Category Archives: Pierluigi Paganini

Hacker broke into super secure French Government’s Messaging App Tchap hours after release

A white hat hacker discovered how to break Tchap, a new secure messaging app launched by the French government for officials and politicians.

The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap, a new secure messaging app launched by the French government for encrypted communications between officials and politicians.
The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), as a project controlled by France’s National Cybersecurity Agency (ANSSI).

It aims at replacing popular instant messaging services like Telegram and WhatsApp for government people.

The Tchap was launched on April 18 and is available on the official iOS and Android app stores, but only French government employees (using
@gouv.fr or @elysee.fr email accounts) can sign-up for an account.

The key point Tchap is that encrypted communications flow through internal servers to prevent cyber attacks carried out by foreign nation-state actors.

Anyway, the French government published Tchap’s source code on GitHub, it is based on Riot, a well-known open-source instant messaging client-server package.

News of the day is that Robert Baptiste found a security bug that could allow anyone to sign up an account with the Tchap app and access groups and channels without using an official government email account.

The expert made a dynamic analysis of the mobile app and discovered it implements certificate pinning in the authentication process. Even if he disables it with Frida, during the registration process, the app requests a token.

tchap

The expert noticed that depending on the email address provided by the user, the app will refer the “correct” id_server. The list of available servers is defined in the AndroidManifest.xml.

“I set id_server to matrix.agent.elysee.tchap.gouv.fr. For info, Elysée is the French presidential palace. As I choose this server I guessed I should have an @elysee.fr email address. So, in the requestToken request, I modified email to fs0c131y@protonmail.com@elysee.fr. Hum, no validation email in my inbox… Wait, maybe it is waiting a known @elysee.fr email address. So I did a Google search “email @elysee.fr”” wrote the expert in a blog post.

“So I did another try and in the requestToken request and I modified email to fs0c131y@protonmail.com@presidence@elysee.fr. Bingo! I received an email from Tchap, I was able to validate my account! “

The expert demonstrated how to create an account with the service using a regular email ID by exploiting a potential email validation vulnerability in the Android version of the Tchap app.

After he logged as an Elysée employee, he was able to access to the public rooms.

tchap app

Robert reported the issue the Matrix team who developed the Riot client, and it quickly fixed the bug and released a patch. The released patch was specific only to the application developed by French intelligence.

Just for curiosity, last week Matrix.org warned users of a security breach, a hacker gained unauthorized access to the production databases, including unencrypted message data, access tokens, and also password hashes.

According to Matrix.org, the attacker has exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the systems of the organization. Homeservers, source code and packages, identity servers, and Modular.im servers were not impacted.

Pierluigi Paganini

(SecurityAffairs – hacking, Tchap app)

The post Hacker broke into super secure French Government’s Messaging App Tchap hours after release appeared first on Security Affairs.

Facebook admitted to have stored millions of Instagram users’ passwords in plaintext

Other problems for Facebook that admitted to have stored millions of Instagram users’ passwords in plaintext

Yesterday, Facebook made the headlines once again for alleged violations of the privacy of its users, the company admitted to have ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission

In March, Facebook admitted to have stored the passwords of hundreds of millions of users in plain text, including “tens of thousands” passwords belonging to Instagram users as well.

Unfortunately the issue was bigger than initially reported, the company updated the initial press release confirming that millions of Instagram users were affected by the problem.

The disconcerting discovery was made in January by Facebook IT staff as part of a routine security review. The passwords were stored in plain text on internal data storage systems, this means that they were accessible only by employees.

Facebook quickly fixed the issue and notified the affected users.

Now Facebook confirmed to have discovered “additional logs of Instagram passwords” stored in a readable format. The social network giant pointed out that the passwords were never “abused or improperly accessed” by any of its employees.

Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).” reads the updated statement.

instagram

Summarizing, millions of Instagram users had their account passwords stored in plain text and searchable by thousands of Facebook employees.

Let me suggest to change your password using strong ones and enable the
two-factor authentication.

Pierluigi Paganini

(SecurityAffairs – Instagram, privacy)

The post Facebook admitted to have stored millions of Instagram users’ passwords in plaintext appeared first on Security Affairs.

Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison

Djevair Ametovski was sentenced to 90 months in prison for operating an international cybercrime marketplace named Codeshop.

