) vulnerability, tracked as CVE-2020-0674, affecting Internet Explorer.

The tech giant confirmed that the CVE-2020-0674 zero-day vulnerability has been actively exploited in the wild.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attacker who exploits the flaw gains the same user permissions as the user logged into the compromised Windows device. If the user is logged on with administrative permissions, the attacker can take full control of the system.

The CVE-2020-0674 flaw could be triggered by tricking victims into visiting a website hosting specially crafted content designed to exploit the issue through Internet Explorer.

Microsoft announced that it is currently working on a patch to address the vulnerability; the company will likely release an out-of-band update because attackers are already exploiting the flaw in the wild.

Microsoft suggests restricting access to JScript.dll using the following workaround to mitigate this zero-day flaw.

For 32-bit systems, enter the following command at an administrative command prompt:

    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following commands at an administrative command prompt:

    takeown /f %windir%\syswow64\jscript.dll
    cacls %windir%\syswow64\jscript.dll /E /P everyone:N
    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

The company warns that implementing this mitigation might impact the functionality of components or features that use jscript.dll.

“Implementing these steps might result in reduced functionality for components or features that rely on jscript.dll. To be fully protected, Microsoft recommends the update be installed as soon as possible. Please revert the mitigation steps before installing the update to return to a full state.” continues the advisory.

To undo the workaround, use the following procedures.

For 32-bit systems, enter the following command at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone    

For 64-bit systems, enter the following commands at an administrative command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone    
    cacls %windir%\syswow64\jscript.dll /E /R everyone


Turkish Hackers hit Greek Government websites and local stock exchange

Turkish hackers hijacked for more than 1 hour the official websites of the Greek parliament, some ministries, as well as the country’s stock exchange.

While eastern Libya ports controlled by commander Khalifa Haftar are shutting down oil exports, the group of Turkish hackers named Anka Neferler Tim claimed Friday to have hijacked for more than 90 minutes the official websites of the Greek parliament, the foreign affairs, and economy ministries, as well as the country’s stock exchange.


The group announced the attacks on its Facebook page. The hackers said they carried out the attack because “Greece is threatening Turkey in the Aegean Sea and in the eastern Mediterranean. And now it’s threatening the conference on Libya.”

The attacks were launched after Khalifa Haftar held talks in Athens, two days ahead of a peace conference in Berlin. Both Haftar and the head of Tripoli’s UN-recognised government, Fayez al-Sarraj, are expected to attend the conference, while representatives of the Greek government have not been invited.

Greek Prime Minister Kyriakos Mitsotakis met with Haftar, and the government of Athens encouraged the Libyan military commander to be constructive in Berlin.

“We encouraged the commander to take part with a constructive spirit in Berlin’s procedure and try to achieve a ceasefire and the restoration of safety in Libya,” Greek Foreign Minister Nikos Dendias told reporters after the meeting.

The Turkish government is providing military support for the government of Sarraj and plans to send its military troops to Libya to fight against Haftar’s army. 

The Berlin conference aims at establishing peace in Libya under the aegis of the United Nations. 


Cybercrime Statistics in 2019

I’m preparing the slides for my next speech and I decided to create this post while searching for interesting cybercrime statistics in 2020.

Cybercrime will cost as much as $6 trillion annually by 2021.

The global expense for organizations to protect their systems from cybercrime attacks will continue to grow. According to Cybersecurity Ventures’ cybercrime statistics 2017, cybercrime damages will amount to a staggering $6 trillion annually starting in 2021. Experts fear that the cost of cybercrime will exceed the annual cost of natural disasters by 2021. These figures suggest that cybercrime is becoming more profitable than other criminal activities, such as the illegal drug trade.

Financial losses reached $2.7 billion in 2018.

According to the IC3 Annual Report released in April 2019, financial losses reached $2.7 billion in 2018. The most financially devastating threats involved investment scams, business email compromise (BEC), and romance fraud.

The total cost of cybercrime for each company in 2019 reached US$13M.

The total cost of cybercrime for each company increased from US$11.7 million in 2017 to a new high of US$13.0 million—a rise of 12 percent, states the “NINTH ANNUAL COST OF CYBERCRIME STUDY” published by Accenture.

The total annual cost of all types of cyberattacks is increasing.

According to Accenture, malware and Web-based attacks continue to cause higher financial losses to organizations worldwide. The cost of ransomware attacks accounts for 21 percent of the overall expenses, while the cost of malicious insider accounts for 15 percent. The cost of malware attacks is now an average of US$2.6 million annually for organizations.

Source: Accenture

Which countries have the worst (and best) cybersecurity?

According to the report published by Comparitech, which used the Global Cybersecurity Index (GCI) scores, Bangladesh saw the highest number of malware infections: approximately 35.91% of the country’s mobile users have fallen victim to malware infections. The same report states that Japan is the country best equipped to prevent cybersecurity threats, with the smallest number of mobile malware infections, with only 1.34% of its mobile users affected by the attacks. Other top-performing countries included France, Canada, Denmark, and the United States.

Algeria is the least cyber-secure country, followed by Indonesia and Vietnam.

What is the impact of cybercrime on small business?

According to the 2019 Data Breach Investigations Report, 43% of all nefarious online activities impacted small businesses. Looking at the attacks suffered by organizations, 69% were perpetrated by outsiders, 34% involved internal actors, 5% featured multiple parties, and 2% involved partners.

According to the annual study conducted by IBM examining the financial impact of data breaches on organizations, the cost of a data breach has risen 12% over the past 5 years and now costs $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks. Small businesses with fewer than 500 employees lose an average of $2.5 million due to security incidents.

What about data breaches?

The majority of security breaches, 71%, were financially motivated, while 25% of breaches were motivated by the gain of strategic advantage (espionage).

29% of breaches involved the use of stolen credentials, and 32% were the result of phishing attacks.


What about malware?

According to the Symantec 2019 Internet Security Threat Report, the number of attack groups using destructive malware increased by 25%, the number of ransomware attacks increased by 12%, and, very concerning, mobile malware increased by 33%.

Bots and worms continue to account for the vast majority of Internet of Things (IoT) attacks. In 2018 Symantec reported a significant increase in targeted attack actors going after smart objects, confirming the high interest in IoT as an infection vector.


Hack the Army bug bounty program paid $275,000 in rewards

Hack the Army bug bounty program results: 146 valid vulnerabilities were reported by white hat hackers and more than $275,000 were paid in rewards.

The second Hack the Army bug bounty program ran between October 9 and November 15, 2019 through the HackerOne platform. The bug bounty program operated by the Defense Digital Service, along with the U.S. Department of Defense (DoD) paid more than $275,000 in rewards and a total of 146 valid vulnerabilities were reported.

52 white hat hackers took part in the Hack the Army bounty program. The US Army asked participants to test more than 60 publicly accessible web assets, including *.army.mil, *.goarmy.mil, and the Arlington Cemetery website.

Participants were from the U.S., Canada, Romania, Portugal, the Netherlands, and Germany.

“Participation from hackers is key in helping the Department of Defense boost its security practices beyond basic compliance checklists to get to real security,” said Alex Romero, Digital Service Expert at Department of Defense Defense Digital Service. “With each Hack the Army challenge, our team has strengthened its security posture.”

“The partnership with DDS demonstrates a fun and creative way to safely find solutions, so we look forward to building on this relationship to create future events,” said a US Army Cyber Command spokesperson.

On November 20, during the awards ceremony held in Augusta, Georgia, the top three hackers, @alyssa_herrera, @erbbysam, and @cdl, were rewarded for their contributions. The three experts also spoke about their experience in the program.

“The Department of Defense programs are some of my favorites to hack on, and Hack the Army 2.0 was one of the most rewarding,” said second place winner @alyssa_herrera. “It is so exciting to know that the vulnerabilities I find go towards strengthening Army defenses to protect millions of people. Coming in second place and being invited to spend time with the hackers and soldiers I worked alongside made the impact we made in this Challenge feel even bigger.”

More information on the past edition of the Hack the Army program and results are available here.


Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity

Chinese authorities continue operations against unauthorized VPN services that are very popular in the country.

China continues to intensify its monitoring of cyberspace and the prosecution of VPN services that could be used to bypass its censorship system, known as the Great Firewall.

The Great Firewall project has already blocked access to hundreds of the world’s 1,000 top websites, including Google, Facebook, Twitter, and Dropbox.

Since early 2019, the Chinese authorities have started banning “unauthorized” VPN services, any company offering such type of service in the country must obtain an appropriate license from the government.

In December, the Chinese authorities sentenced a man to five-and-a-half years in prison for selling a VPN service without authorization.

According to an announcement from China’s Procuratorate Daily the man was also fined 500,000 yuan ($76,000). Prosecutors said the man was convicted of collecting “illegal revenue” of 792,638 yuan ($120,500) from his unauthorized activity.

Now media report a new arrest made by Chinese authorities in the city of Taizhou: the police arrested a man known by the pseudonym Gao (29), who had operated a VPN service since mid-2016. Gao made more than 11 million Chinese yuan ($1.6 million) from renting access to VPN servers to more than 28,000 regular customers; he pleaded guilty in 2019 and is still awaiting the final sentence.

In December 2017, Chinese authorities sentenced a man from Dongguan to nine months in prison for operating a VPN service that allowed him to earn $2,000. Other criminal cases were reported by Chinese authorities in the following months; the blocked services had thousands of customers in the country.

In July 2019, in compliance with the Chinese Internet monitoring law, Apple started removing all iOS VPN apps from its App Store in China.


Law enforcement seized WeLeakInfo.com for selling access to data from data breaches

The FBI has seized the WeLeakInfo.com websites for selling subscriptions to data that were exposed in data breaches.

WeLeakInfo.com was a data breach notification service that allowed its customers to verify whether their credentials had been compromised in data breaches. The service claimed a database of over 12 billion records from over 10,000 data breaches. I used the past tense because a joint operation conducted by the FBI in coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland resulted in the seizure of the WeLeakInfo.com domain.

The WeLeakInfo website was seized and now displays a message that informs visitors about the operation conducted by law enforcement agencies.

“The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts. The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months).” reads the press release published by the Department of Justice. “With execution of the warrant, the seized domain name – weleakinfo.com – is now in the custody of the federal government, effectively suspending the website’s operation. Visitors to the site will now find a seizure banner that notifies them that the domain name has been seized by federal authorities. The U.S. District Court for the District of Columbia issued the seizure warrant.”

Law enforcement is still investigating the activities of the operators behind the service and encourages people with information to file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/complaint/default.aspx

Data breach notification services of this kind are a profitable business: visitors pay a fee to access data exposed in past data breaches. A subscription fee ranges from a $2 trial to a $70 three-month unlimited access account and allows users to search for any data in the archive managed by the company.

This is quite different from services that only alert individuals when their data are exposed in a data breach, which for this reason are considered legal.

Data breach notification services like WeLeakInfo are a goldmine for threat actors, who can gather information on their targets before launching a cyber attack.


Expert released PoC exploits for recently disclosed Cisco DCNM flaws

A researcher has publicly released some proof-of-concept (PoC) exploits and technical details for flaws in Cisco’s Data Center Network Manager (DCNM).

Early this month, Cisco released security updates for its Data Center Network Manager (DCNM) product that address several critical and high-severity vulnerabilities.

All the vulnerabilities were reported to Cisco through Trend Micro’s Zero Day Initiative (ZDI) and Accenture’s iDefense service by the security researcher Steven Seeley of Source Incite and Harrison Neal from PatchAdvisor.

Cisco published six advisories for a dozen vulnerabilities. Eleven of them were reported by Seeley; three of these issues have been rated as critical and seven as high severity. The issue reported by Neal has been rated as medium severity.

Some of the critical flaws addressed by Cisco in DCNM could be exploited by attackers to bypass authentication and execute arbitrary actions with admin privileges on the vulnerable devices.

“Multiple vulnerabilities in the authentication mechanisms of Cisco Data Center Network Manager (DCNM) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.” reads the advisory published by Cisco.

“For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.”

The vulnerabilities have been tracked as CVE-2019-15975, CVE-2019-15976 and CVE-2019-15977. The issues affect the REST API endpoint, the SOAP API endpoint and the web-based management interface.

Cisco also addressed two of the high-severity SQL injection flaws that could be exploited by an attacker with administrative privileges to execute arbitrary SQL commands on a vulnerable device.

Three of the high-severity weaknesses could be exploited by an attacker to conduct path traversals, and two other high-severity issues could be exploited by an attacker with admin rights to inject arbitrary commands on the underlying operating system.

Seeley provided technical details for three remote code execution chains and various techniques implemented in his exploits.

“In this post, I share three (3) full exploitation chains and multiple primitives that can be used to compromise different installations and setups of the Cisco DCNM product to achieve unauthenticated remote code execution as SYSTEM/root. In the third chain, I (ab)use the java.lang.InheritableThreadLocal class to perform a shallow copy to gain access to a valid session.” wrote Seeley in a blog post.

Cisco assigned only 11 CVE identifiers to the flaws reported by Seeley, who says he found over 100 exploitable bugs, including a hundred SQL injection issues, two command injections, four instances of hardcoded keys and credentials, four cases of XML external entity (XXE) injection, and 20 file read/write/delete issues.

Cisco has updated the advisories informing its customers of the availability of PoC exploits.

“The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory.” states Cisco.

“Cisco PSIRT is not aware of any malicious use of the vulnerabilities that are described in this advisory.”


Two PoC exploits for CVE-2020-0601 NSACrypto flaw released

Researchers published proof-of-concept (PoC) code exploits for a recently-patched CVE-2020-0601 flaw in the Windows operating system reported by NSA.

Security researchers have published two proof-of-concept (PoC) code exploits for the recently-patched CVE-2020-0601 vulnerability that has been reported to Microsoft by the US National Security Agency (NSA).

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 flaw differs from previously addressed flaws in that it was reported by the NSA; this is the first time the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ or ‘CurveBall,’ resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.  

The flaw affects the way Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.

NSA pointed out that the CVE-2020-0601 vulnerability can allow an attacker to:

  • launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections
  • fake signatures for files and emails
  • fake signed-executable code launched inside Windows

The researcher Tal Be’ery analyzed the flaw and, in a high-level technical analysis of the bug, explained that “the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft’s code.”

The US DHS CISA agency also issued an emergency directive urging government agencies to address the bug in their systems in ten days.

“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information.” reads the emergency directive.

Security expert Saleem Rashid first created proof-of-concept code to fake TLS certificates, which would allow attackers to set up sites that look like legitimate ones.

Rashid didn’t publish the exploit code to avoid miscreants using it in the wild. Unfortunately, other experts decided to publicly release the exploit code for the CVE-2020-0601 flaw. Swiss cybersecurity firm Kudelski Security published on GitHub a working exploit for the flaw. Danish security researcher Ollypwn also published an exploit for the CurveBall vulnerability.

The availability online of working exploits for the CVE-2020-0601 vulnerability ensures that threat actors will start exploiting it; for this reason it is essential to patch systems.


Israeli spyware firm fails to get hacking case dismissed

Judge orders NSO Group to fight case brought by Saudi activist and pay his legal costs

An Israeli judge has rejected an attempt by the spyware firm NSO Group to dismiss a case brought against it by a prominent Saudi activist who alleged that the company’s cyberweapons were used to hack his phone.

The decision could add pressure on the company, which faces multiple accusations that it sold surveillance technology, named Pegasus, to authoritarian regimes and other governments that have allegedly used it to target political activists and journalists.


Critical auth bypass issues affect InfiniteWP Client and WP Time Capsule WordPress plugins

WP Time Capsule and InfiniteWP WordPress plugins are affected by security flaws that could be exploited to take over websites running the popular CMS.

Experts at security firm WebArx have ethically disclosed vulnerabilities in the WP Time Capsule and InfiniteWP plugins; both were patched earlier this month by the developer Revmakx.

The flaws in the WP Time Capsule and InfiniteWP WordPress plugins could be exploited to take over the more than 320,000 websites running the popular CMS with these plugins installed.

“We found that the InfiniteWP Client and WP Time Capsule plugins also contain logical issues in the code that allows you to login into an administrator account without a password.” reads the security advisory published by the experts.

The plugins are affected by logical issues that could allow attackers to log in as administrators without providing any password.

Security systems like firewalls might fail to detect the attempt of exploitation for these issues because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload.

InfiniteWP allows users to manage an unlimited number of WordPress sites from their own server; it has an estimated 300,000 installs.

The attacker could trigger the issue by sending a POST request with the payload written first in JSON and then encoded in Base64. The request will bypass the password requirement and log in with only the username of an existing account. All the attackers need to know is the username of an administrator on the WordPress site.

“The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions.” continues the analysis.

“In this case, the condition is that the iwp_action parameter of the payload must equal readd_site or add_site as they are the only actions that do not have an authorization check in place. The missing authorization check is the reason why this issue exists.”

InfiniteWP Client versions before 1.9.4.5 are affected by the vulnerability.
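The point above, that a firewall can miss this request because the payload is JSON wrapped in Base64 rather than a suspicious-looking string, can be turned into an inspection step. The following Python is an added example, not WebArx's or Revmakx's code: it assumes the POST body is the Base64 string of the JSON object (an assumption; the advisory does not give the exact wire format or the other fields), decodes it, flags the two actions named above that lack an authorization check, and compares the installed plugin version against the fixed release stated in the post.

```python
"""Inspect InfiniteWP Client requests for the unauthenticated add_site/readd_site actions.

Added example for this post, not WebArx's or the plugin's code. Assumption: the
POST body is the Base64 string of a JSON object, as the advisory describes; the
exact wire format and any extra fields are not given in the post.
"""
import base64
import binascii
import json
from typing import Any, Dict, Optional, Tuple

# Actions the advisory identifies as having no authorization check.
UNAUTHENTICATED_ACTIONS = {"add_site", "readd_site"}
FIXED_VERSION = (1, 9, 4, 5)   # InfiniteWP Client versions before this are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.9.4.4' into (1, 9, 4, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any InfiniteWP Client version older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def decode_iwp_payload(body: bytes) -> Optional[Dict[str, Any]]:
    """Undo the Base64-then-JSON wrapping; None if the body is not shaped that way.

    validate=True rejects bodies with non-Base64 characters (ordinary form posts)
    instead of silently discarding them, so normal traffic falls through cleanly.
    """
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw)
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def inspect_request(body: bytes, installed_version: str) -> Dict[str, Any]:
    """Classify one request body against the plugin version running on the site.

    The result is meant for alerting and review: the same actions are used by the
    legitimate InfiniteWP admin panel, so a hit on a patched site is informational,
    while a hit on a vulnerable version is the pattern the advisory describes.
    """
    payload = decode_iwp_payload(body)
    action = payload.get("iwp_action") if payload else None
    targets_unauth_action = action in UNAUTHENTICATED_ACTIONS
    vulnerable = is_vulnerable_version(installed_version)
    if targets_unauth_action and vulnerable:
        verdict = "alert"        # unauthenticated action against an unpatched site
    elif targets_unauth_action:
        verdict = "review"       # same action, but the version enforces authorization
    else:
        verdict = "pass"
    return {"decoded": payload is not None, "iwp_action": action,
            "vulnerable_version": vulnerable, "verdict": verdict}


# Constructed sample bodies (not captured traffic). Only iwp_action is taken from
# the advisory; any other fields a real request carries are omitted here.
SUSPECT_BODY = base64.b64encode(json.dumps({"iwp_action": "add_site"}).encode())
OTHER_ACTION_BODY = base64.b64encode(json.dumps({"iwp_action": "example_action"}).encode())
FORM_BODY = b"username=editor&note=hello%20world"   # ordinary form post, not Base64

if __name__ == "__main__":
    # "1.9.4.4" is a constructed pre-fix version number used for the demonstration.
    for label, body in [("suspect", SUSPECT_BODY), ("other", OTHER_ACTION_BODY), ("form", FORM_BODY)]:
        print(label, inspect_request(body, "1.9.4.4"))
```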

WP Time Capsule is a backup tool with around 20,000 installs. To bypass its authentication, the attackers need to send a POST request whose body contains a certain string.

Below the timeline for both vulnerabilities:

  • 07-01-2020 – Reported the vulnerabilities to the developer of both plugins.
  • 07-01-2020 – Released protection module to all WebARX customers.
  • 08-01-2020 – Developer of the plugin released a new version for both plugins.
  • 14-01-2020 – Security advisory publicly released.

Don’t waste time, update your plugin installs as soon as possible!

Pierluigi Paganini

(SecurityAffairs – WordPress Plugin, hacking)

The post Critical auth bypass issues affect InfiniteWP Client and WP Time Capsule WordPress plugins appeared first on Security Affairs.

Smashing Security #161: Love, lucky dips, and 23andMe

The man who hacked the UK National Lottery didn’t end up a winner, Japanese Love hotel booking tool suffers a data breach, and just what is 23andMe planning to do with your DNA?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.

VMware addresses flaws in VMware Tools and Workspace ONE SDK

VMware has released security updates to address a local privilege escalation vulnerability in VMware Tools version 10 for Windows.

VMware has released VMware Tools 11.0.0, which addresses a local privilege escalation issue in Tools 10.x.y tracked as CVE-2020-3941. The issue is classified as a race condition that an attacker with access to the guest virtual machine could exploit to escalate privileges.

“A malicious actor on the guest VM might exploit the race condition and escalate their privileges on a Windows VM. This issue affects VMware Tools for Windows version 10.x.y as the affected functionality is not present in VMware Tools 11.” reads the advisory published by the company.

The vulnerability has been assigned an important severity rating and a CVSS score of 7.8. The company also suggests a workaround in case users cannot upgrade their version.

“However, if upgrading is not possible, exploitation of this issue can be prevented by correcting the ACLs on C:\ProgramData\VMware\VMware CAF directory in the Windows guests running VMware Tools 10.x.y versions. In order to correct ACLs for this directory, remove all write access permissions for Standard User from the directory,” reads Workaround for VMware Tools for Windows security vulnerability (CVE-2020-3941) (76654).

Recently the virtualization giant also disclosed an information disclosure issue, tracked as CVE-2020-3940, that affects Workspace ONE SDK and dependent iOS and Android mobile applications.

Vulnerable applications do not properly handle certificate verification failures if SSL pinning is enabled in the UEM Console.

“A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware.” states the security advisory.

“A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.” 

The vulnerability has been assigned an important severity rating and a CVSS score of 6.8.

The list of vulnerable applications and SDKs includes Workspace ONE Boxer, Content, Intelligent Hub, Notebook, People, PIV-D, Web, and the SDK plugins for Apache Cordova and Xamarin.

Pierluigi Paganini

(SecurityAffairs – VM, hacking)

The post VMware addresses flaws in VMware Tools and Workspace ONE SDK appeared first on Security Affairs.

P&N Bank data breach may have impacted 100,000 West Australians

P&N Bank discloses data breach, customer account information, balances exposed

The Australian P&N Bank is notifying its customers of a data breach that exposed personally identifiable information (PII) and sensitive account data.

P&N Bank, a division of Police & Nurses Limited operating in Western Australia, suffered a data breach and is reporting the incident to its customers: attackers accessed personally identifiable information (PII) and sensitive account data.

According to The West Australian website, hackers have stolen personal information from 100,000 West Australians in the cyber attack.

P&N Bank confirmed that intruders accessed names, addresses, email addresses, phone numbers, customer numbers, ages, account numbers, and account balances. The bank pointed out that passwords, Social Security numbers, Tax file numbers, driver’s license or passport details, credit card numbers, and dates of birth have not been exposed. 

P&N Bank sent a data breach notification to its customers and reported the incident to law enforcement. The incident impacted the customer relationship management (CRM) platform; according to the bank, “certain personal information […] appears to have been accessed as a result of online criminal activity.”

The cyber attack took place around December 12, when the financial institution was performing a server upgrade. Hackers likely targeted a third party company that the Bank hired to provide hosting services.

The bank said it has locked out the attackers and fixed the flaw they exploited.

“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability, and have since been working closely with WAPOL, other federal authorities, our third-party IT provider involved, regulators” continues the data breach notification.

The bank hired external experts to help investigate the incident.

P&N Bank highlighted that there is no evidence of customer accounts or funds being compromised.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post P&N Bank data breach may have impacted 100,000 West Australians appeared first on Security Affairs.

Hacker offers for sale 49 million user records from US data broker LimeLeads

49 million user records from US data broker LimeLeads were available for sale on a hacking forum.

49 million user records from US data broker LimeLeads were available for sale on a hacking forum, the data were exposed on an Elasticsearch server.

Exposed LimeLeads data contains full name, title, user email, employer/company name, company address, city, state, ZIP, phone number, website URL, company total revenue, and the company’s estimated number of employees.

The news was first reported by ZDNet. LimeLeads offers access to a database of business contacts that can be used for marketing activities.

ZDNet was alerted to the online availability of the records two weeks ago: a hacker using the handle Omnichorus was selling LimeLeads’ data online.

“Sources in the threat intelligence community have told ZDNet that Omnichorus is a well-known individual on underground hacking forums, having built a reputation for sharing and selling hacked or stolen data — a so-called “data trader.”” reported ZDNet.

The company misconfigured its Elasticsearch server and accidentally exposed it online, allowing anyone to access its content.

The popular data leak hunter Bob Diachenko confirmed to ZDNet that the exposed records were stored in an internal Elasticsearch server that had been accidentally exposed online and indexed by the search engine Shodan since at least July 27, 2019.

Diachenko also added that he had already reported the exposure to LimeLeads on September 16, and that the company secured the Elasticsearch database in just one day. This means the database remained exposed online for more than a month, and that someone likely accessed its content and tried to monetize it by selling the data.

Omnichorus has been selling the data since October 2019; its availability online poses a risk to the companies and individuals whose data were included in the database.

A threat actor could launch a spear-phishing attack against them and perform a broad range of malicious activities.

Pierluigi Paganini

(SecurityAffairs – LimeLeads, hacking)

The post Hacker offers for sale 49 million user records from US data broker LimeLeads appeared first on Security Affairs.

Iranian Threat Actors: Preliminary Analysis

Nowadays Iran’s Cybersecurity capabilities are under the microscope, experts warn about a possible infiltration of the Iranian government.

Nowadays Iran’s cybersecurity capabilities are under the microscope: many news sites, government agencies and security experts warn about possible intrusions by the Iranian government and urge organizations to raise their defensive posture. Today I want to share a quick and short study based on cross-correlation between MITRE ATT&CK and Malpedia about some of the main threat actors attributed to Iran. The following sections describe the TTPs (Tactics, Techniques and Procedures) used by some of the most influential Iranian APT groups. Each section comes with a main graph that is built by scripting and comes without a legend, so please keep in mind while reading that: the red circles represent the analyzed threat actors, the green circles represent the techniques the threat actor uses, the blue circles represent the malware the threat actor uses, and the black circles represent the tool sets the threat actor uses.

OilRig

According to Malpedia: “OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.” The threat actor uses open-source tools such as Mimikatz and LaZagne, and common sysadmin tools available in the Microsoft distribution or Sysinternals, such as PsExec, CertUtil, Netstat, SystemInfo, ipconfig and tasklist. BondUpdater, Helminth, QuadAgent and PowRuner are some of the most sophisticated malware families attributed to OilRig and analyzed over the past few years. Techniques (green) are mainly focused on lateral movement and on gaining persistence in the victim's infrastructure; few of them involve exploits or 0-days.

OilRig TTP

Those observations would suggest a powerful group mostly focused on staying hidden rather than on gaining access through advanced techniques. Indeed, no 0-days or advanced exploits were found on the target infrastructure. If so, we are facing a state-sponsored group with strong capabilities in developing persistence and hidden communication channels (for example over DNS) but without a deep interest in exploiting services. This raises a question: does OilRig not need advanced exploitation capabilities because there are simpler ways into a victim's infrastructure (for example user credential leaks, social engineering toolkits, targeted phishing, and so on), or is there more to be discovered?

MuddyWater

According to MITRE: “MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.” Currently we have few artifacts related to MuddyWater (‘Muddy’); indeed, only the Powerstats backdoor is actually attributed to it. Their attacks are typically “hands driven”, meaning they do not automate lateral movement but prefer to use open-source or Sysinternals tools to deliberately move through the target network rather than massively running exploits or scanners.

MuddyWater TTP

Once landed on a victim machine, Muddy looks for local credentials and then moves back and forth by using those credentials directly on the network/domain controllers. According to MITRE techniques (green), it might take MuddyWater a few months to take an entire target network, but the accesses are quite silent and well obfuscated. Again, it looks like we are facing a group that doesn't need advanced exploitation capabilities but rather advanced IT knowledge in order to move between network segments and any proxies/NAT.

APT33

According to MITRE: “APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.” Analyzing the observed TTPs, we might agree that this threat actor looks very close to MuddyWater. If you take a closer look at the Muddy graph (in the previous section) and the APT33 graph (following), you will see many similarities: many tools are shared, many techniques are shared, and even the artifacts Powerstats (Muddy) and Powertron (APT33) share functions and a small subset of code (even if they have different code bases and differ in functionality). We have more information about APT33 than about MuddyWater, but the similarities in TTPs could lead an avid reader to consider APT33 the main threat actor and MuddyWater a specific ‘operation’ of the APT33 actor.

APT33 TTP

But if you wonder why I decided to keep them separated in this personal and preliminary analysis, you can find the answer in why they attack. APT33 showed destructive intent by using malware such as Shamoon and StoneDrill, while Muddy mostly wants to backdoor its victims.

CopyKittens

According to MITRE: “CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.” The CopyKittens threat actor actually differs from the previous ones. First of all, we see the usage of Cobalt Strike, which is an autonomous exploitation system (well, actually it is much more, but let me simplify). Cobalt Strike and Empire (a post-exploitation framework) taken together would allow the attacker to automate lateral movement, which is a very different behavior compared to the previous actors. CopyKittens would make much more noise inside an attacked network and would be easier to detect when using such automation tools, but on the other hand they would be much quicker in reaching their targets and getting out.

CopyKittens TTP

One more characteristic is “code signing”. While in OilRig, MuddyWater and APT33 we mostly observed “scripting” capabilities, in CopyKittens we observe more advanced coding capabilities. Indeed, code signing is used on Microsoft Windows and iOS to guarantee that software comes from a known developer and has not been tampered with. While a script (node, python, AutoIt) could be attributed to IT staff as well as developers, developing more robust and complex software (such as Java, .NET, C++, etc.) is a skill typically attributed to developers. This difference could be significant in suspecting a small set of different people working on CopyKittens.

Cleaver

According to MITRE: “Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).” We have little information about this group, and as you might see there are few similarities. Mimikatz could be easily adopted for credential dumping, while TinyZBot is a quite interesting tool since it mostly implements spying capabilities without a strong architectural design, code execution or data exfiltration.

Cleaver TTP

Just like Charming Kitten (which is not included in this report since it is still quite a mystery, even if a great report from ClearSky is available), Cleaver is a threat group responsible for one of the first most advanced and silent cyber attacks attributed to Iran known until now (OpCleaver, by Cylance). Cleaver's attack capabilities have evolved very quickly over time and, according to Cylance, the group has been active since 2012. They appear to have infiltrated some of the world's economic powers (ref: here) such as: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States. On the very first page of the OpCleaver report, the author writes that Cleaver is one of the most advanced threat actors ever. Even if I might agree with Cylance, I personally do not have such evidence so far, so I cannot compare the Cleaver threat actor to the previous ones.

Threat Actors Comparison

Here comes the fun! How about taking all these graphs and comparing them? Common references would highlight similarities, scopes and common TTPs, and fortunately we can appreciate them in the following single network diagram. You might spend over 20 minutes checking the details of the following graph, and I might decide to write an essay on it, but I will not do it :D; I'd rather focus on a few important thoughts.

The hyper-connection between the analyzed groups (take a look at the following graph) could prove that those teams are really linked together. They share techniques, procedures, tools and infection artifacts, and everything we observe looks like it belongs to a single meta-actor. We might agree that the meta-actor would be linked to the sponsoring nation, and we might decide to consider some of those groups as operations. In other words, we might consider a single group of people that teams up depending on the ongoing operation, adopting similar capabilities and tool sets.

Threat Actor Comparison

OilRig and APT33 are the best-known groups attributed to Iran; they share many tools but clearly have two different intents and two different code bases (speaking of malware). CopyKittens, for example, has been clustered closer to APT33, while MuddyWater looks clustered right in the middle between them. But if we closely analyze the purposes and the malware used, we might agree to aggregate Muddy close to APT33; actually, the weight of shared code should be heavier than that of common tools or common techniques, but I did not represent such a detail in the graphs.

However, two different ‘code experiences’ are observed. The first one is mostly focused on scripting (node, python, AutoIt), which could indicate a group of people evolving from an IT department and later acquiring cybersecurity skills, while the second observed behavior is mostly oriented toward deep development skills, for example Java, .NET and C++. On the MuddyWater and APT33 side, the usage of scripting engines, the usage of PowerShell and the usage of the Empire framework taken together, plus the lack of exploitation capabilities or of sophisticated malware development, could lead the analyst to think that those threat actors hit their targets without the need for strong development capabilities. On the other hand, OilRig, Cleaver and CopyKittens look like they have more software development skills and appear to be mostly focused on stealthy operations.

Conclusion

In this post I wrote a preliminary and personal analysis of threat actors attributed by the community to Iran, comparing TTPs coming from MITRE and relations extracted from Malpedia. The outcome is a proposal to consider the numerous groups (OilRig, APT33, MuddyWater, Cleaver, etc.) as a single primary meta-threat-actor, dividing them by operation rather than by real group.

Original Post published on Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I've also been in charge of testing the uVote voting system for the Italian Minister of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I've ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – Iranian Threat Actor, hacking)

The post Iranian Threat Actors: Preliminary Analysis appeared first on Security Affairs.

Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA

Microsoft has released a security update to address “a broad cryptographic vulnerability” that is impacting its Windows operating system.

Microsoft Patch Tuesday updates for January 2020 address a total of 49 vulnerabilities in various products, including a serious flaw, tracked as CVE-2020-0601, in the core cryptographic component of Windows 10, Server 2016 and 2019 editions.

The CVE-2020-0601 vulnerability is different from any other previously addressed flaws because it was reported by the NSA and this is the first time that the US intelligence agency has reported a bug to the tech giant.

The flaw, dubbed ‘NSACrypt’ and tracked as CVE-2020-0601, resides in the Crypt32.dll module that contains various ‘Certificate and Cryptographic Messaging functions’ used by the Windows Crypto API for data encryption.  

The flaw affects the way Crypt32.dll module validates Elliptic Curve Cryptography (ECC) certificates.

In a press release published by the NSA, the agency explains “the certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.”

“A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.” reads the security advisory published by Microsoft.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.”

An attacker could exploit the flaw to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

An attacker could also trigger the issue to spoof digital signatures on software tricking the system into believing that it is a legitimate application.

Microsoft addressed the issue by ensuring that Windows CryptoAPI completely validates ECC certificates.

Microsoft did not release technical details of the vulnerability to avoid its public exploitation.

Microsoft confirmed that it is not aware of attacks in the wild exploiting the CVE-2020-0601 flaw.

“This month we addressed the vulnerability CVE-2020-0601 in the usermode cryptographic library, CRYPT32.DLL, that affects Windows 10 systems. This vulnerability is classed Important and we have not seen it used in active attacks.” reads a blog post published by Microsoft.

“This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk.”

The NSA has also released a security advisory that includes mitigation information.

“NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality. The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution.” reads the NSA’s advisory.

“The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available”.

Microsoft also addressed 48 other vulnerabilities, 8 of which are rated critical; the remaining ones are rated important.

None of the issues addressed this month by Microsoft were being exploited in the wild.

Pierluigi Paganini

(SecurityAffairs – CVE-2020-0601, hacking)

The post Microsoft addresses CVE-2020-0601 flaw, the first issue ever reported by NSA appeared first on Security Affairs.

January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager

Adobe released its January 2020 Patch Tuesday updates that address several flaws in Illustrator and Experience Manager products.

Adobe released its first 2020 Patch Tuesday software updates, which address several vulnerabilities in the Illustrator and Experience Manager products.

“Adobe has published security bulletins for Adobe Experience Manager (APSB20-01) and Adobe Illustrator (APSB20-03). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin.” reads the security advisory.

The security updates for Illustrator CC 2019 for Windows address five critical memory corruption issues (CVE-2020-3710, CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714) that can lead to arbitrary code execution in the context of the targeted user.

All the vulnerabilities were reported to Adobe by Honggang Ren of Fortinet’s FortiGuard Labs.

While the vulnerabilities have been assigned a severity rating of critical, their priority rating is 3, which means Adobe does not expect any of them to be exploited in attacks.

Adobe also released security updates for Adobe Experience Manager (AEM) that address four issues rated important and moderate (CVE-2019-16466, CVE-2019-16467, CVE-2019-16468, CVE-2019-16469).

The flaws rated important are reflected cross-site scripting (XSS) or Expression Language injection issues and could lead to the disclosure of sensitive information. The security hole rated moderate has been described as a user interface injection issue, and it can also lead to the disclosure of sensitive information.

The flaws tracked as CVE-2019-16466 and CVE-2019-16468 were reported to Adobe by the security expert Lorenzo Pirondini of Netcentric.

Pierluigi Paganini

(SecurityAffairs – Adobe Patch Tuesday, hacking)

The post January 2020 Adobe Patch Tuesday updates fix issues in Illustrator, Experience Manager appeared first on Security Affairs.

Microsoft rolls out Windows 10 security fix after NSA warning

US agency revealed flaw that could be exploited by hackers to create malicious software

Microsoft is rolling out a security fix to Windows 10 after the US National Security Agency (NSA) warned the popular operating system contained a highly dangerous flaw that could be used by hackers. Reporting the vulnerability represents a departure for the NSA from its past strategy of keeping security flaws under wraps to exploit for its own intelligence needs.

The NSA revealed during a press conference on Tuesday that the “serious vulnerability” could be used to create malicious software that appeared to be legitimate. The flaw “makes trust vulnerable”, the NSA director of cybersecurity, Anne Neuberger, said in a briefing call to media on Tuesday.

Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma?

Russia-linked cyber-espionage group hacked the Ukrainian energy company Burisma at the center of the impeachment trial of US President Donald Trump.

The Russian cyberspies, operating under Russia’s GRU military intelligence agency (aka Fancy Bear) carried out a spear-phishing campaign in November aimed at accessing the email of Burisma Holdings employees.

The attack was detailed by California-based cybersecurity firm Area 1 Security in a report.

“This report details an ongoing Russian government phishing campaign targeting the email credentials of employees at Burisma Holdings and its subsidiaries and partners. The campaign against the Ukrainian oil & gas company was launched by the Main Intelligence Directorate of the General Staff of the Russian Army or GRU.” reads the report published by Area 1 Security. “Phishing for credentials allows cyber actors to gain control of an organization’s internal systems by utilizing trusted access methods (e.g.: valid usernames and passwords) in order to observe or to take further action. Once credentials are phished, attackers are able to operate covertly within an organization in pursuit of their goal.”

In December President Trump was facing an impeachment trial over his efforts to pressure Ukraine to investigate former Vice President Joseph R. Biden and Burisma's relationship with its former board member Hunter Biden, the son of Joe Biden.

Russian military cyberspies were gathering information by hacking the Ukrainian gas company.

“The timing of the GRU’s campaign in relation to the 2020 US elections raises the specter that this is an early warning of what we have anticipated since the successful cyberattacks undertaken during the 2016 US elections,” continues the Area 1 report.

It is not clear what information the hackers accessed; experts believe the Russian spies were searching for potentially embarrassing material on the rival Biden and his son.

In a July 2019 phone call, Trump asked Ukrainian President Volodymyr Zelensky to investigate the Bidens and Burisma.

Burisma hired Biden’s son while his father was vice president and leading the Obama administration’s Ukraine policy.

“Donald Trump tried to coerce Ukraine into lying about Joe Biden and a major bipartisan, international anti-corruption victory because he recognized that he can’t beat the vice president,” said Andrew Bates, a spokesman for the Biden campaign, as reported by the NYT.

“Now we know that Vladimir Putin also sees Joe Biden as a threat,” Mr. Bates added. “Any American president who had not repeatedly encouraged foreign interventions of this kind would immediately condemn this attack on the sovereignty of our elections.”

The scheme was similar to the one allegedly adopted by Russian intelligence ahead of the 2016 Presidential election, when the cyberspies hacked emails from Hillary Clinton’s campaign and used an army of trolls to spread propaganda and misinformation.

According to Area 1’s report, the GRU spies hacked the servers of Burisma Holdings.

In this campaign, the GRU combined several different authenticity techniques to compromise the targeted network, such as Domain-based authenticity, Business process and application authenticity, and Partner and supply chain authenticity.

“Since 2016, the GRU has consistently used an assembly line process to acquire and set up infrastructure for their phishing campaigns. Area 1 Security has correlated this campaign against Burisma Holdings with specific tactics, techniques, and procedures (TTPs) used exclusively by the GRU in phishing for credentials.” continues the report.”Repeatedly, the GRU uses Ititch, NameSilo, and NameCheap for domain registration; MivoCloud and M247 as Internet Service Providers; Yandex for MX record assignment; and a consistent pattern of lookalike domains.”

Trump is expected to stand trial in the Senate as early as this week on two articles of impeachment: abuse of power and obstruction of Congress.

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)



The post Why Russian APT Fancy Bear hacked the Ukrainian energy firm Burisma? appeared first on Security Affairs.

Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution

Tech giant Cisco has recently addressed two high-severity vulnerabilities affecting its Webex and IOS XE Software products.

Cisco Systems has released security fixes for two high-severity vulnerabilities in its products, including a remote code execution flaw in the Webex video conferencing platform.

The Webex flaw resides in the web-based management interface of Cisco Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing.

“A vulnerability in the web-based management interface of Cisco Webex Video Mesh could allow an authenticated, remote attacker to execute arbitrary commands on the affected system.” reads the security advisory published by Cisco.

“The vulnerability is due to improper validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by logging in to the web-based management interface with administrative privileges and supplying crafted requests to the application. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges on a targeted node.”

An authenticated, remote attacker could exploit the issue by supplying crafted requests to the application.
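The advisory describes the defect class only in general terms: user-supplied input is not validated properly and ends up executed as commands on the underlying Linux host. The following is an added illustration of that class, written by the editor, not Cisco's code and not a description of how Webex Video Mesh is implemented. It shows the weak pattern (interpolating a request parameter into a shell command line) beside the hardened one (an allowlist check followed by an argument vector that no shell parses). The `ping` wrapper and the hostname rule are assumptions made for the example.

```python
import re
import subprocess
from typing import List

# Allowlist for a hostname or IPv4 address argument: letters, digits, dots and
# hyphens only, no leading hyphen or dot, at most 253 characters.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")

# Characters the shell gives special meaning to. Their presence in a command
# string assembled from user input is the tell-tale sign of this defect class.
SHELL_META = set(";|&$`<>(){}\\\"'\n")


def build_vulnerable_command(host: str) -> str:
    """The defective pattern: user input interpolated into a shell command line.
    Paired with subprocess.run(cmd, shell=True), the shell parses any
    metacharacters in `host` and runs whatever they introduce."""
    return f"ping -c 1 {host}"


def contains_shell_metachars(cmd: str) -> bool:
    """Detection helper: does a built command string carry shell metacharacters?"""
    return any(ch in SHELL_META for ch in cmd)


def is_safe_hostname(host: str) -> bool:
    """Allowlist validation: accept only strings that look like a hostname or IP."""
    return HOSTNAME_RE.fullmatch(host) is not None


def build_hardened_command(host: str) -> List[str]:
    """Validate first, then return an argument vector. The value reaches ping as a
    single argv entry; no shell is involved, so metacharacters have no effect."""
    if not is_safe_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (argv list, shell=False is the default)."""
    return subprocess.run(build_hardened_command(host),
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed inputs: one benign value and one carrying a shell separator.
    for host in ["host-1.example.net", "127.0.0.1; id"]:
        cmd = build_vulnerable_command(host)
        print(f"{host!r}: vulnerable string {cmd!r}, "
              f"metachars={contains_shell_metachars(cmd)}, "
              f"accepted by allowlist={is_safe_hostname(host)}")
```

Two points carry over to the advisory: validation is an allowlist on what the parameter may be, not a blocklist of characters, and the argument-vector form removes the shell from the path entirely. The advisory also notes that the commands run as root, so running the management web service under an unprivileged account is the second layer that limits what a successful injection could do.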

This flaw affects Cisco Webex Video Mesh Software releases earlier than 2019.09.19.1956m.

The vulnerability has received a CVSS score of 7.2 out of 10. The good news is that Cisco said it is not aware of any attacks exploiting the flaw in the wild.

Cisco also addressed a high-severity flaw in the web user interface of Cisco IOS and Cisco IOS XE Software that runs on Cisco routers and switches.

“A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system.” reads the Cisco security advisory.

“The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the targeted user. If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device.”

The vulnerability could be exploited by an unauthenticated, remote attacker to launch a cross-site request forgery (CSRF) attack on the vulnerable devices. An attacker could exploit the issue by tricking the victims into clicking specially crafted links that then send a forged request to the web server running on the device.

The attacker could exploit the vulnerability to perform arbitrary actions with the privilege level of the targeted user.
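The mechanism described above, a forged request that the browser sends with the victim's own session cookie attached, is exactly what a CSRF defence has to break. The following is an added example, not Cisco's code and not a description of the IOS XE web UI: a request check in Python that contrasts the insufficient pattern (trusting the session cookie alone) with a hardened one that requires a same-origin `Origin`/`Referer` header and a per-session synchronizer token on every state-changing request. The session store, device origin, and the two sample requests are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed session store: session id -> CSRF token issued when the page was
# rendered. Assumption: a real UI keeps this server-side per login session.
SESSIONS = {"sess-abc123": "f" * 32}

SITE_ORIGIN = "https://device.example.net"  # placeholder device-UI origin
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, or "" if it has none."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def insufficient_csrf_check(req: dict) -> bool:
    """The weak pattern: accept any request that carries a valid session cookie.
    A cross-site form post carries that cookie automatically, so it passes."""
    return req.get("cookies", {}).get("session") in SESSIONS


def hardened_csrf_check(req: dict) -> bool:
    """Accept a state-changing request only when it proves same-site intent."""
    session = req.get("cookies", {}).get("session")
    if session not in SESSIONS:
        return False
    if req["method"].upper() not in STATE_CHANGING:
        return True  # safe methods must not change state and need no token
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # 1. Origin (or Referer as a fallback) must match the device's own origin.
    source = headers.get("origin") or origin_of(headers.get("referer", ""))
    if source != SITE_ORIGIN:
        return False
    # 2. The token in the form must match the one bound to this session.
    submitted = req.get("form", {}).get("csrf_token", "")
    return hmac.compare_digest(submitted, SESSIONS[session])


def new_csrf_token(session_id: str) -> str:
    """Issue a fresh unguessable token for a session (call when rendering a form)."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return token


# Constructed sample requests. The legitimate one was submitted from the device
# UI itself; the forged one was triggered by a page on another site, so the
# browser attached the cookie but the attacker never saw the token.
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/config"},
    "cookies": {"session": "sess-abc123"},
    "form": {"csrf_token": SESSIONS["sess-abc123"], "action": "save-config"},
}
FORGED_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "https://other-site.example",
                "Referer": "https://other-site.example/page"},
    "cookies": {"session": "sess-abc123"},  # attached automatically by the browser
    "form": {"action": "reload-device"},     # no token present
}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT_REQUEST), ("forged", FORGED_REQUEST)]:
        print(f"{name}: cookie-only check={insufficient_csrf_check(req)}, "
              f"hardened check={hardened_csrf_check(req)}")
```

The two checks are independent: the origin comparison stops the forged post even if the token leaked, and the token stops it even when the browser omits `Origin` and `Referer`. Either one alone would have been enough to close the hole the advisory describes; using both is the usual practice because each has cases where the browser does not send the header.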

The issue affects Cisco devices that are running vulnerable releases of Cisco IOS or Cisco IOS XE Software earlier than 16.1.1 with the HTTP Server feature enabled.

The flaw was reported by Mehmet Önder Key and received a CVSS score of 8.8. Cisco is not aware of any exploits in the wild against the issue.

Pierluigi Paganini

(SecurityAffairs – Cisco WebEx, hacking)

The post Cisco addressed a high-severity bug in Webex that could allow Remote Code Execution appeared first on Security Affairs.

China-linked APT40 group hides behind 13 front companies

A group of anonymous security researchers that calls itself Intrusion Truth has tracked the activity of a China-linked cyberespionage group dubbed APT40.

A group of anonymous security researchers that calls itself Intrusion Truth has discovered that a China-linked cyberespionage group, tracked as APT40, uses 13 front companies operating in the island of Hainan to recruit hackers.

The Intrusion Truth group has doxed the fourth Chinese state-sponsored hacking operation.

“We know that multiple areas of China each have their own APT.” reads the report.

“After a long investigation we now know that it is possible to take a province and identify front companies, from those companies identify individuals who work there, and then connect these companies and individuals to an APT and the State.”

The Intrusion Truth group has already doxed other APT groups operating in other provinces of the country, including APT3 (from the Guangdong province), APT10 (from Tianjin province), and APT17 (Jinan province). The latest group tracked by the researchers is operating out of the Hainan province, an island in the South China Sea.

Intrusion Truth did not associate the group from Hainan with a specific Chinese APT group, but FireEye and Kaspersky researchers believe that the China-linked group is APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan).

The cyber-espionage group tracked as APT40 (aka TEMP.Periscope, TEMP.Jumper, and Leviathan), apparently linked to the Chinese government, is focused on targeting countries important to China’s Belt and Road Initiative (i.e. Cambodia, Belgium, Germany, Hong Kong, Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom).


Experts believe that APT40 is a state-sponsored Chinese APT group due to its alignment with Chinese state interests and technical artifacts suggesting the actor is based in China.

The APT40 group has been active since at least 2013 and appears to be focused on supporting the naval modernization efforts of the Government of Beijing. The threat actors target the engineering, transportation, and defense sectors; experts observed a specific interest in maritime technologies.

The cyberspies also targeted research centres and universities involved in naval research with the intent to access advanced technology to push the growth of the Chinese naval industry.

The list of victims of the APT40 group also includes organizations with operations in Southeast Asia or involved in South China Sea disputes.

The 13 companies identified by Intrusion Truth have similar characteristics, such as the lack of an online presence, and experts noticed overlapping contact details and shared office locations. The companies were all involved in recruiting hackers with offensive security skills.

“Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum,” reads the post published by Intrusion Truth.

“While the companies stress that they are committed to information security and cyber-defence, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks,” they go on to say.

According to the experts, a professor in the Information Security Department at the Hainan University was tasked with recruiting for the 13 companies.

One of the above companies was headquartered in the University’s library, and the professor was also a former member of China’s military.

“Following further analysis, we noticed a close association between these Hainan front companies and the academic world. Multiple job adverts for the companies are posted on university websites. Hainan Xiandun even appears to operate from the Hainan University Library!” continues the post. “Gu Jian, a Professor in the Information Security Department and former member of the PLA is now the contact person for an APT front company which itself is linked to twelve other front companies.”

Technical details of the analysis are included in the report published by the experts.

Pierluigi Paganini

(SecurityAffairs – Intrusion Truth, APT40)

The post China-linked APT40 group hides behind 13 front companies appeared first on Security Affairs.

Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info

Facebook addressed last week a security flaw that exposed page admin accounts, the bug was exploited against several high-profile pages.

Last week Facebook addressed a security issue that exposed page admin accounts; the bug was exploited in attacks in the wild against several high-profile pages.

The page admin accounts are anonymous unless the Page owner opts to make the admins public, but a bug allowed anyone to reveal the accounts running a Page.

“The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can’t see, for example, the names of the people who post to Facebook on WIRED’s behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one.” reads a post published by Wired.

The “View edit history” feature in Facebook allows Page admins to view any activity related to pages, including the name of users that made changes to a post. The bug allowed miscreants to reveal the account of the individual who made the changes, including page admins, with serious privacy implications.

Wired confirmed that on message boards like 4chan, people started posting screenshots that doxed the accounts behind prominent pages. The exploitation of the bug was simple: by opening a target page and checking the edit history of a post, it was possible to view the account or accounts that made edits to each post.

Facebook quickly addressed the issue after it was alerted by a security researcher.

“We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history,” Facebook said in a statement. “We are grateful to the security researcher who alerted us to this issue.”

The list of the pages targeted by hackers included the ones belonging to President Donald Trump, the street artist Banksy, Russian president Vladimir Putin, former US secretary of state Hillary Clinton, Canadian prime minister Justin Trudeau, the hacking collective Anonymous, climate activist Greta Thunberg, and the rapper Snoop Dogg, among others.

In February 2018, the security researcher Mohamed Baset discovered a similar vulnerability on Facebook.

Baset explained that the flaw was a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post. The researcher analyzed the source code of the email sent by the social network and discovered it included the name of the administrator of the page and other info.

Pierluigi Paganini

(SecurityAffairs – Facebook, hacking)

The post Facebook quickly fixed a bug exploited in attacks that exposed Page Admins info appeared first on Security Affairs.

Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020

It's December and the Christmas lights are going up, so it can't be too early for cyber predictions for 2020. With this in mind, Richard Starnes, Chief Security Strategist at Capgemini, sets out what the priorities will be for businesses in 2020 and beyond.

Accelerated digital innovation is a double-edged sword that will continue to hang over the cybersecurity threat landscape in 2020. As businesses rapidly chase digital transformation and pursue the latest advancements in 5G, cloud and IoT, they do so at the risk of exposing more of their operations to cyber-attacks. These technologies have caused an explosion in the number of end-user devices, user interfaces, networks and data; the sheer scale of which is a headache for any cybersecurity professional.

In order to aggressively turn the tide next year, cyber analysts can no longer avoid AI adoption or ignore the impact of 5G.

AI Adoption
Hackers are already using AI to launch sophisticated attacks – for example AI algorithms can send ‘spear phishing’ tweets six times faster than a human and with twice the success. In 2020, by deploying intelligent, predictive systems, cyber analysts will be better positioned to anticipate the exponentially growing number of threats.

The Convergence of IT and OT
At the core of the Industry 4.0 trend is the convergence of operations technology (OT) and information technology (IT) networks, i.e. the convergence of industrial and traditional corporate IT systems. While this union of these formerly disparate networks certainly facilitates data exchange and enables organisations to improve business efficiency, it also comes with a host of new security concerns.

5G and IoT
While 5G promises faster speed and bandwidth for connections, it also comes with a new generation of security threats. 5G is expected to make more IoT services possible and the framework will no longer neatly fit into the traditional security models optimised for 4G. Security experts warn of threats related to the 5G-led IoT growth anticipated in 2020, such as a heightened risk of Distributed Denial-of-Service (DDoS) attacks.

Death of the Password
2020 could see organisations adopt new and sophisticated technologies to combat risks associated with weak passwords.

More Power to Data Protection Regulations
In 2020, regulations like GDPR, The California Consumer Privacy Act and PSD2 are expected to get harsher. We might also see announcements of codes of conduct specific to different business sectors like hospitality, aviation etc. All this will put pressure on businesses to make data security a top consideration at the board level.

Twitter to clear out inactive accounts and free up usernames

Company has been criticised for handling of move it says will reduce risk from hacking

Twitter has announced it is to clear out inactive accounts, freeing up dormant usernames and reducing the risk of old accounts being hacked.

But the company is facing criticism for the way it has handled the announcement, with many concerned that the accounts of people who have died over the past decade will be removed with no way of saving their Twitter legacies.

Continue reading...

The Myth of “Staying One Step Ahead of the Hackers”

The assumption that software security can stay ahead of the hackers is not true because the software security industry is always reacting to threats that hackers expose. Once hackers start exploiting a flaw in an application, security companies try to block the resulting threat by providing security updates for existing software or by developing new programs. Either way, hackers will be one step ahead because the software security industry can’t predict what new threats the hackers will unleash.