Category Archives: information security news

Poland and Lithuania fear that data collected via FaceApp could be misused

Poland and Lithuania are probing the potential privacy and security risks of using a Russian-made app FaceApp.

Millions of people recently downloaded the FaceApp app and are taking part in the “#FaceApp Challenge” to show friends how they might look when they are old and grey. Many security experts are warning of the risks of using the popular app, since threat actors could be interested in the data collected by FaceApp.

FaceApp was developed in 2017 by Wireless Lab and had been downloaded 80 million times, but now, thanks to the challenge, it is going viral. Wireless Lab is a Russian firm based in the Skolkovo hub near Moscow, a Kremlin-created technology park considered Russia’s Silicon Valley.

The app leverages neural networks to simulate aging: it adds wrinkles, yellows the teeth and turns the hair grey.


Poland’s digital affairs ministry is investigating the app and evaluating the security risks FaceApp poses to the personal data of its users.

“For several days in Poland and the world over, social media have been flooded by a wave of modified photos of ‘ageing’ users,” states Poland’s digital affairs ministry.

“Various experts point to possible risks related to inadequate protection of users’ privacy,” the ministry added.

Another EU country, Lithuania, is also investigating the potential risks posed by large-scale use of the app.

According to deputy defense minister Edvinas Kerza, the FaceApp authors had cooperated with other Russian internet companies which may not comply with European privacy and security regulations.

In the US, Senate Minority Leader Chuck Schumer called on the FBI and the Federal Trade Commission to “look into the national security & privacy risks” associated with the use of FaceApp.

FaceApp CEO Yaroslav Goncharov attempted to reassure privacy advocates by explaining that Russian authorities did not have access to any user data.

He pointed out that most of the photos uploaded by users are deleted from its servers within 48 hours and are not used for other purposes.

Pierluigi Paganini

(SecurityAffairs – FaceApp, cybersecurity)

The post Poland and Lithuania fear that data collected via FaceApp could be misused appeared first on Security Affairs.

Slack resetting passwords for roughly 1% of its users

Slack is resetting passwords for accounts belonging to users that have not secured them after the data breach suffered by the company in 2015.

Slack announced it is resetting passwords for accounts belonging to users that have not secured them after the data breach suffered by the company in 2015.


“In response to new information about our 2015 security incident (explained here at the time), we are resetting passwords for approximately 1% of Slack accounts.” reads the announcement published by the company.

“This announcement affects you only if you

  • created your account before March 2015,
  • AND have not changed your password since,
  • AND your account does not require logging in via a single-sign-on (SSO) provider.”

In March 2015, Slack detected unauthorized access to a database containing details of users’ accounts, including usernames, email addresses, hashed passwords, phone numbers and Skype IDs.

The hackers also injected malicious code in the systems of the company to steal plaintext passwords as they were entered by Slack users. No financial or payment information was accessed or compromised in this attack.

Immediately after discovering the data breach, Slack reset the passwords of a limited number of users impacted by the incident. The company also recommended that all other users change their passwords and enable 2FA.

Recently Slack discovered through its bug bounty program that credentials of other users might have been compromised. According to the company, attackers could have obtained them via malware or a third-party hack.

“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password re-use between services, which we believed to be the case here.” continues the announcement. “We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users.”

Slack has reset the passwords of these users and sent them notifications.

“We were recently notified that your sign-in credentials (email address and password) for your xxxxx account on were discovered as being in the possession of an unauthorized individual.” reads the notification. “This may be the result of malware installed on a computer you’ve used to sign in to Slack or your credentials being reused from a previous breach of a third party, such as those listed on sites like”

Slack is still investigating the latest incident and will share more information once the investigation is complete.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)


The Problem With the Small Business Cybersecurity Assistance Act

The Small Business Cybersecurity Assistance Act may provide business owners with access to government-level tools to secure small business against attacks.

Perhaps the best approach to rampant malware, ransomware and cybercrime is stronger cooperation between the public and private sectors.

The American Congress took a stab at that kind of ecumenical solution to the looming $6 trillion problem of cybersecurity in the form of the Small Business Cybersecurity Assistance Act (SBCAA). It’s as bipartisan a bill as the U.S. can hope for at present and an encouraging sign that the problem is on the government’s radar.

Regrettably, the Small Business Cybersecurity Assistance Act has already gathered criticism and detractors, with some saying it falls short of the mark. Let’s look at why this might be the case and what the Act actually contains that might, or might not, be of value to worried business owners.

What Does the SBCAA Seek to Accomplish?

The two main co-sponsors of the Act — Senators Gary Peters and Marco Rubio — frame the SBCAA’s mission as primarily an educational effort to bring small business owners up to speed on cybercrime-related issues such as:

  • The variety of cyber threats in the world today
  • The potential risk that small business owners face
  • The tools available to help them protect themselves

The small business community must understand that they represent a larger — not a smaller — portion of the threat surface where cybercrime is concerned. Small business owners are less likely to have taken adequate measures to protect their digital systems and are consequently at an even higher risk of sustaining a data breach or a ransomware attack than a major corporation.

Under the Small Business Cybersecurity Assistance Act, business owners could visit U.S. Small Business Development Center (SBDC) locations to secure educational materials, enroll in programs, and work with representatives from the Department of Homeland Security to better understand and confront cyber threats and risks. Clearly, the intentions and the desired outcome are heading in the right direction.

The question is: What on earth is a Small Business Development Center?

A Good Idea With Limited Infrastructure Behind It

Like many public services in the United States, Small Business Development Centers are wonderful in theory but consistently go underfunded — despite their value — and remain mostly unknown to the communities most in need of their assistance. Among other things, SBDCs provide services like business counseling and information on local, state and federal government compliance and assistance programs.

But because this service goes underfunded and unheralded, the U.S. has only 63 such centers — barely one for every U.S. state and territory. In contrast, the U.S. had almost 140,000 Starbucks locations in 2018, despite the company employing under 200,000 people that year.

The SBDC’s 63 locations, meanwhile, are meant to support the entire American small business community. In 2016, companies with fewer than 100 employees made up 33.4% of the U.S. workforce, and companies with 500 or fewer made up nearly half.

Many of the criticisms leveled against the SBCAA have latched onto this lack of infrastructure and public awareness. Earmarking additional funding could possibly help raise the SBDC’s public profile and make more people aware of their existence. But this isn’t certain, and it doesn’t look like the SBCAA has addressed the existing funding shortfall.

The Act reportedly permits Small Business Development Centers to use their current funding to make cybersecurity resources available after they’re prepared by other government agencies. But the key phrase is “current funding.” SBDCs, like the one at Wharton School, already face shuttering their doors because of a lack of funding. Adding to the demands placed on their staff without a commensurate rise in funding could be fruitless.

The other problem, apart from a lack of funding and awareness, is that significant numbers of small business owners do business in the cloud. As a result, they outsource most of their IT and digital systems architecture work, including data hosting services, to third parties.

It could be fairly useful to educate small business owners on the security best practices these third parties should follow in their operations — either by law or according to common sense. What’s not useful is doing all of this without backing it up with appropriately harsh fines for the larger companies which mishandle or misplace client data, either by mistake or because they have nefarious intent.

The European Union is off to a slow start levying fines for abusing data privacy and security, but the now-year-old General Data Protection Regulation gives the government the power to do so. Until the U.S. implements a similar measure, U.S. states are left on their own to fine companies which don’t take cybersecurity or client privacy seriously. Any measure undertaken to educate the small business community about cybersecurity won’t do much good if the U.S. government doesn’t stand ready to have their backs.

Another potentially fruitful avenue to explore is providing grants or subsidies to help small business owners purchase cyber liability insurance. Not all small business owners know such products exist, but these services can go a long way toward keeping small businesses in operation after they fall victim to a cybercrime.

Safety on the Internet Isn’t a Luxury

Some seem content to let cybersecurity remain a competitive advantage or a luxury commodity. Others believe the buy-in should be the same for both small entrepreneurships and major corporations when it comes to keeping digital properties safe. Everybody has a right to stay safe online — it shouldn’t be something that only moneyed interests get to enjoy.

The SBCAA is a well-intentioned measure styled after the American tradition of empowering people to pull themselves up by their own bootstraps and know-how.

But without a more robust support system in place, it risks confirming what many people already believe — that the government throws money at problems instead of solving them. It’s best to think of the SBCAA as a first step toward something better.

A better, second draft would back up its proposals for DHS-SBDC collaboration with additional funding as well as adequate punitive measures for data handlers that get cybersecurity wrong.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(Security Affairs – Small Business Cybersecurity Assistance Act)


Experts detailed new StrongPity cyberespionage campaigns

Experts at AT&T’s Alien Labs recently discovered an ongoing campaign conducted by the StrongPity threat actor that abuses malicious WinBox installers to infect victims.

AT&T’s Alien Labs experts recently discovered an ongoing campaign, conducted by the StrongPity APT group, that abuses malicious WinBox installers to infect victims.

The group’s activity was initially uncovered in 2016, when experts at Kaspersky observed the cyberespionage group targeting users in Europe, the Middle East and Northern Africa. The group set up malicious sites mimicking legitimate ones to carry out watering hole attacks that delivered tainted installers and malware.

The new campaign started in the second half of 2018; attackers once again used tainted versions of popular software such as WinRAR to compromise victims’ systems.

“Alien Labs has identified an unreported and ongoing malware campaign, which we attribute with high confidence to the adversary publicly reported as “StrongPity”. Based on compilation times, infrastructure, and public distribution of samples – we assess the campaign operated from the second half of 2018 into today (July 2019).” reads the analysis published by the researchers. “We have also identified StrongPity deploying malicious versions of the WinBox router management software, WinRAR, and other trusted software to compromise targets.”

The new malware samples analyzed in July 2019 appear to have been rebuilt by the group in response to public reporting on its activities. The analysis of compilation times, infrastructure build and use, and public distribution of samples allowed the experts to attribute the activity to the StrongPity group.

One of the samples employed by the hackers in the recent campaign is a malicious installer for WinBox, the management console for MikroTik’s RouterOS software.

The installer implements all of the features of the legitimate software, but it installs the StrongPity malware on the target’s machine.


The malware operates similarly to previously reported variants: it implements spyware capabilities and gives the attacker remote access to the compromised machine. The malicious code communicates with the command and control (C&C) infrastructure over SSL.

“The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. Similar to previous reports of StrongPity, the malware communicates with the C2 server over SSL.” Alien Labs notes.

“Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018,” the report adds.

The APT group also used newer versions of tainted WinRAR software, as well as a tool called Internet Download Manager (IDM).

Experts were not able to determine exactly the delivery mechanism of the tainted installers; however, it is likely that methods used in past campaigns, such as regional download redirecting by ISPs, are still in use.

The choice of installers for software like WinRAR, WinBox and IDM suggests that StrongPity continues to target technically oriented victims.

“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated.” concludes the report. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”

Pierluigi Paganini

(SecurityAffairs – StrongPity, APT)


CVE-2019-6342 flaw allows hackers to fully compromise Drupal 8.7.4 websites

Drupal developers urge users to update their installs to version 8.7.5, which addresses the CVE-2019-6342 flaw that allows hackers to take control of Drupal 8 sites.

Drupal developers informed users that version 8.7.4 is affected by a critical flaw, tracked as CVE-2019-6342, that could be exploited by attackers to take control of Drupal 8 websites. Users have to update to version 8.7.5 to address the vulnerability.

The issue in Drupal 8.7.4 is an access bypass vulnerability that can be triggered when the experimental Workspaces module is enabled.

“In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created.” reads the security advisory.

The vulnerability can be mitigated by disabling the Workspaces module.

“For sites with the Workspaces module enabled, update.php needs to run to ensure a required cache clear. If there is a reverse proxy cache or content delivery network (e.g. Varnish, CloudFlare) it is also advisable to clear these as well.” continues the advisory.

The development team pointed out that the flaw only affects the Drupal 8.7.4 release; earlier versions are not affected.

The flaw was reported by Dave Botsch, and the good news is that there is no evidence of cyber attacks exploiting it in the wild. Still, security experts believe that threat actors could start exploiting the flaw very soon, because it affects default configurations, is easy to exploit and requires minimal user interaction to be triggered.

The U.S. Department of Homeland Security (DHS) has also published a security update for the CVE-2019-6342 flaw.

Drupal websites are privileged targets for hackers; in the past, several campaigns leveraged other flaws in the popular CMS. In February, just three days after the CVE-2019-6340 flaw was addressed, threat actors started exploiting the issue in the wild to deliver cryptocurrency miners and other payloads.

In 2018, threat actors compromised many Drupal sites by exploiting two other flaws, dubbed Drupalgeddon2 and Drupalgeddon3.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-6342, hacking)


Scraping the TOR for rare contents

Cyber security expert Marco Ramilli explains the difficulties of scraping the ‘TOR networks’ and how to enumerate hidden services with scrapers.

Scraping the “TOR hidden world” is a quite complex topic. First of all, you need exceptional computational power (RAM mostly) to let multiple runners grab web pages, extract new links and re-run the scraping code against the just-extracted links, plus a queue manager to handle conflicts between scrapers and a database that keeps the scraped data consistent. Second, you need great starting points, in other words the .onion addresses your scrapers start from. You might decide to begin from common and well-known onion links such as the TOR hidden wiki, or from great reddit threads such as this one, but those approaches seldom bring you to what I refer to as “interesting links”. For this post, “interesting links” means specific links that are rare or not very widespread and mostly focused on cyber-attacks and/or cyber-espionage. Another approach is needed in order to reach better results. One of the most profitable ways to search for “interesting links” is to look for .onion addresses in temporal and up-to-date spots such as pasties, IRC chats, Slack or Telegram groups, and so on and so forth. There you might find links that bring you to rarer contents and less widespread information.

Today I want to start from here by showing some simple stats about scraped .onion links in my domestic scraping cluster. From the following graph you might appreciate some statistics of active-and-inactive scraped hidden services. The represented week is actually a great stereotype of what I’ve got in the last whole quarter. What is interesting, at least in my personal point of view, is the percentage of offline (green) onion services versus the percentage of online (yellow) onion services.

Tor crawlers

This scenario changed dramatically in the past few months. While during Q1 (2019) most of the scraped websites were absolutely up and running, in Q2 (2019) I see most of the scraped hidden services dismissed and/or closed, even if they persist in the communication channels (IRC chats, pasties, Telegram, etc.).

I think there are two factors that so heavily affected the spotting of active hidden services last quarter. (1) Old content revamping, for example bots pushing “interesting links” back online even after months of inactivity. This activity is not new at all, but during the past quarter it has been abused many more times than in previous quarters. (2) Hidden services are changing address much faster than a few months ago. In order to make it hard to spot malicious actors, they might decide to keep their hidden services up and running only for a few hours and then change address/location. Is this way of enumerating hidden services passing away, or is it simply a weird time frame? We will see during the next “Scraping” months, stay tuned!
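As an added example (not part of Marco Ramilli’s post or of his scraping cluster), this Python snippet shows the first step of the approach described above: pulling candidate .onion addresses out of text scraped from pasties or chat logs and discarding malformed ones, including v3 names whose embedded checksum does not verify. The sample paste text and the 32-byte key used to build the v3 name are constructed.

```python
import base64
import hashlib
import re

# Onion hostnames: v2 names are 16 base32 chars, v3 names are 56 base32 chars.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


def make_v3_name(pubkey: bytes) -> str:
    """Build a v3 onion name from a 32-byte key (constructed here for the demo).
    Layout per the Tor rendezvous spec: base32(pubkey || checksum[:2] || version),
    checksum = SHA3-256(".onion checksum" || pubkey || version), version = 0x03."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()


def v3_checksum_ok(name: str) -> bool:
    """True if a 56-char v3 name decodes to 35 bytes with version 3 and a valid checksum."""
    try:
        raw = base64.b32decode(name.upper())
    except (ValueError, TypeError):
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    pubkey, checksum = raw[:32], raw[32:34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return expected == checksum


def extract_onions(text: str) -> list:
    """Return unique, plausible onion hostnames in order of first appearance.
    v2 names carry no checksum, so only their length/alphabet can be checked;
    v3 names are dropped when the checksum does not verify (typos, mangled pastes)."""
    seen, found = set(), []
    for match in ONION_RE.finditer(text):
        name = match.group(1).lower()
        if len(name) == 56 and not v3_checksum_ok(name):
            continue
        host = name + ".onion"
        if host not in seen:
            seen.add(host)
            found.append(host)
    return found


# Constructed sample "pastie" text: one v2 link, one valid v3 link, one v3 link
# whose last character was corrupted (version byte no longer 3), one wrong length.
VALID_V3 = make_v3_name(b"\x01" * 32)
BROKEN_V3 = VALID_V3[:-1] + "a"
SAMPLE_PASTE = f"""
mirror: http://abcdefghijklmnop.onion/login
new addr -> {VALID_V3}.onion (moved again)
old addr {BROKEN_V3}.onion is dead
not a real one: aaaaaaaaaaaaaaaaaaaa.onion
dupe: abcdefghijklmnop.onion
"""

if __name__ == "__main__":
    for host in extract_onions(SAMPLE_PASTE):
        print(host)
```

The hosts returned are what a scraper would enqueue; probing them over time yields the online/offline ratio discussed above.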

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans.

This analysis and many other studies and tools are available on Marco Ramilli’s blog:

Pierluigi Paganini

(SecurityAffairs – Tor network, DarkWeb)


Experts spotted a rare Linux Desktop spyware dubbed EvilGnome

Experts at Intezer discovered a new backdoor, dubbed EvilGnome, that is targeting Linux systems for cyber espionage purpose.

Intezer spotted a new piece of Linux malware dubbed EvilGnome because it disguises itself as a Gnome extension. The researchers attribute the spyware to the Russia-linked Gamaredon Group. The modules used by EvilGnome are reminiscent of the Windows tools used by the Gamaredon Group; other analogies include the use of SFX, persistence via the task scheduler and the deployment of information stealers.

“Linux desktop remains an unpopular choice among mainstream desktop users, making up a little more than 2% of the desktop operating system market share.” reads the analysis published by Intezer. “This explains our surprise when in the beginning of July, we discovered a new, fully undetected Linux backdoor implant, containing rarely seen functionalities with regards to Linux malware, targeting desktop users.”

The experts confirmed that the spy agent used by the threat actors was never seen before.


The Gamaredon APT was first spotted in 2013; last year, researchers at LookingGlass shared the details of a cyber espionage campaign, tracked as Operation Armageddon, targeting Ukrainian entities.

The Security Service of Ukraine (SBU) blamed Russia’s Federal Security Service (FSB) for the cyber attacks.

The sample analyzed by Intezer was uploaded to VirusTotal by mistake; metadata that the attackers had not removed revealed that the malicious code was created on July 4. The analysis revealed that the malicious code includes an unfinished keylogger, some comments, symbol names and compilation metadata, which suggests the authors are still working on it.

EvilGnome allows attackers to take screenshots, steal files, capture audio recordings from the microphone, and download and execute other payloads.

The attack starts with spear-phishing emails containing weaponized attachments; the malware is distributed via Russian hosting providers.

The hosting provider used by the attackers behind EvilGnome had been used by the Gamaredon Group for years, and SSH was exposed on port 3436, the same port Gamaredon uses to expose SSH.

The Linux implant is delivered as a self-extracting archive shell script created with makeself, a small shell script that generates a self-extractable compressed tar archive from a directory. The generated files appear as a shell script, many with a .run suffix, that can be launched as is.

The setup script installs the malicious code to ~/.cache/gnome-software/gnome-shell-extensions/, and the attackers gain persistence by registering a crontab entry that runs every minute.

In the last step of the installation process, the script executes, which in turn launches the main executable gnome-shell-ext:
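Added example (not Intezer’s code) for hunting the persistence described above: it parses user crontabs for entries that execute from the EvilGnome install directory and, more broadly, for every-minute jobs launched from anywhere under ~/.cache, an odd place for legitimate scheduled code to live. The crontab text is constructed; the spool path is an assumption matching the Debian/Ubuntu layout.

```python
import re
from pathlib import Path

# Install location and binary name reported by Intezer for EvilGnome.
EVILGNOME_DIR = ".cache/gnome-software/gnome-shell-extensions"
EVILGNOME_BINARY = "gnome-shell-ext"

# A cron schedule that fires every minute: "* * * * *" or "*/1 * * * *".
EVERY_MINUTE = re.compile(r"^\s*(\*|\*/1)(\s+\*){4}\s+(?P<cmd>\S.*)$")


def classify_cron_line(line: str):
    """Return 'high', 'medium' or None for one crontab line.

    high   : the command references the EvilGnome install directory (any schedule)
    medium : runs every minute from somewhere under .cache (unusual for legit jobs)
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if EVILGNOME_DIR in stripped:
        return "high"
    match = EVERY_MINUTE.match(line)
    if match and "/.cache/" in match.group("cmd"):
        return "medium"
    return None


def scan_crontab_text(text: str) -> list:
    """Return (line_number, severity, entry) for every suspicious entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        severity = classify_cron_line(line)
        if severity:
            findings.append((number, severity, line.strip()))
    return findings


def install_dir_present(home: str) -> bool:
    """Check for the dropped binary at the reported install path under a home dir."""
    return (Path(home) / EVILGNOME_DIR / EVILGNOME_BINARY).exists()


def scan_spool(spool_dir: str = "/var/spool/cron/crontabs") -> dict:
    """Scan every per-user crontab in the spool (needs root). The default path is
    the Debian/Ubuntu layout (assumption); other distributions use e.g. /var/spool/cron."""
    results = {}
    spool = Path(spool_dir)
    if not spool.is_dir():
        return results
    for crontab in spool.iterdir():
        try:
            findings = scan_crontab_text(crontab.read_text(errors="replace"))
        except OSError:
            continue
        if findings:
            results[crontab.name] = findings
    return results


# Constructed sample crontab resembling what the installer would leave behind.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /home/alice/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
*/1 * * * * $HOME/.cache/updater/run.sh >/dev/null 2>&1
*/5 * * * * /home/alice/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
"""

if __name__ == "__main__":
    for number, severity, entry in scan_crontab_text(SAMPLE_CRONTAB):
        print(f"line {number}: {severity}: {entry}")
```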

“The Spy Agent was built in C++, using classes with an object oriented structure. The binary was not stripped, which allowed us to read symbols and understand the developer’s intentions.” continues the analysis.

“At launch, the agent forks to run in a new process. The agent then reads the rtp.dat configuration file and loads it directly into memory.”

The spy agent is composed of five modules that run in separate threads:

  • ShooterSound – captures audio from the user’s microphone and uploads to C2;
  • ShooterImage – captures screenshots and uploads to C2;
  • ShooterFile – scans the file system for newly created files and uploads them to C2;
  • ShooterPing – receives new commands from C2;
  • ShooterKey – unimplemented and unused, most likely an unfinished keylogging module;

The modules access shared resources that are safeguarded through mutexes, and they use RC5 with the key “$die3” to encrypt and decrypt data exchanged with the C&C.

The malware supports several commands, it can download and execute files, set new filters for scanning, download and set new runtime configurations, exfiltrate stored output to the C&C, or stop the modules from running.

“EvilGnome is a rare type of malware due to its appetite for Linux desktop users. Throughout this post, we have presented detailed infrastructure-related evidence to connect EvilGnome to the actors behind the Gamaredon Group.” concludes the report. “We believe this is a premature test version. We anticipate newer versions to be discovered and reviewed in the future, which could potentially shed more light into the group’s operations.”

Pierluigi Paganini

(SecurityAffairs – EvilGnome, Linux malware)


Anti-Debugging Techniques from a Complex Visual Basic Packer

One of the latest trends for the attackers is to leverage the ISO files to avoid detection, the technique has also been used in a recent Hawkeye campaign.


As we described in our previous post, one of the latest trends for the attackers is to leverage the ISO files in order to reduce detection chances. This technique has also been used by a recent Hawkeye spreading campaign.

“Hawkeye Keylogger” is an info-stealing malware for sale on the dark web. Anyone can easily subscribe to the malware service by paying a fee. It has been in continuous development at least since 2013, and the malware authors behind Hawkeye have improved the malware service, adding new capabilities and techniques. It can collect credentials from various applications, mostly email clients, web browsers and FTP clients, and send them to the crooks via various protocols such as FTP, HTTP and SMTP.

So, our Cybaze-Yoroi ZLAB decided to take a look at this recent Hawkeye attack, tackling its anti-analysis protection and the anti-debugging techniques enforced by the Visual Basic packer used by the crooks.

Technical Analysis

The delivered file is an ISO image. Inside it there is a file with a .bat extension, but it is actually a well-formed PE file. So we can extract the “bat” file and change its extension to “exe”.
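Added example (not ZLAB’s code): a Python check for the disguise described above, flagging files inside an extracted ISO whose extension says “script” while the bytes say PE. The minimal PE image used as sample input is constructed, not the real sample; the extension list is an assumption.

```python
import struct
from pathlib import Path

# Extensions that should never hold a native executable image (assumed list).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".txt"}
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def pe_info(data: bytes) -> dict:
    """Describe whether a byte string is a PE image.

    The DOS header starts with 'MZ' (0x5A4D little-endian) and carries the
    offset of the NT headers (e_lfanew) at 0x3C; 'PE\\0\\0' must sit there and is
    followed by the COFF FileHeader, whose first field is the machine type."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"is_pe": False, "reason": "MZ present but no PE signature"}
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {"is_pe": True, "machine": MACHINE_NAMES.get(machine, hex(machine))}


def mislabelled_executable(name: str, data: bytes) -> bool:
    """True when a script-looking filename carries a PE image."""
    return Path(name).suffix.lower() in SCRIPT_EXTENSIONS and pe_info(data)["is_pe"]


def scan_directory(root: str) -> list:
    """Walk an extracted ISO and report (path, machine) for disguised PE files."""
    hits = []
    base = Path(root)
    if not base.is_dir():
        return hits
    for path in base.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            with path.open("rb") as fh:
                head = fh.read(4096)  # e_lfanew normally points well inside the first 4 KiB
            if mislabelled_executable(path.name, head):
                hits.append((str(path), pe_info(head)["machine"]))
    return hits


def build_fake_pe(machine: int = 0x014C) -> bytes:
    """Constructed minimal image: 64-byte DOS header pointing at NT headers at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    print(pe_info(build_fake_pe()))
    print(mislabelled_executable("installer.bat", build_fake_pe()))
```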

Figure 1: Fake .bat file inside the ISO archive
Threat: Hawkeye Spyware
Brief Description: Hawkeye Spyware inside a Visual Basic Packer

Table 1: Information about the PE file inside the ISO image

The ISO file has a low AV detection rate, but simply extracting the executable from the ISO image raises the rate:

Figure 2: AV Detection of the ISO compressed file (left) and of the extracted file (right)

The PE file is packed with a Visual Basic 5.0 stub, whose job is to protect the core of the malware and complicate the analysis:

Figure 3: Visual Basic packer evidence

As seen above, the malware is written in Visual Basic 5.0, so it is possible to decompile it with ad-hoc decompilers.

Figure 4: Visual Basic code decompilation in P-Code

The decompiled code is P-Code, and it is just as obfuscated. The only way to obtain more information about the infection mechanism is to debug the program.

The first trick to complicate the analysis is to dynamically create a new memory section into which some code is injected, through the “VirtualAlloc” function. The malware decodes a piece of code and chooses a new virtual address at which to allocate memory, in this case “0x00260000”, loaded into the EAX register.

Figure 5: Memory allocation through the VirtualAlloc API

The GetTickCount Anti-Debug Technique

After the context switch inside the new allocated area, the malware adopts the well known “GetTickCount()” anti-debug technique. According to the MSDN documentation, GetTickCount retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days. This API call is used by the malicious actors to retrieve the time of the execution of the process, and if it is higher than a preset threshold, the malware terminates its execution:

Figure 6: GetTickCount routine in the new address space

The first malicious action in the newly created address space is the invocation of the GetTickCount API, and the result is:

Figure 7: GetTickCount result in EAX register

The result of the GetTickCount function is stored in the EAX register. After doing some other decrypting operations, the malware invokes it again.

Figure 8: GetTickCount subtraction anti-debug trick

After the second invocation of GetTickCount, the two values are immediately subtracted and the difference is placed in the EAX register. The next instruction is a comparison between the EAX register and a preset threshold value, “0x5DC”, which is 1500 in decimal. According to the Microsoft documentation, the resolution of the GetTickCount function is 10ms, so we can deduce that the threshold chosen by the cyber criminal is 15 seconds. Once the trick is understood, it is quite easy to bypass it and go on analyzing the sample.

Figure 9: ShellExecute routine to run the payload

The malware allocates another memory space in which it writes an entire file with an MZ header, which is then opened through the “ShellExecute” API function. Dumping the process at this moment, another piece of code hidden in a resource, which did not exist before the anti-debug trick, emerges:

Figure 10: Resource comparison between the original exe and the self-modified exe

As shown in the above figure, the original file (on the left) contains only icons and the manifest as resources, while the self-modified file contains an “RCData” resource entry named “__”. This is the encrypted final payload.

Figure 11: Malicious resource retrieving routine

To protect itself and hinder analysis, the malware respawns itself through the “CreateProcessInternalW” API call:

Figure 12: Execution routine of the final payload

Now the real payload is ready to be decrypted with a custom internal routine.

Figure 13: Decoding routine of the final payload

After the decryption routine, the malware copies the new code into another memory region via “memcpy”. To validate that the payload was extracted correctly, it checks whether the first two bytes of the region, read as a 16-bit little-endian word, equal 0x5A4D, i.e. the bytes 4D 5A, or “MZ” in ASCII.

Figure 14: Validation check of the correct decoding of the final payload

Dumping this region reveals the real payload.
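Added example, not part of the original analysis: a small Python validator that goes one step beyond the sample’s own “MZ” test when inspecting a dump. It follows `e_lfanew` to the `PE\0\0` signature and checks the optional-header magic, and `carve_pe` applies the same test to every “MZ” candidate in a raw memory dump, which is how one locates the payload when the dump is larger than the image. `minimal_pe` builds a constructed header-only image for testing and is not a real binary; all names are this example’s own.

```python
"""Validation of a dumped buffer as a PE image, one step past the sample's
own 'MZ' test: follow e_lfanew to the 'PE\\0\\0' signature and check the
optional-header magic. Names are this example's own."""
import struct
from typing import Dict, List, Optional

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}


def validate_pe(buf: bytes) -> Optional[Dict[str, object]]:
    """Header facts if `buf` starts with a plausible PE image, else None."""
    if len(buf) < 0x40 or buf[:2] != MZ:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # signature (4) + COFF header (20) + optional-header Magic (2) must fit
    if e_lfanew + 26 > len(buf) or buf[e_lfanew:e_lfanew + 4] != PE_SIG:
        return None
    machine, nsections = struct.unpack_from("<HH", buf, e_lfanew + 4)
    magic = struct.unpack_from("<H", buf, e_lfanew + 24)[0]
    if magic not in OPT_MAGICS:
        return None
    return {"e_lfanew": e_lfanew, "machine": machine,
            "sections": nsections, "format": OPT_MAGICS[magic]}


def carve_pe(dump: bytes) -> List[int]:
    """Offsets of every plausible PE image in a raw memory dump; a stray
    'MZ' byte pair without a signature behind it is not reported."""
    hits, pos = [], dump.find(MZ)
    while pos != -1:
        if validate_pe(dump[pos:]) is not None:
            hits.append(pos)
        pos = dump.find(MZ, pos + 1)
    return hits


def minimal_pe(machine: int = 0x14C, magic: int = 0x10B) -> bytes:
    """Constructed header-only image for testing; not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + PE_SIG + coff + struct.pack("<H", magic)
```

A region carved out of a process dump has its sections laid out at their virtual addresses, so after carving, the section raw offsets still need to be realigned to the virtual ones before the file loads cleanly in a disassembler or, as here, in a .NET decompiler.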

The Payload

The extracted payload is a PE file compiled in .NET C# language with the following static information:

Threat: HawkEye Spyware
Brief Description: HawkEye Spyware obfuscated payload

Table 2: Static information about the final payload

The payload sample is obfuscated with the .NET Reactor tool, but a cleaned version can easily be restored:

Figure 15: Usage of .NET Reactor obfuscator evidence

Below, some static information about the cleaned payload is reported:

Threat: HawkEye Spyware
Brief Description: HawkEye Spyware clear payload

Table 3: Static information about the cleared version of the final payload

Since the payload is written for the .NET framework, it is possible to debug the code and retrieve all the details of this new sample. Debugging the sample reveals the attribution of the malware: HawkEye.

Figure 16: Recurrent string decryption routine through the usage of Rijndael algorithm

Every sensitive piece of information, strings included, is encrypted with the Rijndael algorithm, as shown in Figure 16. Before starting any operation, the malware attempts a simple evasion trick: it retrieves the username of the victim machine and compares it with a series of hardcoded usernames. These are the usernames typically used by sandboxes; if one of them matches, the malware is probably running inside a virtual machine.

Figure 17: Sandbox evasion trick

After this simple check, the info stealer starts its malicious operations. The first of them is the persistence mechanism:

Figure 18: Persistence mechanism

Persistence is guaranteed by setting the classic registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value “C:\Users\Admin\AppData\Roaming\MyApp\MyApp.exe”, having already copied itself to this path. It is worth noting that if the malware is launched from the original wrapper, the entire executable is copied to the “MyApp” path, because the payload runs inside the wrapper process as a thread; if only the final payload is executed, only that part is stored.

Figure 19: Task Manager disabling

A peculiar self-protection mechanism adopted by the malware is to prevent the user from opening Task Manager, by setting the registry value highlighted in Figure 19. At this point the malware can start its information-stealing routines.

Figure 20: Password retrieving routine from Internet Explorer

The first information retrieved is the passwords stored by Internet Explorer, through the routine shown in the figure above. This is only the starting point: the malware retrieves sensitive and login data from a long list of browsers. A short excerpt is shown in the following figure:

Figure 21: Piece of the browser list harvested by the malware

Below, the complete list:

  • Google Chrome
  • Yandex
  • Comodo Dragon
  • Cool Novo
  • Chromium
  • Torch Browser
  • 7Star
  • Amigo
  • Brave
  • Cent Browser
  • Chedot
  • Coccoc
  • Elements Browser
  • Epic Privacy
  • Kometa
  • Orbitum
  • Sputnik
  • Uran
  • Vivaldi
  • UC Browser
  • Flock Browser

In the same way, the malware looks for credentials from other services, such as CoreFTP, FileZilla and JDownloader. The last information stolen is the email accounts registered on the victim machine. The email clients searched are:

  • Outlook
  • SeaMonkey
  • Postbox
  • Thunderbird

We wanted to look more closely at the password-gathering routine for Microsoft Outlook, so we created a fake account and logged into the Outlook client.

Figure 22: Registry key where the Microsoft Outlook client user configuration is stored

The malware retrieves a particular registry key: “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook”. Inside it is stored the configuration of the Microsoft Outlook user profile.

Figure 23: Outlook password decryption routine

The method “smethod_50” in Figure 23 shows how simple it is to decrypt the password saved in that registry key: it is enough to retrieve the byte array and pass it, together with the CurrentUser DataProtectionScope, to the static method provided by the .NET framework, “ProtectedData.Unprotect()”. This works because DPAPI with the CurrentUser scope ties the secret only to the logged-on user’s credentials: any code running under that user account, the info stealer included, can call Unprotect. The harvested information is then collected in a list, ready to be sent to the server.

Figure 24: Creation of the list of the gathered accounts

The last step is the preparation to send the information to the recipient. As in classic HawkEye, the protocol used to transmit the stolen information is SMTP, so the malware uses the API provided by the .NET framework to instantiate an SMTP client. Debugging up to the right point, the malware configuration is revealed:

Figure 25: SMTP client account configuration


HawkEye is nowadays a well-known threat. Security firms have analyzed the malware and its entire infection chain in depth, but this sample, like our latest ones, has the peculiarity of being protected by a complex and evasive packer.

In the last two posts we saw a Delphi packer that was tough to analyze; this one too has aspects that make the reverse-engineering process challenging for the analyst. In the end, we were able to dissect the whole malware chain, revealing the threat actor’s exfiltration address.

Further technical details, including IoCs and Yara rules, are reported in the analysis published on the Yoroi blog:

Pierluigi Paganini

(SecurityAffairs – anti-debugging, malware)

The post Anti-Debugging Techniques from a Complex Visual Basic Packer appeared first on Security Affairs.

Security Affairs 2019-07-17 03:53:53

Tesla paid $10,000 to a researcher who found a stored cross-site scripting (XSS) vulnerability that could have been exploited to change vehicle information.

The security researcher Sam Curry has earned $10,000 from Tesla after reporting a stored cross-site scripting (XSS) flaw that could have been exploited to obtain vehicle information and potentially modify it.

Curry discovered the issue in the software of his Tesla Model 3. He used the XSS Hunter tool to insert a payload into the “Name Your Vehicle” field of the infotainment system.

XSS Hunter works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page back to the XSS Hunter service.

Curiously, Curry discovered the XSS issue months later, when he used the mobile app to contact Tesla support after his windshield was cracked by a rock.

He was setting up an appointment when he noticed from the XSS Hunter panel that the payload had fired. He discovered that it had fired on a page of a Tesla support application used to view the car’s vital statistics, and that information about the vehicle had been collected from it.

The exposed information included the vehicle’s VIN, speed, temperature, version number, whether it was locked or not, tire pressure, and alerts. The data also included other firmware information such as geofence locations, CAN viewers, and configurations.

“The thing that was very interesting was that live support agents have the capability to send updates out to cars and, most likely, modify configurations of vehicles. My guess was that this application had that functionality based off the different hyperlinks within the DOM,” Curry wrote. “I didn’t attempt this, but it is likely that by incrementing the ID sent to the vitals endpoint, an attacker could pull and modify information about other cars.”

“If I were an attacker attempting to compromise this I’d probably have to submit a few support requests but I’d eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I’d want to do.” he added.

The researcher reported the flaw to Tesla, which acknowledged it and shipped a hot fix within roughly 14 hours, as the timeline below shows:

  • 20 Jun 2019 06:27:30 UTC – Reported
  • 20 Jun 2019 20:35:35 UTC – Triaged, hot fix
  • 11 Jul 2019 16:07:59 UTC – Bounty and resolution

Curry was awarded $10,000 for reporting the flaw to Tesla.

“Looking back, this was a very simple issue but understandably something that could’ve been overlooked or regressed somehow. Although I’m unsure of the exact impact of the vulnerability, it seems to have been substantial and at the very least would’ve allowed an attacker to view live information about vehicles and likely customer information,” Curry concludes.

Pierluigi Paganini

(SecurityAffairs – Tesla, XSS)

The post appeared first on Security Affairs.

Security Affairs 2019-07-17 02:18:54

Threat actors used the Extenbro DNS-changer Trojan in an adware campaign to prevent users from accessing security-related websites.

Security experts at Malwarebytes observed an adware campaign that involved the Extenbro DNS-changer Trojan to prevent users from accessing the websites of security vendors.

“Recently, we uncovered a new DNS-changer called Extenbro that comes with an adware bundler. These DNS-changers block access to security-related sites, so the adware victims can’t download and install security software to get rid of the pests.” reads the post published by Malwarebytes.

The Extenbro Trojan is delivered by a bundler that is tracked by the security firm as Trojan.IStartSurf.

The Extenbro Trojan changes the DNS settings; the only thing victims may notice is that it adds four DNS servers to the Advanced DNS tab in Windows.


The malware gains persistence by creating a randomly-named Scheduled Task that points to a fixed-location folder.

The Extenbro Trojan adds a certificate to the Windows Root certificate store; it has no “Friendly Name” and experts believe it was registered to abose[at]reddit[dot]com.

The malware also disables IPv6 by changing the registry value DisabledComponents under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters, thus forcing the system to use the newly added DNS servers.
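The two registry modifications described for HawkEye earlier on this page (the Run key pointing into AppData\Roaming and the Task Manager policy) and the DisabledComponents change made by Extenbro are all visible in a plain `.reg` export. The following Python triage script is an added example, not code from Malwarebytes or Yoroi: it parses a constructed export and flags the three conditions. The Task Manager value is assumed to be `DisableTaskMgr` under `Policies\System`, since the page shows that key only in a figure; the sample export, paths and function names are this example’s own.

```python
"""Triage of a Windows registry export (.reg) for the changes described
above: Run-key persistence from a user-writable path, Task Manager
disabled by policy, and IPv6 switched off via DisabledComponents."""
import re
from typing import Dict, List

# Constructed export for the example; the Run entry mirrors the HawkEye path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\Users\\Admin\\AppData\\Roaming\\MyApp\\MyApp.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
"DisabledComponents"=dword:000000ff
'''

_VALUE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def _decode(raw: str):
    """Turn the textual .reg value into str (REG_SZ) or int (REG_DWORD)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw                      # hex:, expanded strings, etc. left as text


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key] to its name -> value pairs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := _VALUE.match(line)):
            keys[current][m.group(1) or "@"] = _decode(m.group(3))
    return keys


RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def triage(reg: Dict[str, Dict[str, object]]) -> List[str]:
    """Findings as 'category: detail' strings."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, val in values.items():
                if isinstance(val, str) and any(p in val.lower() for p in USER_WRITABLE):
                    findings.append(f"run-key persistence: {name} -> {val} ({key})")
        if k.endswith("\\policies\\system") and values.get("DisableTaskMgr") == 1:
            findings.append(f"taskmgr-disabled: {key}")
        if k.endswith("\\tcpip6\\parameters") and values.get("DisabledComponents", 0) != 0:
            comp = values["DisabledComponents"]
            findings.append(f"ipv6-disabled: DisabledComponents=0x{comp:x} ({key})")
    return findings
```

The user-writable path list is deliberately short; a Run entry pointing into Program Files with a vendor name (the OneDrive line) is not flagged, while any nonzero DisabledComponents is, because a legitimately configured machine very rarely turns IPv6 components off this way.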

On top of that, the Trojan modifies the Firefox user.js file and sets security.enterprise_roots.enabled to true, which forces Firefox to use the Windows Certificate Store, where its root certificate has just been added.

The analysis published by Malwarebytes includes the removal instructions.

To restore their DNS settings, users should remove the DNS entries added by the malware from the advanced DNS settings, without rebooting the system.

“To get to your security sites, you may need a restart of the browser. Do NOT reboot your system or the DNS servers might be changed for the worse again by the Scheduled Task that belongs to the Trojan. If your existing solution does not pick up on the malware, download  Malwarebytes to your desktop.” concludes the analysis.

To restore Firefox to the initial settings, users should type about:config in the address bar, search for security.enterprise_roots.enabled and change it to the default setting, “False.”

Pierluigi Paganini

(SecurityAffairs – Extenbro Trojan, adware)

The post appeared first on Security Affairs.

Turla APT group adds Topinambour Trojan to its arsenal

Kaspersky researchers revealed that since earlier this year, Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks.

Security experts at Kaspersky revealed that the Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks since early 2019.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.

The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

In the past months, security experts reported the APT group has been updating its arsenal. In May, ESET experts revealed that Turla has been using a sophisticated backdoor, dubbed LightNeuron, to hijack Microsoft Exchange mail servers.

Now Kaspersky published a detailed analysis of a new modular tool dubbed Topinambour (aka Sunchoke – the Jerusalem artichoke). Kaspersky researchers also found .NET and PowerShell versions of the KopiLuwak Trojan that was involved in targeted attacks since the beginning of this year. 

Topinambour is spread via tainted legitimate software installers; the dropper includes a tiny .NET shell that is used to deliver commands to the target machine and fetch other modules via SMB.

“Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.” reads the analysis published by Kaspersky.

“These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”.”

The dropper sample analyzed by the experts is able to deliver the payload to a specific location, gain persistence for the malicious code with a scheduled task that starts every 30 minutes, and drop the original application the dropper tries to mimic. 

The tiny .NET shell dropped on the target system connects to the C2 server and fetches the KopiLuwak dropper, which gains persistence and drops a JavaScript file that leads to the final-stage Trojan.

Recent operations also involved another .NET Trojan alongside the KopiLuwak JavaScript, called RocketMan, which supports commands to download/upload a file and to halt the Trojan’s activity.

Hackers also used a PowerShell Trojan tracked as MiamiBeach; it differs from RocketMan in its ability to take screenshots.

“The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the well-known, publicly discussed JavaScript versions.” concludes Kaspersky.

“Using the Windows system registry to store encrypted data that is later used by the malware also seems to be aimed at minimizing detection and reducing the digital footprint on any victim’s computer, where only a tiny starter would be left,”

Pierluigi Paganini

(SecurityAffairs – Turla APT, Topinambour)

The post Turla APT group adds Topinambour Trojan to its arsenal appeared first on Security Affairs.

Sprint revealed that hackers compromised some customer accounts via Samsung site

US telecommunications company Sprint revealed that hackers compromised an unknown number of customer accounts via the “add a line” website.

The mobile network operator Sprint disclosed a security breach, the company revealed that hackers compromised an unknown number of customer accounts via the “add a line” website.

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the “add a line” website.” reads a letter sent to the customers by the company. “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”

The information exposed in the data breach includes the phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, eligibility, first and last name, billing address, and add-on services.


According to the company, the exposed data do not put customers at substantial risk of fraud or identity theft, but in my humble opinion such information could be used for several malicious purposes.

In response to the incident, on June 25 the mobile network operator reset the PIN codes of the affected users.

The US telecommunications company did not reveal the number of affected customers.

Sprint recommends that affected customers take all the precautionary steps necessary to prevent identity theft and other fraudulent activities, as recommended by the Federal Trade Commission (FTC):

“As a precautionary measure, we recommend that you take the preventative measures that are recommended by the Federal Trade Commission (FTC) to help protect you from fraud and identity theft.” concludes the letter. “These preventative measures are included at the end of this letter. You may review this information on the FTC’s website at and www.IdentityTheft.gov or contact the FTC directly by phone at 1-877-438-4338 or by mail at 600 Pennsylvania Avenue, NW, Washington, DC 20580.”

Pierluigi Paganini

(SecurityAffairs – Sprint, data breach)

The post Sprint revealed that hackers compromised some customer accounts via Samsung site appeared first on Security Affairs.

A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files

Experts at Vertical Structure and WhiteHat Security discovered a serious flaw that exposed millions of files stored on thousands of internet-exposed Lenovo NAS devices.

An analysis conducted by researchers at Vertical Structure and WhiteHat Security allowed discovering a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.

The discovery was made in the fall of 2018 by querying the Shodan search engine, which revealed 5,114 devices storing over 3 million files, including roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.


The experts believe the actual number of exposed systems could be much greater; 5,114 is only the number they were able to identify.

“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.

“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”

The vulnerability could have been exploited by a remote, unauthenticated attacker to access the files stored on the NAS devices by sending a specially crafted request to an API that was not protected by any authentication mechanism. The experts pointed out that the devices did not leak data through their web interface.

The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.

After the researchers from Vertical Structure and WhiteHat reported their findings to Lenovo, the company pulled three versions of the affected software out of retirement to fix the issue.

“A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.” reads the advisory published by Lenovo.

In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by unauthenticated attackers to access protected content.

Pierluigi Paganini

(SecurityAffairs – NAS devices, hacking)

The post A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files appeared first on Security Affairs.

Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram

Media File Jacking – Security researchers at Symantec demonstrated how to manipulate media files that can be received via WhatsApp and Telegram Android apps.

Security experts at Symantec devised an attack technique dubbed Media File Jacking that could allow attackers to manipulate media files that can be received via WhatsApp and Telegram Android apps. The issue could potentially affect many other Android apps as well.

The attack technique leverages the fact that any app installed on a device can access and rewrite files saved in external storage, including files saved by other apps. Popular apps like WhatsApp and Telegram allow users to choose where to store files. The researchers pointed out that unlike Telegram for Android.

Anyway, many Telegram users prefer to save their data to external storage using the “Save to Gallery” option.

“The security flaw, dubbed “Media File Jacking”, affects WhatsApp for Android by default, and Telegram for Android if certain features are enabled.” reads the report published by Symantec. “It stems from the lapse in time between when media files received through the apps are written to the disk, and when they are loaded in the apps’ chat user interface (UI) for users to consume.”

A malicious app installed on the recipient’s device can intercept and manipulate media files exchanged between users, including photos, documents or videos stored in external storage. The attack is completely transparent to the recipient, who sees no suspicious activity.

“The fact that files are stored in, and loaded from, external storage without proper security mechanisms, allows other apps with write-to-external storage permission to risk the integrity of the media files,” continues the analysis. “Write-to-external storage (WRITE_EXTERNAL_STORAGE) is a common permission requested by Android apps, with over a million apps in Google Play having this access. In fact, based on our internal app data, we found nearly 50% of a given device’s apps have this permission.”


Researchers presented four attack scenarios that see a malicious app manipulating media files sent to the recipient:

  1. Image manipulation

The malicious app, downloaded by the user, can run in the background and perform a Media File Jacking attack while the victim uses WhatsApp or Telegram, manipulating images in near-real time.

  2. Payment manipulation

Attackers can manipulate an invoice sent by a vendor to the recipient and trick them into making a payment.

  3. Audio message spoofing

Attackers can use voice reconstruction via deep learning to alter the original audio message for malicious purposes.

  4. Spread fake news

In Telegram, attackers can carry out Media File Jacking attacks to alter media files that appear in a trusted channel feed in real time, to spread fake news.

To ensure that media files are kept safe from attackers, Symantec provides the following recommendations:

  • Validate the integrity of files: Store in a metadata file a hash value for each received media file before writing it to the disk. Then, confirm that the file has not been changed (i.e. the hash is the same) before the media file is loaded by the app in the relevant chat portion for users to see. This step can help developers validate that files were not manipulated before they are loaded. This approach balances between the security (protection against Media File Jacking attacks) and functionality (e.g., supporting third party backup apps) needs of the IM apps.
  • Internal storage: If possible, store media files in a non-public directory, such as internal storage. This is a measure some IM apps have chosen.
  • Encryption: Strive to encrypt sensitive files, as is usually done for text messages in modern IM solutions. This measure, as well as the previous one, will better protect files from exposure and manipulation. The downside is that other apps, such as photo backup apps, won’t be able to easily access these files.
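Symantec’s first recommendation, as an added Python example that is not Symantec’s or either messenger’s code: the app records a keyed hash of each received file in app-private metadata at write time and verifies it before the bytes reach the chat UI. A temporary directory stands in for external storage, another for the app sandbox; `MediaStore`, `demo` and the invoice bytes are constructed for the example.

```python
"""Integrity check for media received into shared (external) storage:
a keyed hash recorded in app-private metadata at write time and verified
before the bytes are shown, so a rewrite by another app is detected."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Optional


def digest(key: bytes, data: bytes) -> str:
    # HMAC rather than a bare hash: the index lives in private storage, but a
    # key means a leaked index alone is not enough to forge a matching entry.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class MediaStore:
    """`public_dir` plays the role of external storage (writable by any app
    holding WRITE_EXTERNAL_STORAGE); `private_dir` and `key` play the role
    of the messenger's sandboxed data. Names are this example's own."""

    def __init__(self, public_dir: str, private_dir: str, key: bytes):
        self.public_dir, self.key = public_dir, key
        self.index_path = os.path.join(private_dir, "media_index.json")
        self.index = {}

    def receive(self, name: str, data: bytes) -> str:
        """Write the incoming file and record the digest of the bytes we
        already hold, not of a re-read from disk."""
        path = os.path.join(self.public_dir, name)
        self.index[name] = digest(self.key, data)
        with open(path, "wb") as f:
            f.write(data)
        with open(self.index_path, "w") as f:
            json.dump(self.index, f)
        return path

    def load_for_display(self, name: str) -> Optional[bytes]:
        """Read once, verify the bytes in memory, and only then hand them to
        the UI. Returns None if the file was altered or is unknown."""
        expected = self.index.get(name)
        path = os.path.join(self.public_dir, name)
        if expected is None or not os.path.isfile(path):
            return None
        with open(path, "rb") as f:
            data = f.read()
        if not hmac.compare_digest(expected, digest(self.key, data)):
            return None
        return data


def demo() -> dict:
    """Constructed scenario: an invoice arrives, a second app with access to
    the shared directory rewrites it, the messenger then tries to show it."""
    with tempfile.TemporaryDirectory() as public, tempfile.TemporaryDirectory() as private:
        store = MediaStore(public, private, key=os.urandom(32))
        path = store.receive("invoice.pdf", b"%PDF-1.4 ... pay 100.00 EUR to IBAN DE00 0000 ...")
        intact = store.load_for_display("invoice.pdf") is not None
        with open(path, "wb") as f:                  # the attacker's app, same shared dir
            f.write(b"%PDF-1.4 ... pay 100.00 EUR to IBAN XX99 9999 ...")
        tampered_ok = store.load_for_display("invoice.pdf") is not None
        return {"intact_accepted": intact, "tampered_accepted": tampered_ok}
```

Verifying the bytes already read, rather than re-reading the file after a separate check, avoids a check-then-use window in which the other app could swap the file. The check does not prevent the overwrite, only its display; the other two recommendations (internal storage, encryption) address the write itself, and Scoped Storage in Android Q narrows the access that makes it possible.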

Symantec shared its findings with both Telegram and WhatsApp; the experts explained that the underlying issue will be addressed by Google with the Android Q update.

“With the release of Android Q, Google plans to enact changes to the way apps access files on a device’s external storage. Android’s planned Scoped Storage is more restrictive, which may help mitigate threats like the WhatsApp/Telegram flaw we found.” concludes Symantec. “Scoped Storage means that apps will have their own storage area in an app-specific directory, but will be prevented from accessing files in the entire storage partition, unless an explicit permission is granted by the user.”

Pierluigi Paganini

(SecurityAffairs – Media File Jacking, hacking)

The post Media File Jacking allows manipulating media files users receive via Android WhatsApp and Telegram appeared first on Security Affairs.

Mysterious hackers steal data of over 70% of Bulgarians

Hackers stole the data of millions of Bulgarians and sent it to local media; according to the media, the source could be the National Revenue Agency.

Hackers have exfiltrated data from a Bulgarian government system, likely the National Revenue Agency (NRA), and have shared it with the local media.

The hackers have stolen the personal details of millions of Bulgarians and sent to the local newspaper download links for the archives containing them.

“The link was sent by anonymous hackers via Russian mail servers on Monday to the Bulgarian media. The array of 57 folders contains thousands of files that they claim to be from the Treasury’s servers, probably.” reads the Monitor website.

The National Revenue Agency is investigating the incident and verifying the authenticity of the data.

“The NRA and the specialized bodies of the Ministry of the Interior and the State Agency for National Security (SANS) check the potential vulnerability of the National Revenue Agency’s computer system.” reads a statement published by the NRA.

“Earlier today, emails of certain media have been sent a link to download files allegedly belonging to the Bulgarian Ministry of Finance. We are currently verifying whether the data is real.”

The hackers claim to have breached the Treasury’s servers and exfiltrated data from more than 110 databases. More than 5 million Bulgarian and foreign citizens are affected; consider that the country has a population of about 7 million.

“Your government is slow to develop, your state of cybersecurity is parodyous,” wrote the hackers.

The hackers bragged about stealing 110 databases from the NRA’s network, totaling nearly 21 GB. They shared only 57 databases, 11 GB of the 21 GB, with local news outlets, but promised to release the rest in the coming days.

“Perhaps the biggest leak of personal data in Bulgaria. That’s how the 57-folder contains more than a thousand files that anonymous hackers sent to Bulgarian media on Monday.” reported the Capital website. “Upon reviewing the information, Capital has opened databases with more than 1 million rows containing PINs, names, addresses, and even earnings.”

Most of the data is quite old; in some cases the information dates back as far as 2007.

Hackers also leaked information from Department Civil Registration and Administrative Services (GRAO), Bulgaria’s customs agency, the National Health Insurance Fund (NZOK), and data from the Bulgarian Employment Agency (AZ).

The email was sent from an address belonging to a Russian service. The message sent to local media by the hackers ends with a quote by WikiLeaks founder Julian Assange and calls for his release.

“Your government is stupid. Your is a parody.” closes the email.

Immediately after the leak of the data, the Democratic Bulgaria opposition party demanded the resignation of Finance Minister Vladislav Goranov.

It seems that cyber security for Bulgarian government services is very poor. At the end of June, Bulgarian police arrested the IT expert Petko Petrov after he publicly demonstrated a security vulnerability in the software used by local kindergartens.

Pierluigi Paganini

(SecurityAffairs – Bulgarians, hacking)

The post Mysterious hackers steal data of over 70% of Bulgarians appeared first on Security Affairs.

iOS URL Scheme exposes users to App-in-the-Middle attack

Security experts at Trend Micro have discovered that the iOS URL scheme could allow an attacker to hijack users’ accounts via an App-in-the-Middle attack.

Security experts at Trend Micro devised a new app-in-the-middle attack that could be exploited by a malicious app installed on iOS devices to steal sensitive data from other applications. The attack exploits the implementations of the Custom URL Scheme.

Apple iOS implements a sandbox mechanism to prevent each app from accessing the data of the other apps installed on the device.

Apple also provides methods to send and receive limited data between applications, including the URL Scheme (aka Deep Linking). The method allows developers to launch an app through URLs (e.g. facetime://, whatsapp://, fb-messenger://).

For example, a user can tap “Contact us via WhatsApp” within an app, which launches the WhatsApp app installed on the device, passing the information necessary to authenticate the user.

Experts explained how to abuse the URL Scheme for malicious purposes that could potentially expose users to attacks.

Trend Micro pointed out that iOS allowed a single URL Scheme to be claimed by multiple apps, which lets malicious apps exploit the URL Scheme.

“iOS allows one single URL Scheme to be claimed by multiple apps. For instance, Sample:// can be used by two completely separate apps in their implementation of URL Schemes. This is how some malicious apps can take advantage of the URL Scheme and compromise users.” reads the analysis published by Trend Micro.

“Apple addressed the issue in later iOS versions (iOS 11), where the first-come-first-served principle applies, and only the prior installed app using the URL Scheme will be launched. However, the vulnerability can still be exploited in different ways.”

The vulnerability is most dangerous when the login process of app A relies on app B; the figure below shows the attack scenario:

Figure: iOS custom URL scheme attack scenario

When Suning app users access their e-commerce account using WeChat, the Suning app generates a login request and sends it to the WeChat app installed on the same device via WeChat’s iOS URL Scheme. WeChat receives the login request, in turn requests a login token from its server, and sends the token back to the Suning app.

The experts discovered that, since Suning always uses the same login-request query and WeChat does not authenticate the source of the login request, an attacker could carry out an app-in-the-middle attack via the iOS URL Scheme.

“With the legitimate WeChat URL Scheme, a fake-WeChat can be crafted, and Suning will query the fake one for Login-Token. If the Suning app sends the query, then the fake app can capture its Login-Request URL Scheme.” continues the analysis. “WeChat recognizes it, but it will not authenticate the source of the Login-Request. Instead, it will directly respond with a Login-Token to the source of the request. Unfortunately, the source could be a malicious app that is abusing the Suning URL scheme.”

The discovery demonstrates that an attacker using a malicious app with the same custom URL Scheme as a targeted app can trick that app into sharing users’ sensitive data with it.

“In our research, plenty of apps that our system audited were found taking advantage of this feature to show ads to victims. Potentially malicious apps would intentionally claim the URL Scheme associated with popular apps: wechat://, line://, fb://, fb-messenger://, etc. We identified some of these malicious apps,” explained the researchers.

Experts remarked that the URL Scheme should not be used to transfer sensitive data.
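The flow above, modelled as an added example (not Trend Micro's code nor the apps' own): a dispatcher that honours first-come-first-served scheme claims, a messenger that either answers with a bearer token to whoever owns the callback scheme (the described flaw) or checks the caller's bundle id and returns only a code that is useless without the partner's secret. Bundle ids, scheme names, the classes and the partner-secret redemption step are constructed assumptions; the one platform detail relied on is that an iOS handler of a URL open is told the caller's bundle id (the sourceApplication open option).

```python
"""Simulation of the app-in-the-middle login flow described above.

Added example, not Trend Micro's code nor the apps' own. The bundle ids,
scheme names, the MessengerApp/ClientApp classes and the partner-secret
redemption step are constructed; the only platform detail relied on is that
an iOS app handling a URL open is told the caller's bundle id (the
sourceApplication open option), which is what the vulnerable flow ignores.
"""
import secrets
from urllib.parse import parse_qsl


class Dispatcher:
    """Delivers a url-scheme open to the first app that claimed the scheme
    (the first-come-first-served rule the text attributes to iOS 11)."""

    def __init__(self):
        self.handlers = {}

    def register(self, scheme, app):
        self.handlers.setdefault(scheme, app)   # a later claimant is ignored

    def open(self, url, source_app):
        scheme, _, rest = url.partition("://")
        path, _, query = rest.partition("?")
        return self.handlers[scheme].handle(path, dict(parse_qsl(query)), source_app)


class MessengerApp:
    """Stand-in for the messaging app that answers login requests."""
    bundle_id = "com.example.messenger"

    def __init__(self, dispatcher, partners, verify_source):
        self.d = dispatcher
        self.partners = partners        # callback scheme -> (partner bundle id, partner secret)
        self.verify_source = verify_source
        self.issued = {}                # value sent over the URL -> bundle id it is bound to
        dispatcher.register("messenger", self)

    def handle(self, path, params, source_app):
        if path != "login":
            return "ignored"
        callback = params["callback"]
        if not self.verify_source:
            # Vulnerable design: a bearer token goes to whoever owns the callback
            # scheme, and nobody checks who asked for it.
            token = secrets.token_hex(8)
            self.issued[token] = None
            return self.d.open(f"{callback}://auth?token={token}", self.bundle_id)
        partner_id, _ = self.partners.get(callback, (None, None))
        if source_app != partner_id:
            return "rejected"           # the request did not come from the registered partner
        # The URL channel stays unauthenticated, so only a one-time code bound to
        # the partner travels over it; it is worthless without the partner's secret.
        code = secrets.token_hex(8)
        self.issued[code] = partner_id
        return self.d.open(f"{callback}://auth?code={code}", self.bundle_id)

    def redeem(self, value, bundle_id, secret):
        """Server-side exchange of the value received over the URL for a session."""
        if value not in self.issued:
            return False
        bound_to = self.issued.pop(value)
        if bound_to is None:
            return True                 # bearer token: whoever holds it is logged in
        return any(b == bound_to == bundle_id and s == secret for b, s in self.partners.values())


class ClientApp:
    """An app that claims a callback scheme and logs in through the messenger."""

    def __init__(self, dispatcher, bundle_id, scheme, secret=None):
        self.d, self.bundle_id, self.scheme, self.secret = dispatcher, bundle_id, scheme, secret
        self.received = None
        dispatcher.register(scheme, self)

    def login(self):
        return self.d.open(f"messenger://login?callback={self.scheme}", self.bundle_id)

    def handle(self, path, params, source_app):
        self.received = params.get("token") or params.get("code")
        return "delivered to " + self.bundle_id


def impostor_scenario(verify_source):
    """A fake app installed first claims the shop's scheme, then the real shop logs in."""
    d = Dispatcher()
    fake = ClientApp(d, "com.example.fake", "shop")            # wins the shop:// claim
    shop = ClientApp(d, "com.example.shop", "shop", "shop-secret")
    messenger = MessengerApp(d, {"shop": (shop.bundle_id, shop.secret)}, verify_source)
    fake_initiated = fake.login()        # impostor asks for a login itself
    fake.received = None
    shop_initiated = shop.login()        # legitimate request; the reply lands on the scheme's owner
    takeover = fake.received is not None and messenger.redeem(
        fake.received, shop.bundle_id, "not-the-secret")
    return {"fake_initiated": fake_initiated, "shop_initiated": shop_initiated,
            "fake_got_value": fake.received is not None, "takeover": takeover}


def legit_scenario(verify_source):
    """No impostor installed: the shop owns its scheme and redeems normally."""
    d = Dispatcher()
    shop = ClientApp(d, "com.example.shop", "shop", "shop-secret")
    messenger = MessengerApp(d, {"shop": (shop.bundle_id, shop.secret)}, verify_source)
    shop.login()
    return messenger.redeem(shop.received, shop.bundle_id, shop.secret)
```

Note that in the hardened variant the impostor still receives the URL open (the OS delivers it to whoever claimed the scheme first), so the legitimate login fails rather than succeeding; the point is that what crosses the unauthenticated channel no longer grants a session.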

Pierluigi Paganini

(SecurityAffairs – URL scheme, hacking)

The post iOS URL Scheme expose users to App-in-the-Middle attack appeared first on Security Affairs.

DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape

Some of the crooks behind the Dridex Trojan have split from the gang and released a forked version of the BitPaymer ransomware dubbed DoppelPaymer.

The cybercrime gang tracked as TA505 has been active since 2014, focusing on the retail and banking industries. The group, known for distributing the Dridex Trojan and the Locky ransomware, has also released other malware, including the tRat backdoor and the AndroMut downloader.

In mid-2017, the group released BitPaymer ransomware (aka FriedEx) that was used in attacks against high profile targets and organizations. The ransomware was being distributed through Remote Desktop Protocol (RDP) brute force attacks.

“CrowdStrike® Intelligence has identified a new ransomware variant identifying itself as BitPaymer. This new variant was behind a series of ransomware campaigns beginning in June 2019, including attacks against the City of Edcouch, Texas and the Chilean Ministry of Agriculture.” reads the analysis published by CrowdStrike.

“We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER.”

Experts have now found a new variant of the ransomware, tracked as DoppelPaymer. The discovery suggests that some members of the TA505 gang left the group and forked the source code of both Dridex and BitPaymer to develop new malware.

The first BitPaymer variants delivered a ransom note containing the ransom amount and the onion address of the payment portal. Later versions dropped this information: the variant seen in the threat landscape since July 2018 included only two email addresses to contact in order to negotiate the ransom and receive payment instructions.

The latest variant observed by the experts in November 2018 includes the victim’s name in the ransom note and uses 256-bit AES in cipher block chaining (CBC) mode for encryption.

“Since the update in November 2018, INDRIK SPIDER has actively used the latest version of BitPaymer in at least 15 confirmed ransomware attacks. These attacks have continued throughout 2019, with multiple incidents occurring in June and July of 2019 alone.” continues the analysis.

According to the experts, DoppelPaymer was used for the first time in a targeted attack in June 2019. Experts detected eight distinct malware builds that were used in attacks against at least three victims.

The ransom amounts demanded from the victims varied, ranging from approximately $25,000 to $1,200,000 worth of Bitcoin.

The ransom note dropped by the DoppelPaymer ransomware does not include the ransom amount; instead, it contains the onion address of a Tor-based payment portal that is identical to the original BitPaymer portal.

The authors of DoppelPaymer made several improvements to the BitPaymer source code.

“Numerous modifications were made to the BitPaymer source code to improve and enhance DoppelPaymer’s functionality. For instance, file encryption is now threaded, which can increase the rate at which files are encrypted.” continues the report. “The network enumeration code was updated to parse the victim system’s Address Resolution Protocol (ARP) table, retrieved with the command arp.exe -a. The resulting IP addresses of other hosts on the local network are combined with domain resolution results via nslookup.exe.”

DoppelPaymer leverages ProcessHacker, a legitimate open-source administrative utility, to terminate processes and services that may interfere with the file encryption process.
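The discovery sequence the report describes (arp.exe -a, followed by nslookup.exe against the harvested addresses, with ProcessHacker launched alongside) is visible in process-creation telemetry. The detection sketch below is an added example, not CrowdStrike's code; its log format and lines are constructed, and the 120-second window and the three-lookup threshold are assumptions to tune per environment.

```python
"""Flag the network-discovery chain attributed to DoppelPaymer in
process-creation events. Added example; the event format, the sample lines,
the correlation window and the lookup threshold are all constructed."""
import re
from collections import defaultdict

# Constructed process-creation telemetry, one event per line. Parent 900 is an
# administrator running arp once from a shell; parent 3300 shows the chain.
SAMPLE_EVENTS = """\
ts=1562050000 pid=900 ppid=4 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe"
ts=1562050002 pid=901 ppid=900 image=C:\\Windows\\System32\\arp.exe cmdline="arp.exe -a"
ts=1562051000 pid=4120 ppid=3300 image=C:\\Windows\\System32\\arp.exe cmdline="arp.exe -a"
ts=1562051003 pid=4121 ppid=3300 image=C:\\Windows\\System32\\nslookup.exe cmdline="nslookup.exe 10.0.0.23"
ts=1562051004 pid=4122 ppid=3300 image=C:\\Windows\\System32\\nslookup.exe cmdline="nslookup.exe 10.0.0.41"
ts=1562051005 pid=4123 ppid=3300 image=C:\\Windows\\System32\\nslookup.exe cmdline="nslookup.exe 10.0.0.77"
ts=1562051020 pid=4124 ppid=3300 image=C:\\Users\\Public\\ProcessHacker.exe cmdline="ProcessHacker.exe"
"""

EVENT_RE = re.compile(
    r'ts=(?P<ts>\d+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"')


def parse_events(text):
    """Turn the constructed log format into dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("ts", "pid", "ppid"):
            ev[key] = int(ev[key])
        ev["name"] = ev["image"].rsplit("\\", 1)[-1].lower()   # basename of the image
        events.append(ev)
    return events


def detect_discovery_chain(events, window=120, min_lookups=3):
    """Return alerts keyed by parent pid: an arp.exe -a followed within `window`
    seconds by at least `min_lookups` nslookup.exe children of the same parent.
    A ProcessHacker child of that parent is reported as supporting evidence."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    alerts = {}
    for ppid, children in by_parent.items():
        children.sort(key=lambda e: e["ts"])
        arps = [e for e in children
                if e["name"] == "arp.exe" and "-a" in e["cmdline"].split()]
        for arp in arps:
            lookups = [e for e in children if e["name"] == "nslookup.exe"
                       and arp["ts"] <= e["ts"] <= arp["ts"] + window]
            if len(lookups) >= min_lookups:
                alerts[ppid] = {
                    "arp_ts": arp["ts"],
                    "resolved": [e["cmdline"].split()[-1] for e in lookups],
                    "processhacker": any(e["name"] == "processhacker.exe" for e in children),
                }
                break                       # one alert per parent is enough
    return alerts
```

A single arp -a from an interactive shell (parent 900 above) does not trip the rule; the parent-keyed correlation is what separates the chain from routine administration.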

“Both BitPaymer and DoppelPaymer continue to be operated in parallel and new victims of both ransomware families have been identified in June and July 2019.” concludes CrowdStrike. “The parallel operations, coupled with the significant code overlap between BitPaymer and DoppelPaymer, indicate not only a fork of the BitPaymer code base, but an entirely separate operation.”

Pierluigi Paganini

(SecurityAffairs – DoppelPaymer ransomware, TA505)

The post DoppelPaymer, a fork of BitPaymer Ransomware, appeared in the threat landscape appeared first on Security Affairs.

Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code

A critical vulnerability affecting the Ad Inserter WordPress plugin could be exploited by authenticated attackers to remotely execute PHP code.

Security researchers at Wordfence discovered a critical vulnerability in the Ad Inserter WordPress plugin that could be exploited by authenticated attackers to remotely execute PHP code.

Ad Inserter is an ad management plugin that gives administrators advanced features to insert ads at optimal positions. It supports major ad programs, including Google AdSense, Google Ad Manager (DFP – DoubleClick for Publishers), contextual Amazon Native Shopping Ads, and rotating banners.

The Ad Inserter WordPress plugin is currently installed on over 200,000 websites. 

The security flaw resides in an authorization check the plugin built on the check_admin_referer() function, which was designed to protect WordPress sites against cross-site request forgery (CSRF) exploits using nonces.

“The function check_admin_referer() is intended to protect against cross-site request forgery (CSRF) attacks by ensuring that a nonce (a one-time token used to prevent unwanted repeated, expired, or malicious requests from being processed) is present in the request.” reads the post published by Wordfence.

“The WordPress documentation makes it clear, though, that check_admin_referer() is not intended for access control, and this vulnerability is a good example of why misusing nonces for authorization is a bad idea.”

Experts pointed out that nonces should never be relied on for authentication, authorization or access control.

“The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin,” continue the experts.

Authenticated attackers can bypass the authorization check built on check_admin_referer() to reach the debug mode that the Ad Inserter plugin provides for admins.

The experts discovered that the debugging feature can be triggered by any user who sends the special cookie “Cookie: AI_WP_DEBUGGING=2”.

“Normally, these debugging features are only available to administrators, and when certain options are enabled a block of Javascript is included on nearly every page. That Javascript contains a valid nonce for the ai_ajax_backend action,” continues Wordfence.


An attacker who obtains such a nonce can trigger the debugging feature and can also abuse the ad preview feature by sending a payload containing arbitrary PHP code.

The flaw affects all WordPress websites that use the Ad Inserter plugin version 2.4.21 or earlier. The developer released version 2.4.22 on July 13, which addresses the authenticated RCE flaw.

Below is the disclosure timeline:

July 12 – Vulnerability discovered by Wordfence Threat Intelligence Team
July 12 – Firewall rule released to Wordfence Premium users
July 12 – Plugin developer notified of the security issue
July 13 – Patch released
August 11 – Firewall rule becomes available to free users

Pierluigi Paganini

(SecurityAffairs – Ad Inserter, WordPress plugin)

The post Flaw in Ad Inserter WordPress plugin allows remote attackers to execute code appeared first on Security Affairs.

The npm installer for PureScript package has been compromised

It has happened again: another JavaScript package in the npm registry has been compromised, this time the installer for PureScript.

The installer for the PureScript package in the npm registry has been tampered with, forcing the project maintainers to purge the malicious code.

Last week many developers reported problems with the installer, and PureScript contributor Harry Garrood found malicious code in its npm installer.

Typing npm i -g purescript on the command line installs the package, an extensive collection of libraries that counts around 2,000 installs a week.

The installer was originally developed and maintained by the Japanese developer Shinnosuke Watanabe (@shinnn); later, the project maintainers asked him to hand control of the installer over to them.

The developer accepted the request but was unhappy with the decision.

“After a few too many disagreements and unpleasant conversations with @shinnn about the maintenance of the purescript npm installer, we (the compiler maintainers) recently decided that it would be better if we maintained it ourselves, and asked him if he would transfer the purescript package on npm to us. He begrudgingly did so.” wrote Garrood. “The 0.13.2 PureScript compiler release, which we cut last week, is the first release of the compiler since we took over the purescript npm package.”

Garrood explained that the PureScript installer has some dependencies that are also controlled by Watanabe, and that malicious code was added to some of those dependencies at separate times.

@shinnn claims that the packages were compromised by an attacker who gained access to his npm account. The good news is that the malicious code that was added appears to have had the sole purpose of sabotage: it crashes the PureScript npm installer.

The malicious code was identified and removed by the project maintainers, who have also dropped Watanabe’s dependencies.

“If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package” wrote Garrood.

A similar case recently impacted developers using the Ruby strong_password library, the attacker hijacked the account of the real developer and injected malicious code in the library.

Pierluigi Paganini

(SecurityAffairs – npm, hacking)

The post The npm installer for PureScript package has been compromised appeared first on Security Affairs.

A flaw could have allowed hackers to take over any Instagram account in 10 minutes

Instagram has recently addressed a critical flaw that could have allowed hackers to take over any Instagram account without any user interaction.

Instagram has recently addressed a critical vulnerability that could have allowed attackers to completely take over any account without user interaction.

The news was first reported by TheHackerNews; the issue was reported to the Facebook-owned photo-sharing service by the Indian security expert Laxman Muthiyah.

According to Muthiyah, the flaw affects the “password reset” mechanism implemented by Instagram for the mobile version of the service. When Instagram users request to recover their passwords, they have to confirm a six-digit secret passcode (which expires after 10 minutes) that is sent to their associated mobile number or email account. This means that, in the worst case, an attacker would need to try one million possible combinations to change a password.

The expert focused his tests on the maximum number of requests allowed and discovered the absence of blacklisting. He was able to send requests continuously without getting blocked, even after reaching the maximum number of requests he could send in a short span of time.

“When a user enters his/her mobile number, they will be sent a six-digit passcode to their mobile number. They have to enter it to change their password. Therefore if we are able to try all the one million codes on the verify-code endpoint, we would be able to change the password of any account.” reads the analysis of the expert. “But I was pretty sure that there must be some rate limiting against such brute-force attacks. I decided to test it.” “Two things that struck mind was the number of requests and the absence of blacklisting.”

Finally, he discovered two things that allowed him to bypass the rate limiting mechanism: a race condition and IP rotation.

“Sending concurrent requests using multiple IPs allowed me to send a large number of requests without getting limited.” explained the expert. “The number of requests we can send is dependent on concurrency of reqs and the number of IPs we use. Also, I realized that the code expires in 10 minutes, it makes the attack even harder, therefore we need 1000s of IPs to perform the attack. “

In summary, the rate limiting can be bypassed by carrying out a brute-force attack from different IP addresses and by leveraging a race condition, sending concurrent requests.

The expert also published a video PoC that shows the exploitation of the flaw, hacking an Instagram account by trying 200,000 different passcode combinations without being blocked.

“In a real attack scenario, the attacker needs 5000 IPs to hack an account. It sounds big, but that’s actually easy if you use a cloud service provider like Amazon or Google. It would cost around 150 dollars to perform the complete attack of one million codes.” added the expert.
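The two bypasses above (IP rotation and concurrent requests) are both properties of how the limit is keyed and enforced. The added example below, which is not Instagram's code, contrasts a limiter that counts attempts per source IP with one that counts attempts against the targeted account and performs the check and the increment as a single locked step; the limits, IP pool and guessing loop are constructed.

```python
"""Added example (not Instagram's code): per-IP versus per-account rate limiting
for a passcode verification endpoint, exercised with concurrent guesses from a
pool of rotating source addresses. All limits and inputs are constructed."""
import threading
from collections import defaultdict


class PerIpLimiter:
    """Budget keyed by client IP: every fresh IP brings a fresh budget, so the
    total number of guesses grows with the size of the attacker's IP pool."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, account, ip):
        if self.counts[ip] >= self.limit:
            return False
        self.counts[ip] += 1
        return True


class PerAccountLimiter:
    """Budget keyed by the account whose passcode is being guessed; the check and
    the increment happen under one lock so concurrent requests cannot both pass."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)
        self.lock = threading.Lock()

    def allow(self, account, ip):
        with self.lock:                   # check-then-act as one atomic step
            if self.counts[account] >= self.limit:
                return False
            self.counts[account] += 1
            return True

    def reset(self, account):
        """Call when a fresh passcode is issued; keep `limit` tiny next to the
        one-million code space so an attacker never gets a useful fraction."""
        with self.lock:
            self.counts.pop(account, None)


def rotating_ips(n):
    """Constructed pool of distinct source addresses, one per guessing thread."""
    return [f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}" for i in range(n)]


def simulate_guessing(limiter, account, ips, guesses_per_ip):
    """Run one thread per source IP, each submitting guesses concurrently.
    Returns how many guesses the endpoint actually accepted for checking."""
    accepted = []
    lock = threading.Lock()

    def worker(ip):
        hits = sum(1 for _ in range(guesses_per_ip) if limiter.allow(account, ip))
        with lock:
            accepted.append(hits)

    threads = [threading.Thread(target=worker, args=(ip,)) for ip in ips]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted)
```

The lock here is in-process; behind a load balancer the counter has to live in shared storage and be incremented atomically there, otherwise the same race reappears between servers.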

Laxman Muthiyah received a $30,000 reward from the company as part of its bug bounty program.

Pierluigi Paganini

(SecurityAffairs – Instagram, hacking)

The post A flaw could have allowed hackers to take over any Instagram account in 10 minutes appeared first on Security Affairs.

La Porte County finally opted to pay $130,000 Ransom

On July 6, a ransomware attack brought down government computer systems at La Porte County, Indiana; the county has finally decided to pay a $130,000 ransom.

On July 6, a ransomware attack paralyzed the computer systems at La Porte County, Indiana. According to County Commission President Dr. Vidya Kora, employees were not able to access any government email or website.

The county IT director shut down the computer systems to stop the threat from spreading and to limit potential damage. At least half of the servers in the county’s infrastructure were infected, and less than 7% of the laptops were left unaffected.

La Porte County has now decided to pay $130,000 to recover the data on systems infected with the ransomware.

For at least three days, government systems were not working, forcing county officials to consider paying the ransom.

Immediately after the attack, the county reported the incident to the FBI and worked with experts from several security firms to investigate the attack and mitigate the threat. The law firm Mullen Coughlin LLC was managing the incident response operations, but despite the experts’ efforts La Porte County was not able to resume its operations.

According to WSBT, La Porte County’s systems were infected with a variant of the Ryuk ransomware, the same malware that infected computers at the City of Lake City on June 10.

“Two organizations in our area are recovering from recent cyber attacks. Both the South Bend Clinic and La Porte County government are dealing with the aftermath.” reported the WSBT.

“La Porte County paid the ransom on a cyber attack that locked up part of the government’s computer system. The Ryuk virus got into the backup servers.”


It seems that $100,000 of the $130,000 will be covered by insurance.

“Fortunately, our county liability agent of record, John Jones, last year recommended a cybersecurity insurance policy which the county commissioners authorized from Travelers Insurance” explained Dr. Vidya Kora.

Recently other administrations have decided to pay the ransom to decrypt their files. Crooks earned a total of over $1 million in June from the attacks on two municipalities in Florida, Lake City and Riviera Beach.

In April, Stuart City was also hit by the Ryuk ransomware, but it refused to pay. In early March, another local government was hit by the same ransomware: computers at Jackson County, Georgia, were infected with Ryuk, paralyzing government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The Ryuk ransomware appears to be connected to the Hermes malware, which was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that affected newspaper distribution for several major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation of the malware allowed experts from the security firms FireEye and CrowdStrike to discover that the threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They collaborate with the threat actors behind TrickBot, a malware that, once it infects a system, creates a reverse shell back to the attackers, allowing them to break into the network.

Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime gang they track as GRIM SPIDER, in particular by its Russia-based cell dubbed WIZARD SPIDER, which is behind TrickBot.

Experts pointed out that Hermes was for sale in the online underground community; attackers could have purchased it to create their own version of Ryuk.

Recently the United States Conference of Mayors asked its members to “stand united” against paying ransoms in case their systems are hit by ransomware. The decision is essential to discourage this criminal practice.

Pierluigi Paganini

(SecurityAffairs – La Porte, ransomware)

The post La Porte County finally opted to pay $130,000 Ransom appeared first on Security Affairs.

Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw

A serious vulnerability in the Walkie-Talkie app on the Apple Watch forced the tech giant to disable the application to prevent attackers from spying on its users.

Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch due to a vulnerability that could be exploited to spy on users. The issue was reported to Apple via its vulnerability reporting portal.

Apple Walkie-Talkie app – Source The Mirror

The Walkie-Talkie app allows users to communicate with other users who have a compatible Watch; it emulates the behavior of a traditional walkie-talkie.

According to TechCrunch, Apple is already working on a patch, but the application will not work until the fix is released.

“Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.” reads the post published by TechCrunch. “Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.”

An attacker could use another user’s iPhone to listen to communications made through the app; at the time, no other technical details were publicly disclosed.

“Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously,” reads a statement from Apple. “We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent.”

The good news is that Apple is not aware of attacks in the wild exploiting the vulnerability.

Earlier this year, another major vulnerability in Apple FaceTime allowed hearing the audio of the person being called before they picked up the call.

At the time, privacy advocates and authorities raised concerns about how Apple handled the issue.

Pierluigi Paganini

(SecurityAffairs – walkie-talkie app, GDPR)

The post Apple temporarily blocked Walkie-Talkie App on Apple Watch due to a flaw appeared first on Security Affairs.

Emsisoft released a free decryptor for the Ims00rry ransomware

Security experts at Emsisoft released a new decryptor, it could be used for free by victims of the Ims00rry ransomware to decrypt their files.

Thanks to the experts at Emsisoft the victims of the Ims00rry ransomware can decrypt their files for free.

The Ims00rry ransomware uses the AES-128 algorithm for encryption. Unlike most ransomware, Ims00rry doesn’t append an extension to the filenames of the encrypted files. Instead, it prepends the text “—shlangan AES-256—” to the contents of the files. The malware authors ask the victim to contact them through the Telegram account @Ims00rybot.

Crooks demand a $50 ransom worth of Bitcoin to decrypt the files.

Below is the text of the ransom note:

I am sorry!!!
My friend. I want to start my own business, but i have no money.
All your files photos, databases, documents and other important are encrypted with strongest encryption and algorithms RSA 4096, AES-256.
If you want to restore your files payment and write to Telegram bot
Price decrypt software is $50.
Do not rename or move the encrypted files.
Bitcoin wàllet:

Contact Telegram bot:

Emsisoft released a detailed usage guide for the decryptor, which is available here.

In May, Emsisoft experts released free decryptor tools for other threats, JSWorm 2.0 and GetCrypt.

Pierluigi Paganini

(SecurityAffairs – ransomware, malware)

The post Emsisoft released a free decryptor for the Ims00rry ransomware appeared first on Security Affairs.

SAP Patch Day – July 2019 addresses a critical flaw in Diagnostics Agent

SAP released 11 Security Notes as part of the Patch Day – July 2019, one of which was a Hot News Note addressing a critical flaw in Diagnostics Agent.

This month SAP released 11 Security Notes as part of the July 2019 Patch Day. One of them is a Hot News Note that addresses a critical vulnerability in the Diagnostics Agent, tracked as CVE-2019-0330.

The vulnerability is an OS command injection issue that could be exploited to fully compromise an SAP system; it received a CVSS score of 9.1.

The Diagnostics Agent is a central component of the SAP Solution Manager landscape. It manages monitoring and diagnostics communications between every SAP system and Solution Manager, and it allows administrators to execute OS commands through a GAP_ADMIN transaction.

Each command is validated against a whitelist file in the Diagnostics Agent installation directory. CVE-2019-0330 could be exploited by an attacker to bypass this validation by sending a specially crafted payload.

“Using its basic functionality, a SolMan admin can execute OS commands through a GAP_ADMIN transaction, in order to perform analysis into an SAP system. Once executed, those commands are validated using a whitelist file located in the SMDAgent installation directory.” reads the analysis published by Onapsis. “This vulnerability may allow an attacker to bypass this validation by sending a custom-crafted payload. Using this technique the attacker could obtain full control over an SAP system compromising the SMDAgent user, allowing access sensitive information (such as credentials and critical business information), changing application configurations or even stopping SAP services.”

Experts pointed out that the SMDAgent must be installed on every SAP system for diagnostic purposes, which means the potential impact of an attack is broad and could affect the entire landscape.

SAP also released a High priority Security Note that addresses a code injection flaw, tracked as CVE-2019-0328, that affects the ABAP Tests Modules of NetWeaver Process Integration.

The CVE-2019-0328 vulnerability received a CVSS score of 8.7. 

The flaw resides in the Extended Computer Aided Test Tool (eCATT), a tool used for automated testing of SAP business processes.

The July 2019 Patch Day updates also address nine other medium-severity flaws: Denial of service in Commerce Cloud (CVE-2019-0322), XSS in OpenUI5 (CVE-2019-0281), XSS in Information Steward (CVE-2019-0329), XSS in ABAP (CVE-2019-0321), XSS in SAP BusinessObjects (CVE-2019-0326), Unrestricted File Upload in NetWeaver (CVE-2019-0327), Missing Authorization check in ERP HCM (CVE-2019-0325), Information disclosure in NetWeaver (CVE-2019-0318), and Content Injection in Gateway (CVE-2019-0319).


Pierluigi Paganini

(SecurityAffairs – SAP security, hacking)

The post SAP Patch Day – July 2019 addresses a critical flaw in Diagnostics Agent appeared first on Security Affairs.

NCSC report warns of DNS Hijacking Attacks

The UK’s National Cyber Security Centre (NCSC) issued a security advisory to warn organizations of DNS hijacking attacks and provided recommendations to mitigate this type of attack.

In response to the numerous DNS hijacking attacks, the UK’s National Cyber Security Centre (NCSC) issued an alert to warn organizations of this type of attack.

“In January 2019 the NCSC published an alert to highlight a large-scale global campaign to hijack Domain Name Systems (DNS).” reads the security advisory.

“Since that alert was published we have observed further activity, with victims of DNS hijacking identified across multiple regions and sectors. This Advisory covers some of the risks for organisations around DNS hijacking activity and gives advice on ways the risks can be mitigated.”

DNS hijacking is the practice of subverting the resolution of Domain Name System (DNS) queries to carry out malicious activities. It can be achieved with malicious code that modifies a computer’s TCP/IP configuration to point at a rogue DNS server under the attacker’s control, or by modifying the behaviour of a trusted DNS server so that it no longer complies with internet standards.

The Domain Name System (DNS) is the service responsible for pointing the web browser to the right IP address when we navigate to a web domain.

According to a report recently published by Avast, for nearly a year, Brazilian users have been targeted with router attacks. In the first half of 2019, hackers have modified the DNS settings of over 180,000 Brazilian routers with even more complex attacks.


This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to modify DNS settings of targeted routers.

Recently, experts at Cisco Talos published a detailed analysis of the DNS hijacking campaign conducted by the Sea Turtle threat actor for espionage purposes.

The UK’s NCSC explains that the motivations and objectives behind DNS hijacking attacks vary, ranging from taking down or defacing a website to intercepting data.

The main risks enumerated in the report are:

  • Creating malicious DNS records;
  • Obtaining SSL certificates;
  • Transparent proxying for traffic interception.

To prevent phishing attacks, the NCSC recommends using unique, strong passwords and enabling multi-factor authentication where the option is available.

To prevent registrar accounts from being compromised through familiar Account Take Over (ATO) techniques (i.e. phishing, credential stuffing, social engineering), the agency suggests regularly checking the details linked to the account. It is important that they are up to date and point to the organization rather than an individual.

Access to these accounts should be restricted to the personnel charged with managing the registrar accounts.

“Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed.” continues the report. “A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner.”

If an organization runs its own DNS infrastructure, the NCSC recommends implementing access and change control systems that can provide backup and restore functions for DNS records. It also recommends strictly controlling access to the systems hosting DNS services.

The NCSC also recommends implementing SSL certificate monitoring and the Domain Name System Security Extensions (DNSSEC).

In early 2019, DHS issued a CISA emergency directive urging federal agencies to improve the security of government-managed domains (i.e. .gov) to prevent DNS hijacking attacks.

Pierluigi Paganini

(SecurityAffairs – DNS hijacking, hacking)

The post NCSC report warns of DNS Hijacking Attacks appeared first on Security Affairs.

Security Affairs newsletter Round 222 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

Croatia government agencies targeted with new SilentTrinity malware
Customers of 7-Eleven Japan lost $500,000 due to a flaw in the mobile app
Hackers compromised a Canonical GitHub account, Ubuntu source code was not impacted
Backdoor mechanism found in Ruby strong_password library
Cyberattack shuts down La Porte County government systems
Experts uncovered a new Magecart campaign that hacked over 960 stores
Hackers are poisoning the PGP SKS keyserver network
Spotting RATs: Delphi wrapper makes the analysis harder
UK ICO fines British Airways £183 Million under GDPR over 2018 security breach
A new Astaroth Trojan Campaign uncovered by Microsoft
Flaw in Zoom video conferencing software lets sites take over webcam on Mac
Kaspersky report: Malware shared by USCYBERCOM first seen in December 2016
Maryland Department of Labor discloses a data breach
Prototype Pollution flaw discovered in all versions of Lodash Library
Adobe Patch Tuesday updates for July 2019 address only 5 minor flaws
Kali Linux is now available for Raspberry Pi 4
Microsoft released Patch Tuesday security updates for July 2019
Parents Guide for Safe YouTube and Internet Streaming for Kids
Severe vulnerabilities allow hacking older GE anesthesia machines
UK ICO proposes a $123 million fine for Marriott 2014 data breach
A new NAS Ransomware targets QNAP Devices
Agent Smith Android malware already infected 25 million devices
Intel addresses high severity flaw in Processor Diagnostic Tool
New FinFisher spyware used to spy on iOS and Android users in 20 countries
CVE-2019-1132 Windows Zero-Day exploited by Buhtrap Group in government attack
Exclusive, experts at Yoroi-Cybaze ZLab released a free decryptor for Loocipher Ransomware
Hackers stole $32 million from Bitpoint cryptocurrency exchange
New Miori botnet has a unique protocol for C2 communication
FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal
Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 222 – News of the week appeared first on Security Affairs.

For nearly a year, Brazilian users have been targeted with router attacks

Brazilian users have been targeted by a large number of router attacks aimed at modifying the configuration of their routers for malicious purposes.

This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to execute commands without the users’ knowledge.

The campaign uncovered by Avast aimed to silently modify Brazilian users’ Domain Name System (DNS) settings in order to redirect victims to malicious websites mimicking legitimate ones.

Crooks targeted users of many major organizations, including Netflix and large banks like Santander, Bradesco, and Banco do Brasil.

A router CSRF attack can be launched by tricking victims into visiting a compromised website that carries malicious advertising (malvertising), typically served to the site through third-party ad networks.

“Avast frequently observes malvertising infections on local Brazilian websites that host adult content, illegal movies or sports content. Just by visiting a compromised site, the victim is redirected to a malicious page where their router is automatically attacked without user interaction.” reads a blog post published by Avast.

“Malware then guesses routers’ passwords, which new research from Avast shows are often weak. In some cases the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites. Most recently, Netflix became a popular domain for DNS hijackers.”

Avast researchers also observed crooks using DNS hijacking to deliver crypto mining scripts to users’ browsers.

Experts first observed the router attacks last summer; researchers from Radware and Netlab were the first to report them.

Experts at Qihoo 360 NetLab reported that between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

In April 2019, experts at Bad Packets uncovered a new wave of attacks mainly aimed at compromising D-Link routers, many of them belonging to Brazilian users.

According to Avast, in the first half of 2019, hackers modified the DNS settings of over 180,000 Brazilian routers using even more complex attacks.


The router attacks involved an exploit kit that attempts to find the router IP on a network, then attempts to guess the password using common login credentials.

“The password “gvt12345”, for example, suggests that hackers target users with routers from the former Brazilian internet service provider (ISP) GVT, which was acquired by Telefônica Brasil, and is the largest telecommunications company in the country.” states the analysis published by Avast. “The password “vivo12345” is used on routers distributed by the ISP Vivo, which is also a Telefônica Brasil brand.”

Experts explained that the GhostDNS variant Novidade was one of the most active in router attacks against Brazilian users.

Avast confirmed that Novidade attempted to infect its users’ routers over 2.6 million times in February alone; the experts observed at least three campaigns spreading the malware.

In the past three months, experts also uncovered three drive-by attacks from another exploit kit, tracked as “SonarDNS EK” because it is based on the SONAR JS framework.

“Users should be careful when visiting their bank’s or Netflix’s website, and make sure the page has a valid certificate, by checking for the padlock in the browser URL bar. Additionally, users should frequently update their router’s firmware to the latest version, and set up their router’s login credentials with a strong password.” concludes Avast.

Pierluigi Paganini

(SecurityAffairs – router attacks, Brazil)

The post For nearly a year, Brazilian users have been targeted with router attacks appeared first on Security Affairs.

FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal

The United States Federal Trade Commission (FTC) has approved a record $5 billion settlement with Facebook over the Cambridge Analytica scandal.

Facebook will be obliged to pay a $5 billion fine to settle the investigation conducted by the United States Federal Trade Commission (FTC) over the Cambridge Analytica scandal. In April 2018, Facebook revealed that 87 million users had been affected by the Cambridge Analytica case, far more than the 50 million users initially thought.

“The Federal Trade Commission has approved a fine of roughly $5 billion against Facebook for mishandling users’ personal information, according to three people briefed on the vote, in what would be a landmark settlement that signals a newly aggressive stance by regulators toward the country’s most powerful technology companies.” reported The New York Times.


The news is not a surprise for experts: the settlement had been anticipated by the media over the past months. The final approval will arrive in the coming weeks from the US Justice Department, which usually approves settlements reached by the FTC.

If approved, it would be the biggest fine assigned by the federal government against a tech firm.

The probe began more than a year ago; the agency found that the way Facebook manages user data violated a 2011 privacy settlement with the FTC. At the time, Facebook was accused of deceiving people about how the social network giant handled their data. The settlement obliged the company to review its privacy practices.

In the Cambridge Analytica privacy scandal, the company allowed access to the personal data of around 87 million Facebook users without their explicit consent.

In April, Facebook disclosed its first quarter 2019 financial earnings report that revealed the company had set $3 billion aside in anticipation of the settlement with the FTC.

“This fine is a fraction of Facebook’s annual revenue. It won’t make them think twice about their responsibility to protect user data,” said Representative David Cicilline, a Democrat and chair of a congressional antitrust panel.

Recently the UK’s Information Commissioner Office (ICO) has also imposed a £500,000 fine on Facebook over the Cambridge Analytica scandal.

Pierluigi Paganini

(SecurityAffairs – Cambridge Analytica, Facebook)

The post FTC approves a record $5 billion settlement with Facebook over Cambridge Analytica scandal appeared first on Security Affairs.

Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets

The Magecart gang continues to target websites worldwide; it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

The Magecart gang made the headlines again: according to a new report published by RiskIQ, it has infected over 17,000 domains by targeting improperly secured Amazon S3 buckets.

A few days ago, security experts at Sanguine Security uncovered a new large-scale payment card skimming campaign that had already hacked 962 online stores running on the Magento CMS. Security expert Micham spotted another attack attributed to the Magecart gang, in which hackers injected a skimmer script into The Guardian’s website via an old AWS S3 bucket, using wix-cloud[.]com as a skimmer gate.

According to RiskIQ, since April 2018 Magecart hackers have adopted a new tactic that relies on misconfigured Amazon S3 buckets. These buckets allow anyone with an active Amazon Web Services account to read or write to them.

“However, the actual scale of this campaign and the number of sites affected is much larger than previously reported. The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for misconfigured Amazon S3 buckets.” reads the analysis published by RiskIQ. “These buckets are un-secure because they are misconfigured, which allows anyone with an Amazon Web Services account to read or write content to them.”

The attackers scan the web for misconfigured buckets containing any JavaScript files, then download the files, modify them by appending the skimming code to the bottom, and overwrite the script on the bucket.
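The two defender-side checks that follow from this description, as an added example that is not RiskIQ’s or the campaign’s code: flag S3 bucket ACL grants that let any AWS account (or anyone) write to the bucket, and detect JavaScript objects that have grown a trailing appended block relative to a known-good baseline. The ACL dict shape matches what boto3’s get_bucket_acl() returns; the sample ACL, object keys and script bodies are constructed.

```python
import hashlib

# Real S3 predefined-group grantee URIs; a WRITE grant to either is the
# misconfiguration the campaign above scans for.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WORLD_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def risky_grants(acl):
    """Return (grantee URI, permission) pairs that let an unrelated AWS account,
    or anyone at all, overwrite objects or rewrite the ACL itself."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS:
            if grant.get("Permission") in WRITE_PERMISSIONS:
                findings.append((grantee["URI"], grant["Permission"]))
    return findings


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def tampered_scripts(current, baseline):
    """Compare current object bodies with known-good bodies.
    'appended' means the known-good content is still a prefix of the new body
    (the append-to-the-bottom pattern); 'modified' means any other change;
    'unknown object' means there is no baseline to compare against."""
    report = {}
    for key, body in current.items():
        if key not in baseline:
            report[key] = "unknown object"
            continue
        good = baseline[key]
        if sha256(body) == sha256(good):
            continue
        if len(body) > len(good) and body.startswith(good):
            report[key] = "appended"
        else:
            report[key] = "modified"
    return report


# Constructed sample ACL: owner grant, one dangerous group WRITE grant, and a
# public READ grant (public read alone is not what this check is looking for).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

# Constructed baseline and "current" copies; vendor.js has had a block appended
# after the legitimate content, new.js has no baseline at all.
BASELINE = {
    "js/app.js": b"function init(){console.log('ready');}\n",
    "js/vendor.js": b"var vendor={};\n",
}
CURRENT = {
    "js/app.js": BASELINE["js/app.js"],
    "js/vendor.js": BASELINE["js/vendor.js"] + b"// placeholder for appended code\n",
    "js/new.js": b"var x=1;\n",
}

if __name__ == "__main__":
    print(risky_grants(SAMPLE_ACL))
    print(tampered_scripts(CURRENT, BASELINE))
```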

RiskIQ experts believe threat actors have already compromised a large number of S3 buckets affecting over 17,000 domains, including websites in the top 2,000 of Alexa rankings.

“However, the ease of compromise that comes from finding public S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment.” concludes RiskIQ.

“Perhaps most importantly, the widespread nature of this attack illustrates just how easy it is to compromise a vast quantity of websites at once with scripts stored in misconfigured S3 buckets.”

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow, Amerisleep, and Feedify.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

The post Magecart group infected over 17,000 domains via unprotected AWS S3 Buckets appeared first on Security Affairs.

Security roundup: July 2019

Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: T&Cs, stronger security in Europe, and a birthday with bitter memories.

Policing policies to protect privacy

One of the greatest lies on the internet is “I have read the terms and conditions”. But maybe most people aren’t to blame when those same policies read like “an incomprehensible disaster”. That’s what a New York Times investigation found after reviewing 150 privacy policies. The European Commission came to a similar conclusion after surveying 27,000 citizens on their attitudes to data protection. Commissioner Věra Jourová noted that 60 per cent of Europeans read their privacy statements, but only 13 per cent read them fully. “This is because the statements are too long or too difficult to understand,” she said.

But not reading T&Cs could have unwitting consequences; like turning your phone into a spying tool. Spain’s Liga app activated a user’s smartphone audio function when it knew they were in a bar. Spain’s football administrators said the app’s terms made it clear this was to identify places that were streaming matches illegally. The Spanish data protection authority took a different view and slapped the league with a €250,000 fine.

In other privacy news, the UK Information Commissioner’s Office has published guidance providing clarity and certainty on correct cookie use. Cookie rules technically fall under the Privacy and Electronic Communications Regulations, but some of that regulation’s concepts derive from GDPR. As well as a reader-friendly myth-busting blog, there’s also more comprehensive guidance in a longer document.

Strengthening security across Europe

The EU Cybersecurity Act came into force on 26 June. For the first time, it introduces EU-wide cybersecurity certification rules for digital products, services and processes. It also strengthens the mandate for ENISA. The Union’s cybersecurity agency will set up the certification framework and it now has a remit to help Member States to handle cyber incidents.

BH Consulting is a contributor to ENISA and our CEO Brian Honan recently gave a presentation on threat intelligence at an ENISA industry event. The meeting also covered cybersecurity, internet regulation and Europe’s position in the race to a competitive ICT global industry. Brian also spoke to the Irish Times for a feature article about steps under way to improve security. Meanwhile Ireland’s second national cyber security strategy is expected in the coming weeks, as the Irish Examiner reports.

Déjà vu all over again

If working in information security can sometimes feel like Groundhog Day, then you might want to pause before reading further. Consider the following sentences, then guess when they were written (no peeking). “Paradoxically, the drive for business efficiency and globalism serves only to increase the potential damage which computer viruses and other malicious programs can cause… the more streamlined and interconnected computers become, the greater will be the penalties resulting from carelessness, recklessness and vandalism… no-one knows when or where a computer virus will strike. They attack indiscriminately. Virus writers, whether or not they have targeted specific companies or individuals, must know their programs, once unleashed, soon become uncontrollable.”

So how old is that text? Five years? Ten? Fifteen, at a push? Actually, it’s double that number. Edward Wilding penned them in the summer of ’89, for the very first edition of Virus Bulletin (PDF). Brain, the world’s first computer virus, appeared just three years before then.

It says a lot that Wilding could write these words and, without knowing, still have them resonate three decades later. The same issues he identified then have not gone away. (Side note: the same is true of attacks like SQL injection. Even today, they account for two-thirds of all web app attacks, according to new findings from Akamai.) The industry’s progress, or lack of it, is a point to ponder while security professionals (hopefully) enjoy some deserved downtime this summer.

Links we liked

NIST guidance on understanding and managing security risks with IoT devices. MORE

Demand for cybersecurity jobs in Ireland is growing, but supply can’t keep up. MORE

Controversial: you should think about paying to get data back from ransomware. MORE

An open letter to the security profession, from a privacy practitioner. MORE

You know that ‘padlock’ icon in your web browser? It could be a fake. MORE

How a data request can quickly turn into a data breach. MORE and MORE

The Irish privacy champion on a mission to clean up dirty adtech. MORE

A sceptical take on Facebook’s planned move into cryptocurrency. MORE

When BGP goes wrong, the whole internet feels it. MORE

How a trivial cell phone hack is ruining lives. MORE


The post Security roundup: July 2019 appeared first on BH Consulting.

Security roundup: May 2019

We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.

Passwords: a good day to try hard

No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame was the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and 1111111.

The NCSC released the list for two reasons: firstly to prompt people to choose better passwords. Secondly, to allow sysadmins to set up blacklists to block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file here and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.

WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.

Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.

GDPRversary getting closer

Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.

The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.

The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.

Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes have content that mixes information for data controllers and processors, and more general information for data subjects (ie, everyone).

Breaching the c-suite

Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.

Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.

Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.

The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.

Links we liked

Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE

An unfortunate trend that needs to change: security pros think users are stupid. MORE

It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE

Want a career in cybersecurity, or know someone who does? Free training material here. MORE

NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE

NIST also issued guidelines for vetting the security of mobile applications. MORE

Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE

Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE

A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE

A new way to improve network security by analysing compressed traffic. MORE


The post Security roundup: May 2019 appeared first on BH Consulting.