Macedonian national Djevair Ametovski (32) was sentenced to 90 months in prison by US DoJ authorities for operating an international cybercrime marketplace named Codeshop.

Codeshop.su was a website that specialized in selling stolen payment card data. Ametovski acquired payment card data from hackers who had stolen it from financial institutions and individuals.

According to the investigators, the man commercialized data of 181,000 payment cards between 2010 and 2014.

CodeShop carding

Ametovski (known online as Codeshop, Sindromx, xhevo, and Sindrom) was arrested by Slovenian authorities in January 2014, at the time he was charged with aggravated identity theft, access device fraud conspiracy, and wire fraud conspiracy. The Macedonian citizen was extradited to the United States in May 2016.

The man pleaded guilty to access device fraud and aggravated identity theft, he was also ordered to forfeit $250,000 and pay restitution that will be determined later.

Codeshop customers were able to buy stolen card data searching for specific types of data based on criteria such as country, bank, and bank identification number.

“The stolen data could then be used to make online purchases and to encode plastic cards to withdraw cash at ATMs.” reads the press release the Justice Department.      

“Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own.  Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards,” said the Justice Department.      

Pierluigi Paganini

(SecurityAffairs – Codeshop, carding)

The post Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison appeared first on Security Affairs.

Source code of tools used by OilRig APT leaked on Telegram

Lab Dookhtegan hackers leaked details about operations carried out by Iran-linked OilRig group, including source code of 6 tools.

A hacker group that goes online with the name Lab Dookhtegan have disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34, and HelixKitten.

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The Lab Dookhtegan hackers used a Telegram channel to dump information about the OilRig infrastructure, revealing details about its hacking tools, members, and operations. The hackers also disclosed IP addresses and domains involved in operations conducted by the group over the years.

OilRig dump
Source ZDnet
OilRig dump
Source ZDnet

It seems that the tools have been leaked since mid-March on a Telegram channel by a user with the Lab Dookhtegan pseudonym.

The dump also includes OilRig victims’ data, including login credentials to several services obtained through phishing attacks.

The entity that leaked the information aimed at disrupting the operations of the Iran-linked hacking groups, it is likely an opponent of the Regime.

Lab Dookhtegan leaked the source code of the following six hacking tools, including data related on their contained in the compromised admin panels:

  • Glimpse (aka BondUpdater), the latest version of the PowerShell-based trojan;
  • PoisonFrog, an older version of BondUpdater;
  • HyperShell web shell (aka TwoFace);
  • HighShell web shell;
  • Fox Panel phishing tool;
  • Webmask, the main tool behind DNSpionage;

According to Chronicle, Dookhtegan leaked data from 66 victims in private industry and Government organizations, most from the Middle East, Africa, East Asia, and Europe.

The list of victims includes Etihad Airways and Emirates National Oil, hackers hit individuals in many industries including energy, transportation, and financial.

Lab Dookhtegan also doxxed Iranian Ministry of Intelligence officers, the leaked shared phone numbers, images, social media profiles, and names of officers involved with APT34 operations.

“We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them,” Dookhtegan said in a Telegram.

No doubt, the leak will have a severe impact on the future operations of the OilRig group.

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Source code of tools used by OilRig APT leaked on Telegram appeared first on Security Affairs.

Ransomware attack knocks Weather Channel off the Air

A ransomware attack knocked the Weather Channel off the air for at least 90 minutes Thursday morning, federal law enforcement are investigating the incident.A ranomware attack knocked the Weather Channel off the air for at least 90 minutes Thursday morning, federal law enforcement are investigating the incident.

A cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.

The broadcaster confirmed via Twitter that the incident is the result of a cyber attack, it claims that the problems were caused by “a malicious software attack on the network.”

Details are scant at the moment and a tweet from the station does not lift the haze, informing only that it was the victim of “a malicious software attack on the network.”

This morning the broadcaster transmitted a taped programming “Heavy Rescue” instead of the “AMHQ” live show.

The live show started more than 90 minutes later and the anchors informing viewers of the cyber attack. IT staff has restored the normal operations using the backups.

Weather Channel ransomware

Federal law enforcement has immediately started an investigation on the case, at the time The Weather Channel did not disclose technical details about the attack.

According to 11 Alive News, the attack was caused by ransomware, a circumstance confirmed by Feds to The Wall Street Journal. The live show was interrupted due to a ransomware attack, likely an attempt to extort money to from the broadcaster.

Ransomware attacks continue to represent a serious threat for companies and organizations, it is essential to adopt good cyber hygiene using defence software, having up to date applications and implementing an efficient backup policy.

Pierluigi Paganini

(SecurityAffairs – ransomware, Wheater Channel)




The post Ransomware attack knocks Weather Channel off the Air appeared first on Security Affairs.

Broadcom WiFi Driver bugs expose devices to hack

Experts warn of security flaws in the Broadcom WiFi chipset drivers that could allow potential attackers to remotely execute arbitrary code and to trigger DoS.

According to a DHS/CISA alert and a CERT/CC vulnerability note, Broadcom WiFi chipset drivers are affected by security vulnerabilities impacting multiple operating systems. The flaws could be exploited to remotely execute arbitrary code and to trigger a denial-of-service condition.

“The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities in Broadcom Wi-Fi chipset drivers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert published by the DHS/CISA.

“The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.” reads the security advisory published by the CERT/CC.

The CERT/CC vulnerability note includes a list of all vendors potentially impacted by the flaws in Broadcom WiFi chipsets.

The flaws were discovered by Hugues Anguelkov during his internship at Quarkslab are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503.

The heap buffer overflows could be exploited to execute arbitrary code on vulnerable systems.

“You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a Mac book, a Samsumg phone or a Huawei phone, etc.” reads the post published by Anguelkov.

“Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.”

broadcom-wifi chipset

According to the CERT/CC,
In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service attacks.
a remote and unauthenticated attackers could exploit the flaws in Broadcom WiFi chipset driver by sending maliciously-crafted WiFi packets to execute arbitrary code on vulnerable systems.

Anguelkov confirmed that two of those vulnerabilities affect both in the Linux kernel and firmware of affected Broadcom chips.

The researcher pointed out that the most common exploitation scenario leads to a remote denial of service.

“Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.” Anguelkov adds.

Below the details for the flaws:

Vulnerabilities in the open source brcmfmac driver:
• CVE-2019-9503: If the brcmfmac driver receives the firmware event frame from the host, the appropriate handler is called. It is possible to bypass frame validation by using the USB as a bus (for instance by a wifi dongle.). In this case, firmware event frames from a remote source will be processed.

CVE-2019-9500: a malicious event frame can be crafted to trigger an heap buffer overflow in the brcmf_wowl_nd_results function when the Wake-up on Wireless LAN functionality is configured. This flaw could be exploited by compromised chipsets to compromise the host, or when used in combination with the above frame validation bypass, can be used remotely.

Vulnerabilities in the Broadcom wl driver:
Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).
• 
CVE-2019-9501: supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
• 
CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.
NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware.

The researcher published a timeline for the vulnerabilities that include information on patches released by some vendors.

Pierluigi Paganini

(SecurityAffairs – hacking, Broadcom WiFi chipset)

The post Broadcom WiFi Driver bugs expose devices to hack appeared first on Security Affairs.

Analyzing OilRig’s malware that uses DNS Tunneling

Iran-linked APT group OilRig is heavily leveraging on DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

Security researchers at Palo Alto Networks reported that Iran-linked APT group OilRig is heavily leveraging on DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

Many of the malware used by the group in the attacks over the years use DNS tunneling to protect communications with the command and control (C&C) infrastructure.

Experts pointed out that DNS tunneling clearly represents one of the preferred communication methods of the group.

OilRig usage of DNS tunneling was first documented in 2016, some of the Trojans in its arsenal using it are Helminth, ISMAgent, QUADAGENT
BONDUPDATER, and ALMACommunicator.

DNS tunnelling OilRig

The analysis of the tunneling protocols used by the OilRig suggests:

  • All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response
  • Most rely on an initial handshake to obtain a unique system identifier
  • Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer
  • Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order
  • Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling
  • All of the DNS tunneling protocols will generate a significant number of DNS queries

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.” reads the analysis published by Palo Alto Networks. “Therefore, the protocols must abide by the DNS protocol, so the specially crafted subdomains must have labels (portions of the subdomain separated by periods) must start and end with a letter or digit, contain letters, digits and hyphens and be less than 63 characters in length. Also, the entire domain queried, which includes the C2 domain and the specially crafted subdomain cannot exceed 253 characters.”

All the tools leverage DNS queries to resolve specially crafted subdomains and send data to the command and control servers. The tools use protocols in different ways, they differ for the structure of the subdomains queried, for the data received by the Trojans, for the subdomains used to transmit data.

Experts observed multiple variants of the Helminth backdoor over the years all using the same DNS Type A, but the threat actors are able to change the generated subdomains to avoid detection.

“There are several variants of Helminth, as the OilRig actors actively developed this Trojan during the course of their attack campaigns. The Helminth Trojan came in two forms, a portable executable version and a PowerShell version, both of which received updates to their DNS tunneling protocol over time.” continues the analysis. “The DNS tunneling protocols used in each variant operated the same way, but the developer would make changes to the generated subdomains to make them look visually different to evade detection.”

OilRig also used the ISMAgent in many campaigns, the malware uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. Before transmitting the data, the Trojan issues a beacon to inform the server it is ready.

OilRig also leveraged two variants of the ALMA Communicator in its attacks, each of them using a different domain structure. The two variants sent different information to the server and the formatted data within the DNS tunneling protocol in different ways.

Palo Alto researchers also documented different variants of both the BONDUPDATER tool and QUADAGENT Trojan, the latter uses AAAA queries to transmit/receive data via DNS tunneling.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices.” Palo Alto Networks concludes. “One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks,”

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Analyzing OilRig’s malware that uses DNS Tunneling appeared first on Security Affairs.

Drupal patched security vulnerabilities in Symfony, jQuery

The developers of the Symfony PHP web application framework released updates that patch five vulnerabilities, three affecting the Drupal CMS.

The development team of the Symfony PHP web application framework released security updates for five issues, three of which also affects Drupal 7 and 8.

The developers of the Symfony PHP web application framework addressed a total of five vulnerabilities, three of which impact the Drupal CMS.

The flaws that affect the Drupal CMS are:

drupal Symfony

The latest versions of Drupal also include security updates to address a jQuery vulnerability. The Moderately critical Cross Site Scripting flaw resides in the jQuery.extend() function.”

“It’s possible that this vulnerability is exploitable with some Drupal modules.” reads the security advisory published by Drupal. “As a precaution, this Drupal security release backports the fix to jQuery.extend(), without making any other changes to the jQuery version that is included in Drupal core (3.2.1 for Drupal 8 and 1.4.4 for Drupal 7) or running on the site via some other module such as jQuery Update,”

Drupal addressed the flaw with the release of versions 8.6.15, 8.5.15 and 7.66.

Pierluigi Paganini

(SecurityAffairs – hacking, Symfony)

The post Drupal patched security vulnerabilities in Symfony, jQuery appeared first on Security Affairs.

Facebook ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission

Facebook made the headlines once again for alleged violations of the privacy of its users, this time collecting contacts from 1.5 Million email accounts without permission.

New problems for Facebook, the company collected contacts from 1.5 Million email accounts without user’permission.

We recently read about an embarrassing incident involving the social network giant that asked some newly-registered users to provide the passwords to their email accounts to confirm their identity.

Some experts speculated that the social network giant was using the password to access the email accounts and collect their contacts.

New of the day is that Facebook admitted it was collecting email contacts of some of its users.

“Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts. Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network” reported the Business Insider.
“The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.”

Of course, Facebook declared that it has “unintentionally” uploaded email contacts from up to 1.5 million new users on its servers since May 2016, but the company was never authorized to do it and did not receive their consent.

Facebook passwords

This means that roughly 1.5 million users unintentionally shared passwords for their email accounts with the social network.

According to a Facebook spokesperson who spoke with Business Insider, the company was using harvested data to “build Facebook’s web of social connections and recommend friends to add.”

“At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.” continues the Business Insider.

Facebook stopped using this email verification process a month ago, when a researcher using the pseudononymous of “e-sushi” noticed that the social network was asking some users to enter their email passwords when they signed up for new accounts.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said in a statement.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

The list of incidents that involved the company in the last year is long. In April experts found 540 Million Facebook user records on unprotected Amazon S3 buckets.

In March 2019, Facebook admitted to having stored the passwords of hundreds of millions of users in plain text.

In October 2018, Facebook disclosed a severe security breach that allowed hackers to steal access tokens and access personal information from 29 million Facebook accounts.

Pierluigi Paganini

(Security Affairs – Facebook, privacy)

The post Facebook ‘unintentionally’ collected contacts from 1.5 Million email accounts without permission appeared first on Security Affairs.

APT28 and Upcoming Elections: evidence of possible interference (Part II)

In mid-March, a suspicious Office document referencing the Ukraine elections appeared in the wild, is it related to APT28 and upcoming elections?

Introduction

The uncertain attribution of the Ukrainian themed malicious document discussed in our past article “APT28 and Upcoming Elections: Possible Interference Signals”, led us to a review of Sofacy’s phishing techniques to confirm or deny the possible involvement of Russian state-sponsored actors in the election interference. We ended up in an old fake Hotel reservation request form, containing dummy interactive text boxes used to lure the victims to enable the macro code execution. 

We analyzed this sample two years ago and we linked it to a Sofacy attack operation discovered by FE researchers in the mid of 2017, which hit several hotels in European and Middle Eastern countries. 

Technical Analysis

Sha256a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
ThreatAPT28 GAMEFISH
Brief DescriptionGAMEFISH document dropper (reference sample, 2017)
Ssdeep1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR

The macro code inside the 2017 document is password protected, just like the last suspicious document we analyzed to investigate a possible Ukraine elections interference by Russian groups. After its opening, the reference sample decodes the extracted Base64 content using a custom “DecodeBase64” function:

Figure 1: Custom Base64 decryption routine

The decoded content is actually a DLL file which is written into “%AppData%\user.dat”. After that, it will be executed through an ASR bypass technique (Attack Surface Reduction) allowing attackers to run new child process within the Office environment. This is the same publicly available exploit previously found into the Ukrainian sample (more details in the next section). 

Figure 2: Technique used to bypass Microsoft ASR protection

In this reference sample, the “user.dat”’s purpose is to create two new artifacts and to set persistence through “HKCU\Environment->UserInitMprLogonScript”. The created files are:

  • %AppData%\mrset.bat
  • %AppData%\mvtband.dat
Figure 3: Persistence setting and artifacts creation by “user.dat” file

The “mrset.bat” file is a short bash file, designed to check the “mvtband.dat” existence and to run it through “rundll32.exe” system utility.

Figure 4: “mrset.bat” file code

Finally, the “mvtband.dat” file, which actually is a Delphi DLL library, is a well-known malware named “GAMEFISH” (f9fd3f1d8da4ffd6a494228b934549d09e3c59d1). Russian groups were used to use it in recon-phases to steal information from victim machine and to implant new payloads. 

Figure 5: Information retrieved by mvtband.dll

Comparison with Ukrainian Elections Sample

Sha256 a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
Threat APT28 GAMEFISH
Brief Description GAMEFISH document dropper (reference sample, 2017)
Ssdeep 1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR

Despite some differences between the “Hospitality campaign” vector and the Ukraine elections one, both use similar TTP related to the APT28 group. The link between Hospitality malware and the “FancyBear” actor has been already sifted by Info-Sec community. So, we can exploit the similarities between it and the Ukrainian elections sample to link it to Russian hacker groups.

Both documents under analysis use protected macro code. All the code inside the macro is not obfuscated in any way: Hospitality document surprisingly contains code comments too. Moreover, the main macro function name is “Execute” for both documents and the ASR trick used to create new processes from the Office work-space is substantially the same.

Figure 6. The Ukraine elections macro on the left; Hospitality’s one on the right.

In both cases the real payload is encoded in Base64 and it is stored into an Office hidden section: the first sample uses a document property, the second one employs an XML resource. 

The next stages are different: the Ukraine sample deploys some Powershell obfuscated scripts, which at the end carry an Empire stager, allowing the attackers to directly interact with the victim machine; the reference sample, instead, implants the GAMEFISH malware which automatically exfiltrates victim information while waiting for new payloads to install.

Conclusion

Finally, the attribution of the Ukraine elections sample (highlighted in our previous report) can be confirmed due to the strong similarities with the first stage of the Sofacy’s Hospitality malware, because:

  • Both use password protection.
  • Both have the same function name.
  • Both have the same macro code structure.
  • Both embeds the real payload in a hidden document section.
  • The ASR trick is implemented using the same instructions.

The presence of these similarities between the droppers indicates, with high probability, the attacker is the same and consequentially suggests APT28 is reusing some 2017 tricks and code snippets which, despite their simplicity, make their attacks effective.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.
Stay Tuned.  

Pierluigi Paganini

(SecurityAffairs – Ukraine, APT28)

The post APT28 and Upcoming Elections: evidence of possible interference (Part II) appeared first on Security Affairs.

Russian TA505 threat actor target financial entities worldwide

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russianbased company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back 2017, it has been active at least since 2015 and targets organizations in financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including 
the Dridex banking trojantRAT RAT, FlawedAmmy RAT, 
Philadelphia ransomware, GlobeImposter and Locky ransomware.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018 also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macr. The macro downloads a payload from the command and control (C&C) server, the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts also observed the attackers using the ServHelper RAT since November 2018, it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.

TA505

The report states that indicators of compromise identified in the campaigns against the US retail campaign are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attack.

Further technical details on the attacks are included in the report published by Cyberint.

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

The post Russian TA505 threat actor target financial entities worldwide appeared first on Security Affairs.

Cisco addresses a critical bug in ASR 9000 series Routers

Cisco released security patches for 30 vulnerabilities, including a critical flaw in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit.

The critical vulnerability in ASR 9000 Series Aggregation Services Routers running IOS XR 64-bit is tracked as CVE-2019-1710 (CVSS score of 9.8). The flaw could be exploited by an unauthenticated, remote attacker to access internal applications running on the sysadmin virtual machine (VM).

The bug is due to the incorrect isolation of the secondary management interface from internal sysadmin applications.

“An attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.” reads the security advisory published by Cisco.

There are workarounds that address this issue, but Cisco recommends to install the software updates it has released to address the flaw. The tech giant has fixed the flaw in Cisco IOS XR 64-bit Software Release 6.5.3 and 7.0.1, which will edit the calvados_boostrap.cfg file and reload the device.

Cisco will not publish a software maintenance upgrade (SMU) for this vulnerability due to the effectiveness of the workaround.

CISCO-ASR-9000-2

The Cisco Product Security Incident Response Team (PSIRT) confirmed that is not aware of any attacks in the wild exploiting the issue.

Cisco also addressed 6 high-severity bugs in Inter-Access Point Protocol (IAPP) messages by Wireless LAN Controller (WLC) software, and in the administrative GUI configuration and the web-based management interface of WLC software, as well as in the phone book feature of Expressway Series and TelePresence Video Communication Server (VCS), and the development shell authentication for Aironet Series Access Points running the AP-COS operating system.

The complete list of the addressed vulnerabilities is available found on Cisco security center portal.

Pierluigi Paganini

(SecurityAffairs – hacking, CISCO ASR 9000)

The post Cisco addresses a critical bug in ASR 9000 series Routers appeared first on Security Affairs.

RCE flaw in Electronic Arts Origin client exposes gamers to hack

Electronic Arts (EA) has fixed a security issue in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts (EA) has addressed a vulnerability in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts already released a security patch for the remote code execution vulnerability. The Origin app on Windows is used by tens of millions of gamers. The Origin client for macOS was not affected by this flaw.

The flaw was reported by security experts Dominik Penner and Daley Bee from Underdog Security.

“We located a client-sided template injection, where we proceeded to use an AngularJS sandbox escape and achieve RCE by communicating with QtApplication’s QDesktopServices.” reads a blog post published by
Underdog Security.

“To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.” reported Techcrunch.

“But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any app on the victim’s computer.”

The experts shared a proof-of-concept code with Techcrunch to trigger the issue.

Researchers pointed out that the code allowed any app to run at the same level of privileges as the logged-in user. In the following image, the security duo popped open the Windows calculator remotely.

Electronic Arts Origin client

“But worse, a hacker could send malicious PowerShell commands, an in-built app often used by attackers to download additional malicious components and install ransomware.” continues the post.

An attacker could craft a malicious link and send it via email to the victims or include it on a webpage, the issue could also be triggered if the malicious code was combined with cross-site scripting exploit that ran automatically in the browser.

The flaw can also be exploited by an attacker to take over gamers’ accounts by stealing access token with just a single line of code.

Pierluigi Paganini

(SecurityAffairs – hacking, Electronic Arts)

The post RCE flaw in Electronic Arts Origin client exposes gamers to hack appeared first on Security Affairs.

Code execution – Evernote

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.

Technical observation:
A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like
(../../../../something.app).

Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.

Evernote

Patch: 
A patch for this issue was released in Evernote 7.10 Beta 1 and 7.9.1 GA for macOS [MACOSNOTE-28840]. CVE-2019-10038 was assigned to this issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)

Original post at:

https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html

Pierluigi Paganini

(Security Affairs – Evernote, hacking)

The post Code execution – Evernote appeared first on Security Affairs.

Justdial is leaking personal details of all customers real-time

A database belonging to the Indian local search service JustDial was left online without protection exposing personal data of over 100M users.

The archive is still leaking personally identifiable information of more than JustDial customers that are accessing the service via its website, mobile app, or even by calling on the customer care number (“88888 88888”).

The news was first reported by The Hacker News that independently verified the authenticity of the story.

JustDial is the largest and oldest search engine in India that allows its users to find vendors of various products and services.

The independent researcher Rajshekhar Rajaharia discovered how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone.

The leaked data includes username, email, mobile number, address, gender, date of birth, photo, occupation, company name and other.

According to the expert, data remained exposed since at least mid-2015 through unprotected API, at the time it is not clear if anyone had accessed the huge trove of data.

justdial data-breach-hacking

Experts at THN provided Rajshekhar a new phone number that was never before registered with Justdial server, then used it to contact the JustDial service and request information on restaurants, The service created a profile and associated it with the number provided by THN. Rajshekhar was able to access the profile a circumstance that confirmed that expose DB was the one associated with production systems.

“Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it’s an old API endpoint which is not currently being used by the company but left forgotten on the server.” reads the post published by THN.

Rajshekhar discovered this unprotected end-point while conducting a penetration test on the latest APIs, which are apparently protected.

Rajshekhar also found other issued associated with old unprotected APIs, one of them could be exploited by anyone to trigger OPT request for any registered phone number making possible to spam users.

Rajshekhar attempted to report the issues to the company but without success.

Pierluigi Paganini

(SecurityAffairs – hacking, JustDial)

The post Justdial is leaking personal details of all customers real-time appeared first on Security Affairs.

European Commission is not in possession of evidence of issues with Kaspersky products

The European Commission confirmed that has no evidence of issues associated with using products designed by Kaspersky Lab.

In June 2018, European Parliament passed a resolution that classified the security firm’s software as “malicious” due to the alleged link of the company with the Russian intelligence.

The call for a ban on Kaspersky’s software among the members of the European Union was part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.

“Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.” stated the report.

The European eurocrats adopted the A8-0189/2018 motion that could ban the products of the security giant from European Union institutions.

Kaspersky was accused of working for the Russian intelligence, many EU states including the U.K., the Netherlands and Lithuania banned its products.

In response to a March 2019 inquiry from Gerolf Annemans, European Parliament member from Belgium, the European Commission confirmed that it is not aware of problems with the products of Kaspersky Lab.

Citing the experience of Germany, France, and Belgium, that never found any issues with the use of Kaspersky Lab solutions, Annemans asked further clarifications to the European Commission.

APT28 EU

Annemans asked it the European Commission knows “any reason other than certain press articles that justifies the labelling of Kaspersky as ‘dangerous’ or ‘malicious’.”

He asked for technical proof of problems and “any reports or opinions of cyber experts or consultancies about Kaspersky Lab.”

“The Commission is not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products.” reads the response of the Commission. “The Commission is following closely debates and developments concerning the security of IT products and devices in general, including discussions about potential measures related to access to the EU market.”

“Regarding reports or opinions published concerning the issue raised by the Honourable Member, the Commission did not commission any reports,”

Pierluigi Paganini

(SecurityAffairs – European Commission, Kaspersky Lab)

The post European Commission is not in possession of evidence of issues with Kaspersky products appeared first on Security Affairs.